Threats Feed
Unmasking Iranian Cyber Operations: Threat Actors Target Global Critical Infrastructure
Amid escalating geopolitical tensions, Iranian state-aligned and hacktivist threat groups, including MuddyWater, VoidManticore, APT42, APT35, and Infy, are actively pre-positioning infrastructure for cyber operations. By tracking ASN patterns, TLS fingerprints, and hosting clusters, defenders can follow this infrastructure before it is put to use. The groups deploy a mix of custom backdoors and publicly available malware, and place their C2 servers behind Cloudflare so that the true hosting origin is hidden. Campaigns rely on spear-phishing, compromised government mailboxes, and modular scripts to target the energy, financial, government, defense, and critical infrastructure sectors. Geographically, operations concentrate on the U.S., Israel, and the MENA region (Oman and the UAE in particular), alongside Iranian dissidents and defense personnel worldwide.
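The infrastructure-tracking approach named above (ASN patterns, TLS fingerprints, hosting clusters, and the blind spot that Cloudflare fronting creates) as an added Python example. This is not code from the feed or from any of the cited reports; every address, ASN, fingerprint and certificate hash is a constructed placeholder, and the field names and the noisy-fingerprint list are assumptions for illustration.

```python
"""Infrastructure pivoting on the attributes named above: group observed hosts
by hosting ASN and TLS server fingerprint, set aside hosts behind Cloudflare
(whose ASN says nothing about the real origin), and pivot on a reused leaf
certificate to tie fronted and unfronted hosts together.

All observations below are constructed placeholders (RFC 5737 addresses,
RFC 5398 documentation ASNs, made-up fingerprints); none is a real indicator.
"""
from collections import defaultdict
from dataclasses import dataclass

CLOUDFLARE_ASN = 13335  # Cloudflare's network: an edge IP here fronts an unseen origin

# Server fingerprints shared by common benign stacks; clustering on them is noise.
# Constructed value for this example.
NOISY_FINGERPRINTS = {"ja3s:benign-stack-0000"}


@dataclass(frozen=True)
class Observation:
    ip: str
    asn: int
    tls_fp: str       # server-side TLS fingerprint, e.g. a JA3S or JARM hash
    cert_sha256: str  # SHA-256 of the leaf certificate presented


def cluster_hosts(observations, min_size=2):
    """Return {(asn, tls_fp): [ips]} for groups of at least min_size hosts.

    Cloudflare-fronted hosts are skipped (the ASN is Cloudflare's, not the
    operator's) and so are hosts with a known-noisy fingerprint.
    """
    groups = defaultdict(set)
    for o in observations:
        if o.asn == CLOUDFLARE_ASN or o.tls_fp in NOISY_FINGERPRINTS:
            continue
        groups[(o.asn, o.tls_fp)].add(o.ip)
    return {key: sorted(ips) for key, ips in groups.items() if len(ips) >= min_size}


def fronted_hosts(observations):
    """Hosts behind Cloudflare, with the certificate to track them by instead."""
    return sorted((o.ip, o.cert_sha256) for o in observations if o.asn == CLOUDFLARE_ASN)


def cert_pivot(observations, cert_sha256):
    """Every host presenting the same leaf certificate, fronted or not."""
    return sorted(o.ip for o in observations if o.cert_sha256 == cert_sha256)


# Constructed sample: three hosts on one ASN share a fingerprint (a cluster),
# one of them shares its certificate with a Cloudflare-fronted host, one host
# is a singleton, and two hosts only share a noisy benign fingerprint.
SAMPLE = [
    Observation("203.0.113.10", 64496, "ja3s:aaaa1111", "cert-A"),
    Observation("203.0.113.11", 64496, "ja3s:aaaa1111", "cert-B"),
    Observation("198.51.100.7", 64496, "ja3s:aaaa1111", "cert-A"),
    Observation("198.51.100.20", 64497, "ja3s:bbbb2222", "cert-C"),
    Observation("192.0.2.50", CLOUDFLARE_ASN, "ja3s:cloudflare-edge", "cert-A"),
    Observation("192.0.2.60", 64498, "ja3s:benign-stack-0000", "cert-D"),
    Observation("192.0.2.61", 64498, "ja3s:benign-stack-0000", "cert-E"),
]

if __name__ == "__main__":
    for key, ips in cluster_hosts(SAMPLE).items():
        print("cluster", key, ips)
    print("fronted", fronted_hosts(SAMPLE))
    print("cert-A pivot", cert_pivot(SAMPLE, "cert-A"))
```

The point of the three functions is that each attribute fails in a different way: the ASN is useless for anything behind Cloudflare, the TLS fingerprint is useless when it matches a stock server build, and only the certificate survives both, which is why the fronted host in the sample is recovered through `cert_pivot` rather than through the ASN cluster. In practice the observations come from passive DNS, scan data and TLS telemetry rather than a literal list, and the noisy-fingerprint set has to be built from your own baseline.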
MuddyWater Adopts Rust-Based RustyWater Implant in Middle East Espionage Campaign
CloudSEK identified a spearphishing campaign attributed to the MuddyWater APT group targeting the diplomatic, maritime, financial, telecom, education, and shipping sectors across the Middle East and Central Asia, including the UAE, Turkmenistan, and regional maritime organizations. The operation uses emails impersonating government and telecom senders to deliver malicious Word documents embedding obfuscated VBA macros. The macros drop and execute a Rust-based implant dubbed RustyWater, which provides asynchronous HTTP C2, registry persistence, anti-analysis features, and modular post-compromise capabilities. The shift from PowerShell and VBS loaders to a Rust RAT marks a significant evolution in MuddyWater's tooling toward stealthier, long-term espionage operations.
MuddyWater Targets Israeli Organizations with Custom BlackBeard Backdoor
The Iranian threat group MuddyWater recently launched highly targeted phishing campaigns against Israeli organizations, using compromised corporate email accounts to distribute malicious macro-enabled Word documents. The attacks rely on localized social engineering: tailored Hebrew content, legitimate branding, and lookalike domains. Upon execution, the campaign deploys "BlackBeard," a custom Rust-based backdoor capable of EDR evasion, system reconnaissance, and downloading additional payloads over encrypted HTTPS channels. Persistence is achieved through file association hijacking. The threat actors then use the newly compromised accounts for internal spearphishing, enabling rapid lateral movement. The campaign shows MuddyWater's continued espionage focus on Israel and its willingness to adapt both tooling and tradecraft.
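Both the RustyWater and the BlackBeard campaigns above arrive as macro-enabled Word documents, so one gateway-side check covers both. The following Python is an added example, not code from CloudSEK, the feed, or any vendor: it builds two constructed OOXML packages in memory (no real document or macro content) and triages them by looking for the VBA project part that a macro-enabled file carries.

```python
"""Gateway triage for the macro-laden Word lures described above.

An OOXML document is a zip archive; a VBA project lives in the part
word/vbaProject.bin, and a macro-enabled file declares the content type
application/vnd.ms-word.document.macroEnabled.main+xml. The check below opens
the archive, looks for the VBA part, and treats a .docx (an extension that
promises no macros) carrying one as the strongest signal.

The documents are constructed in memory for this example: they contain the
part names a real file has, but no real document or macro content.
"""
import io
import zipfile

VBA_PART = "word/vbaProject.bin"
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = (
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
)


def build_document(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package with just the parts the check reads."""
    ctype = MACRO_CONTENT_TYPE if with_macro else PLAIN_CONTENT_TYPE
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(
            "[Content_Types].xml",
            f'<Types><Override PartName="/word/document.xml" ContentType="{ctype}"/></Types>',
        )
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project.
            z.writestr(VBA_PART, b"placeholder, not a real VBA project")
    return buf.getvalue()


def triage(filename: str, data: bytes) -> dict:
    """Classify one attachment. Returns the evidence found and a verdict."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            ctypes = (
                z.read("[Content_Types].xml").decode("utf-8", "replace")
                if "[Content_Types].xml" in names
                else ""
            )
    except zipfile.BadZipFile:
        # Not OOXML: a legacy binary .doc (OLE2) needs an OLE parser instead.
        return {"file": filename, "ooxml": False, "has_vba": False, "verdict": "not-ooxml"}

    has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
    declares_macro = MACRO_CONTENT_TYPE in ctypes
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

    if has_vba and ext == "docx":
        verdict = "block: VBA project inside a .docx"
    elif has_vba or declares_macro:
        verdict = "quarantine: macro-enabled document"
    else:
        verdict = "allow"
    return {"file": filename, "ooxml": True, "has_vba": has_vba,
            "declares_macro": declares_macro, "verdict": verdict}


if __name__ == "__main__":
    for name, doc in [
        ("invoice.docm", build_document(True)),
        ("invoice.docx", build_document(True)),
        ("notes.docx", build_document(False)),
        ("legacy.doc", b"\xd0\xcf\x11\xe0 not a zip"),
    ]:
        print(triage(name, doc))
```

Two caveats a practitioner would want: the extension comes from the sender and proves nothing, which is why the decision is made on the archive contents rather than the name; and the "not-ooxml" branch is not an allow, because the legacy OLE2 .doc format stores macros differently and has to go through an OLE-aware tool (olevba from oletools is the usual choice) before a verdict is given.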
MuddyWater Deploys New Toolset in Targeted Attacks on Israel and Egypt
ESET researchers uncovered a new MuddyWater campaign targeting organizations in Israel and a single organization in Egypt, primarily within the telecommunications, government, oil and energy, and manufacturing sectors. The Iran-aligned group deployed a suite of newly developed tools, including the Fooder reflective loader and MuddyViper, a C/C++ backdoor capable of credential theft, system reconnaissance, and file operations. Additional stealers such as CE-Notes, LP-Notes, and Blub, along with customized go-socks5 reverse tunnels, supported persistence and defense evasion. The campaign also showed operational overlap with Lyceum, suggesting that MuddyWater acted as an initial access broker for that group. Activity ran from September 30, 2024 to March 18, 2025.