MalwareUsed by 3 actors

Fakeset

FakeSet is a Python-based backdoor/downloader associated with the Iranian threat actor MuddyWater, also known as Seedworm, which multiple sources in the content link to Iran’s Ministry of Intelligence and Security (MOIS). It was observed in intrusions beginning in February 2026 and was found on the networks of a U.S. airport, a U.S. non-profit, and in broader reporting tied to compromises affecting a U.S. bank, defense-adjacent software company, and NGOs in the U.S. and Canada. The malware is described both as a Python backdoor and as a downloader used in recent infection chains to deliver CastleLoader. Reporting states that FakeSet samples were signed with code-signing certificates issued to “Amy Cherne” and “Donald Gay,” with the Donald Gay certificate previously linked to other Seedworm-associated malware such as Stagecomp/Darkcomp. FakeSet was reportedly downloaded from Backblaze-hosted infrastructure, including gitempire.s3.us-east-005.backblazeb2.com and elvenforest.s3.us-east-005.backblazeb2.com. Across the cited reporting, FakeSet is characterized as part of MuddyWater’s persistence tooling, designed to remain hidden and preserve long-term footholds in victim environments. High-confidence victim sectors mentioned in the content include banking, aviation/transportation, nonprofits/NGOs, and defense supply chain or defense-adjacent organizations. Related activity in the same campaigns included attempted data exfiltration using Rclone to Wasabi cloud storage and deployment alongside the Deno-based backdoor Dindoor.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

MuddyWater

Fakeset [требует верификации] - Python-бэкдор. Предположительно подписан сертификатами «Amy Cherne» и «Donald Gay».

via codebycodeby.net

Temp Zagros

The group deployed two malware, a newly discovered backdoor called Dindoor and a Python-based tool called Fakeset, across multiple victim environments.

via fieldeffect blogfieldeffect.com

Temp Zagros

The group deployed two malware, a newly discovered backdoor called Dindoor and a Python-based tool called Fakeset, across multiple victim environments.

via fieldeffect blogfieldeffect.com

MITRE ATT&CK

Techniques & procedures

12 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique

T1588.003Code Signing CertificatesEvidence1

Researchers said the malware was signed using a certificate issued to “Amy Cherne.”... The Donald Gay certificate has previously been linked to malware associated with the Seedworm threat.

Initial Access

2 techniques

T1133External Remote ServicesEvidence1

“MuddyWater… had already planted backdoors inside a U.S. bank, airport, defense-adjacent software company, and NGOs… new implant named Dindoor… and… Python-based backdoor called Fakeset.”

T1566PhishingEvidence1

“MuddyWater has previously used spear-phishing, malicious documents, and custom backdoors to gain footholds inside targeted networks.”

Execution

2 techniques

T1059Command and Scripting InterpreterEvidence6

MuddyWater... had already planted backdoors inside a U.S. bank, airport, defense-adjacent software company, and NGOs... with a new implant named Dindoor... alongside a second Python-based backdoor called Fakeset.

T1059.006PythonEvidence2

Execution Command and Scripting Interpreter: Python T1059.006 Python dropper executes downloaded code via exec()

Persistence

2 techniques

T1133External Remote ServicesEvidence1

“MuddyWater… had already planted backdoors inside a U.S. bank, airport, defense-adjacent software company, and NGOs… new implant named Dindoor… and… Python-based backdoor called Fakeset.”

T1547Boot or Logon Autostart ExecutionEvidence1

Investigators found that the group deployed undocumented malware to establish persistent footholds inside victim environments.

Privilege Escalation

1 technique

T1547Boot or Logon Autostart ExecutionEvidence1

Investigators found that the group deployed undocumented malware to establish persistent footholds inside victim environments.

Defense Impairment

1 technique

T1553.002Code SigningEvidence4

This backdoor was signed with a certificate issued to “Amy Cherne”.

Collection

1 technique

T1074Data StagedEvidence1

The malware was signed with certificates issued to “Amy Cherne” and “Donald Gay.”... Fakeset was downloaded from infrastructure hosted on Backblaze cloud storage.

Command and Control

2 techniques

T1102Web ServiceEvidence1

“The malware was hosted on Backblaze servers…”

T1105Ingress Tool TransferEvidence8

Another malware family linked to MuddyWater is a downloader called FakeSet, which the security researchers say was used in recent infections to deliver CastleLoader.

Exfiltration

2 techniques

T1041Exfiltration Over C2 ChannelEvidence2

Seedworm , a sub-cluster of MuddyWater , established persistent backdoor access on banking, airport, defense, and NGO networks as early as February 2026, using legitimate cloud storage on Backblaze and Wasabi for delivery and Rclone for exfiltration.

T1567.002Exfiltration to Cloud StorageEvidence1

MuddyWater and others compromised U.S.-Israeli-Canadian organizations through Deno-based Dindoor, Python-based Fakeset, and payload delivery and data exfiltration attempts using legitimate cloud storage.

INDICATORS OF COMPROMISE

IOCs tracked for this family

29 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app

Network

8 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes

20 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other

1 tracked

Other indicator types observed in public reporting.

TypeValueLatest sighting

domain●●●●●●●●●●●●View more in app2 months ago

hash.sha256●●●●●●●●●●●●View more in app3 months ago

ip.v4●●●●●●●●●●●●View more in app3 months ago

domain●●●●●●●●●●●●View more in app3 months ago

ACTIVITY FEED

Recent activity

25 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

25 SOURCESView more in app

codebyNews

Jun 1, 2026

APT42 и Seedworm: credential harvesting без малвари

A purported Python backdoor linked in public reporting to Seedworm, reportedly delivered from Backblaze servers and used alongside Rclone-based exfiltration to Wasabi cloud storage.

security affairsNews

May 6, 2026

Iranian cyber espionage disguised as a Chaos Ransomware attack

A Python backdoor observed on U.S. airport and nonprofit networks; certificate overlap and hosting artifacts linked it to Seedworm.

socradar blogNews

Apr 17, 2026

Iran War Cyber Threat Outlook: Conflict Phases and What Comes Next

A Python-based implant/backdoor used by MuddyWater for pre-positioning access inside victim networks.

ahnlab asec blogNews

Apr 16, 2026

March 2026 Threat Trend Report on APT Groups - ASEC

A Python-based malware/tool used in compromises, associated with payload delivery and data exfiltration activity.

+21 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching29

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution3

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping12

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.