Pulse Detail — Threat Intelligence

PULSE NAME

Threat Intelligence Report: MANGO SANDSTORM Dindoor / Fakeset Campaign

WHITE MuddyWater PetrP.73 2026-03-24 Modified: 2026-03-24

IOCs

HIGH VOLUME

In February 2026, the Iranian cyber espionage group MuddyWater, also known as Mango Sandstorm, executed a targeted intrusion campaign against select organizations in the U.S., Israel, and Canada. The campaign, revealed in March 2026, employed two primary malware tools: Dindoor, a backdoor utilizing the Deno runtime, and Fakeset, a Python-based implant. This operation was marked by the use of legitimate tools and cloud services to ensure persistent access and facilitate data exfiltration, aligning closely with Iranian state interests, notably the Ministry of Intelligence and Security (MOIS).

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1059.006 T1059.007 T1090 T1102 T1105 T1553.002 T1567.002

MALWARE FAMILIES

MuddyViper Dindoor MuddyWater

Indicators of Compromise (74)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 domain

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	2115e69f71d9f51a6c6c2effdaee2df2	MD5 of 3df9dcc45d2a3b1f639e40d47eceeafb229f6d9e7f0adcd8f1731af1563ffb90	2026-03-24
FileHash-MD5	29953b2e46aeaf0157d487c13c4a0643	MD5 of 077ab28d66abdafad9f5411e18d26e87fe43da1410ee8fe846bd721ab0cb52de	2026-03-24
FileHash-MD5	3962bfa78c7acd8d85b3700e99ae8d24	MD5 of 7467f326677a4a2c8576e71a832e297e794ea00e9b67c4fcbe78b5aec697cec4	2026-03-24
FileHash-MD5	41c19fc6c8a8687988f28fc487048bf3	MD5 of 1d984d4b2b508b56a77c9a567fb7a50c858e672d56e8cf7677a1fca5c98c95d1	2026-03-24
FileHash-MD5	439c0a0a46627bd166e08436f383ad56	MD5 of 24857fe82f454719cd18bcbe19b0cfa5387bee1022008b7f5f3a8be9f05e4d14	2026-03-24
FileHash-MD5	4860758863fd040a8c809ce53cb7fb37	MD5 of 94f05495eb1b2ebe592481e01d3900615040aa02bd1807b705a50e45d7c53444	2026-03-24
FileHash-MD5	56a4b425aba37ef886bdfbd8343a1bd5	MD5 of 4aef998e3b3f6ca21c78ed71732c9d2bdcc8a4e0284f51d7462c79d446fbc7be	2026-03-24
FileHash-MD5	591aae15106147bdb5bc7b26049b943f	MD5 of ddceade244c636435f2444cd4c4d3dc161981f3af1f622c03442747ecef50888	2026-03-24
FileHash-MD5	5c057af2f358fc10107d5ccdb39938ad	MD5 of 2a09bbb3d1ddb729ea7591f197b5955453aa3769c6fb98a5ef60c6e4b7df23a5	2026-03-24
FileHash-MD5	64e4b0ffd8bed9307eb50b541b1d8fdb	MD5 of 2a00705cfd3c15cf8913e9eb4e23968efd06f1feceaef9987d26c5518887d043	2026-03-24
FileHash-MD5	6d1d4e938ed1e46210375308ef3bcb08	MD5 of 42a5db2a020155b2adb77c00cbe6c6ad27c2285d8c6114679d9d34137e870b3f	2026-03-24
