Threats Feed | Boggy Serpens | Last Updated: 06/04/2026 | Author: Certfa Radar | Publish Date: 16/03/2026

Boggy Serpens Evolves Tactics: Hijacked Accounts and AI-Enhanced Malware Targeting Critical Infrastructure

  • Actor Motivations: Espionage, Exfiltration, Sabotage
  • Attack Vectors: Compromised Credentials, Backdoor, Dropper, Malicious Macro, Malware, Ransomware, RAT, Spear Phishing
  • Attack Complexity: Medium
  • Threat Risk: High Impact / High Probability

Threat Overview

Iranian state-sponsored actor Boggy Serpens has escalated cyberespionage campaigns against energy, maritime, finance, aviation, and diplomatic sectors across the Middle East, Europe, Asia, and South America, notably targeting Israel, the UAE, and Turkmenistan. By hijacking trusted corporate and government email accounts, the group bypasses perimeter defenses to deliver highly tailored spear-phishing lures. Recent operations reveal a strategic shift toward stealth and long-term persistence. The group has modernized its toolkit using AI-assisted development, deploying sophisticated custom implants like the Rust-based BlackBeard backdoor, UDPGangster, Nuso, and LampoRAT. To evade detection, Boggy Serpens utilizes evasive C2 mechanisms, including Telegram API abuse, customized UDP traffic, and HTTP status code triggers, cementing its status as a highly adaptable and formidable threat.

Detected Targets

Type | Description | Confidence
Case | Ministry of Foreign Affairs: the Ministry of Foreign Affairs has been targeted by Boggy Serpens as the main target. | Verified
Case | Technion Institute: the Technion – Israel Institute of Technology is a public research university located in Haifa, Israel. It was established in 1912 and is the oldest university in the country. Technion Institute has been targeted by Boggy Serpens as the main target. | Verified
Sector | Financial | Verified
Sector | Government Agencies and Services | Verified
Sector | Information Technology | Verified
Sector | Logistics | Verified
Sector | Military | Verified
Sector | Aerospace | Verified
Sector | Energy | Verified
Sector | Political | Verified
Sector | Researchers | Verified
Sector | Telecommunication | Verified
Region | Azerbaijan | Verified
Region | Egypt | Verified
Region | Hungary | Verified
Region | Israel | Verified
Region | Saudi Arabia | Verified
Region | Turkey | Verified
Region | Turkmenistan | Verified
Region | United Arab Emirates | Verified
Region | Middle East Countries | Verified
Region | European Countries | Verified

Extracted IOCs


Tip: 46 related IOCs (5 IP, 10 domain, 0 URL, 0 email, 31 file hash) to this threat have been found.

Overlaps

MuddyWater | HTTP_VIP Malware Profile: System Reconnaissance and RMM Payload Delivery

Source: IBM - March 2026

Detection (one case): 1b9e6fe4b03285b2e768c57e320d84323ac9167598395918d56a12e568b0009a

MuddyWater | Unmasking Iranian Cyber Operations: Threat Actors Target Global Critical Infrastructure

Source: Hunt.io - March 2026

Detection (six cases): 159[.]198.66.153, 159[.]198.68.25, codefusiontech[.]org, nomercys.it[.]com, screenai[.]online, stratioai[.]org

MuddyWater | MuddyWater APT's Evolving Tactics: From Macros to RMM Tool Abuse

Source: Genians - February 2026

Detection (four cases): 159[.]198.66.153, 159[.]198.68.25, nomercys.it[.]com, stratioai[.]org

MuddyWater | Operation Olalampo: MuddyWater Deploys AI-Assisted Malware in MENA Region Attacks

Source: Group IB - February 2026

Detection (three cases): codefusiontech[.]org, miniquest[.]org, promoverse[.]org

MuddyWater | RustyStealer's Evolution: Tracking MuddyWater's Rust Implant from Experimentation to Stealth

Source: Synaptic Systems - January 2026

Detection (two cases): 7523e53c979692f9eecff6ec760ac3df5b47f172114286e570b6bba3b2133f58, a2001892410e9f34ff0d02c8bc9e7c53b0bd10da58461e1e9eab26bdbf410c79

MuddyWater | MuddyWater Malware Exposes Developer Build Artifacts Through Poor OPSEC

Source: Synaptic Systems - January 2026

Detection (two cases): 7523e53c979692f9eecff6ec760ac3df5b47f172114286e570b6bba3b2133f58, f38a56b8dc0e8a581999621eef65ef497f0ac0d35e953bd94335926f00e9464f

MuddyWater | MuddyWater Adopts Rust-Based RustyWater Implant in Middle East Espionage Campaign

