MuddyWater Hit US Infrastructure With Dindoor and Fakeset. We've Been Mapping Their Cloudflare Rotation Hourly Since March.
- Patrick Duggan
- 3 days ago
- 4 min read
CheckPoint published the MuddyWater-Seedworm disclosure on March 9, 2026. The Iranian state-sponsored group, affiliated with the Ministry of Intelligence and Security, deployed two new backdoors against US critical infrastructure — banks, airports, defense suppliers, nonprofits. The campaign had been active since February 20. The tools have been named: Dindoor, written against the Deno runtime to evade traditional binary-aware EDR, and Fakeset, a Python-based loader pulled from Backblaze cloud storage. Both are signed with code-signing certificates issued to "Amy Cherne" and "Donald Gay." The Donald Gay certificate has historical lineage to Stagecomp and Darkcomp, two earlier MuddyWater toolchains. Data exfiltration is routed through Rclone to Wasabi cloud storage.
That disclosure is the publicly indexed receipt. What CheckPoint, Microsoft Threat Intelligence, and Mandiant cannot show their readers is the texture of the operational infrastructure between the named tool dropping and the named victim being notified. That texture is what we run.
The receipts that were already in our feed
DugganUSA indexed the CheckPoint disclosure on the day of publication. We tagged the infrastructure pivot points, attributed them to MuddyWater, and wired the rotation domains into our domain-watchdog cron. From that moment forward, every IP change on those domains was captured at hourly granularity. The signal is not a single static IOC. The signal is the pattern of motion.
Five active MuddyWater rotation domains landed in our IOC feed:
serialmenot.com
moonzonet.com
girlsbags.shop
meetingapp.site
web14.info
By March 27, our domain-watchdog had captured eleven distinct IP rotations across those five domains in under three hours. The pattern: each domain cycles its A record between two Cloudflare anycast IP pools — the 172.67.x.x range and the 104.21.x.x range. The actor uses Cloudflare's free tier as a fronting service, exploiting the legitimate Cloudflare ASN to defeat coarse-grained IP blocking. A defender who blocks 172.67.216.224 because they see it tied to moonzonet.com loses ground twenty minutes later when moonzonet.com points at 104.21.86.178 and the malicious traffic just routes around them.
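The rotation pattern described above, as an added example that is not DugganUSA's domain-watchdog code: it replays hourly A-record snapshots for the rotation domains, emits one event per IP change, and marks the changes that hop between the two Cloudflare pools the post names. Treating 172.67.x.x and 104.21.x.x as /16 networks is an assumption, and the snapshot list is constructed for the example (two of the addresses are the ones quoted in the post, the rest are made up).

```python
"""Added example, not DugganUSA's own domain-watchdog code: replay hourly
A-record snapshots for the rotation domains and flag each IP change, noting
when the change hops between the two Cloudflare pools named in the post."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# The post names the 172.67.x.x and 104.21.x.x ranges; treating them as /16
# networks is an assumption for this example.
CF_POOLS = {
    "cf-172.67": ip_network("172.67.0.0/16"),
    "cf-104.21": ip_network("104.21.0.0/16"),
}


def classify_ip(ip: str) -> str:
    """Name the Cloudflare pool an address belongs to, or 'other'."""
    addr = ip_address(ip)
    for name, net in CF_POOLS.items():
        if addr in net:
            return name
    return "other"


@dataclass
class Rotation:
    domain: str
    ts: str
    old_ip: str
    new_ip: str
    crossed_pool: bool  # True when the A record jumped between pools


def detect_rotations(snapshots: List[Tuple[str, str, str]]) -> List[Rotation]:
    """snapshots: (iso_timestamp, domain, resolved_ip) tuples, any order.
    Emits one Rotation per observed change of a domain's A record."""
    last_ip: Dict[str, str] = {}
    events: List[Rotation] = []
    for ts, domain, ip in sorted(snapshots, key=lambda s: s[0]):
        prev = last_ip.get(domain)
        if prev is not None and prev != ip:
            events.append(Rotation(domain, ts, prev, ip,
                                   classify_ip(prev) != classify_ip(ip)))
        last_ip[domain] = ip
    return events


def rotation_counts(events: List[Rotation]) -> Dict[str, int]:
    """Rotations per domain over the window, the cadence figure a feed carries."""
    counts: Dict[str, int] = {}
    for e in events:
        counts[e.domain] = counts.get(e.domain, 0) + 1
    return counts


def ips_a_blocklist_would_need(snapshots: List[Tuple[str, str, str]]) -> List[str]:
    """Every distinct IP the domains have sat on: the moving target an
    IP-only block list chases, which is why the block belongs at DNS."""
    return sorted({ip for _, _, ip in snapshots})


# Constructed sample snapshots for the example (not real observations):
# two of the IPs are the ones quoted in the post, the rest are made up.
SAMPLE_SNAPSHOTS = [
    ("2026-03-27T06:00Z", "moonzonet.com", "172.67.216.224"),
    ("2026-03-27T06:00Z", "serialmenot.com", "104.21.5.9"),
    ("2026-03-27T07:00Z", "moonzonet.com", "104.21.86.178"),
    ("2026-03-27T07:00Z", "serialmenot.com", "104.21.5.9"),
    ("2026-03-27T08:00Z", "moonzonet.com", "172.67.216.224"),
    ("2026-03-27T08:00Z", "serialmenot.com", "172.67.40.2"),
]

if __name__ == "__main__":
    events = detect_rotations(SAMPLE_SNAPSHOTS)
    for e in events:
        hop = "pool hop" if e.crossed_pool else "same pool"
        print(f"{e.ts} {e.domain}: {e.old_ip} -> {e.new_ip} ({hop})")
    print(rotation_counts(events))
    print("IPs an IP-only blocklist would have needed:",
          ips_a_blocklist_would_need(SAMPLE_SNAPSHOTS))
```

Feeding real hourly resolutions into `detect_rotations` in place of the constructed list is the only change needed to run this against a live watchdog log; the pool classification is what separates a benign CDN re-balance from the fronting rhythm the post describes.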
The CheckPoint disclosure has the named tools and the named exfiltration paths. The DugganUSA feed has the live operational rhythm.
The infrastructure pattern, named
CheckPoint named one IP explicitly: 18.223.24.218, an AWS-hosted Rclone-Wasabi exfiltration server. That IP entered our IOCs index on March 13, attributed to MuddyWater, sourced as "checkpoint-mois-cybercrime-2026." That single indicator is necessary but not sufficient for defense. The five rotation domains above are what an EDR or DNS sinkhole actually needs to stop the Stage 1 callback, before any Rclone session reaches the exfil bucket.
This is what the structural advantage looks like in operation. The vendor disclosure publishes the headline indicators. We persist the operational tail — the live domain-and-IP rotation that the actor will continue running until the campaign retires.
The Stagecomp-Darkcomp-Dindoor-Fakeset lineage
The Donald Gay code-signing certificate is a more important detail in the CheckPoint report than either of the two named backdoors. Code-signing certificates leave a forensic trail across years of campaign rotation. Donald Gay signed Stagecomp. Donald Gay signed Darkcomp. Donald Gay now signs Fakeset. The actor maintains a corporate identity, paid for that identity through a certificate authority, and continues to use that identity across three named toolchains spanning at least two years. The implication for defenders is durable: any binary signed by "Donald Gay" is a Stage 2 trigger regardless of which named tool it dropped. Hash-based detection rots in a week. Code-signing-identity detection rots in a year, sometimes longer.
We surface the certificate-signer attribution in the same index that holds the domains. A single search against the iocs index for signer = "Donald Gay" returns the MuddyWater toolchain history in one query. That is the difference between intel and an article.
The defender takeaway
MuddyWater is not a sophisticated actor by the measure of zero-day acquisition or custom cryptography. The Iranian Ministry of Intelligence and Security has not deployed a kernel exploit in our visibility window. MuddyWater is, instead, a mature operational actor. They build their operations on the same legitimate cloud infrastructure that their targets use — Cloudflare for domain fronting, Backblaze for payload distribution, Wasabi for exfiltration. The defensive surface is therefore not "block Iran" or "block AWS." The defensive surface is the texture: the rotation cadence, the certificate-signer identity, the specific .shop and .site TLD preference for the Stage 1 callback domains. Texture is what feeds a STIX 2.1 file. Texture is what fires a Suricata rule. Texture is what we publish.
A defender pulling our STIX feed at 06:00 UTC on March 28 had every rotation in their detection pipeline before the next IP cycle fired. A defender reading the CheckPoint blog at 06:00 UTC on March 28 had the names of the tools and a single hosting IP.
Both pieces of intelligence matter. Only one of them gets a defender to actionable detection inside the hour.
What this looks like in your stack
DugganUSA publishes the MuddyWater infrastructure pivots as part of the public STIX 2.1 / TAXII 2.1 feed at analytics.dugganusa.com. The same indicators are available as plain CSV blocklists, as Suricata rule sets, and as DNS sinkhole zones for OPNsense and Unbound. Microsoft, AT&T, Starlink, and 270-plus other organizations pull the feed daily. The MuddyWater rotation domains are in there. So are the certificate-signer attributions. So is the Rclone-Wasabi exfiltration path tag.
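The feed formats named above, as an added example that is not DugganUSA's feed generator: it turns the indicators quoted in this post (the five callback domains, the Rclone-Wasabi host, the two signer names) into STIX 2.1 Indicator objects, Suricata DNS rules and an Unbound sinkhole zone, using only the Python standard library. The sid base and the regex-match form used for the certificate subject are assumptions; the signer indicator matches the name as it appears in the post, not a full subject DN the post does not give.

```python
"""Added example, not DugganUSA's feed generator: emit the indicators the
post describes as STIX 2.1 Indicator objects, Suricata DNS rules and an
Unbound sinkhole zone, from a small inline IOC list (standard library only)."""
import json
import uuid
from datetime import datetime, timezone

# Domains, IP and signer names are the ones quoted in the post. The sid base
# and the MATCHES form used for the signer subject are assumptions.
C2_DOMAINS = ["serialmenot.com", "moonzonet.com", "girlsbags.shop",
              "meetingapp.site", "web14.info"]
EXFIL_IPS = ["18.223.24.218"]
SIGNERS = ["Donald Gay", "Amy Cherne"]
SID_BASE = 1000100  # local-use sid range; placeholder value


def _stix_ts() -> str:
    """STIX 2.1 timestamp: RFC 3339, UTC, millisecond precision."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def stix_indicator(pattern: str, name: str, labels: list) -> dict:
    """Minimal STIX 2.1 Indicator carrying the required properties."""
    ts = _stix_ts()
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": ts,
        "labels": labels,
    }


def build_bundle() -> dict:
    """Domains, exfil host and signer identities as one STIX 2.1 bundle."""
    objs = [stix_indicator(f"[domain-name:value = '{d}']",
                           f"MuddyWater Stage 1 callback domain {d}",
                           ["muddywater", "c2"]) for d in C2_DOMAINS]
    objs += [stix_indicator(f"[ipv4-addr:value = '{ip}']",
                            f"MuddyWater Rclone/Wasabi exfiltration host {ip}",
                            ["muddywater", "exfiltration"]) for ip in EXFIL_IPS]
    # The signer identity outlives any one hash, so it is matched in the
    # certificate subject rather than pinned to a file hash.
    objs += [stix_indicator(f"[x509-certificate:subject MATCHES '{s}']",
                            f"MuddyWater code-signing identity {s}",
                            ["muddywater", "code-signing"]) for s in SIGNERS]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objs}


def suricata_dns_rules() -> list:
    """One alert per callback domain, matched on the DNS query name so it
    fires on the Stage 1 lookup regardless of which Cloudflare IP answers."""
    rules = []
    for i, d in enumerate(C2_DOMAINS):
        rules.append(
            f'alert dns $HOME_NET any -> any any (msg:"MuddyWater C2 lookup {d}"; '
            f'dns.query; content:"{d}"; nocase; endswith; '
            f'classtype:trojan-activity; sid:{SID_BASE + i}; rev:1;)')
    return rules


def unbound_sinkhole() -> list:
    """Unbound local-zone lines answering NXDOMAIN for each domain and its subdomains."""
    return [f'local-zone: "{d}" always_nxdomain' for d in C2_DOMAINS]


if __name__ == "__main__":
    print(json.dumps(build_bundle(), indent=2))
    print("\n".join(suricata_dns_rules()))
    print("\n".join(unbound_sinkhole()))
```

The DNS-layer artefacts (the `dns.query` rule and the Unbound zone) are the ones that survive the IP rotation described earlier in the post; the `ipv4-addr` indicator for the exfiltration host is still worth carrying, but on its own it only catches the last stage.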
The receipt is in the corpus. It has been in the corpus since March. It will be in the corpus when the next MuddyWater toolchain renames Fakeset to whatever comes after.
— Patrick Duggan, DugganUSA LLC, Minneapolis