Threats Feed | Seedworm | Last Updated: 25/07/2024 | Author: Certfa Radar | Publish Date: 11/12/2018

Seedworm's Persistent Cyber Campaigns: Intelligence Gathering across Multiple Sectors

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Backdoor, Malware
  • Attack Complexity: High
  • Threat Risk: High Impact/High Probability

Threat Overview

Seedworm has compromised more than 130 victims across 30 organizations since September 2018. The group primarily targets the Middle East, Europe, and North America, focusing on government agencies, oil and gas companies, NGOs, telecoms, and IT firms. Seedworm uses tools such as Powermud, Powemuddy, and PowerShell scripts, and has updated its tactics to evade detection. The most heavily targeted sectors are telecommunications, IT services, oil and gas, universities, and embassies. The group is known for the speed and agility with which it obtains actionable intelligence from targeted organizations.

Detected Targets

Type     Description                         Confidence
Sector   Government Agencies and Services    Verified
Sector   Manufacturing                       Verified
Sector   Healthcare                          Verified
Sector   Oil and Gas                         Verified
Sector   Telecommunication                   Verified
Region   Afghanistan                         Verified
Region   Armenia                             Verified
Region   Egypt                               Verified
Region   Iraq                                Verified
Region   Jordan                              Verified
Region   Netherlands                         Verified
Region   Oman                                Verified
Region   Pakistan                            Verified
Region   Russia                              Verified
Region   Saudi Arabia                        Verified
Region   Turkey                              Verified
Region   United States                       Verified

Extracted IOCs

  • 2ae299e3693518104bf194d6257d5be6
  • 35c310a1f88e41e777bc2ac4bc5284d9
  • 488723b8e56dbaac8ccdc79499037d5f
  • 54982c616098f6c6fbc48703922f15f4
  • 837eaad1187fe9fbf91f9bc7c054f5d9
  • 8e3a42371d7af2c7d0bb4036c9fb0fe3
  • 8e94d1cb1ec6ea5b2c29353eb7bb5787
  • 989e9dcc2182e2b5903b9acea03be11d
  • 9bea3eb68ea0c215a17fa69f632d9020
  • a750e2885ed3c294de148864723f73e3
  • ddba713c20c232bcd60daf0ffabeffb8
  • e2ed0be977ab9e50055337ec8eb0ddf4
  • e6e7661efb60b9aea7969a30e17ace19
  • e75443a5e825f69c75380b6dc76c6b50
  • f041f96ed1abdcc84157488aa51b62af
  • f5dee1f9cd47dc7bae468da9732c862e
  • f8902df9fe49a04f101d0bfb41a33028
  • fa200e715e856550c76f729604ebaf57
  • 104[.]237.233.60
  • 185[.]34.16.82
  • 31[.]171.154.67
  • 46[.]99.148.96
  • 78[.]129.139.148
  • 78[.]129.222.56
  • 79[.]106.224.203

Tip: 25 IOCs related to this threat have been found (7 IP addresses, 0 domains, 0 URLs, 0 email addresses, 18 file hashes).

Overlaps

MuddyWater: MuddyWater Espionage Campaign: A Deep Dive into Malware and Tactics

Source: Picussecurity - March 2022

Detection (nine cases): 488723b8e56dbaac8ccdc79499037d5f, 54982c616098f6c6fbc48703922f15f4, 837eaad1187fe9fbf91f9bc7c054f5d9, 989e9dcc2182e2b5903b9acea03be11d, a750e2885ed3c294de148864723f73e3, ddba713c20c232bcd60daf0ffabeffb8, e2ed0be977ab9e50055337ec8eb0ddf4, e6e7661efb60b9aea7969a30e17ace19, fa200e715e856550c76f729604ebaf57

MuddyWater: MuddyWater's Sophisticated Cyber Operations Target Geopolitical Foes in Asia and the Middle East

Source: Trend Micro - June 2019

Detection (five cases): 185[.]34.16.82, 31[.]171.154.67, 46[.]99.148.96, 78[.]129.139.148, 79[.]106.224.203

MuddyWater: Decoding MuddyWater: Inside the APT's Advanced Toolset and Deception Tactics

Source: Kaspersky - April 2019

Detection (one case): 78[.]129.222.56

Seedworm: SeedWorm Malware Campaign: Unveiling the LisfonService Backdoor Variants

Source: Rewterz - February 2019

Detection (five cases): 31[.]171.154.67, 46[.]99.148.96, 78[.]129.139.148, 78[.]129.222.56, 79[.]106.224.203

MuddyWater: MuddyWater Expands Spear-Phishing Operations across Multiple Countries and Sectors

Source: Securelist - October 2018

Detection (one case): 104[.]237.233.60

Hint: Overlaps are extracted automatically by comparing the IOCs associated with all indexed threats and actors.