A sophisticated malware campaign used Word documents with macros to run malicious scripts that downloaded a hidden attack payload from a seemingly harmless image on Imgur.

Who was behind the attack?

The campaign is believed to be linked to MuddyWater, a known government-backed hacking group that has previously targeted organizations in the Middle East.

What was the goal of the attack?

The attackers aimed to secretly install a remote access tool (Cobalt Strike) that allows full control of infected computers for spying, data theft, or further attacks.

How was the attack carried out?

Victims were tricked into opening Word documents. These documents executed scripts that pulled an image from Imgur. Hidden inside the image’s pixels was code that activated the attack.

Who or what was targeted?

While no specific victims were named, the methods and suspected actor suggest targets of interest were likely in the Middle East, including government or strategic sectors.

Why use sites like GitHub and Imgur?

Because they are trusted platforms, using them helps attackers hide in normal traffic and avoid raising alarms in security systems.

What should organizations or individuals do?

Avoid opening suspicious Word documents, especially those prompting to enable macros. Keep security tools updated and monitor for unusual activity like PowerShell scripts contacting external servers.

Is this a widespread threat?

It appears to be a targeted attack, but the techniques used could be replicated by others, making it a broader concern for any organization handling sensitive data.

Threats Feed|MuddyWater|Last Updated 30/05/2025|AuthorCertfa Radar|Publish Date28/12/2020

MuddyWater APT Group Linked to Steganography-Based Malware Attack

Actor Motivations: Espionage,Exfiltration
Attack Vectors: Downloader,Dropper,Malicious Macro,RAT
Attack Complexity: Medium
Threat Risk: Unknown

Threat Overview

A new malware strain, potentially linked to the MuddyWater APT group, uses Word files with macros to deploy PowerShell scripts from GitHub, which then download an image from Imgur. The image's pixel values decode a Cobalt Strike payload. This method, involving steganography, enables attackers to execute commands and establish remote control over Windows systems. The attack primarily targets Middle Eastern entities, using phishing emails to distribute malicious Word documents.

Reference and Credit: BleepingComputer - December 2020

GitHub-hosted malware calculates Cobalt Strike payload from Imgur pic

Detected Targets

Type	Description	Confidence
Region	Middle East Countries	High

Extracted IOCs

mazzion1234-44451.portmap[.]host
97b5ca432a34b919a59fe8bc8e213fc3
a9506c371418969ea5084b00db54573b
1fb678ab15f3c311d7189d4c80bc7c91bc360e49
6774f7b5e533a4158b2b2375cf06fbc95e434526
d1c7a7511bd09b53c651f8ccc43e9c36ba80265ba11164f88d6863f0832d8f81
ed93ce9f84dbea3c070b8e03b82b95eb0944c44c6444d967820a890e8218b866

download

Tip: 7 related IOCs (0 IP, 1 domain, 0 URL, 0 email, 6 file hash) to this threat have been found.

FAQs

Malware Hiding in Plain Sight: GitHub, Imgur, and Stealthy Attacks

: A sophisticated malware campaign used Word documents with macros to run malicious scripts that downloaded a hidden attack payload from a seemingly harmless image on Imgur.
: The campaign is believed to be linked to MuddyWater, a known government-backed hacking group that has previously targeted organizations in the Middle East.
: The attackers aimed to secretly install a remote access tool (Cobalt Strike) that allows full control of infected computers for spying, data theft, or further attacks.
: Victims were tricked into opening Word documents. These documents executed scripts that pulled an image from Imgur. Hidden inside the image’s pixels was code that activated the attack.
: While no specific victims were named, the methods and suspected actor suggest targets of interest were likely in the Middle East, including government or strategic sectors.
: Because they are trusted platforms, using them helps attackers hide in normal traffic and avoid raising alarms in security systems.
: Avoid opening suspicious Word documents, especially those prompting to enable macros. Keep security tools updated and monitor for unusual activity like PowerShell scripts contacting external servers.
: It appears to be a targeted attack, but the techniques used could be replicated by others, making it a broader concern for any organization handling sensitive data.

About Affiliation

MuddyWater

Associate threats