{
	"id": "a3f9c3a6-0a89-4bce-93b0-fa87de457471",
	"created_at": "2026-04-15T02:22:37.987265Z",
	"updated_at": "2026-04-18T02:21:16.051473Z",
	"deleted_at": null,
	"sha1_hash": "08829d09f17839b9295f5612c9be6043f0308058",
	"title": "New BugSleep Backdoor Deployed in Recent MuddyWater Campaigns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 92499,
	"plain_text": "New BugSleep Backdoor Deployed in Recent MuddyWater Campaigns\r\nBy stcpresearch\r\nPublished: 2024-07-15 · Archived: 2026-04-15 02:16:24 UTC\r\nKey Findings\r\nMuddyWater, an Iranian threat group affiliated with the Ministry of Intelligence and Security (MOIS), has significantly increased its activities in Israel since the beginning of the Israel-Hamas war in October 2023. This parallels activities against targets in Saudi Arabia, Turkey, Azerbaijan, India and Portugal.\r\nThe threat actors consistently use phishing campaigns sent from compromised organizational email accounts. The phishing campaigns typically lead to the deployment of legitimate remote monitoring and management (RMM) tools such as Atera Agent and ScreenConnect.\r\nRecently, MuddyWater campaigns also led to the deployment of a new, previously undocumented tailor-made backdoor we dubbed BugSleep, which is used to target organizations in Israel.\r\nBugSleep is a backdoor designed to execute the threat actors’ commands and transfer files between the compromised machine and the C\u0026C server. The backdoor is currently in development, with the threat actors continuously improving its functionality and addressing bugs.\r\nIntroduction\r\nMuddyWater, an Iranian threat group affiliated with the Ministry of Intelligence and Security (MOIS), has been active since at least 2017. During the last year, MuddyWater engaged in widespread phishing campaigns targeting the Middle East, with a particular focus on Israel. Since October 2023, the actors’ activities have increased significantly. Their methods remain consistent, utilizing phishing campaigns sent from compromised email accounts targeting a wide array of organizations in countries of interest. 
These campaigns typically lead to the deployment of legitimate remote monitoring and management (RMM) tools such as Atera Agent or ScreenConnect. Recently, however, they have deployed a custom backdoor we track as BugSleep.\r\nIn this report, we discuss the details of the most recent phishing campaigns and how they reflect the group’s interests. In addition, we provide an analysis of MuddyWater’s most recent tactics, techniques, and procedures (TTPs), including the BugSleep custom backdoor and the abuse of Egnyte, a legitimate file-sharing service.\r\nEmails and Lures\r\nMuddyWater campaigns usually consist of sending large numbers of emails to a wide range of targets from a compromised email account. Although their lures are aimed at a large and varied set of organizations or individuals, they often focus on specific industries or sectors, highlighting the group’s points of interest. Among those are notable phishing campaigns aimed at Israeli municipalities as well as a broader group of airlines, travel agencies, and journalists. Overall, since February 2024 we identified over 50 spear-phishing emails targeting more than 10 sectors that were sent to hundreds of recipients.\r\nhttps://research.checkpoint.com/2024/new-bugsleep-backdoor-deployed-in-recent-muddywater-campaigns/\r\nPage 1 of 10\r\nFigure 1 – Notable phishing campaigns.\r\nIn each of these campaigns, the actors used a tailored lure that was sent to dozens of targets in the same sector. For example, lures aimed at municipalities contained a suggestion to download a new app created just for municipalities:\r\nFigure 2 – Lure email sent to municipalities in Israel.\r\nTranslated email:\r\nSubject: Special Offer: New App for Municipalities – Limited Time Only!\r\nDear Customer, in celebration of International Mother’s Day, we are excited to announce the launch of our latest municipal app. 
This innovative tool is meticulously designed to automate tasks, enhance efficiency, and ensure maximum safety in operations.\r\nFor today only, we are offering this app as a free download. Empower your municipality to streamline workflows and securely prepare for future tasks. Download Now\r\nTake advantage of this opportunity to revolutionize your municipality’s operations with our innovative solution. Don’t miss out!\r\nBest regards, [Redacted]\r\nIn more recent campaigns, the group shifted to more generic-themed, yet well-crafted phishing lures, such as invitations to webinars and online courses. This approach allows them to reuse the same lure across different targets and regions. Additionally, while they primarily used the locally spoken languages of their targets, they now use English more frequently.\r\nThis shift is exemplified in two different emails that use the exact same lure: one sent to targets in Saudi Arabia and the other to Israel. The main differences were the email addresses used to send them, and the final payload. In Saudi Arabia it was an RMM tool, and in Israel, the custom backdoor BugSleep.\r\nComparison of two emails about online courses using the same lure:\r\nCharacteristic | Version 1 | Version 2\r\nFrom | A compromised email account of a Saudi Arabian company. | A compromised email account of an Israeli company.\r\nTo | Companies in Saudi Arabia. | Companies in Israel.\r\nLink | Email includes a direct link to an Egnyte subdomain. | Email contains a PDF attachment with an embedded link.\r\nPayload | Atera RMM tool. | BugSleep backdoor.\r\nFigure 3 – Email comparison (version 1 on the top).\r\nThe only differences in the content between the two emails are the company name and the last two lines with the link, which in version 2 is found in the PDF attachment.\r\nFigure 4 – PDF attachment of email version 2.\r\nAttribution of these campaigns to MuddyWater is supported by the distinct patterns of behavior and RMM tools they employ, which have been consistently observed in their operations over the past few years.\r\nBugSleep Infection Chain\r\nThe typical infection chain that delivers the BugSleep backdoor is as follows:\r\nFigure 5 – MuddyWater new infection chain.\r\nEgnyte Abuse\r\nEgnyte is a legitimate file-sharing platform that allows employees and companies to easily share files via a web browser. Recently, MuddyWater has frequently used Egnyte subdomains, aligning them with the company names used in their phishing emails. Upon opening the shared link, recipients can see the name of the purported sender, which often appears legitimate and matches the naming conventions of the targeted country. Because these links resolve under the legitimate egnyte.com domain, reputation filtering on the apex domain is of little use; the actor-chosen subdomains listed in the IOCs below are the indicator worth blocking and hunting for.\r\nIn a link sent to a transportation company in Saudi Arabia, the displayed name of the owner was Khaled Mashal, the former head of Hamas and one of its prominent leaders.\r\nFigure 6 – Archive file shared by ‘Khaled Mashal’.\r\nBugSleep Technical Analysis\r\nBugSleep is a new tailor-made malware used in MuddyWater phishing lures since May 2024, partially replacing their use of legitimate RMM tools. We discovered several versions of the malware being distributed, with differences between each version showing improvements and bug fixes (and sometimes creating new bugs). 
These updates, occurring within short intervals between samples, suggest a trial-and-error approach.\r\nThe main logic of BugSleep is similar in all versions. It starts with many calls to the Sleep API to evade sandboxes, then resolves the APIs it needs to run properly. It then creates a mutex (we observed “PackageManager” and “DocumentUpdater” in our samples) and decrypts its configuration, which includes the C\u0026C IP address and port. All the configuration data and strings are encrypted in the same way: decryption subtracts the same hardcoded value from every byte modulo 256 (so encryption adds it).\r\nIn most BugSleep samples, the malware then creates a scheduled task with the same name as the mutex and adds the comment “sample comment” to it. The scheduled task, which ensures persistence for BugSleep, runs the malware and is triggered every 30 minutes on a daily basis. A task whose name matches one of these mutex names, or whose description is the literal string “sample comment”, is a cheap hunting query on its own.\r\nFigure 7 – Scheduled task method of setting up persistence used by BugSleep.\r\nThe malware communication is also encrypted the same way as its strings, adding 3 to every byte modulo 256. Every message exchanged between BugSleep and its C\u0026C follows this format: [size_of_data][data]. BugSleep starts by sending the ID of the victim, consisting of the computer name followed by the username, formatted as [computer_name][username].\r\nThe malware has several commands it can perform based on the data sent from the C\u0026C:\r\n#   Arguments      Description\r\n1   File name      Send the content of a file to the C\u0026C.\r\n2   File name      Write received content into a file.\r\n3   Command        Run commands through a cmd pipe until the command ‘terminate’ is received.\r\n4   Timeout value  Update the ‘receive timeout’ by adding the new timeout value.\r\n6   –              Stop communication.\r\n9   –              Delete the persistence task.\r\n10  –              Get the status of the persistence task.\r\n11  –              Create the persistence task.\r\n97  Sleep time     Update the sleep time (not present in the first version).\r\n98  Timeout value  Update the receive timeout (not present in the first version).\r\n99  –              Send the same value back (a type of ping).\r\nEvasions\r\nIn one of the malware versions, the developers implemented a couple of evasion methods against EDR solutions, both applied through process mitigation policies (the settings exposed by the SetProcessMitigationPolicy API).\r\nFirst, the malware enables the MicrosoftSignedOnly flag of the ProcessSignaturePolicy structure to prevent the process from loading images that are not signed by Microsoft. This prevents other processes, including EDR agents, from injecting their DLLs into the process.\r\nNext, it enables the ProhibitDynamicCode flag of the ProcessDynamicCodePolicy structure to prevent the process from generating dynamic code or modifying existing executable code.\r\nEnabling ProcessDynamicCodePolicy may be useful for protecting it from EDR solutions that hook userland API functions to inspect programs’ intents, since placing an inline hook requires modifying executable code inside the process. The flip side for defenders is that a non-Microsoft binary applying these policies to itself is unusual and is a useful detection signal.\r\nFigure 8 – Evasion methods.\r\nBugSleep Loader\r\nOne of the samples we analyzed came with a custom loader. The loader injects shellcode that loads BugSleep in memory into one of the following processes, based on whether they are already running:\r\nmsedge.exe\r\nopera.exe\r\nchrome.exe\r\nanydesk.exe\r\nOndedrive.exe\r\npowershell.exe\r\nThe shellcode in this case is also encrypted with the same algorithm as the strings in BugSleep but with a different shift: every byte is subtracted with a hardcoded value of 6. 
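The byte-shift scheme and the [size_of_data][data] framing described above are simple enough to decode in a few lines. The following Python is an added example written for this page; it is neither BugSleep’s code nor Check Point’s, and it assumes details the report does not state: the size field is taken to be a 4-byte little-endian unsigned integer, the string/config shift is taken to be 3 (the value the report gives for C&C traffic, which it says uses the same scheme), and the sample blobs are constructed here (one of the report’s C&C IPs is used as a sample config value). The brute_force_shift helper recovers an unknown shift from a known plaintext such as an API name, which covers the loader’s shift of 6 and also the send-path bug described in the Bugs section, where the malware subtracts 3 instead of adding it (that variant decodes with shift 253, i.e. adding 3).

```python
'''Decoder for the BugSleep byte-shift scheme and [size][data] framing.
Added example for this page, not the malware's or Check Point's code.
Assumptions (not stated in the report): 4-byte little-endian size prefix,
shift 3 for strings/config/C2 traffic, shift 6 for the loader shellcode.'''
import struct

STRING_SHIFT = 3   # report: C2 traffic adds 3 to every byte mod 256
LOADER_SHIFT = 6   # report: loader shellcode is decrypted by subtracting 6


def shift_decode(data: bytes, shift: int) -> bytes:
    '''BugSleep decryption: subtract the hardcoded shift from every byte mod 256.'''
    return bytes((b - shift) & 0xFF for b in data)


def shift_encode(data: bytes, shift: int) -> bytes:
    '''The matching encryption: add the shift to every byte mod 256.'''
    return bytes((b + shift) & 0xFF for b in data)


def victim_id(computer_name: str, username: str) -> bytes:
    '''First message BugSleep sends: computer name directly followed by username.'''
    return (computer_name + username).encode('utf-8')


def frame(plaintext: bytes, shift: int = STRING_SHIFT) -> bytes:
    '''Build one [size_of_data][data] message as it would travel on the wire.
    Size-field width is an assumption: 4-byte little-endian, covering the
    encoded payload.'''
    body = shift_encode(plaintext, shift)
    return struct.pack('<I', len(body)) + body


def unframe(stream: bytes, shift: int = STRING_SHIFT) -> list:
    '''Split a captured byte stream into messages and decode each one.
    Raises ValueError on a truncated frame instead of silently dropping it.'''
    messages = []
    offset = 0
    while offset + 4 <= len(stream):
        (size,) = struct.unpack_from('<I', stream, offset)
        offset += 4
        if offset + size > len(stream):
            raise ValueError('truncated frame at offset %d' % (offset - 4))
        messages.append(shift_decode(stream[offset:offset + size], shift))
        offset += size
    if offset != len(stream):
        raise ValueError('trailing bytes after last frame')
    return messages


def brute_force_shift(blob: bytes, known_plaintext: bytes):
    '''Recover an unknown single-byte shift by trying all 256 values until a
    known plaintext (an API name, the task comment, an IP) appears.
    Returns the shift, or None if no shift works.'''
    for shift in range(256):
        if known_plaintext in shift_decode(blob, shift):
            return shift
    return None


# Constructed sample blobs (not real BugSleep data): a string table encoded
# with shift 3, and a stub shellcode prologue encoded with the loader's shift 6.
SAMPLE_STRINGS = shift_encode(
    b'Sleep' + bytes([0]) + b'146.19.143.14' + bytes([0]), STRING_SHIFT)
SAMPLE_SHELLCODE = shift_encode(bytes([0xFC, 0x48, 0x83, 0xE4, 0xF0]), LOADER_SHIFT)


def demo() -> dict:
    '''Run the decoder over the constructed samples and return the results.'''
    wire = frame(victim_id('DESKTOP-1', 'alice')) + frame(b'99')
    return {
        'strings': shift_decode(SAMPLE_STRINGS, STRING_SHIFT).split(bytes([0])),
        'shellcode_shift': brute_force_shift(SAMPLE_SHELLCODE, bytes([0xFC, 0x48])),
        'wire_messages': unframe(wire),
    }


if __name__ == '__main__':
    print(demo())
```

Running the file prints the decoded string table, the recovered loader shift (6) and the two framed messages. Because the scheme is a constant shift, a single known byte sequence is enough to recover the key for any sample, so the brute-force helper is the part worth keeping in an analyst’s toolbox.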
After the decryption, the loader writes the shellcode into the target process with the WriteProcessMemory API and invokes it with the CreateRemoteThread API. This is classic remote thread injection, and a WriteProcessMemory/CreateRemoteThread pair from an unsigned parent into a browser, AnyDesk or PowerShell process is exactly the kind of cross-process activity EDR telemetry records.\r\nBugs and Unused Code\r\nSome of the samples contained several bugs, and parts of the code appear poorly written, with questionable omissions or additions that seem to be mistakes.\r\nOne of the samples checks if the file “C:\\users\\public\\a.txt” exists and, if it doesn’t, creates the file, which it later deletes. The purpose of this code is not entirely clear; it may be unfinished code inserted by the authors or borrowed from elsewhere without fully understanding what it does.\r\nIn one sample, some of the API names were not encrypted like the others, probably due to lack of attention.\r\nIn some samples, instead of properly encrypting (adding 3 to each byte), the malware runs the decryption algorithm (subtracting 3 from each byte), which is probably a mistake. Since both operations are the same constant shift in opposite directions, a receiver that knows about the bug can still recover the data by adding 3 instead of subtracting it. In a newer sample, the malware authors fixed that bug but did not do the same for all of the commands. Another questionable action is that the malware decrypts the data after it is sent. We assume that their intent was to encrypt the strings again so they would not be seen in memory, but in this case, it does the opposite.\r\nFigure 9 – Encryption/Decryption confusion in the send method.\r\nTargets\r\nAccording to our telemetry, these MuddyWater campaigns target a diverse array of sectors, ranging from government entities and municipalities to media outlets and travel agencies. While the majority of the emails were directed at companies in Israel, others were aimed at entities in Turkey, Saudi Arabia, India and Portugal.\r\nFigure 10 – Map of targeted countries.\r\nIn addition, files associated with the latest campaign were uploaded to VirusTotal from various IP locations, including Azerbaijan and Jordan. 
Notably, in the case of Azerbaijan, we can establish a correlation with the target due to the Azerbaijani language used in the PDF lure.\r\nFigure 11 – PDF lure written in Azerbaijani.\r\nTranslated PDF document:\r\nDear friends and colleagues,\r\nInternational company CASPEL organizes an online webinar on information technologies and network solutions.\r\nThe purpose of this international webinar is to prevent any cyber vandalism and build a deep relationship with information technology companies in Africa and the Middle East.\r\nMany reputable companies of the region will participate in this seminar, and experts in this field will discuss and exchange ideas.\r\nTo participate in the webinar, visit the link below and download the webinar software.\r\n[Link]\r\nThank you.\r\nConclusion\r\nThe increased activity of MuddyWater in the Middle East, particularly in Israel, highlights the persistent nature of these threat actors, who continue to operate against a wide variety of targets in the region. Their consistent use of phishing campaigns, now incorporating a custom backdoor, BugSleep, marks a notable development in their tactics, techniques and procedures (TTPs).\r\nThe campaigns reflect the group’s interests, focusing on specific sectors such as municipalities, airlines, travel agencies, and media outlets. Although they are aimed at specific sectors, the nature of the lures themselves has become much simpler over time. 
The shift from highly customized lures to more generic themes such as webinars and online courses, combined with the increased use of English, allows the group to focus on higher volume rather than specific targets.\r\nCheck Point Customers Remain Protected Against the Threats Described in this Report.\r\nHarmony Email and Collaboration provides comprehensive inline protection at the highest security level.\r\nThreat Emulation signatures:\r\nAPT.Wins.MuddyWater.ta.X\r\nAPT.Wins.MuddyWater.ta.Y\r\nAPT.Win.MuddyWater.X\r\nHarmony Endpoint signatures:\r\nAPT.Win.MuddyWater.U\r\nAPT.Win.MuddyWater.V\r\nAPT.Win.MuddyWater.W\r\nIOCs\r\nDomains:\r\nkinneretacil.egnyte[.]com\r\nsalary.egnyte[.]com\r\ngcare.egnyte[.]com\r\nrimonnet.egnyte[.]com\r\nalltrans.egnyte[.]com\r\nmegolan.egnyte[.]com\r\nbgu.egnyte[.]com\r\nfbcsoft.egnyte[.]com\r\ncnsmportal.egnyte[.]com\r\nalkan.egnyte[.]com\r\ngetter.egnyte[.]com\r\nksa1.egnyte[.]com\r\nfilecloud.egnyte[.]com\r\nnour.egnyte[.]com\r\nairpazfly.egnyte[.]com\r\ncairoairport.egnyte[.]com\r\nsilbermintz1.egnyte[.]com\r\nsmartcloudcompany[.]com\r\nonlinemailerservices[.]com\r\nsmtpcloudapp[.]com\r\nsoftwarehosts[.]com\r\nairpaz.egnyte[.]com\r\nairpazflys.egnyte[.]com\r\nfileuploadcloud.egnyte[.]com\r\ndownloadfile.egnyte[.]com\r\nURLs:\r\nhttps://shorturl[.]at/NCxJk\r\nhttps://shorturl[.]at/bYqUx\r\nhttps://ws.onehub[.]com/files/bbmiio1c\r\nhttps://ws.onehub[.]com/files/zgov9aqy\r\nIP addresses:\r\nC\u0026C:\r\n146.19.143[.]14\r\n91.235.234[.]202\r\n85.239.61[.]97\r\nOther:\r\n95.164.32[.]69\r\n5.252.23[.]52\r\n194.4.50[.]133\r\n193.109.120[.]59\r\nIP addresses used for sending 
emails:\r\n89.221.225[.]81\r\n45.150.108[.]198\r\n200.200.200[.]248\r\n169.150.227[.]230\r\n169.150.227[.]205\r\n185.248.85[.]20\r\n141.98.252[.]143\r\n31.171.154[.]54\r\n146.70.172[.]227\r\n198.54.131[.]36\r\nHashes:\r\nBugSleep:\r\n73c677dd3b264e7eb80e26e78ac9df1dba30915b5ce3b1bc1c83db52b9c6b30e\r\n960d4c9e79e751be6cad470e4f8e1d3a2b11f76f47597df8619ae41c96ba5809\r\nb8703744744555ad841f922995cef5dbca11da22565195d05529f5f9095fbfca\r\n94278fa01900fdbfb58d2e373895c045c69c01915edc5349cd6f3e5b7130c472\r\n5df724c220aed7b4878a2a557502a5cefee736406e25ca48ca11a70608f3a1c0\r\nRMM MSI:\r\n39da7cc7c627ea4c46f75bcec79e5669236e6b43657dcad099e1b9214527670e\r\nc23f17b92b13464a570f737a86c0960d5106868aaa5eac2f2bac573c3314eb0f\r\nfb58c54a6d0ed24e85b213f0c487f8df05e421d7b07bd2bece3a925a855be93a\r\n7e6b04e17ae273700cef4dc08349af949dbd4d3418159d607529ae31285e18f7\r\nff2ae62ba88e7068fa142bbe67d7b9398e8ae737a43cf36ace1fcf809776c909\r\ne2810cca5d4b74e0fe04591743e67da483a053a8b06f3ef4a41bdabee9c48cf7\r\n90f94d98386c179a1b98a1f082b0c7487b22403d8d5eb3db6828725d14392ded\r\n20aaeac4dbea89b50d011e9becdf51afc1a1a1f254a5f494b80c108fd3c7f61a\r\n55af6a90ac8863f27b3fcaa416a0f1e4ff02fb42aa46a7274c6b76aa000aacc2\r\nf925d929602c9bae0a879bb54b08f5f387d908d4766506c880c5d29986320cf9\r\nArchives:\r\n424a9c85f97aa1aece9480bd658266c366a60ff1d62c31b87ddc15a1913c10e4\r\nc80c8dd7be3ccf18e327355b880afb5a24d5a0596939458fb13319e05c4d43e9\r\nc88453178f5f6aaab0cab2e126b0db27b25a5cfe6905914cc430f6f100b7675c\r\n31591fcf677a2da2834d2cc99a00ab500918b53900318f6b19ea708eba2b38ab\r\na0968e820bbc5e099efd55143028b1997fd728d923c19af03a1ccec34ce73d9b\r\n88788208316a6cf4025dbabbef703f51d77d475dc735bf826b8d4a13bbd6a3ee\r\nhttps://research.checkpoint.com/2024/new-bugsleep-backdoor-deployed-in-recent-muddywater-campaigns/\r\nPage 9 of 
10\n\n4064e4bb9a4254948047858301f2b75e276a878321b0cc02710e1738b42548ca\r\ne7896ccb82ae35e1ee5949b187839faab0b51221d510b25882bbe711e57c16d2\r\n1c0947258ddb608c879333c941f0738a7f279bc14630f2c8877b82b8046acf91\r\n8fbd374d4659efdc5b5a57ff4168236aeaab6dae4af6b92d99ac28e05f04e5c1\r\n7e14ca8cb7980e85aff4038f489442eace33530fd02e2b9c382a4b6907601bee\r\n02060a9ea0d0709e478e2fba6e9b71c1b7315356acc4f64e40802185c4f42f1c\r\n53b4a4359757e7f4e83929fba459677e76340cbec7e2e1588bbf70a4df7b0e97\r\n0ab2b0a2c46d14593fe900e7c9ce5370c9cfbf6927c8adb5812c797a25b7f955\r\nSource: https://research.checkpoint.com/2024/new-bugsleep-backdoor-deployed-in-recent-muddywater-campaigns/\r\nhttps://research.checkpoint.com/2024/new-bugsleep-backdoor-deployed-in-recent-muddywater-campaigns/\r\nPage 10 of 10",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2024/new-bugsleep-backdoor-deployed-in-recent-muddywater-campaigns/"
	],
	"report_names": [
		"new-bugsleep-backdoor-deployed-in-recent-muddywater-campaigns"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-18T02:00:05.113415Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-18T02:00:04.720411Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-18T02:00:03.377188Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"Static Kitten",
				"G0069",
				"Mango Sandstorm",
				"Earth Vetala",
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"ATK51",
				"Boggy Serpens",
				"TA450"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-18T02:00:04.592706Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-18T02:00:05.1446Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1776219757,
	"ts_updated_at": 1776478876,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/08829d09f17839b9295f5612c9be6043f0308058.pdf",
		"text": "https://archive.orkl.eu/08829d09f17839b9295f5612c9be6043f0308058.txt",
		"img": "https://archive.orkl.eu/08829d09f17839b9295f5612c9be6043f0308058.jpg"
	}
}