Threats Feed | MuddyWater | Last Updated: 26/02/2026 | Author: Certfa Radar | Publish Date: 22/02/2026

MuddyWater APT's Evolving Tactics: From Macros to RMM Tool Abuse

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Backdoor, Downloader, Dropper, Malicious Macro, Spear Phishing
  • Attack Complexity: Medium
  • Threat Risk: High Impact/High Probability

Threat Overview

MuddyWater APT has conducted sustained cyberespionage campaigns across the Middle East and globally, targeting telecommunications, education, insurance, IT services, and diplomatic sectors. Affected countries include Iraq, Jordan, Egypt, Israel, Malaysia, Oman, and Turkmenistan. The threat actor’s tactics have evolved significantly, shifting from traditional spear-phishing with macro-enabled Microsoft Word documents to deploying malicious HTML files and encrypted archives. Notably, the group increasingly abuses legitimate Remote Monitoring and Management (RMM) tools, such as Syncro and Atera, as initial access vectors. By distributing properly signed installer files disguised as official communications, MuddyWater successfully evades security detection, establishing persistent, stealthy footholds for long-term intelligence collection without relying on custom malware.
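Added example, not code from Certfa Radar or from the reports this page indexes: a small Python detection that applies the tactic described above, and the mitigation advice in the FAQ below, to constructed endpoint telemetry. It flags Atera or Syncro agents running on hosts where they are not authorised, treats a valid vendor signature as expected rather than exculpatory, and raises severity when the parent process or file path suggests the installer arrived by mail, browser download or an extracted archive. The host names, the allowlist, the parent-process list and the log format are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Organisational allowlist (assumption, illustrative values): which RMM products are
# authorised on which hosts. Any RMM agent outside this map is unauthorised, signed or not.
APPROVED_RMM = {"SRV-IT-01": {"syncro"}}

# The two RMM products named on this page, matched on the executable's file name.
RMM_PATTERNS = {"atera": re.compile(r"atera", re.I), "syncro": re.compile(r"syncro", re.I)}

# Parents that indicate a user launched the file from mail, a browser or an archive,
# i.e. the delivery chain described above (constructed list; extend for your estate).
USER_LAUNCH_PARENTS = {"outlook.exe", "winrar.exe", "7zfm.exe", "explorer.exe", "chrome.exe", "msedge.exe"}

# Constructed, simplified process-start telemetry (not real logs); pipe-separated fields:
# host|user|image|parent_image|signed
SAMPLE_EVENTS = """\
WS-FIN-07|j.doe|C:\\Users\\j.doe\\Downloads\\AteraAgent.exe|C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE|true
WS-FIN-07|j.doe|C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe|C:\\Windows\\System32\\services.exe|true
SRV-IT-01|svc_rmm|C:\\Program Files\\Syncro\\Syncro.Service.exe|C:\\Windows\\System32\\services.exe|true
WS-HR-12|a.lee|C:\\Users\\a.lee\\AppData\\Local\\Temp\\Rar$EXa0.123\\SyncroSetup.exe|C:\\Program Files\\WinRAR\\WinRAR.exe|true
WS-HR-12|a.lee|C:\\Windows\\System32\\notepad.exe|C:\\Windows\\explorer.exe|true
"""

def classify_rmm(image: str):
    """Return the RMM product name if the executable's file name looks like one, else None."""
    name = PureWindowsPath(image).name
    for product, pattern in RMM_PATTERNS.items():
        if pattern.search(name):
            return product
    return None

def is_user_writable(image: str) -> bool:
    """True when the image lives under a profile or temp directory (typical for a phished installer)."""
    parts = [p.lower() for p in PureWindowsPath(image).parts]
    return "users" in parts or "temp" in parts

def detect(events: str):
    """Return one alert per RMM execution that is not on the host's approved list."""
    alerts = []
    for line in events.splitlines():
        host, user, image, parent, signed = line.split("|")
        product = classify_rmm(image)
        if product is None or product in APPROVED_RMM.get(host, set()):
            continue
        # A valid vendor signature is normal for a commercial RMM installer, so it never
        # suppresses the alert; delivery context (parent, path) raises the severity.
        parent_name = PureWindowsPath(parent).name.lower()
        suspicious_delivery = parent_name in USER_LAUNCH_PARENTS or is_user_writable(image)
        alerts.append({"host": host, "user": user, "product": product, "signed": signed == "true",
                       "severity": "high" if suspicious_delivery else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```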

Detected Targets

Type     Description                        Confidence
Sector   Government Agencies and Services   Verified
Sector   Information Technology             Verified
Sector   Insurance                          Verified
Sector   Education                          Verified
Sector   Telecommunication                  Verified
Sector   University                         Verified
Region   Egypt                              Verified
Region   Iraq                               Verified
Region   Israel                             Verified
Region   Jordan                             Verified
Region   Malaysia                           Verified

Extracted IOCs


Tip: 43 IOCs related to this threat have been found (2 IP addresses, 2 domains, 0 URLs, 0 email addresses, 39 file hashes).

Overlaps

MuddyWater | MuddyWater Adopts Rust-Based RustyWater Implant in Middle East Espionage Campaign

Source: CloudSEK - January 2026

Detection (four cases): 159[.]198.66.153, 159[.]198.68.25, nomercys.it[.]com, stratioai[.]org

UNG0801 | UNG0801 Operation IconCat Targets Israeli Organizations via AV Icon Spoofing

Source: Seqrite - December 2025

Detection (two cases): 159[.]198.68.25, stratioai[.]org

MuddyWater | MuddyWater Espionage Campaign: A Deep Dive into Malware and Tactics

Source: Picussecurity - March 2022

Detection (one case): 64fc017a451ef273dcacdf6c099031f3

MuddyWater | MuddyWater Cyber Campaign Expands to Target Korek Telecom in Iraq

Source: 360 Threat Intelligence Center - March 2019

Detection (one case): 806adc79e7ea3be50ef1d3974a16b7fb

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.

FAQs

MuddyWater Cyber Espionage Campaign

Cyber attackers have been conducting a long-term, highly deceptive email campaign to break into the computer networks of various organizations. They use fake documents and legitimate software tools to sneak past security systems and establish permanent, hidden access to these networks.

The attacks are attributed to MuddyWater, an advanced state-sponsored cyber threat group. They are a well-resourced organization known for conducting complex espionage and intelligence-gathering operations against international targets over many years.

The primary goal is long-term intelligence collection and establishing a permanent foothold within target networks. Instead of immediate financial theft or causing destruction, the attackers aim to quietly monitor communications, steal sensitive data, and maintain silent control over the compromised computers.

The campaign is international in scope, spanning from 2019 to early 2026. While heavily focused on the Middle East, it has also reached organizations in Asia and global international bodies, impacting hundreds of accounts across multiple sectors.

Yes, the attackers specifically targeted high-value sectors including telecommunications providers, universities, diplomatic institutions, foreign ministries, insurance companies, pension funds, and IT service providers. They specifically sought access to networks that hold critical national infrastructure data, customer information, and government communications.

Attackers sent highly convincing, fake emails impersonating trusted government entities or partner organizations. When victims opened the attached files or clicked the links, hidden programs or legitimate remote-management software would silently install on their computers, handing over remote control to the attackers.

Organizations like telecommunications companies and universities hold vast amounts of user data, manage critical infrastructure, and often have direct connections to government projects. This makes them highly valuable for state-sponsored attackers looking to gather strategic intelligence or spy on specific populations.

Organizations must enhance their email security systems to block malicious attachments and heavily restrict the use of unauthorized remote management software. Individuals must remain vigilant against unexpected emails, carefully verify sender addresses, and never enable "macros" or open attachments from unverified sources.

This is a highly targeted issue. The attackers carefully select specific organizations and tailor their deceptive emails to match the professional interests, language, and daily routines of the victims, rather than sending indiscriminate spam to the general public.