Source: CloudSEK - January 2026

Detection (eight cases): 159[.]198.66.153, 159[.]198.68.25, 7523e53c979692f9eecff6ec760ac3df5b47f172114286e570b6bba3b2133f58, a2001892410e9f34ff0d02c8bc9e7c53b0bd10da58461e1e9eab26bdbf410c79, f38a56b8dc0e8a581999621eef65ef497f0ac0d35e953bd94335926f00e9464f, bootcamptg[.]org, nomercys.it[.]com, stratioai[.]org

UNG0801 | UNG0801 Operation IconCat Targets Israeli Organizations via AV Icon Spoofing

Source: Seqrite - December 2025

Detection (three cases): 159[.]198.68.25, 6f079c1e2655ed391fb8f0b6bfafa126acf905732b5554f38a9d32d0b9ca407d, stratioai[.]org

MuddyWater | MuddyWater Deploys UDPGangster Backdoor in Regional Espionage Campaigns

Source: Fortinet - December 2025

Detection (five cases): 157[.]20.182.75, 64[.]7.198.12, 7ea4b307e84c8b32c0220eca13155a4cf66617241f96b8af26ce2db8115e3d53, fc4a7eed5cb18c52265622ac39a5cef31eec101c898b4016874458d2722ec430, reminders.trahum[.]org

MuddyWater | MuddyWater Unveils New Espionage Toolkit in Global Phishing Campaign

Source: Group-IB - October 2025

Detection (three cases): 5ec5a2adaa82a983fcc42ed9f720f4e894652bd7bd1f366826a16ac98bb91839, 668dd5b6fb06fe30a98dd59dd802258b45394ccd7cd610f0aaab43d801bf1a1e, screenai[.]online

Homeland Justice | Homeland Justice Phishing Operation Hits Diplomatic and Government Sectors Globally

Source: Dream - August 2025

Detection (four cases): 1c16b271c0c4e277eb3d1a7795d4746ce80152f04827a4f3c5798aaf4d51f6a1, 2c92c7bf2d6574f9240032ec6adee738edddc2ba8d3207eb102eddf4ab963db0, b2c52fde1301a3624a9ceb995f2de4112d57fcbc6a4695799aec15af4fa0a122, screenai[.]online

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.

FAQs

Understanding the Boggy Serpens Cyberespionage Campaigns

A sophisticated cyberespionage group has been actively infiltrating various critical organizations across the globe using highly customized phishing campaigns. The attackers compromised trusted internal email accounts to send fake, malicious documents to employees, allowing them to secretly install advanced software to monitor systems and steal data. These attacks occurred in multiple persistent waves over several months.

The attacks are attributed to Boggy Serpens, a nation-state threat group also commonly known as MuddyWater. Cybersecurity researchers assess that this group operates as a subordinate element of the Iranian Ministry of Intelligence and Security (MOIS) and has been active since at least 2017.

The primary goal of these attacks is cyberespionage, meaning the attackers are focused on quietly gathering intelligence and stealing sensitive information over long periods. However, the group has also been known to conduct disruptive operations, occasionally disguising their state-sponsored intelligence gathering as financially motivated ransomware attacks.

While the attacks are highly tailored, the geographic scope is global. The group has targeted organizations across the Middle East, the Caucasus, Central and Western Asia, Europe, and South America, launching consecutive, multi-wave campaigns against specific high-value networks.

Yes, the attackers specifically targeted government ministries, diplomats, and critical infrastructure sectors, including energy, marine services, telecommunications, aviation, and finance. Within these organizations, they tailored their attacks to specific individuals and departments, such as project engineers, finance staff, and supply chain managers.

Attackers first hacked into legitimate email accounts belonging to government entities or corporate employees. They used these trusted accounts to send emails with attachments—like fake flight itineraries or financial reports—that instructed users to "enable content" to view blurred text. Once clicked, hidden tools were quietly installed on the victim's computer, allowing the attackers to take remote control and communicate with the infected machines using tools like the Telegram app.

The targeted organizations, such as national marine and energy companies, manage critical economic infrastructure and logistics. Infiltrating these networks provides the attackers' state sponsors with highly valuable strategic intelligence, insight into regional supply chains, and access to the communications of key geopolitical figures.

Organizations should strictly limit the use of Microsoft Office macros and enhance the monitoring of their internal email accounts to detect signs of compromise. Individuals should remain vigilant when receiving unexpected attachments—even from known colleagues or internal departments—and report any documents that ask them to "enable content" to view hidden or blurred information.

This is a highly targeted threat. Rather than blasting out generic spam to millions of people, Boggy Serpens carefully selects specific organizations and crafts customized, multi-stage attacks designed specifically to bypass the defenses of those chosen targets.
