A different approach to analyzing and simplifying threat intelligence

Threats Feed

We are excited to announce that the preliminary editions of Threats Feed and Actors Insights are now accessible to the public. Our efforts are focused on incorporating additional practical features and beneficial resources with the intention of nurturing an informed community. Stay connected for further updates.

  1. MuddyWater APT's Evolving Tactics: From Macros to RMM Tool Abuse

    MuddyWater APT has conducted sustained cyberespionage campaigns across the Middle East and globally, targeting telecommunications, education, insurance, IT services, and diplomatic sectors. Affected countries include Iraq, Jordan, Egypt, Israel, Malaysia, Oman, and Turkmenistan. The threat actor’s tactics have evolved significantly, shifting from traditional spear-phishing with macro-enabled Microsoft Word documents to deploying malicious HTML files and encrypted archives. Notably, the group increasingly abuses legitimate Remote Monitoring and Management (RMM) tools, such as Syncro and Atera, as initial access vectors. By distributing properly signed installer files disguised as official communications, MuddyWater successfully evades security detection, establishing persistent, stealthy footholds for long-term intelligence collection without relying on custom malware.

  2. Operation Olalampo: MuddyWater Deploys AI-Assisted Malware in MENA Region Attacks

    Operation Olalampo is a new cyber campaign by the Iranian threat group MuddyWater, targeting organizations primarily across the MENA region. Aligning with ongoing geopolitical tensions, the attacks focus on energy and marine services, system integrators, and specific individuals of interest. The adversary gains initial access by exploiting vulnerabilities on public-facing servers and distributing macro-enabled phishing documents. This campaign introduces four novel malware variants: GhostFetch, HTTP_VIP, GhostBackDoor, and a Rust-based backdoor named CHAR. Notably, CHAR leverages a Telegram bot for command-and-control and exhibits evidence of AI-assisted development. Post-exploitation activities include local reconnaissance, credential theft, and the deployment of legitimate tools like AnyDesk. Infrastructure analysis also reveals overlap with MuddyWater’s historical operations from late 2025.

  3. SloppyMIO: AI-Assisted Malware Campaign Exploits Iran's Dey 1404 Unrest

    The RedKitten campaign, observed in early 2026, targets Iranian interests, specifically NGOs and individuals documenting human rights abuses during the "Dey 1404" protests. Researchers assess the actor as Iranian state-aligned and identified "SloppyMIO," a modular .NET implant likely developed with AI assistance. The attack chain uses spear-phishing with "shock lures" concerning execution lists to deliver malware via AppDomainManager injection. The threat actor leverages legitimate infrastructure, using GitHub as a dead drop resolver for steganographic configuration, Google Drive for payload hosting, and Telegram for command and control. This campaign highlights the growing use of LLMs in rapid malware development and the exploitation of civil unrest for targeted surveillance in Iran.

  4. APT42 Deploys Modular TAMECAT Backdoor Targeting Defense and Government Sectors

    APT42 utilizes TAMECAT, a modular PowerShell-based backdoor, to target high-value senior defense and government officials. Israel’s National Digital Agency reports that the group employs social engineering to gain initial access. The infection chain begins with a VBScript that profiles antivirus software via WMI to determine whether to deploy PowerShell or Command Shell downloaders. TAMECAT features sophisticated capabilities, including screen capture, Chrome data collection, and Microsoft Edge remote debugging. It leverages legitimate services like Telegram and Discord for Command and Control (C2). Data is encrypted via AES and exfiltrated to domains such as glitch[.]me, demonstrating APT42's focus on stealth and persistent espionage operations.
