Threats Feed

A phishing campaign impersonating Avast targeted Israeli individuals and businesses—likely in the real estate and commercial sectors—through fraudulent antivirus receipts containing malware download links. The attack used multiple URL redirections and GitHub for payload delivery, culminating in the stealthy installation of the legitimate remote access tool ScreenConnect. Once installed, the malware achieved persistence via Windows services, modified authentication packages to access credentials, and established encrypted command and control connections. Evidence suggests similarities with tactics used by the MuddyWater APT group, though attribution remains inconclusive. The campaign’s infrastructure and system language checks confirm its Israeli focus.

A phishing campaign impersonating Avast targeted Israeli individuals and businesses—likely in the real estate and commercial sectors—through fraudulent antivirus receipts containing malware download links. The attack used multiple URL redirections and GitHub for payload delivery, culminating in the stealthy installation of the legitimate remote access tool ScreenConnect. Once installed, the malware achieved persistence via Windows services, modified authentication packages to access credentials, and established encrypted command and control connections. Evidence suggests similarities with tactics used by the MuddyWater APT group, though attribution remains inconclusive. The campaign’s infrastructure and system language checks confirm its Israeli focus.

A phishing campaign impersonating Avast targeted Israeli individuals and businesses—likely in the real estate and commercial sectors—through fraudulent antivirus receipts containing malware download links. The attack used multiple URL redirections and GitHub for payload delivery, culminating in the stealthy installation of the legitimate remote access tool ScreenConnect. Once installed, the malware achieved persistence via Windows services, modified authentication packages to access credentials, and established encrypted command and control connections. Evidence suggests similarities with tactics used by the MuddyWater APT group, though attribution remains inconclusive. The campaign’s infrastructure and system language checks confirm its Israeli focus.

The MuddyWater APT group has been observed using malicious macro-enabled Microsoft Word documents to compromise targets. Upon opening these documents and enabling macros, a VBScript backdoor is deployed, establishing communication with attacker-controlled command and control (C2) servers via HTTP. The VBScript backdoor receives and executes remote commands and sends results back to the C2 servers. Identified infrastructure includes domains and IP addresses employing HTTPS over port 443 for covert communication, aiding in firewall evasion.

Sophos MDR has identified a targeted phishing campaign, with moderate confidence attributed to the Iranian-linked threat actor group MuddyWater (TA450), which targeted organisations in Israel. The campaign involved phishing emails that tricked users into downloading a ZIP file containing an installer for the legitimate remote management tool Atera. After gaining access, the threat actors misused Atera, using a trial account believed to be compromised, to install the Atera Agent and run a PowerShell script for credential dumping and creating a backup of the SYSTEM registry hive, which Sophos behavioural rules detected and blocked. Post-compromise activities included domain enumeration commands, establishing an SSH tunnel to a remote IP address, and downloading another remote management tool, Level RMM, via an obfuscated PowerShell command. This campaign's tactics align with previously reported activity by TA450 and highlights the tactic of abusing legitimate software for malicious purposes.

A recent phishing campaign has targeted Armenian individuals through a benign Word document containing a link that directs users to a fake CAPTCHA page. Victims who follow the prompts inadvertently activate a "PasteJacking" technique, where malicious PowerShell code is silently copied and executed in the system's Run box. This script installs PDQ RMM, a legitimate remote management tool, granting attackers remote access without relying on traditional malware. Indicators point to possible attribution to MuddyWater, based on specific social engineering tactics, PowerShell usage, and open-source adaptations, although a definitive link remains unconfirmed. The incident underscores the use of targeted social engineering attacks against Armenian-speaking users, with potential geopolitical implications.

MuddyWater has ramped up cyber activities targeting Israel, Saudi Arabia, Turkey, Azerbaijan, India, and Portugal amid the Israel-Hamas war. Their campaigns utilize phishing emails from compromised accounts, deploying RMM tools like Atera Agent and the new BugSleep backdoor. BugSleep, under continuous development, executes commands and transfers files to C&C servers. The group targets various sectors, including Israeli municipalities, airlines, and journalists. They exploit platforms like Egnyte for phishing and use techniques such as sandbox evasion and process injection. Over 50 spear phishing emails have targeted multiple sectors since February 2024.

