A cyber-espionage group linked to Iran has launched a new campaign targeting entities in several Middle Eastern countries using a newly developed malware called MuddyRot.

Who is behind the attack?

The group responsible is MuddyWater, believed to operate under Iran’s Ministry of Intelligence (MOIS), and known for previous cyber-espionage operations.

What was the purpose of the attack?

The goal was likely intelligence gathering. The malware can steal data, give remote shell access to attackers, and establish long-term persistence on infected machines.

How was the attack carried out?

Hackers used phishing emails with PDF attachments containing links to download malware. Infected users unknowingly installed the new MuddyRot tool.

Why are these organizations being targeted?

These countries are of strategic interest to Iranian intelligence, likely due to geopolitical or economic reasons.

What can organizations do to protect themselves?

Avoid opening suspicious PDF attachments, patch internet-facing systems, and monitor network traffic and scheduled tasks for signs of compromise.

Is this a widespread threat or a targeted one?

This is a targeted campaign focused on specific regions, but the techniques used could be applied more broadly in the future.

Threats Feed|MuddyWater|Last Updated 11/04/2025|AuthorCertfa Radar|Publish Date15/07/2024

MuddyWater Shifts Tactics: New MuddyRot Malware in Spear Phishing Attacks

Actor Motivations: Espionage,Exfiltration
Attack Vectors: Vulnerability Exploitation,Downloader,Malware,Spear Phishing
Attack Complexity: Medium
Threat Risk: Unknown

Threat Overview

The MuddyWater group has updated its tactics in targeting entities in Turkey, Azerbaijan, Jordan, Saudi Arabia, and Israel. The group shifted from using the Atera RMM tool to deploying a new implant called MuddyRot. Recent campaigns involved spear phishing with PDF-embedded links, leading to malware downloads. MuddyRot features reverse shell capabilities, dynamic API loading, and obfuscated communication over port 443. It establishes persistence via scheduled tasks and exploits public-facing applications for initial access. This campaign primarily targets sectors involving Western and Middle Eastern entities.

Reference and Credit: Sekoia - July 2024

MuddyWater replaces Atera by custom MuddyRot implant in a recent campaign

Detected Targets

Type	Description	Confidence
Sector	Government Agencies and Services	Medium
Region	Azerbaijan	High
Region	Israel	High
Region	Jordan	High
Region	Saudi Arabia	High
Region	Turkey	High

Extracted IOCs

73c677dd3b264e7eb80e26e78ac9df1dba30915b5ce3b1bc1c83db52b9c6b30e
94278fa01900fdbfb58d2e373895c045c69c01915edc5349cd6f3e5b7130c472
960d4c9e79e751be6cad470e4f8e1d3a2b11f76f47597df8619ae41c96ba5809
b8703744744555ad841f922995cef5dbca11da22565195d05529f5f9095fbfca
146[.]19.143.14
91[.]235.234.202

download

Tip: 6 related IOCs (2 IP, 0 domain, 0 URL, 0 email, 4 file hash) to this threat have been found.

FAQs

MuddyWater’s New Malware Campaign Explained

: A cyber-espionage group linked to Iran has launched a new campaign targeting entities in several Middle Eastern countries using a newly developed malware called MuddyRot.
: The group responsible is MuddyWater, believed to operate under Iran’s Ministry of Intelligence (MOIS), and known for previous cyber-espionage operations.
: The goal was likely intelligence gathering. The malware can steal data, give remote shell access to attackers, and establish long-term persistence on infected machines.
: Suspected targets include organizations in Turkey, Azerbaijan, Jordan, Saudi Arabia, and Israel, although other countries may also be affected.
: Hackers used phishing emails with PDF attachments containing links to download malware. Infected users unknowingly installed the new MuddyRot tool.
: These countries are of strategic interest to Iranian intelligence, likely due to geopolitical or economic reasons.
: Avoid opening suspicious PDF attachments, patch internet-facing systems, and monitor network traffic and scheduled tasks for signs of compromise.
: This is a targeted campaign focused on specific regions, but the techniques used could be applied more broadly in the future.

About Affiliation

MuddyWater

Associate threats