Threats Feed
- Public
HTTP_VIP Malware Profile: System Reconnaissance and RMM Payload Delivery
HTTP_VIP is a downloader malware attributed to the Iranian state-aligned threat actor MuddyWater. Analyzed during the early-2026 campaign dubbed "Operation Olalampo," this tool functions primarily to establish a foothold on compromised systems. It executes system reconnaissance while employing virtualization and sandbox evasion techniques to bypass defensive analysis. Following successful execution, HTTP_VIP connects to its command and control infrastructure to retrieve secondary payloads. Notably, the threat actors utilize this downloader to deploy legitimate remote monitoring and management (RMM) software, specifically AnyDesk. The deployment of AnyDesk facilitates persistent remote access and control over the victim environments, blending malicious activity with standard administrative tools.
Boggy Serpens Evolves Tactics: Hijacked Accounts and AI-Enhanced Malware Targeting Critical Infrastructure
Iranian state-sponsored actor Boggy Serpens has escalated cyberespionage campaigns against energy, maritime, finance, aviation, and diplomatic sectors across the Middle East, Europe, Asia, and South America, notably targeting Israel, the UAE, and Turkmenistan. By hijacking trusted corporate and government email accounts, the group bypasses perimeter defenses to deliver highly tailored spear-phishing lures. Recent operations reveal a strategic shift toward stealth and long-term persistence. The group has modernized its toolkit using AI-assisted development, deploying sophisticated custom implants like the Rust-based BlackBeard backdoor, UDPGangster, Nuso, and LampoRAT. To evade detection, Boggy Serpens utilizes evasive C2 mechanisms, including Telegram API abuse, customized UDP traffic, and HTTP status code triggers, cementing its status as a highly adaptable and formidable threat.
Iranian MOIS Actors Weaponize Cybercrime Ecosystems for State Operations
Iranian Ministry of Intelligence and Security (MOIS)-linked threat actors, such as Void Manticore and MuddyWater, are actively integrating cybercriminal tools and affiliate networks into their state-sponsored operations. Moving beyond merely using cybercrime as a cover for deniability, these groups are leveraging commercial infostealers like Rhadamanthys, malware-as-a-service networks like CastleLoader, and the Qilin ransomware-as-a-service (RaaS) to enhance their operational reach and obfuscate attribution. Recent campaigns have targeted government and private sectors, including telecommunications, defense, energy, and medical facilities, across the Middle East, Israel, Albania, and the United States. Notably, these operations have utilized ransomware branding to execute destructive and extortion attacks against Israeli hospitals, fulfilling strategic state objectives through the criminal ecosystem.
MuddyWater APT Intrusion Analysis: SSH Tunnels and Malicious FMAPP DLLs
Huntress researchers have detailed a complete attack chain attributed to the Iranian-linked APT MuddyWater, targeting an Israeli company. The intrusion began with initial access via an RDP login, followed by extensive interactive network and Active Directory reconnaissance. The threat actor demonstrated hands-on-keyboard activity, evidenced by typographical errors during command execution. To establish persistent access and bypass network controls, the attackers utilized the native Windows OpenSSH client to create reverse SSH tunnels. Subsequently, they deployed a malicious payload via DLL side-loading, leveraging the legitimate Fortemedia application (FMAPP.exe) to execute a malicious DLL (FMAPP.dll) for command-and-control communications.
Iranian APT Seedworm Targets U.S., Israel, and Canada with Novel Backdoors
The Iranian APT group Seedworm has targeted multiple organizations across the U.S., Canada, and Israel since February 2026. Leveraging custom malware, the threat actors compromised networks within the financial, aviation, software, defense, and non-profit sectors. Attackers deployed a novel JavaScript/TypeScript backdoor named Dindoor, alongside a Python-based backdoor called Fakeset. To evade detection, the group signed their payloads with digital certificates issued to "Amy Cherne" and "Donald Gay." Additionally, the attackers utilized legitimate cloud services, including Backblaze for staging and Rclone for attempted data exfiltration to Wasabi buckets. Given Seedworm’s affiliation with the Iranian Ministry of Intelligence and Security, these intrusions pose a significant espionage threat amidst current geopolitical conflicts.
Unmasking Iranian Cyber Operations: Threat Actors Target Global Critical Infrastructure
Amid escalating geopolitical tensions, Iranian state-aligned and hacktivist threat groups, including MuddyWater, VoidManticore, APT42, APT35, and Infy, are actively pre-positioning infrastructure for cyber operations. By analyzing ASN patterns, TLS fingerprints, and hosting clusters, defenders can proactively track these adversaries. The groups deploy a mix of custom backdoors, public malware, and Cloudflare-fronted C2 servers to obscure their origins. Campaigns utilize spear-phishing, compromised government mailboxes, and modular scripts to target energy, financial, government, defense, and critical infrastructure sectors. Geographically, these operations focus heavily on the U.S., Israel, the MENA region, Oman, and the UAE, alongside targeting Iranian dissidents and global defense personnel.
MuddyWater APT's Evolving Tactics: From Macros to RMM Tool Abuse
MuddyWater APT has conducted sustained cyberespionage campaigns across the Middle East and globally, targeting telecommunications, education, insurance, IT services, and diplomatic sectors. Affected countries include Iraq, Jordan, Egypt, Israel, Malaysia, Oman, and Turkmenistan. The threat actor’s tactics have evolved significantly, shifting from traditional spear-phishing with macro-enabled Microsoft Word documents to deploying malicious HTML files and encrypted archives. Notably, the group increasingly abuses legitimate Remote Monitoring and Management (RMM) tools, such as Syncro and Atera, as initial access vectors. By distributing properly signed installer files disguised as official communications, MuddyWater successfully evades security detection, establishing persistent, stealthy footholds for long-term intelligence collection without relying on custom malware.
