A cyber-espionage group known as MuddyWater launched a new campaign using a legitimate IT management tool, Atera Agent, to remotely access and control victims' computers.

Who is behind the attack?

The attacks were conducted by MuddyWater, an Iranian state-sponsored threat actor known for espionage-focused operations targeting global sectors.

What was the goal of the attack?

The attackers aimed to gain remote access to systems for further exploitation—potentially including espionage, data theft, or lateral movement within networks.

How were victims targeted?

Victims received convincing spearphishing emails linking to malware disguised as legitimate installers hosted on trusted platforms like Zendesk or Egnyte.

Which industries and countries were affected?

Organizations in airlines, IT, telecom, logistics, pharmaceuticals, and more were targeted across Israel, India, Turkey, Italy, Egypt, and Algeria.

How did the attack work in simple terms?

Attackers used stolen email credentials to register for Atera’s free trials and sent malware disguised as installer files. Once opened, the malware allowed attackers remote access.

Why are these targets attractive to attackers?

Sectors like telecom, government, and academia often handle sensitive information or infrastructure, making them valuable for intelligence gathering.

What should organizations do to stay protected?

Use strong passwords and two-factor authentication, monitor use of remote access tools, and block suspicious file-sharing services. Educate staff to recognize phishing emails.

Is this a widespread threat or a targeted one?

While this campaign was targeted, the techniques used—such as abuse of legitimate tools and leaked credentials—could be adapted for broader attacks in the future.

Threats Feed|MuddyWater|Last Updated 28/01/2026|AuthorCertfa Radar|Publish Date22/04/2024

MuddyWater Expands Cyber Espionage Tactics Using Atera Agents Across Multiple Sectors

Actor Motivations: Espionage,Exfiltration
Attack Vectors: Compromised Credentials,Spear Phishing,Supply Chain Compromise
Attack Complexity: Medium
Threat Risk: Low Impact/High Probability

Threat Overview

The Iranian state-sponsored threat actor MuddyWater has escalated its cyberattacks using the Atera Agent, a legitimate remote monitoring and management (RMM) tool. By exploiting Atera's free trial offers, MuddyWater registered agents with compromised or purpose-created email accounts and distributed them through spearphishing campaigns. The group's advanced social engineering and operational security tactics facilitated stealthier operations. Targeted sectors include Airlines, IT, Telecommunications, Pharmaceuticals, Automotive Manufacturing, Logistics, Travel and Tourism, and Employment/Immigration agencies across Israel, India, Algeria, Turkey, Italy, and Egypt.

Reference and Credit: HarfangLab - April 2024

MuddyWater campaign abusing Atera Agents

Detected Targets

Type	Description	Confidence
Case	Kinneret College The Kinneret Academic College on the Sea of Galilee, also known as Kinneret College and Academic Kinneret, is a college located on the southern shores of the Sea of Galilee in northern Israel. Kinneret College has been targeted by MuddyWater as the main target.	Verified
Case	Rashim Software Founded in 1988, Rahim Software LTD is the leading company in Israel in the field of software solutions for academic administration and training management. Rashim Software has been targeted by MuddyWater as the main target.	Verified
Sector	Information Technology	Verified
Sector	Logistics	Verified
Sector	Manufacturing	Verified
Sector	Pharmaceuticals	Verified
Sector	Aerospace	Verified
Sector	Tourism	Verified
Sector	Telecommunication	Verified
Region	Algeria	Verified
Region	Egypt	Verified
Region	India	Verified
Region	Israel	Verified
Region	Italy	Verified
Region	Turkey	Verified

Extracted IOCs

freeupload[.]store
09e09503962a2a8022859e72b86ad8c69dcbf79839b71897c0bf8a4c4b9f4dd6
14c270cf53a50867e42120250abca863675d37abf39d60689e58288a9e870144
165a80f6856487b3b4f41225ac60eed99c3d603f5a35febab8235757a273d1fd
2722e289767ae391e3c3773b8640a8b9f6eb24c6a9d6e541f29c8765f7a8944b
2ae6c5c2b71361f71ded4ad90bbf6ef0b0f4778caf54078c928e2017302fbe69
31591fcf677a2da2834d2cc99a00ab500918b53900318f6b19ea708eba2b38ab
326dd85d76d33f3f04cbe7eef6d10ea73f800c84bfc3ed6f3963403c981bbb6e
4b41b605ffc0e31bd9d460d5a296ac6e8cfd56a215dc131e90ec2654f0ffe31b
5d7eb6c36d261adeef1a59bde9eb965f5d8d7f56a2e607da913e782167ba6cb6
638c7a4f833dc95dbab5f0a81ef03b7d83704e30b5cdc630702475cc9fff86a2
7daab239271e088f04cae95627cc0066f48a1b178a1ff60b1140aa729126e928
7e6a5e32596b99f45ea9099a14507a82c10a460c56585499d7cd640f2625567f
85103955e35a1355ce68a92eaedd8f9376de1927d95bf12657b348dea6a8077b
900d08037d303d9b3d4a855e1a97d1f9283c28fe279e67eefe9997f856eeb439
9b49d6640f5f0f1d68f649252a96052f1d2e0822feadd7ebe3ab6a3cadd75985
bab601635aafeae5fbfe1c1f7204de17b189b345efd91c46001f6d83efbb3c5a
c2f95299d8aa912e1b753f3f0780a00ea6e8b5dab0245d77fcf3b6499677c328
c6128f222f844e699760e32695d405bd5931635ec38ae50eddc17a0976ccefb4
cc4cc20b558096855c5d492f7a79b160a809355798be2b824525c98964450492
cc8be1d525853403f6cfabcf0fc3bd0ca398ece559388102a7fc55e9f3aa9b33
d22fd0cdd6ace24e117d7330e9996a2809c2c2cb280b12f9ea43c484d2bfcfd4
dd2675e2f6835f8a8a0e65e9dbc763ca9229b55af7d212da38b949051ae296a5
e89f48a7351c01cbf2f8e31c65a67f76a5ead689bb11e9d4918090a165d4425f
ec553e14b84ccca9b84e96a9ed19188a1ba5f4bf1ca278ab88f928f0b00b9bd0
f17f6866f4748e6e762752062acdf983d3b083371db83503686b91512b9bcae3
f9c1a117de8519060a3bf189e72277e895345b8fece73fc0d750946c7f288367
fb02e97d52a00fca1580ca71ed152dd28dd5ae28ab0a9c8e7b32cebd7f1998a1
fb58c54a6d0ed24e85b213f0c487f8df05e421d7b07bd2bece3a925a855be93a
ff2ae62ba88e7068fa142bbe67d7b9398e8ae737a43cf36ace1fcf809776c909
ffbe988fd797cbb9a1eedb705cf00ebc8277cdbd9a21b6efb40a8bc22c7a43f0
hxxps://freeupload[.]store/rale7/wihituce08.msi/download

