MuddyWater Targets Global Sectors with Phishing and BugSleep Backdoor
- Actor Motivations: Espionage,Exfiltration
- Attack Vectors: Backdoor,Spear Phishing
- Attack Complexity: Medium
- Threat Risk: High Impact/High Probability
Threat Overview
MuddyWater has ramped up cyber activities targeting Israel, Saudi Arabia, Turkey, Azerbaijan, India, and Portugal amid the Israel-Hamas war. Their campaigns utilize phishing emails from compromised accounts, deploying RMM tools like Atera Agent and the new BugSleep backdoor. BugSleep, under continuous development, executes commands and transfers files to C&C servers. The group targets various sectors, including Israeli municipalities, airlines, and journalists. They exploit platforms like Egnyte for phishing and use techniques such as sandbox evasion and process injection. Over 50 spear phishing emails have targeted multiple sectors since February 2024.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Sector | Government Agencies and Services | Verified |
| Sector | Journalists | Verified |
| Sector | Aerospace | Verified |
| Sector | Healthcare | Verified |
| Sector | Media | Verified |
| Sector | Tourism | Verified |
| Region | Azerbaijan | Verified |
| Region | India | Verified |
| Region | Israel | Verified |
| Region | Portugal | Verified |
| Region | Saudi Arabia | Verified |
| Region | Turkey | Verified |
Extracted IOCs
- onlinemailerservices[.]com
- smartcloudcompany[.]com
- smtpcloudapp[.]com
- softwarehosts[.]com
- airpaz.egnyte[.]com
- airpazfly.egnyte[.]com
- airpazflys.egnyte[.]com
- alkan.egnyte[.]com
- alltrans.egnyte[.]com
- bgu.egnyte[.]com
- cairoairport.egnyte[.]com
- cnsmportal.egnyte[.]com
- downloadfile.egnyte[.]com
- fbcsoft.egnyte[.]com
- filecloud.egnyte[.]com
- fileuploadcloud.egnyte[.]com
- gcare.egnyte[.]com
- getter.egnyte[.]com
- kinneretacil.egnyte[.]com
- ksa1.egnyte[.]com
- megolan.egnyte[.]com
- nour.egnyte[.]com
- rimonnet.egnyte[.]com
- salary.egnyte[.]com
- silbermintz1.egnyte[.]com
- 02060a9ea0d0709e478e2fba6e9b71c1b7315356acc4f64e40802185c4f42f1c
- 0ab2b0a2c46d14593fe900e7c9ce5370c9cfbf6927c8adb5812c797a25b7f955
- 1c0947258ddb608c879333c941f0738a7f279bc14630f2c8877b82b8046acf91
- 20aaeac4dbea89b50d011e9becdf51afc1a1a1f254a5f494b80c108fd3c7f61a
- 31591fcf677a2da2834d2cc99a00ab500918b53900318f6b19ea708eba2b38ab
- 39da7cc7c627ea4c46f75bcec79e5669236e6b43657dcad099e1b9214527670e
- 4064e4bb9a4254948047858301f2b75e276a878321b0cc02710e1738b42548ca
- 424a9c85f97aa1aece9480bd658266c366a60ff1d62c31b87ddc15a1913c10e4
- 53b4a4359757e7f4e83929fba459677e76340cbec7e2e1588bbf70a4df7b0e97
- 55af6a90ac8863f27b3fcaa416a0f1e4ff02fb42aa46a7274c6b76aa000aacc2
- 5df724c220aed7b4878a2a557502a5cefee736406e25ca48ca11a70608f3a1c0
- 73c677dd3b264e7eb80e26e78ac9df1dba30915b5ce3b1bc1c83db52b9c6b30e
- 7e14ca8cb7980e85aff4038f489442eace33530fd02e2b9c382a4b6907601bee
- 7e6b04e17ae273700cef4dc08349af949dbd4d3418159d607529ae31285e18f7
- 88788208316a6cf4025dbabbef703f51d77d475dc735bf826b8d4a13bbd6a3ee
- 8fbd374d4659efdc5b5a57ff4168236aeaab6dae4af6b92d99ac28e05f04e5c1
- 90f94d98386c179a1b98a1f082b0c7487b22403d8d5eb3db6828725d14392ded
- 94278fa01900fdbfb58d2e373895c045c69c01915edc5349cd6f3e5b7130c472
- 960d4c9e79e751be6cad470e4f8e1d3a2b11f76f47597df8619ae41c96ba5809
- a0968e820bbc5e099efd55143028b1997fd728d923c19af03a1ccec34ce73d9b
- b8703744744555ad841f922995cef5dbca11da22565195d05529f5f9095fbfca
- c23f17b92b13464a570f737a86c0960d5106868aaa5eac2f2bac573c3314eb0f
- c80c8dd7be3ccf18e327355b880afb5a24d5a0596939458fb13319e05c4d43e9
- c88453178f5f6aaab0cab2e126b0db27b25a5cfe6905914cc430f6f100b7675c
- e2810cca5d4b74e0fe04591743e67da483a053a8b06f3ef4a41bdabee9c48cf7
- e7896ccb82ae35e1ee5949b187839faab0b51221d510b25882bbe711e57c16d2
- f925d929602c9bae0a879bb54b08f5f387d908d4766506c880c5d29986320cf9
- fb58c54a6d0ed24e85b213f0c487f8df05e421d7b07bd2bece3a925a855be93a
- ff2ae62ba88e7068fa142bbe67d7b9398e8ae737a43cf36ace1fcf809776c909
- 141[.]98.252.143
- 146[.]19.143.14
- 146[.]70.172.227
- 169[.]150.227.205
- 169[.]150.227.230
- 185[.]248.85.20
- 193[.]109.120.59
- 194[.]4.50.133
- 198[.]54.131.36
- 200[.]200.200.248
- 31[.]171.154.54
- 45[.]150.108.198
- 5[.]252.23.52
- 85[.]239.61.97
- 89[.]221.225.81
- 91[.]235.234.202
- 95[.]164.32.69
Tip: 71 related IOCs (17 IP, 25 domain, 0 URL, 0 email, 29 file hash) to this threat have been found.
FAQs
Understanding the BugSleep Malware Campaign
An Iranian-linked threat group, MuddyWater, launched a series of phishing attacks targeting various countries, mainly Israel. These attacks deployed a new custom malware called BugSleep.
The group is known as MuddyWater and is affiliated with Iran’s Ministry of Intelligence and Security. They have been active since at least 2017.
Their primary objective is espionage—gathering sensitive information and maintaining access to systems across multiple sectors such as government, media, and transportation.
Targets included entities in Israel, Turkey, Saudi Arabia, India, Azerbaijan, and Portugal, spanning industries like municipalities, airlines, media, and travel agencies.
The attackers sent emails that appeared to come from trusted sources, tricking recipients into downloading remote access tools or a malicious program called BugSleep.
These sectors hold sensitive information or have strategic value in geopolitical contexts, especially in the Middle East and South Asia.
Organizations should enhance email filtering, educate staff about phishing, monitor for suspicious scheduled tasks or software, and restrict the execution of unverified code.
Yes, the campaigns are broad and involve multiple countries and sectors, showing signs of both widespread and targeted elements.