Iranian APT Seedworm Targets Global Organizations via Microsoft Teams
In late February 2026, following escalating Middle East tensions and coordinated military actions, the Iranian APT group Seedworm launched sophisticated social engineering attacks via Microsoft Teams. Attackers impersonated IT support personnel using deceptive Microsoft 365 tenant domains to convince victims to execute malicious MSI installers. The campaign deployed a custom backdoor called Dindoor, which leveraged the legitimate Deno runtime to execute obfuscated payloads in memory, minimizing detection. The operation included multiple components for persistence, command-and-control communications, and data exfiltration. Infrastructure overlapped with previously reported MuddyWater operations. The attack demonstrates the group's evolution in using collaboration platforms as initial access vectors while combining dual-use tooling with living-off-the-land techniques to bypass traditional security controls.
AI Analysis (machine-generated threat intelligence)
Technical Summary
The Iranian APT group Seedworm launched a sophisticated campaign in February 2026 targeting global organizations via Microsoft Teams. Attackers used social engineering by impersonating IT support personnel with deceptive Microsoft 365 tenant domains to convince victims to execute malicious MSI installers. The payload deployed is a custom backdoor called Dindoor, which leverages the legitimate Deno runtime environment to run obfuscated code entirely in memory, minimizing forensic footprints. The malware includes modules for persistence, command-and-control communications, and data exfiltration. The attack infrastructure overlaps with the previously known MuddyWater APT operations. This campaign demonstrates the group's advanced use of collaboration platforms as an initial access vector combined with living-off-the-land techniques and dual-use tooling to evade detection and maintain stealth.
Potential Impact
The campaign enables attackers to gain persistent remote access to compromised systems via the Dindoor backdoor, facilitating command execution and data exfiltration. The use of in-memory execution and legitimate runtimes reduces the likelihood of detection by traditional antivirus and endpoint security solutions. The impersonation of IT support and use of trusted collaboration platforms increase the chance of successful social engineering, potentially impacting a wide range of global organizations. There are no known public exploits or patches since this is a targeted malware campaign rather than a software vulnerability.
Mitigation Recommendations
No official patches are applicable as this is a malware campaign rather than a software vulnerability. Organizations should educate users to be cautious of unexpected requests via collaboration platforms, especially those involving installation of software or MSI files. Monitoring for unusual MSI execution and anomalous use of the Deno runtime may help detect this threat. Since the attack uses social engineering and living-off-the-land techniques, endpoint detection and response solutions should be tuned to identify suspicious behaviors related to in-memory execution and command-and-control traffic. Review and restrict permissions for Microsoft 365 tenant domains and collaboration platform usage where possible.
Indicators of Compromise
- domain: serialmenot.com
- hash: 2b7d8a519f44d3105e9fde2770c75efb933994c658855dca7d48c8b4897f81e6
- hash: 077ab28d66abdafad9f5411e18d26e87fe43da1410ee8fe846bd721ab0cb52de
- hash: 4aef998e3b3f6ca21c78ed71732c9d2bdcc8a4e0284f51d7462c79d446fbc7be
- hash: ddceade244c636435f2444cd4c4d3dc161981f3af1f622c03442747ecef50888
- hash: a4bd1371fe644d7e6898045cc8e7b5e1562bdfd0e4871d46034e29a22dec6377
- hash: 64cf334716f15da1db7981fad6c81a640d94aa1d65391ef879f4b7b6edf6e7f1
- hash: 74db1f653da6de134bdc526412a517a30b6856de9c3e5d0c742cb5fe9959ad0d
