Iranian APT Seedworm Targets Global Organizations via Microsoft Teams
Essential information
- Published: 17/04/2026 14:19
- Modified: 20/04/2026 11:22
- Tags: 2026-04-17, deno runtime, dindoor, dindoor backdoor, dinodance, in-memory execution, iran apt, microsoft teams, muddywater infrastructure, seedworm, social engineering
- Related entities: 28 observables, 1 intrusion sets (apt), 19 techniques (mitre), 2 malware, 3 others
Description
In late February 2026, following escalating Middle East tensions and coordinated military actions, the Iranian APT group Seedworm launched sophisticated social engineering attacks via Microsoft Teams. The attackers impersonated IT support personnel, using deceptive Microsoft 365 tenant domains to convince victims to execute malicious MSI installers. The campaign deployed a custom backdoor called Dindoor, which leveraged the legitimate Deno runtime to execute obfuscated payloads in memory, minimizing detection. The operation included multiple components for persistence, command-and-control communications, and data exfiltration. Its infrastructure overlapped with previously reported MuddyWater operations. The attack demonstrates the group's evolution toward using collaboration platforms as initial access vectors while combining dual-use tooling with living-off-the-land techniques to bypass traditional security controls.