Latest Update: 10/04/2026

Threats Feed

  1. Public

    MuddyWater Targets Israeli Organizations with Custom BlackBeard Backdoor

    The Iranian threat group MuddyWater recently launched highly targeted phishing campaigns against Israeli organizations, utilizing compromised corporate email accounts to distribute malicious macro-enabled Word documents. The attacks rely on localized social engineering, featuring tailored Hebrew content, legitimate branding, and lookalike domains. Upon execution, the campaign deploys "BlackBeard," a custom Rust-based backdoor capable of EDR evasion, system reconnaissance, and downloading additional payloads via encrypted HTTPS channels. Persistence is achieved through stealthy file association hijacking. The threat actors then leverage the newly compromised accounts to conduct internal spearphishing, enabling rapid lateral movement. This campaign demonstrates MuddyWater's persistent cyber espionage efforts and sophisticated tactical adaptations.

  2. Public

    MuddyWater Deploys New Toolset in Targeted Attacks on Israel and Egypt

    ESET researchers uncovered a new MuddyWater campaign targeting organizations in Israel and one in Egypt, primarily within the telecommunications, government, oil and energy, and manufacturing sectors. The Iran-aligned group deployed a suite of newly developed tools, including the Fooder reflective loader and MuddyViper, a C/C++ backdoor capable of credential theft, system reconnaissance, and file operations. Additional stealers such as CE-Notes, LP-Notes, and Blub, along with customized go-socks5 reverse tunnels, enhanced persistence and defense evasion. The campaign also revealed operational overlap with Lyceum, indicating MuddyWater’s role as an initial access broker. Activity ran from September 30, 2024 to March 18, 2025.

  3. Public

    Iranian APTs Link Cyber Reconnaissance to Real-World Missile Strikes

    Amazon’s threat intelligence team has identified a growing trend in which nation-state actors integrate cyber operations directly into kinetic warfare. The research highlights Imperial Kitten and MuddyWater, two Iranian-linked groups that used cyber intrusions to support physical attacks. Imperial Kitten compromised AIS maritime systems and CCTV feeds to track vessels later targeted by Houthi missile strikes. MuddyWater accessed live CCTV streams in Jerusalem, providing real-time intelligence ahead of Iran’s June 2025 missile attacks. These cases show a shift toward cyber-enabled kinetic targeting, where digital reconnaissance directly informs physical military objectives, reshaping modern conflict across the Middle East’s maritime and urban environments.

  4. Public

    MuddyWater Unveils New Espionage Toolkit in Global Phishing Campaign

    Group-IB uncovered a global phishing campaign by the Iran-linked APT MuddyWater, targeting international and humanitarian organizations across the Middle East, Europe, Africa, and North America. The group used a compromised mailbox accessed via NordVPN to send phishing emails with malicious Word documents containing VBA macros that deployed the Phoenix backdoor v4 through the FakeUpdate injector. The malware achieved persistence via Winlogon registry keys and COM hijacking, while a custom browser credential stealer and RMM tools (PDQ, Action1) facilitated remote access and credential harvesting. The campaign reflects MuddyWater’s evolving espionage capabilities and its integration of custom and legitimate tools for stealthy operations.

  5. Public

    MuddyWater Targets CFOs Worldwide with Multi-Stage Phishing and NetBird Abuse

    APT MuddyWater has launched a multi-stage spear-phishing campaign targeting CFOs and finance executives across Europe, North America, South America, Africa, and Asia. Disguised as recruiters from Rothschild & Co, the attackers use Firebase-hosted phishing pages with CAPTCHA lures and malicious ZIP/VBS payloads to deploy legitimate remote-access tools like NetBird and OpenSSH for persistent control. The infection chain creates hidden admin accounts, enables RDP, and automates persistence via scheduled tasks. Infrastructure analysis reveals overlaps with earlier MuddyWater operations, confirming attribution and highlighting the group’s evolving phishing toolkit and adaptive use of trusted cloud services for global financial espionage.

  6. Public

    MuddyWater Deploys New Android Spyware Amid Israel-Iran Conflict

    Iranian APT group MuddyWater deployed new versions of its Android surveillanceware DCHSpy amid the Israel-Iran conflict, targeting individuals via politically themed lures such as fake Starlink VPN apps. Distributed through Telegram and disguised as legitimate VPN or banking apps, DCHSpy harvests sensitive data including WhatsApp messages, SMS, call logs, contacts, device location, and audio. The malware compresses and encrypts exfiltrated data before uploading it to an attacker-controlled SFTP server. DCHSpy shares infrastructure with SandStrike, a tool previously used to target Baháʼí practitioners. Sectors targeted include telecommunications, defense, local government, and oil and gas across the Middle East, Asia, Africa, Europe, and North America.