FileHash-MD5	7236f1a51da141e422d553e36ef6c9d0	MD5 of b0af82de672d81f3c2f153977923b3884a8a9e7045b182c2379b19a1996931a0	2026-03-24
FileHash-MD5	76c59282e44a461105dc5739a6ba7c33	MD5 of 64cf334716f15da1db7981fad6c81a640d94aa1d65391ef879f4b7b6edf6e7f1	2026-03-24
FileHash-MD5	7a4119e116ecdefe0a1017110e250e61	MD5 of a4bd1371fe644d7e6898045cc8e7b5e1562bdfd0e4871d46034e29a22dec6377	2026-03-24
FileHash-MD5	7f3c8a7fe78d3d05b6022df3ea0c15fb	MD5 of a92d28f1d32e3a9ab7c3691f8bfca8f7586bb0666adbba47eab3e1a8faf7ecc0	2026-03-24
FileHash-MD5	838c8fd4ae7e3c4972adc8800db44929	MD5 of 64263640a6fdeb2388bca2e9094a17065308cf8dcb0032454c0a71d9b78327eb	2026-03-24
FileHash-MD5	8d8aa0be8f82d22deab96f96d9af34b8	MD5 of 0f9cf1cf8d641562053ce533aaa413754db88e60404cab6bbaa11f2b2491d542	2026-03-24
FileHash-MD5	c0a52cd5dd35bf9d5d08c7eb12cfa422	MD5 of c7cf1575336e78946f4fe4b0e7416b6ebe6813a1a040c54fb6ad82e72673478e	2026-03-24
FileHash-MD5	c23fc7b74370d590223d962727e67907	MD5 of 7c30c16e7a311dc0cdb1cdfd9ea6e502f44c027328dbe7d960b9bcd85ccf5eef	2026-03-24
FileHash-MD5	ca37e31d651bbd5bbddef3ea716b8b4f	MD5 of bd8203ab88983bc081545ff325f39e9c5cd5eb6a99d04ae2a6cf862535c9829a	2026-03-24
FileHash-MD5	e2bcc41ddea5cf9d759380701d14f258	MD5 of 74db1f653da6de134bdc526412a517a30b6856de9c3e5d0c742cb5fe9959ad0d	2026-03-24
FileHash-MD5	e6fafcb72f2f315692218182ba84e0ef	MD5 of 2b7d8a519f44d3105e9fde2770c75efb933994c658855dca7d48c8b4897f81e6	2026-03-24
FileHash-MD5	f8560b9a893eeb2130fc7159e9c1b851	MD5 of 1319d474d19eb386841732c728acf0c5fe64aa135101c6ceee1bd0369ecf97b6	2026-03-24
FileHash-SHA1	0ba2306ec15f7124fafc7615e81f34c7986ba9a5	SHA1 of a92d28f1d32e3a9ab7c3691f8bfca8f7586bb0666adbba47eab3e1a8faf7ecc0	2026-03-24
FileHash-SHA1	2b781b3a352db44db67ad56e8477e6a1016b2597	SHA1 of 64263640a6fdeb2388bca2e9094a17065308cf8dcb0032454c0a71d9b78327eb	2026-03-24
FileHash-SHA1	2e1cc87d974aa7f07a8911c631a191dc00535b36	SHA1 of 7c30c16e7a311dc0cdb1cdfd9ea6e502f44c027328dbe7d960b9bcd85ccf5eef	2026-03-24
FileHash-SHA1	3ab3fee4daac90bb7bee470b5b2de8ee0d6bec8b	SHA1 of 4aef998e3b3f6ca21c78ed71732c9d2bdcc8a4e0284f51d7462c79d446fbc7be	2026-03-24
FileHash-SHA1	3de597e3237d5c7e7cc66ecb58b9ea2af149afa1	SHA1 of 1d984d4b2b508b56a77c9a567fb7a50c858e672d56e8cf7677a1fca5c98c95d1	2026-03-24
FileHash-SHA1	3f441a009a907af55bd6d52b0f0f06b601c961dd	SHA1 of b0af82de672d81f3c2f153977923b3884a8a9e7045b182c2379b19a1996931a0	2026-03-24