Operation Olalampo: MuddyWater Deploys AI-Assisted Malware in MENA Region Attacks
Operation Olalampo is a new cyber campaign by the Iranian threat group MuddyWater, targeting organizations primarily across the MENA region. Aligning with ongoing geopolitical tensions, the attacks focus on energy and marine services, system integrators, and specific individuals of interest. The adversary gains initial access by exploiting vulnerabilities on public-facing servers and distributing macro-enabled phishing documents. This campaign introduces four novel malware variants: GhostFetch, HTTP_VIP, GhostBackDoor, and a Rust-based backdoor named CHAR. Notably, CHAR leverages a Telegram bot for command-and-control and exhibits evidence of AI-assisted development. Post-exploitation activities include local reconnaissance, credential theft, and the deployment of legitimate tools like AnyDesk. Infrastructure analysis also reveals overlap with MuddyWater’s historical operations from late 2025.
RustyStealer’s Evolution: Tracking MuddyWater’s Rust Implant from Experimentation to Stealth
The report analyzes the evolution of RustyStealer (also referenced as RustyWater or Archer RAT), a Rust-based post-compromise implant observed in MuddyWater-attributed activity. By correlating build artefacts, compiler metadata, dependency drift, TLSH similarity, and API-level changes, the analysis reconstructs a development timeline from early baseline builds to a more mature v2.0 architecture. Rather than linear feature growth, the samples reveal experimentation, rollback, and consolidation. A short-lived asynchronous I/O refactor was abandoned in favor of improved stability, while later versions emphasize stealth through native NT API usage, runtime string obfuscation, and restored host fingerprinting.
MuddyWater Malware Exposes Developer Build Artifacts Through Poor OPSEC
The report analyzes a newly observed MuddyWater malware sample that exposes extensive build and development artifacts due to improper binary stripping. Delivered via a malicious Word document containing VBA macros, the payload reconstructs and executes a Rust-based executable on disk. Analysis of leftover strings reveals detailed insights into the actor’s development environment, including a Windows-based build host, MSVC Rust toolchain, local Cargo usage, and a recurring username embedded in build paths. These artifacts indicate locally compiled tooling with minimal release hardening and weak OPSEC. The findings highlight how developer mistakes can provide durable fingerprints for clustering, campaign tracking, and long-term threat hunting, beyond traditional infrastructure indicators.
MuddyWater Adopts Rust-Based RustyWater Implant in Middle East Espionage Campaign
CloudSEK identified a spearphishing campaign attributed to the MuddyWater APT group targeting diplomatic, maritime, financial, telecom, education, and shipping sectors across the Middle East, including Turkmenistan, the UAE, and regional maritime organizations. The operation uses impersonated government and telecom emails to deliver malicious Word documents embedding obfuscated VBA macros. These macros drop and execute a Rust-based implant dubbed RustyWater, which provides asynchronous HTTP C2, registry persistence, anti-analysis features, and modular post-compromise capabilities. The shift from PowerShell and VBS loaders to a Rust RAT marks a significant evolution in MuddyWater’s tooling toward stealthier, long-term espionage operations.
UNG0801 Operation IconCat Targets Israeli Organizations via AV Icon Spoofing
SEQRITE Labs tracked a threat cluster dubbed UNG0801 (Operation IconCat) targeting organizations in Israel during November 2025. The actor relied on Hebrew-language spear-phishing and heavy antivirus icon spoofing, abusing branding from Check Point and SentinelOne to appear legitimate. Two infection chains were identified. The first delivered a PyInstaller-packed Python implant (PYTRIC) masquerading as a security scanner and capable of destructive, wiper-like actions. The second used malicious Word macros to drop a Rust implant (RUSTRIC) focused on system discovery, antivirus enumeration, and command-and-control. Targets included IT and managed service providers, human resources and staffing firms, and software and technology companies.
MuddyWater Deploys UDPGangster Backdoor in Regional Espionage Campaigns
UDPGangster is a UDP-based backdoor used in recent MuddyWater cyber espionage campaigns targeting Turkey, Israel, and Azerbaijan. The attacks rely on phishing emails delivering malicious macro-enabled Word documents that decode and execute the payload. Once installed, the malware establishes persistence, performs extensive anti-analysis and sandbox evasion checks, and communicates with its C2 over non-standard UDP channels to execute commands, exfiltrate files, and deploy additional payloads. Related samples and shared infrastructure, including overlap with the Phoenix backdoor, confirm MuddyWater attribution across these regionally focused intrusions.
MuddyWater Targets Israeli Organizations with Custom BlackBeard Backdoor
The Iranian threat group MuddyWater recently launched highly targeted phishing campaigns against Israeli organizations, utilizing compromised corporate email accounts to distribute malicious macro-enabled Word documents. The attacks rely on localized social engineering, featuring tailored Hebrew content, legitimate branding, and lookalike domains. Upon execution, the campaign deploys "BlackBeard," a custom Rust-based backdoor capable of EDR evasion, system reconnaissance, and downloading additional payloads via encrypted HTTPS channels. Persistence is achieved through stealthy file association hijacking. The threat actors then leverage the newly compromised accounts to conduct internal spearphishing, enabling rapid lateral movement. This campaign demonstrates MuddyWater's persistent cyber espionage efforts and sophisticated tactical adaptations.