  7. Public

    Global Financial Executives Hit by Multi-Stage Phishing Operation

    A sophisticated spear-phishing campaign targeted CFOs and finance executives in the banking, energy, insurance, and investment sectors across the UK, Canada, South Africa, Norway, South Korea, Singapore, Switzerland, France, Egypt, Saudi Arabia, and Brazil. Disguised as a Rothschild & Co recruiter, the attackers used Firebase-hosted phishing pages protected by custom CAPTCHAs to deliver multi-stage payloads. Victims who executed the malicious VBS scripts unknowingly installed NetBird and OpenSSH, granting the attackers persistent, encrypted remote access through hidden admin accounts and RDP activation. Trellix researchers identified infrastructure overlaps with previous nation-state campaigns but withheld attribution.

  8. Public

    Avast-Themed Phishing Campaign Targets Israeli Businesses with ScreenConnect RAT

    A phishing campaign impersonating Avast targeted Israeli individuals and businesses—likely in the real estate and commercial sectors—through fraudulent antivirus receipts containing malware download links. The attack used multiple URL redirections and GitHub for payload delivery, culminating in the stealthy installation of the legitimate remote access tool ScreenConnect. Once installed, the malware achieved persistence via Windows services, modified authentication packages to access credentials, and established encrypted command and control connections. Evidence suggests similarities with tactics used by the MuddyWater APT group, though attribution remains inconclusive. The campaign’s infrastructure and system language checks confirm its Israeli focus.

  9. Public

    MuddyWater Deploys Macro-Enabled Documents to Deliver VBScript Backdoor

    The MuddyWater APT group has been observed using malicious macro-enabled Microsoft Word documents to compromise targets. When a recipient opens one of these documents and enables macros, a VBScript backdoor is deployed that establishes communication with attacker-controlled command and control (C2) servers via HTTP. The VBScript backdoor receives and executes remote commands and sends the results back to the C2 servers. Identified infrastructure includes domains and IP addresses employing HTTPS over port 443 for covert communication, aiding in firewall evasion.

  10. Public

    MuddyWater Expands Custom Tooling and Phishing Operations Targeting Israel in 2024

    In 2024, the Iranian-linked threat group MuddyWater significantly advanced its operational capabilities, conducting large-scale spear-phishing and broad phishing campaigns worldwide with a strong focus on Israel and the Middle East. The group abused legitimate file-sharing platforms and remote management tools to gain initial access, while increasingly deploying custom-developed malware such as BugSleep, Blackout, AnchorRat, CannonRat, and BlackPearl. Operations leveraged persistence mechanisms including COM hijacking, DLL side-loading, registry modifications, and Windows services. MuddyWater relied on encrypted HTTP, DNS, and SOCKS5-based C2 channels, targeting aviation, healthcare, telecommunications, IT, and small and medium-sized businesses for long-term intelligence collection.

  11. Public

    MuddyWater Campaign Targets Israeli Organizations with RMM Tool Misuse

    Sophos MDR has identified a targeted phishing campaign, attributed with moderate confidence to the Iranian-linked threat actor group MuddyWater (TA450), which targeted organisations in Israel. The campaign involved phishing emails that tricked users into downloading a ZIP file containing an installer for the legitimate remote management tool Atera. After gaining access, the threat actors misused Atera, using a trial account believed to be compromised, to install the Atera Agent and run a PowerShell script for credential dumping and creating a backup of the SYSTEM registry hive, which Sophos behavioural rules detected and blocked. Post-compromise activities included domain enumeration commands, establishing an SSH tunnel to a remote IP address, and downloading another remote management tool, Level RMM, via an obfuscated PowerShell command. This campaign's tactics align with previously reported TA450 activity and highlight the abuse of legitimate software for malicious purposes.

  12. Public

    Phishing Attack in Armenia Shows Possible MuddyWater TTPs with PowerShell Use

    A recent phishing campaign has targeted Armenian individuals through a benign Word document containing a link that directs users to a fake CAPTCHA page. Victims who follow the prompts inadvertently activate a "PasteJacking" technique, in which malicious PowerShell code is silently copied to the clipboard and executed from the system's Run box. This script installs PDQ RMM, a legitimate remote management tool, granting the attackers remote access without relying on traditional malware. Indicators point to possible attribution to MuddyWater, based on specific social engineering tactics, PowerShell usage, and open-source adaptations, although a definitive link remains unconfirmed. The incident underscores the use of targeted social engineering attacks against Armenian-speaking users, with potential geopolitical implications.

  13. Public

    MuddyWater Targets Global Sectors with Phishing and BugSleep Backdoor

    MuddyWater has ramped up cyber activities targeting Israel, Saudi Arabia, Turkey, Azerbaijan, India, and Portugal amid the Israel-Hamas war. Its campaigns utilize phishing emails from compromised accounts, deploying RMM tools like Atera Agent and the new BugSleep backdoor. BugSleep, under continuous development, executes commands and transfers files to C&C servers. The group targets various sectors, including Israeli municipalities, airlines, and journalists. It exploits platforms like Egnyte for phishing and uses techniques such as sandbox evasion and process injection. Over 50 spear phishing emails have targeted multiple sectors since February 2024.