FileHash-SHA1	42111d2ebcd42fa1fa7069560401db736c483776	SHA1 of 0f9cf1cf8d641562053ce533aaa413754db88e60404cab6bbaa11f2b2491d542	2026-03-24
FileHash-SHA1	429efcf0370b53cc3c455b634dc066b1d08b568d	SHA1 of 077ab28d66abdafad9f5411e18d26e87fe43da1410ee8fe846bd721ab0cb52de	2026-03-24
FileHash-SHA1	4a54b7237dc9fdd745d0d19083a1ce4857c91de4	SHA1 of 1319d474d19eb386841732c728acf0c5fe64aa135101c6ceee1bd0369ecf97b6	2026-03-24
FileHash-SHA1	4ebfa2d967ce7983790b77a3987cb1c5d1b868f2	SHA1 of 42a5db2a020155b2adb77c00cbe6c6ad27c2285d8c6114679d9d34137e870b3f	2026-03-24
FileHash-SHA1	559052799a52d1b29ac7e87935e9a0c80df5fb16	SHA1 of 3df9dcc45d2a3b1f639e40d47eceeafb229f6d9e7f0adcd8f1731af1563ffb90	2026-03-24
FileHash-SHA1	58af8d0e3e77f8d16a5a42fc173ebccb5ecb1cd0	SHA1 of 2a00705cfd3c15cf8913e9eb4e23968efd06f1feceaef9987d26c5518887d043	2026-03-24
FileHash-SHA1	5e9d1be3cc70d617cba3953cc901e304951ea8cb	SHA1 of 7467f326677a4a2c8576e71a832e297e794ea00e9b67c4fcbe78b5aec697cec4	2026-03-24
FileHash-SHA1	6b186f2881729a977beb6aecb61ac0fe83c5777d	SHA1 of c7cf1575336e78946f4fe4b0e7416b6ebe6813a1a040c54fb6ad82e72673478e	2026-03-24
FileHash-SHA1	7a8963d123918ca86727649492cd1ff4e020cb72	SHA1 of 64cf334716f15da1db7981fad6c81a640d94aa1d65391ef879f4b7b6edf6e7f1	2026-03-24
FileHash-SHA1	9c5cc25e80df75f91873bf31a6269e7bdab7c6d2	SHA1 of 2b7d8a519f44d3105e9fde2770c75efb933994c658855dca7d48c8b4897f81e6	2026-03-24
FileHash-SHA1	a42b4914b0c8dc47a3a5f8114d0fcbef02d84e0a	SHA1 of 74db1f653da6de134bdc526412a517a30b6856de9c3e5d0c742cb5fe9959ad0d	2026-03-24
FileHash-SHA1	be3c8f93e9d7f42ec1133ab36f555b104b23fe1b	SHA1 of a4bd1371fe644d7e6898045cc8e7b5e1562bdfd0e4871d46034e29a22dec6377	2026-03-24
FileHash-SHA1	c16099c29ccdb34764e4d15b1dab2d141d159950	SHA1 of 24857fe82f454719cd18bcbe19b0cfa5387bee1022008b7f5f3a8be9f05e4d14	2026-03-24
FileHash-SHA1	cecf87d582b4df4323eaef04c9a648d43325043a	SHA1 of ddceade244c636435f2444cd4c4d3dc161981f3af1f622c03442747ecef50888	2026-03-24
FileHash-SHA1	de9707a8505683930fccf5536e311242425d420a	SHA1 of bd8203ab88983bc081545ff325f39e9c5cd5eb6a99d04ae2a6cf862535c9829a	2026-03-24
FileHash-SHA1	e2e8516b4f275e8c636620b7377ee3b9f9f47bb0	SHA1 of 2a09bbb3d1ddb729ea7591f197b5955453aa3769c6fb98a5ef60c6e4b7df23a5	2026-03-24
FileHash-SHA1	fa49d1fd5a938b3de0840759db62867e6382cea1	SHA1 of 94f05495eb1b2ebe592481e01d3900615040aa02bd1807b705a50e45d7c53444	2026-03-24
FileHash-SHA256	077ab28d66abdafad9f5411e18d26e87fe43da1410ee8fe846bd721ab0cb52de	—	2026-03-24
