An Iranian threat group known as MuddyWater launched advanced phishing and malware campaigns throughout 2024, primarily targeting Israeli entities and strategic sectors.

Who is behind the attack?

The operations are attributed to MuddyWater, a state-aligned Iranian APT group active since 2017, known for espionage and strategic intelligence gathering.

What was the goal of the attack?

The primary objective was long-term infiltration of critical sectors to gather intelligence, disrupt operations, and establish persistent access to sensitive systems.

How large was the targeting scope?

Tens of thousands of accounts across various countries were targeted, with a notable spike in Israeli victims through widespread phishing and malware delivery campaigns.

What industries or entities were targeted?

Aviation, healthcare, telecommunications, IT, and small businesses were among the top targets, indicating a focus on both critical infrastructure and broader access points.

How were the attacks carried out?

The group used targeted phishing, spoofing of known brands (like Microsoft), and sophisticated malware such as BugSleep and Blackout, often hidden in legitimate tools and cloud services.

Why are these entities attractive to attackers?

They hold sensitive personal, operational, or strategic data that can benefit state-level cyber espionage or be used to disrupt national operations.

What should organizations do to protect themselves?

Implement strong email security, monitor for unusual behavior, restrict the use of remote tools, and train employees to recognize phishing attempts.

Is this a widespread issue or a targeted campaign?

While the group conducted broad campaigns, their more effective operations were highly targeted, focusing on specific regions and sectors of strategic value.

Threats Feed|MuddyWater|Last Updated 17/12/2025|AuthorCertfa Radar|Publish Date04/02/2025

MuddyWater Expands Custom Tooling and Phishing Operations Targeting Israel in 2024

Actor Motivations: Espionage,Exfiltration
Attack Vectors: Backdoor,Downloader,Dropper,RAT,Trojan,Phishing,Spear Phishing
Attack Complexity: Medium
Threat Risk: High Impact/High Probability

Threat Overview

In 2024, the Iranian-linked threat group MuddyWater significantly advanced its operational capabilities, conducting large-scale spear-phishing and broad phishing campaigns worldwide with a strong focus on Israel and the Middle East. The group abused legitimate file-sharing platforms and remote management tools to gain initial access, while increasingly deploying custom-developed malware such as BugSleep, Blackout, AnchorRat, CannonRat, and BlackPearl. Operations leveraged persistence mechanisms including COM hijacking, DLL side-loading, registry modifications, and Windows services. MuddyWater relied on encrypted HTTP, DNS, and SOCKS5-based C2 channels, targeting aviation, healthcare, telecommunications, IT, and small and medium-sized businesses for long-term intelligence collection.

Reference and Credit: Israel National Cyber Directorate - February 2025

Technological Advancement and Evolution of MuddyWater in 2024

Detected Targets

Type	Description	Confidence
Sector	Information Technology	Verified
Sector	Aerospace	Verified
Sector	Healthcare	Verified
Sector	Telecommunication	Verified
Region	Israel	Verified
Region	Middle East Countries	Verified

FAQs

Understanding MuddyWater’s 2024 Cyber Campaign

: An Iranian threat group known as MuddyWater launched advanced phishing and malware campaigns throughout 2024, primarily targeting Israeli entities and strategic sectors.
: The operations are attributed to MuddyWater, a state-aligned Iranian APT group active since 2017, known for espionage and strategic intelligence gathering.
: The primary objective was long-term infiltration of critical sectors to gather intelligence, disrupt operations, and establish persistent access to sensitive systems.
: Tens of thousands of accounts across various countries were targeted, with a notable spike in Israeli victims through widespread phishing and malware delivery campaigns.
: Aviation, healthcare, telecommunications, IT, and small businesses were among the top targets, indicating a focus on both critical infrastructure and broader access points.
: The group used targeted phishing, spoofing of known brands (like Microsoft), and sophisticated malware such as BugSleep and Blackout, often hidden in legitimate tools and cloud services.
: They hold sensitive personal, operational, or strategic data that can benefit state-level cyber espionage or be used to disrupt national operations.
: Implement strong email security, monitor for unusual behavior, restrict the use of remote tools, and train employees to recognize phishing attempts.
: While the group conducted broad campaigns, their more effective operations were highly targeted, focusing on specific regions and sectors of strategic value.

About Affiliation

MuddyWater

Associate threats