{
	"id": "51c876c9-81d6-449c-bacd-0d450c9106f3",
	"created_at": "2026-04-06T00:13:03.870429Z",
	"updated_at": "2026-04-10T03:34:22.814688Z",
	"deleted_at": null,
	"sha1_hash": "28f75864f3af4e6ceda243cce1fc9ae2357a38fe",
	"title": "Iranian Hackers Targeting Turkey and Arabian Peninsula in New Malware Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 239055,
	"plain_text": "Iranian Hackers Targeting Turkey and Arabian Peninsula in New\r\nMalware Campaign\r\nBy The Hacker News\r\nPublished: 2022-03-10 · Archived: 2026-04-02 11:17:19 UTC\r\nThe Iranian state-sponsored threat actor known as MuddyWater has been attributed to a new swarm of attacks\r\ntargeting Turkey and the Arabian Peninsula with the goal of deploying remote access trojans (RATs) on\r\ncompromised systems.\r\n\"The MuddyWater supergroup is highly motivated and can use unauthorized access to conduct espionage,\r\nintellectual property theft, and deploy ransomware and destructive malware in an enterprise,\" Cisco Talos\r\nresearchers Asheer Malhotra, Vitor Ventura, and Arnaud Zobec said in a report published today.\r\nThe group, which has been active since at least 2017, is known for its attacks on various sectors that help further\r\nadvance Iran's geopolitical and national security objectives. In January 2022, the U.S. Cyber Command attributed\r\nthe actor to the country's Ministry of Intelligence and Security (MOIS).\r\nMuddyWater is also believed to be a \"conglomerate of multiple teams operating independently rather than a single\r\nthreat actor group,\" the cybersecurity firm added, making it an umbrella actor in the vein of Winnti, a China-based\r\nhttps://thehackernews.com/2022/03/iranian-hackers-targeting-turkey-and.html\r\nPage 1 of 3\n\nadvanced persistent threat (APT).\r\nThe latest campaigns undertaken by the hacking crew involve the use of malware-laced documents delivered via\r\nphishing messages to deploy a remote access trojan called SloughRAT (aka Canopy by CISA) capable of\r\nexecuting arbitrary code and commands received from its command-and-control (C2) servers.\r\nThe maldoc, an Excel file containing a malicious macro, triggers the infection chain to drop two Windows Script\r\nFiles (.WSF) on the endpoint, the first one of them acting as the instrumentor to invoke and execute the next-stage\r\npayload.\r\nAlso discovered are two additional script-based implants, one written in Visual Basic and the other coded in\r\nJavaScript, both of which are engineered to download and run malicious commands on the compromised host.\r\nFurthermore, the latest set of intrusions marks a continuation of a November 2021 campaign that struck Turkish\r\nprivate organizations and governmental institutions with PowerShell-based backdoors to gather information from\r\nits victims, even as it exhibits overlaps with another campaign that took place in March 2021.\r\nThe commonalities in tactics and techniques adopted by the operators have raised the possibility that these attacks\r\nare \"distinct, yet related, clusters of activity,\" with the campaigns leveraging a \"broader TTP-sharing paradigm,\r\ntypical of coordinated operational teams,\" the researchers noted.\r\nIn a second partial attack sequence observed by Cisco Talos between December 2021 and January 2022, the\r\nadversary set up scheduled tasks to retrieve VBS-based malicious downloaders, which enable the execution of\r\npayloads retrieved from a remote server. The results of the command are subsequently exfiltrated back to the C2\r\nserver.\r\n\"While they share certain techniques, these campaigns also denote individuality in the way they were conducted,\r\nindicating the existence of multiple sub-teams beneath the Muddywater umbrella — all sharing a pool of tactics\r\nand tools to pick and choose from,\" the researchers concluded.\r\nSource: https://thehackernews.com/2022/03/iranian-hackers-targeting-turkey-and.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://thehackernews.com/2022/03/iranian-hackers-targeting-turkey-and.html"
	],
	"report_names": [
		"iranian-hackers-targeting-turkey-and.html"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens",
				"ENT-11",
				"Earth Vetala",
				"ITG17",
				"MERCURY",
				"Mango Sandstorm",
				"MuddyWater",
				"STAC 1171",
				"Seedworm",
				"Static Kitten",
				"TA450",
				"TEMP.Zagros",
				"UNC3313",
				"Yellow Nix"
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434383,
	"ts_updated_at": 1775792062,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/28f75864f3af4e6ceda243cce1fc9ae2357a38fe.pdf",
		"text": "https://archive.orkl.eu/28f75864f3af4e6ceda243cce1fc9ae2357a38fe.txt",
		"img": "https://archive.orkl.eu/28f75864f3af4e6ceda243cce1fc9ae2357a38fe.jpg"
	}
}