  14. Public

    MuddyWater Shifts Tactics: New MuddyRot Malware in Spear Phishing Attacks

    The MuddyWater group has updated its tactics in targeting entities in Turkey, Azerbaijan, Jordan, Saudi Arabia, and Israel. The group shifted from using the Atera RMM tool to deploying a new implant called MuddyRot. Recent campaigns involved spear phishing with PDF-embedded links, leading to malware downloads. MuddyRot features reverse shell capabilities, dynamic API loading, and obfuscated communication over port 443. It establishes persistence via scheduled tasks, and the group exploits public-facing applications for initial access. This campaign primarily targets Western and Middle Eastern entities.

  15. Public

    Seedworm Leverages Atera Agent in Sophisticated Spear-Phishing Scheme

    Seedworm, also known as MuddyWater, is exploiting the Atera Agent, a legitimate remote monitoring and management (RMM) tool, in its spear-phishing campaigns. The group uses Atera’s 30-day free trial offers to register agents with compromised email accounts, enabling it to access targeted systems remotely without needing its own command-and-control infrastructure. Atera's capabilities include file upload/download, interactive shell access, and AI-powered command assistance through its web UI. Seedworm distributes the malicious RMM installers, hosted on free file platforms, via spear-phishing emails, though the specific targeted countries and sectors are not mentioned in the report.

  16. Public

    MuddyWater Expands Cyber Espionage Tactics Using Atera Agents Across Multiple Sectors

    The Iranian state-sponsored threat actor MuddyWater has escalated its cyberattacks using the Atera Agent, a legitimate remote monitoring and management (RMM) tool. By exploiting Atera's free trial offers, MuddyWater registered agents with compromised or purpose-created email accounts and distributed them through spearphishing campaigns. The group's advanced social engineering and operational security tactics facilitated stealthier operations. Targeted sectors include airlines, IT, telecommunications, pharmaceuticals, automotive manufacturing, logistics, travel and tourism, and employment/immigration agencies across Israel, India, Algeria, Turkey, Italy, and Egypt.

  17. Public

    MuddyWater Group Adopts New Tactics in Spear-Phishing Campaigns

    In October 2023, the MuddyWater APT group launched new campaigns targeting North and East Africa with its MuddyC2Go toolkit, shifting to Atera, ConnectWise ScreenConnect, Advanced Monitoring Tool, and MeshCentral RMM software in February 2024. These attacks, announced by the Israeli CERT and detected on social media, target specific organizations or individuals through spear-phishing emails containing malicious links or files. The group employs third-party file upload services, including onehub.com, freeupload.store, and others, for malware distribution. The attacks customize RMM software using compromised business email accounts to increase the likelihood of victim engagement. The targeted sectors include telecommunications, with a notable attack on a Turkish company, indicating a politically motivated campaign.

  18. Public

    MuddyWater's Covert Phishing Campaign Targets Israeli Government Sectors

    In March 2024, the National Cyber Directorate of Israel detected a sophisticated phishing campaign attributed to the Iranian group MuddyWater. This campaign, primarily targeting government and local government sectors in Israel, employs phishing emails with links to malicious ZIP files hosted on Onehub. These files contain the ScreenConnect tool, which enables remote control over compromised computers, allowing for sustained network access. MuddyWater is known for its expertise in social engineering and exploiting vulnerabilities, actively targeting sectors like aviation, academia, communications, government, and energy. Its focus is on maintaining a stealthy presence to facilitate further malicious activities.

  19. Public

    Phishing Campaign Targets Albanian Government with Microsoft Exchange Vulnerability

    A phishing malware campaign targeting Albanian governmental entities was discovered, involving an archived file named "kurs trajnimi.zip." The malware uses "ScreenConnectWindowsClient.exe" for command-and-control (C2) operations, exploiting CVE-2023-36778, a Microsoft Exchange Server vulnerability. Static analysis revealed techniques for screen capture, anti-analysis, and system discovery. The malicious program requires Administrator or SuperUser privileges to execute, indicating an intent to evade detection and exploit higher-level system resources.

  20. Public

    MuddyWater Upgrades: The Emergence of PhonyC2 Framework

    Deep Instinct's research team has uncovered a new Command and Control (C2) framework named PhonyC2, which is believed to be linked to the threat group MuddyWater. The PhonyC2 framework was found on a server connected to infrastructure previously used by MuddyWater in various cyberattacks, including the assault on Technion in Israel. This discovery suggests PhonyC2 is MuddyWater's latest tool for orchestrating cyber espionage, and it is being used in active PaperCut exploitation. Code analysis revealed structural and functional similarities to MuddyWater's previous C2 framework (MuddyC3), reinforcing the attribution.