- hash: 24857fe82f454719cd18bcbe19b0cfa5387bee1022008b7f5f3a8be9f05e4d14
- hash: 64263640a6fdeb2388bca2e9094a17065308cf8dcb0032454c0a71d9b78327eb
- hash: 3df9dcc45d2a3b1f639e40d47eceeafb229f6d9e7f0adcd8f1731af1563ffb90
- hash: 1319d474d19eb386841732c728acf0c5fe64aa135101c6ceee1bd0369ecf97b6
- hash: a92d28f1d32e3a9ab7c3691f8bfca8f7586bb0666adbba47eab3e1a8faf7ecc0
- hash: 29953b2e46aeaf0157d487c13c4a0643
- hash: 439c0a0a46627bd166e08436f383ad56
- hash: 4860758863fd040a8c809ce53cb7fb37
- hash: 56a4b425aba37ef886bdfbd8343a1bd5
- hash: 591aae15106147bdb5bc7b26049b943f
- hash: 76c59282e44a461105dc5739a6ba7c33
- hash: 7a4119e116ecdefe0a1017110e250e61
- hash: 7f3c8a7fe78d3d05b6022df3ea0c15fb
- hash: 838c8fd4ae7e3c4972adc8800db44929
- hash: e2bcc41ddea5cf9d759380701d14f258
- hash: e6fafcb72f2f315692218182ba84e0ef
- hash: 0ba2306ec15f7124fafc7615e81f34c7986ba9a5
- hash: 2b781b3a352db44db67ad56e8477e6a1016b2597
- hash: 3ab3fee4daac90bb7bee470b5b2de8ee0d6bec8b
- hash: 429efcf0370b53cc3c455b634dc066b1d08b568d
- hash: 7a8963d123918ca86727649492cd1ff4e020cb72
- hash: 9c5cc25e80df75f91873bf31a6269e7bdab7c6d2
- hash: a42b4914b0c8dc47a3a5f8114d0fcbef02d84e0a
- hash: be3c8f93e9d7f42ec1133ab36f555b104b23fe1b
- hash: c16099c29ccdb34764e4d15b1dab2d141d159950
- hash: cecf87d582b4df4323eaef04c9a648d43325043a
- hash: fa49d1fd5a938b3de0840759db62867e6382cea1
- hash: 0f9cf1cf8d641562053ce533aaa413754db88e60404cab6bbaa11f2b2491d542
- hash: 1d984d4b2b508b56a77c9a567fb7a50c858e672d56e8cf7677a1fca5c98c95d1
- hash: 2a00705cfd3c15cf8913e9eb4e23968efd06f1feceaef9987d26c5518887d043
- hash: 2a09bbb3d1ddb729ea7591f197b5955453aa3769c6fb98a5ef60c6e4b7df23a5
- hash: 42a5db2a020155b2adb77c00cbe6c6ad27c2285d8c6114679d9d34137e870b3f
- hash: 7467f326677a4a2c8576e71a832e297e794ea00e9b67c4fcbe78b5aec697cec4
- hash: 7c30c16e7a311dc0cdb1cdfd9ea6e502f44c027328dbe7d960b9bcd85ccf5eef
- hash: 94f05495eb1b2ebe592481e01d3900615040aa02bd1807b705a50e45d7c53444
- hash: b0af82de672d81f3c2f153977923b3884a8a9e7045b182c2379b19a1996931a0
- hash: bd8203ab88983bc081545ff325f39e9c5cd5eb6a99d04ae2a6cf862535c9829a
- hash: c7cf1575336e78946f4fe4b0e7416b6ebe6813a1a040c54fb6ad82e72673478e
- hash: 2115e69f71d9f51a6c6c2effdaee2df2
- hash: 3962bfa78c7acd8d85b3700e99ae8d24
- hash: 41c19fc6c8a8687988f28fc487048bf3
- hash: 5c057af2f358fc10107d5ccdb39938ad
- hash: 64e4b0ffd8bed9307eb50b541b1d8fdb
- hash: 6d1d4e938ed1e46210375308ef3bcb08
- hash: 7236f1a51da141e422d553e36ef6c9d0
- hash: 8d8aa0be8f82d22deab96f96d9af34b8
- hash: c0a52cd5dd35bf9d5d08c7eb12cfa422
- hash: c23fc7b74370d590223d962727e67907
- hash: ca37e31d651bbd5bbddef3ea716b8b4f
- hash: f8560b9a893eeb2130fc7159e9c1b851
- hash: 2e1cc87d974aa7f07a8911c631a191dc00535b36
- hash: 3de597e3237d5c7e7cc66ecb58b9ea2af149afa1
- hash: 3f441a009a907af55bd6d52b0f0f06b601c961dd
- hash: 42111d2ebcd42fa1fa7069560401db736c483776
- hash: 4a54b7237dc9fdd745d0d19083a1ce4857c91de4
- hash: 4ebfa2d967ce7983790b77a3987cb1c5d1b868f2
- hash: 559052799a52d1b29ac7e87935e9a0c80df5fb16
- hash: 58af8d0e3e77f8d16a5a42fc173ebccb5ecb1cd0
- hash: 5e9d1be3cc70d617cba3953cc901e304951ea8cb
- hash: 6b186f2881729a977beb6aecb61ac0fe83c5777d
- hash: de9707a8505683930fccf5536e311242425d420a
- hash: e2e8516b4f275e8c636620b7377ee3b9f9f47bb0
- hash: 3916604ebd3eab1dec27e4ad904e3a0d50c671ee1559c35ae116975338197f2e
- hash: 500ee77471669175b359bf57384291cab791200191d0e5a5bb190da53ccb30ee
- hash: ddf75e118db8a5614483ee7e7528a3e2621901059899a8a497335bdef2fba437
- url: https://dd3.filedwnl.top
- url: https://dd4.filedwnl.top
- domain: dd3.filedwnl.top
- domain: dd4.filedwnl.top
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.cyberproof.com/blog/iranian-apt-seedworm-targets-global-organizations-via-microsoft-teams/
- Adversary: MuddyWater
- Pulse Id: 69e2417dcac9587a626c98a2
- Threat Score: null
Threat ID: 69e60afe19fe3cd2cde02d2f
Added to database: 4/20/2026, 11:16:14 AM
Last enriched: 4/20/2026, 11:31:29 AM
Last updated: 4/21/2026, 6:42:28 AM