The MuddyWater group has updated its tactics in targeting entities in Turkey, Azerbaijan, Jordan, Saudi Arabia, and Israel. The group shifted from using the Atera RMM tool to deploying a new implant called MuddyRot. Recent campaigns involved spear phishing with PDF-embedded links, leading to malware downloads. MuddyRot features reverse shell capabilities, dynamic API loading, and obfuscated communication over port 443. It establishes persistence via scheduled tasks and exploits public-facing applications for initial access. This campaign primarily targets sectors involving Western and Middle Eastern entities.

In March 2024, the National Cyber Directorate of Israel detected a sophisticated phishing campaign attributed to the Iranian group MuddyWater. This campaign, primarily targeting government and local government sectors in Israel, employs phishing emails with links to malicious ZIP files hosted on Onehub. These files contain the ScreenConnect tool, which enables remote control over compromised computers, allowing for sustained network access. MuddyWater is known for its expertise in social engineering and exploiting vulnerabilities, actively targeting sectors like aviation, academia, communications, government, and energy. Their focus is on maintaining a stealthy presence to facilitate further malicious activities.

A phishing malware campaign targeting Albanian governmental entities was discovered, involving an archived file named "kurs trajnimi.zip." The malware uses "ScreenConnectWindowsClient.exe" for command-and-control (C2) operations, exploiting CVE-2023-36778, a Microsoft Exchange Server vulnerability. Static analysis revealed techniques for screen capture, anti-analysis, and system discovery. The malicious program requires Administrator or SuperUser privileges to execute, indicating an intent to evade detection and exploit higher-level system resources.

Deep Instinct's research team has uncovered a new Command and Control (C2) framework named PhonyC2, which is believed to be linked to the threat group MuddyWater. The PhonyC2 framework was found on a server connected to infrastructure previously used by MuddyWater in various cyberattacks, including the assault on Technion in Israel. This discovery suggests PhonyC2 is MuddyWater's latest tool for orchestrating cyber espionage and it's used in an active PaperCut exploitation. The code analysis revealed structural and functional similarities to MuddyWater's previous C2 frameworks (MuddyC3), reinforcing the attribution.

MuddyWater, an Iranian state-sponsored APT linked to the Ministry of Intelligence and Security (MOIS), focuses on cyber espionage and IP theft, occasionally using ransomware to disguise its activities. Active since 2017, the group primarily targets the Middle East, including Turkey, Israel, the UAE and Pakistan, with attacks extending to Europe, Asia, Africa and North America. Its targets span the government, defence, healthcare, energy, financial services, and education sectors. Using spear phishing, DNS tunneling and tools such as SimpleHelp, PowerShell and PowGoop, MuddyWater employs credential dumping, lateral movement and persistent remote access. Recent campaigns include phishing attacks against Turkish agencies and Israeli companies.

MuddyWater, an Iranian state-sponsored APT linked to the Ministry of Intelligence and Security (MOIS), focuses on cyber espionage and IP theft, occasionally using ransomware to disguise its activities. Active since 2017, the group primarily targets the Middle East, including Turkey, Israel, the UAE and Pakistan, with attacks extending to Europe, Asia, Africa and North America. Its targets span the government, defence, healthcare, energy, financial services, and education sectors. Using spear phishing, DNS tunneling and tools such as SimpleHelp, PowerShell and PowGoop, MuddyWater employs credential dumping, lateral movement and persistent remote access. Recent campaigns include phishing attacks against Turkish agencies and Israeli companies.

MuddyWater, an Iranian state-sponsored APT linked to the Ministry of Intelligence and Security (MOIS), focuses on cyber espionage and IP theft, occasionally using ransomware to disguise its activities. Active since 2017, the group primarily targets the Middle East, including Turkey, Israel, the UAE and Pakistan, with attacks extending to Europe, Asia, Africa and North America. Its targets span the government, defence, healthcare, energy, financial services, and education sectors. Using spear phishing, DNS tunneling and tools such as SimpleHelp, PowerShell and PowGoop, MuddyWater employs credential dumping, lateral movement and persistent remote access. Recent campaigns include phishing attacks against Turkish agencies and Israeli companies.

The MuddyWater group has launched a campaign targeting countries including Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and the UAE. The group has employed the remote administration tool "Syncro" and used spear-phishing techniques, leveraging Dropbox and OneDrive to deliver the malicious Syncro MSI installer. The threat actors also utilized legitimate corporate email accounts to distribute their phishing emails. The sectors notably targeted include the data hosting, hospitality, and insurance sectors.