download

Tip: 32 related IOCs (0 IP, 1 domain, 1 URL, 0 email, 30 file hash) to this threat have been found.

Overlaps

MuddyWaterMuddyWater Targets Global Sectors with Phishing and BugSleep Backdoor

Source: Check Point - July 2024

Detection (three cases): 31591fcf677a2da2834d2cc99a00ab500918b53900318f6b19ea708eba2b38ab, fb58c54a6d0ed24e85b213f0c487f8df05e421d7b07bd2bece3a925a855be93a, ff2ae62ba88e7068fa142bbe67d7b9398e8ae737a43cf36ace1fcf809776c909

MuddyWaterMuddyWater Group Adopts New Tactics in Spear-Phishing Campaigns

Source: Malwation - March 2024

Detection (15 cases): hxxps://freeupload[.]store/rale7/wihituce08.msi/download, 14c270cf53a50867e42120250abca863675d37abf39d60689e58288a9e870144, 2ae6c5c2b71361f71ded4ad90bbf6ef0b0f4778caf54078c928e2017302fbe69, 638c7a4f833dc95dbab5f0a81ef03b7d83704e30b5cdc630702475cc9fff86a2, 7daab239271e088f04cae95627cc0066f48a1b178a1ff60b1140aa729126e928, c2f95299d8aa912e1b753f3f0780a00ea6e8b5dab0245d77fcf3b6499677c328, c6128f222f844e699760e32695d405bd5931635ec38ae50eddc17a0976ccefb4, cc4cc20b558096855c5d492f7a79b160a809355798be2b824525c98964450492, cc8be1d525853403f6cfabcf0fc3bd0ca398ece559388102a7fc55e9f3aa9b33, dd2675e2f6835f8a8a0e65e9dbc763ca9229b55af7d212da38b949051ae296a5, e89f48a7351c01cbf2f8e31c65a67f76a5ead689bb11e9d4918090a165d4425f, fb02e97d52a00fca1580ca71ed152dd28dd5ae28ab0a9c8e7b32cebd7f1998a1, ff2ae62ba88e7068fa142bbe67d7b9398e8ae737a43cf36ace1fcf809776c909, ffbe988fd797cbb9a1eedb705cf00ebc8277cdbd9a21b6efb40a8bc22c7a43f0, freeupload[.]store

TA450TA450 Shifts Tactics in Latest Phishing Campaign Targeting Israeli Sectors

Source: Proofpoint - March 2024

Detection (two cases): cc4cc20b558096855c5d492f7a79b160a809355798be2b824525c98964450492, e89f48a7351c01cbf2f8e31c65a67f76a5ead689bb11e9d4918090a165d4425f

MuddyWaterMuddyWater's Covert Phishing Campaign Targets Israeli Government Sectors

Source: National Cyber Array of Israel - March 2024

Detection (four cases): 4b41b605ffc0e31bd9d460d5a296ac6e8cfd56a215dc131e90ec2654f0ffe31b, 7e6a5e32596b99f45ea9099a14507a82c10a460c56585499d7cd640f2625567f, 85103955e35a1355ce68a92eaedd8f9376de1927d95bf12657b348dea6a8077b, bab601635aafeae5fbfe1c1f7204de17b189b345efd91c46001f6d83efbb3c5a

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.

FAQs

Understanding MuddyWater’s Use of Atera Agent in Cyberattacks

: A cyber-espionage group known as MuddyWater launched a new campaign using a legitimate IT management tool, Atera Agent, to remotely access and control victims' computers.
: The attacks were conducted by MuddyWater, an Iranian state-sponsored threat actor known for espionage-focused operations targeting global sectors.
: The attackers aimed to gain remote access to systems for further exploitation—potentially including espionage, data theft, or lateral movement within networks.
: Victims received convincing spearphishing emails linking to malware disguised as legitimate installers hosted on trusted platforms like Zendesk or Egnyte.
: Organizations in airlines, IT, telecom, logistics, pharmaceuticals, and more were targeted across Israel, India, Turkey, Italy, Egypt, and Algeria.
: Attackers used stolen email credentials to register for Atera’s free trials and sent malware disguised as installer files. Once opened, the malware allowed attackers remote access.
: Sectors like telecom, government, and academia often handle sensitive information or infrastructure, making them valuable for intelligence gathering.
: Use strong passwords and two-factor authentication, monitor use of remote access tools, and block suspicious file-sharing services. Educate staff to recognize phishing emails.
: While this campaign was targeted, the techniques used—such as abuse of legitimate tools and leaked credentials—could be adapted for broader attacks in the future.

About Affiliation

MuddyWater

Associate threats