Threats Feed | Seedworm | Last Updated: 09/07/2025 | Author: Certfa Radar | Publish Date: 24/04/2024

Seedworm Leverages Atera Agent in Sophisticated Spear-Phishing Scheme

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Compromised Credentials, Trojan, Spear Phishing
  • Attack Complexity: Medium
  • Threat Risk: Unknown

Threat Overview

Seedworm, also known as MuddyWater, is exploiting the Atera Agent, a legitimate remote monitoring and management (RMM) tool, in its spear-phishing campaigns. The group uses Atera’s 30-day free trial offers to register agents with compromised email accounts, which gives it remote access to targeted systems without needing its own command-and-control infrastructure. Through Atera’s web UI the operator gets file upload/download, interactive shell access, and AI-powered command assistance. Seedworm hosts the RMM installers on free file-sharing platforms and distributes links to them via spear-phishing emails; the specific targeted countries and sectors are not mentioned in the report.

FAQs

Seedworm’s Abuse of Atera Agent

A known cyber-espionage group called Seedworm (also known as MuddyWater) is using a legitimate IT tool, Atera Agent, to remotely access targeted computers through phishing emails.

The group behind the attack is Seedworm, an advanced persistent threat actor known for targeting organizations in the Middle East and beyond.

The attackers aimed to quietly take control of targeted systems without triggering common security alerts, using trusted tools to stay hidden.

They sent deceptive emails with links to install a remote access tool (Atera), which then allowed them to control the victim’s computer over the internet.

While specific targets weren’t named, the nature of spear-phishing suggests that individuals or organizations were carefully selected, likely for espionage or data theft.

Using legitimate tools like Atera allows attackers to blend in with normal system activity, making detection harder for traditional security tools.

Organizations should monitor for unusual use of remote access tools, improve phishing defenses, and educate employees on suspicious emails.
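The monitoring recommendation above, and the abuse pattern described in the Threat Overview (an RMM installer fetched from a file-sharing site and run on a host where IT never sanctioned it), can be turned into a small detection pass over endpoint process-creation telemetry. The following is an added example, not code from the Certfa Radar report or from Atera: the log format, host names, the "it-admin-01" allowlist and the file names such as `AteraAgentSetup.msi` are constructed assumptions, and the only product keyword it keys on ("atera") is the one the report names.

```python
"""Flag unsanctioned RMM agent activity in process-creation logs.

Added example (not from the report). Log format, host names, file names and
the sanctioned-host list are constructed; tune them to your own EDR output
and asset inventory.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Keyword(s) that identify the RMM product in file names; "atera" is the
# one named in the report. Add any other RMM tooling you do not sanction.
RMM_KEYWORDS = ("atera",)
INSTALLERS = {"msiexec.exe", "setup.exe"}
# Parents that should not normally hand off straight into an installer
USER_APP_PARENTS = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# User-writable locations a phished installer typically lands in
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData|Desktop)\\|\\Temp\\", re.I)
# Hosts where IT has approved an RMM agent (assumed inventory, constructed)
SANCTIONED_HOSTS = {"it-admin-01"}

# One key=value record per process start (constructed format)
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) parent=(?P<parent>\S+) '
    r'image=(?P<image>.+?) cmd="(?P<cmd>.*)"$'
)

# Constructed sample telemetry: a browser-launched install on a finance
# workstation, the agent then running there, the same agent on a sanctioned
# IT host, and a benign event for contrast.
SAMPLE_LOG = r"""
2024-04-24T09:12:01Z host=ws-finance-07 user=CORP\jdoe parent=chrome.exe image=C:\Windows\System32\msiexec.exe cmd="msiexec /i C:\Users\jdoe\Downloads\AteraAgentSetup.msi /qn"
2024-04-24T09:12:40Z host=ws-finance-07 user=SYSTEM parent=services.exe image=C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe cmd="AteraAgent.exe"
2024-04-24T10:00:05Z host=it-admin-01 user=SYSTEM parent=services.exe image=C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe cmd="AteraAgent.exe"
2024-04-24T10:05:00Z host=ws-hr-02 user=CORP\asmith parent=explorer.exe image=C:\Windows\System32\notepad.exe cmd="notepad.exe"
"""


@dataclass
class Alert:
    ts: str
    host: str
    rule: str
    severity: str
    detail: str


def parse(line: str):
    """Return the record's fields as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def check_event(ev: dict) -> list:
    """Apply both rules to one parsed record and return any alerts raised."""
    alerts = []
    image = _basename(ev["image"])
    cmd = ev["cmd"].lower()
    # Rule 1: the RMM agent itself running on a host nobody approved it for
    if any(k in image for k in RMM_KEYWORDS) and ev["host"] not in SANCTIONED_HOSTS:
        alerts.append(Alert(ev["ts"], ev["host"], "unsanctioned_rmm_agent", "high",
                            f"{ev['image']} running; host not in RMM allowlist"))
    # Rule 2: an RMM installer launched from a user-writable path; higher
    # severity when a browser or mail client is the parent (phishing delivery)
    if (image in INSTALLERS and any(k in cmd for k in RMM_KEYWORDS)
            and USER_WRITABLE.search(ev["cmd"])):
        sev = "high" if ev["parent"].lower() in USER_APP_PARENTS else "medium"
        alerts.append(Alert(ev["ts"], ev["host"], "rmm_install_from_user_dir", sev,
                            f"{ev['parent']} -> {image}: {ev['cmd']}"))
    return alerts


def detect(log_text: str) -> list:
    """Run the rules over every parseable line and return alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev:
            alerts.extend(check_event(ev))
    return alerts


def hosts_with_install_and_agent(alerts) -> list:
    """Hosts where an install from a user directory was followed by the agent running."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a.host, set()).add(a.rule)
    wanted = {"rmm_install_from_user_dir", "unsanctioned_rmm_agent"}
    return sorted(h for h, rules in by_host.items() if wanted <= rules)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"[{a.severity}] {a.ts} {a.host} {a.rule}: {a.detail}")
    print("install followed by agent on:", hosts_with_install_and_agent(found))
```

On the sample data the finance workstation raises both rules while the sanctioned IT host raises none; the host-level correlation in `hosts_with_install_and_agent` is what separates a real RMM rollout from a single user installing a trial agent after clicking an emailed link. The allowlist is the important tuning point: an RMM agent is only "unusual" relative to where your IT team has actually deployed it.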

This appears to be part of an ongoing and targeted campaign by a known threat actor, not a widespread indiscriminate attack.