The MuddyWater threat group has been conducting a long-term infection campaign targeting Middle East countries since the last quarter of 2020. The campaign utilizes a malicious Word document containing VBA macros wrapped in a compressed file to compromise victims' systems. The VBA macros drop a concise VBS script, which functions as a small RAT, allowing the execution of commands via cmd and communication with a C2 server using HTTP GET and POST requests. The targeted countries include Pakistan, Kazakhstan, Armenia, Syria, Israel, Bahrain, Turkey, South Africa, Sudan, and others in the Middle East region.

The Iranian government-sponsored APT group, MuddyWater, has been conducting cyber operations against government and private sector organizations across Asia, Africa, Europe, and North America. The targeted sectors include telecommunications, defense, local government, oil and natural gas. MuddyWater's campaigns involve the exploitation of public vulnerabilities, usage of open-source tools, spear-phishing, and the deployment of multiple types of malware such as PowGoop, Small Sieve, Canopy/Starwhale, Mori, and POWERSTATS. The group has been active since 2018 and is known for maintaining persistence on victim networks and obfuscating PowerShell scripts to hide C2 functions.

The MuddyWater threat group continues to evolve its tactics and techniques. The group exploits publicly available offensive security tools and has been refining its custom toolset to avoid detection. It utilizes the PowGoop malware family, tunneling tools, and targets Exchange servers in high-profile organizations, particularly governmental entities and telecommunication companies in the Middle East. The group has also been observed exploiting CVE-2020-0688 and using Ruler for its malicious activities.

The MuddyWater threat group, through an intrusion set named Earth Vetala, targeted various organizations in Azerbaijan, Bahrain, Israel, Saudi Arabia, and the United Arab Emirates. The group used spear-phishing emails to distribute malicious packages, predominantly aiming at Government Agencies, Academia, and the Tourism sector. MuddyWater deployed post-exploitation tools to dump passwords and establish a persistent presence within targeted systems. They used multiple C&C servers to execute obfuscated PowerShell scripts and were persistent in attempting multiple techniques to establish connectivity despite repeated failures.

In September 2020, the Iranian threat actor MuddyWater launched "Operation Quicksand," as reported by the ClearSky cybersecurity company. This operation targeted Israeli organizations and others across the Middle East and North Africa, aiming to deploy a destructive variant of Thanos ransomware through "PowGoop," a malicious loader disguised as a Google update DLL. By employing spear-phishing, exploiting vulnerabilities, and using sophisticated malware delivery mechanisms, the campaign focused on destructive attacks rather than financial gain, marking a significant shift in MuddyWater's operational intent from espionage to more aggressive tactics.

The Iranian APT group MuddyWater has expanded its tactics, targeting government, telecommunications and military sectors in countries such as Tajikistan, Pakistan and Iraq. New campaigns include decoy documents exploiting CVE-2017-0199 and malicious VBA macros, with second-stage payloads downloaded from compromised servers. Primary targets have impersonated entities in the region surrounding Iran, including Iraqi and Pakistani organisations. The group also uses RATs for process detection, using obfuscation techniques such as Base64 encoding and JavaScript layers. Compromised servers in Pakistan and China facilitated these operations, demonstrating MuddyWater's sophisticated arsenal and focus on espionage.

The Iranian APT group MuddyWater has expanded its tactics, targeting government, telecommunications and military sectors in countries such as Tajikistan, Pakistan and Iraq. New campaigns include decoy documents exploiting CVE-2017-0199 and malicious VBA macros, with second-stage payloads downloaded from compromised servers. Primary targets have impersonated entities in the region surrounding Iran, including Iraqi and Pakistani organisations. The group also uses RATs for process detection, using obfuscation techniques such as Base64 encoding and JavaScript layers. Compromised servers in Pakistan and China facilitated these operations, demonstrating MuddyWater's sophisticated arsenal and focus on espionage.

The Iranian APT group, MuddyWater, targeted Kurdish political groups and Turkish defense sector organizations using emails with malicious Word documents. The documents contained embedded Macros that used PowerShell to execute various commands and modify registry values for persistence. The Macro also used obfuscation techniques, encoding data within image files and a document. The attackers tested their malicious documents against various anti-virus engines, uploading files from Germany and Iraq. This campaign signifies an evolution in MuddyWater's attack methods, with malware extraction now performed locally rather than via a C2 server.