Threats Feed | MuddyWater | Last Updated: 16/02/2026 | Author: Certfa Radar | Publish Date: 29/03/2024

MuddyWater Group Adopts New Tactics in Spear-Phishing Campaigns

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Backdoor, RAT, Spear Phishing
  • Attack Complexity: Medium
  • Threat Risk: High Impact/High Probability

Threat Overview

In October 2023, the MuddyWater APT group launched new campaigns against North and East Africa using its MuddyC2Go toolkit; in February 2024 it shifted to legitimate RMM software (Atera, ConnectWise ScreenConnect, Advanced Monitoring Tool, and MeshCentral). The attacks, announced by the Israeli CERT and observed on social media, target specific organizations or individuals with spear-phishing emails that carry malicious links or files. The group distributes the malware through third-party file upload services, including onehub.com and freeupload.store. The RMM installers are customized for each target and sent from compromised business email accounts, which increases the likelihood that victims engage. Targeted sectors include telecommunications, with a notable attack on a Turkish company, indicating a politically motivated campaign.

Detected Targets

Type   | Description                                                                                          | Confidence
Case   | Karel: Turkish telecommunication company. Karel has been targeted by MuddyWater as the main target.   | Verified
Case   | Polaristek: Analytics, cloud, mobility, IoT service provider. Polaristek has been targeted by MuddyWater as the main target. | Verified
Sector | Defense                                                                                              | Verified
Sector | Government Agencies and Services                                                                     | Verified
Sector | Energy                                                                                               | Verified
Sector | Telecommunication                                                                                    | Verified
Region | Israel                                                                                               | Verified
Region | Turkey                                                                                               | Verified

Extracted IOCs


Tip: 14 related IOCs (0 IP, 0 domain, 0 URL, 0 email, 14 file hash) to this threat have been found.

Overlaps

MuddyWater | MuddyWater Targets Global Sectors with Phishing and BugSleep Backdoor

Source: Check Point - July 2024

Detection (one case): ff2ae62ba88e7068fa142bbe67d7b9398e8ae737a43cf36ace1fcf809776c909

MuddyWater | MuddyWater Expands Cyber Espionage Tactics Using Atera Agents Across Multiple Sectors

Source: HarfangLab - April 2024

Detection (13 cases): 14c270cf53a50867e42120250abca863675d37abf39d60689e58288a9e870144, 2ae6c5c2b71361f71ded4ad90bbf6ef0b0f4778caf54078c928e2017302fbe69, 638c7a4f833dc95dbab5f0a81ef03b7d83704e30b5cdc630702475cc9fff86a2, 7daab239271e088f04cae95627cc0066f48a1b178a1ff60b1140aa729126e928, c2f95299d8aa912e1b753f3f0780a00ea6e8b5dab0245d77fcf3b6499677c328, c6128f222f844e699760e32695d405bd5931635ec38ae50eddc17a0976ccefb4, cc4cc20b558096855c5d492f7a79b160a809355798be2b824525c98964450492, cc8be1d525853403f6cfabcf0fc3bd0ca398ece559388102a7fc55e9f3aa9b33, dd2675e2f6835f8a8a0e65e9dbc763ca9229b55af7d212da38b949051ae296a5, e89f48a7351c01cbf2f8e31c65a67f76a5ead689bb11e9d4918090a165d4425f, fb02e97d52a00fca1580ca71ed152dd28dd5ae28ab0a9c8e7b32cebd7f1998a1, ff2ae62ba88e7068fa142bbe67d7b9398e8ae737a43cf36ace1fcf809776c909, ffbe988fd797cbb9a1eedb705cf00ebc8277cdbd9a21b6efb40a8bc22c7a43f0

TA450 | TA450 Shifts Tactics in Latest Phishing Campaign Targeting Israeli Sectors

Source: Proofpoint - March 2024

Detection (two cases): cc4cc20b558096855c5d492f7a79b160a809355798be2b824525c98964450492, e89f48a7351c01cbf2f8e31c65a67f76a5ead689bb11e9d4918090a165d4425f

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.

FAQs

New MuddyWater Activity Targeting Critical Sectors

Starting in February 2024, a cyber espionage group launched new attacks using "phishing" emails to trick victims into installing software. Instead of using obvious viruses, they are installing legitimate remote support tools to take control of computers.

The attacks are attributed to "MuddyWater," an Advanced Persistent Threat (APT) group known for being aligned with Iran's foreign policy interests.

The primary goal appears to be espionage and maintaining long-term access to victim networks. The group uses this access to monitor activity, extract files, and potentially execute further commands.

The campaign targets government and private companies in Israel, Africa, and Turkiye. Specific sectors include energy, telecommunications, and defense.

Attackers send emails, often from hacked business accounts, containing a PDF or a link. This link downloads a file (often a ZIP) containing an installer for a remote management tool. Once the victim runs this installer, the attackers gain remote control of the device.

The attackers use legitimate software (like Atera or ScreenConnect) that IT support teams normally use. Because the software itself is "clean" and trusted, antivirus programs often do not block it.

Organizations should check their networks for unauthorized remote management software. Employees should be warned not to download files from file-sharing sites (like OneHub or TeraBox) linked in unsolicited emails.
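One way to carry out the check above on a Windows host, as an added example that is not code from Certfa Radar or this feed: a PowerShell inventory of services and installed-program entries matched against the RMM products this campaign abuses. The name patterns and the authorised-host list are assumptions and should be tuned to the tools your IT team has actually approved.

```powershell
# Added example (not from the Certfa Radar feed): find RMM agents named in this
# campaign on the local Windows host. Run in an elevated PowerShell session.
# Name patterns are assumptions based on common vendor naming; adjust to your estate.
$RmmPatterns = @(
    'Atera*',                     # Atera agent
    'ScreenConnect*',             # ConnectWise ScreenConnect client
    'Mesh Agent*', 'MeshAgent*', 'MeshCentral*',
    'Advanced Monitoring Agent*'  # N-able / SolarWinds RMM agent
)

# Hosts where an RMM agent is expected (assumed allow-list; fill in from your CMDB).
$AuthorizedHosts = @('IT-JUMPBOX-01')

function Test-RmmName {
    param([string]$Name)
    foreach ($p in $RmmPatterns) { if ($Name -like $p) { return $true } }
    return $false
}

# 1. Windows services: persistent RMM agents register as services.
$serviceHits = Get-CimInstance Win32_Service |
    Where-Object { (Test-RmmName $_.Name) -or (Test-RmmName $_.DisplayName) } |
    ForEach-Object {
        [pscustomobject]@{ Source = 'Service'; Name = $_.DisplayName
                           Detail = $_.PathName; State = $_.State }
    }

# 2. Uninstall registry entries (64-bit and 32-bit views) for installed products.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$registryHits = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and (Test-RmmName $_.DisplayName) } |
    ForEach-Object {
        [pscustomobject]@{ Source = 'Uninstall'; Name = $_.DisplayName
                           Detail = $_.Publisher; State = $_.InstallDate }
    }

$findings = @($serviceHits) + @($registryHits)

if ($findings.Count -eq 0) {
    Write-Output "No RMM agents matching this campaign's tooling found on $env:COMPUTERNAME."
} elseif ($AuthorizedHosts -contains $env:COMPUTERNAME) {
    Write-Output "RMM agent present on an authorised host; review against change records:"
    $findings | Format-Table -AutoSize
} else {
    Write-Warning "RMM agent found on a host with no authorisation record ($env:COMPUTERNAME):"
    $findings | Format-Table -AutoSize
}
```

Run it across the fleet through your existing remote-execution tooling and treat any hit on a host outside the allow-list as a ticket to investigate, since the binaries themselves will look clean to antivirus.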

This is a targeted campaign. The attackers customize their files with specific company names and languages (Hebrew, Turkish, English) to trick specific organizations in their regions of interest.