FileHash-SHA256	0f9cf1cf8d641562053ce533aaa413754db88e60404cab6bbaa11f2b2491d542	—	2026-03-24
FileHash-SHA256	1319d474d19eb386841732c728acf0c5fe64aa135101c6ceee1bd0369ecf97b6	—	2026-03-24
FileHash-SHA256	15061036c702ad92b56b35e42cf5dc334597e7311e98d2fdd3815a69ac3b1d84	—	2026-03-24
FileHash-SHA256	1d984d4b2b508b56a77c9a567fb7a50c858e672d56e8cf7677a1fca5c98c95d1	—	2026-03-24
FileHash-SHA256	24857fe82f454719cd18bcbe19b0cfa5387bee1022008b7f5f3a8be9f05e4d14	—	2026-03-24
FileHash-SHA256	2a00705cfd3c15cf8913e9eb4e23968efd06f1feceaef9987d26c5518887d043	—	2026-03-24
FileHash-SHA256	2a09bbb3d1ddb729ea7591f197b5955453aa3769c6fb98a5ef60c6e4b7df23a5	—	2026-03-24
FileHash-SHA256	2b7d8a519f44d3105e9fde2770c75efb933994c658855dca7d48c8b4897f81e6	—	2026-03-24
FileHash-SHA256	3df9dcc45d2a3b1f639e40d47eceeafb229f6d9e7f0adcd8f1731af1563ffb90	—	2026-03-24
FileHash-SHA256	42a5db2a020155b2adb77c00cbe6c6ad27c2285d8c6114679d9d34137e870b3f	—	2026-03-24
FileHash-SHA256	4aef998e3b3f6ca21c78ed71732c9d2bdcc8a4e0284f51d7462c79d446fbc7be	—	2026-03-24
FileHash-SHA256	64263640a6fdeb2388bca2e9094a17065308cf8dcb0032454c0a71d9b78327eb	—	2026-03-24
FileHash-SHA256	64cf334716f15da1db7981fad6c81a640d94aa1d65391ef879f4b7b6edf6e7f1	—	2026-03-24
FileHash-SHA256	7467f326677a4a2c8576e71a832e297e794ea00e9b67c4fcbe78b5aec697cec4	—	2026-03-24
FileHash-SHA256	74db1f653da6de134bdc526412a517a30b6856de9c3e5d0c742cb5fe9959ad0d	—	2026-03-24
FileHash-SHA256	7c30c16e7a311dc0cdb1cdfd9ea6e502f44c027328dbe7d960b9bcd85ccf5eef	—	2026-03-24
FileHash-SHA256	94f05495eb1b2ebe592481e01d3900615040aa02bd1807b705a50e45d7c53444	—	2026-03-24
FileHash-SHA256	a4bd1371fe644d7e6898045cc8e7b5e1562bdfd0e4871d46034e29a22dec6377	—	2026-03-24
FileHash-SHA256	a5d4d6be3bfe0cba23fe6b44984b5fc9c7c7e10030be96120bb30da0f2545d4c	—	2026-03-24
FileHash-SHA256	a92d28f1d32e3a9ab7c3691f8bfca8f7586bb0666adbba47eab3e1a8faf7ecc0	—	2026-03-24
FileHash-SHA256	b0af82de672d81f3c2f153977923b3884a8a9e7045b182c2379b19a1996931a0	—	2026-03-24
FileHash-SHA256	bd8203ab88983bc081545ff325f39e9c5cd5eb6a99d04ae2a6cf862535c9829a	—	2026-03-24
FileHash-SHA256	c7cf1575336e78946f4fe4b0e7416b6ebe6813a1a040c54fb6ad82e72673478e	—	2026-03-24
FileHash-SHA256	ddceade244c636435f2444cd4c4d3dc161981f3af1f622c03442747ecef50888	—	2026-03-24
domain	moonzonet.com	—	2026-03-24
domain	serialmenot.com	—	2026-03-24
domain	uppdatefile.com	—	2026-03-24

References (1)

↗ https://krypt3ia.wordpress.com/2026/03/20/threat-intelligence-report-mango-sandstorm-indoor-fakeset-activity/