{
	"id": "f991e745-9d4a-4d11-9c53-264d574b02a1",
	"created_at": "2026-04-06T00:10:20.782141Z",
	"updated_at": "2026-04-10T03:34:22.885818Z",
	"deleted_at": null,
	"sha1_hash": "2eadb32aa2640db33aab1230057689ab132ba286",
	"title": "Potential MuddyWater Campaign Seen in the Middle East",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 109426,
	"plain_text": "Potential MuddyWater Campaign Seen in the Middle East\r\nBy By: Jaromir Horejsi Mar 12, 2018 Read time: 7 min (1785 words)\r\nPublished: 2018-03-12 · Archived: 2026-04-05 18:03:51 UTC\r\nWe discovered a new campaign targeting organizations in Turkey, Pakistan and Tajikistan that has some\r\nsimilarities with an earlier campaign named MuddyWater, which hit various industries in several countries,\r\nprimarily in the Middle East and Central Asia. Third party security researchers named the MuddyWater campaign\r\nas such because of the difficulties in attributing the attacks. However, given the nature of the targets, as well as the\r\ngathering and uploading of information to C\u0026C servers, it appears that the attackers are mainly concerned with\r\nespionage activities — with the Saudi Arabia’s National Cyber Security Center (NCSC) publishing an alert on\r\ntheir website regarding the attacks.\r\nGiven the number of similarities, we can assume that there is a connection between these new attacks and the\r\nMuddyWater campaign. It also signifies that the attackers are not merely interested in a one-off campaign, but will\r\nlikely continue to perform cyberespionage activities against the targeted countries and industries.\r\nComparing the earlier MuddyWater campaign with this new one reveals some distinct similiarities:\r\n  2017 MuddyWater Campaign 2018 “MuddyWater” Campaign\r\nCountries of\r\nTargeted\r\nOrganizations\r\nGeorgia, India, Iraq, Israel, Pakistan,\r\nSaudi Arabia Turkey United Arab\r\nEmirates, and the USA\r\nTurkey, Pakistan, Tajikistan\r\nDecoy\r\nDocuments\r\nThe documents try to mimic government\r\norganizations, including the Iraqi\r\nNational Intelligence Service, the\r\nNational Security Agency, and the\r\nMinistry of Interior of Saudi Arabia  \r\nThe documents try to mimic government\r\norganizations such as the Ministry of\r\nInternal Affairs of the Republic of\r\nTajikistan. 
Some documents also come\r\nwith government emblems.\r\nDropped Files Visual Basic file and Powershell file; the VBS file executes the PS file  \r\nProxies Hundreds of hacked websites are used as proxies.  \r\n In addition to the common characteristics seen above, the campaigns also use similar obfuscation processes, as\r\nare the internal variables after deobfuscation. A list of isDebugEnv is also present in both campaigns.\r\nInfection Chain\r\nintel\r\nFigure 1. Infection chain for the attack\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/\r\nPage 1 of 7\n\nOur research found malicious delivery documents (Detected by Trend Micro as JS_VALYRIA.DOCT and\r\nW2KM_VALYRIA.DOCT) containing text and file names in the Tajik language attempting to target individuals\r\nworking for government organizations and telecommunication companies in Tajikistan. Each document uses\r\nsocial engineering to trick potential victims into clicking it to enable the macros and activate the payload. While\r\nsome of the payloads we observed were embedded inside the document itself, some of the payloads were also\r\ndownloaded from the internet after the lure was clicked.There is a separate lure with a program key generator\r\nwritten in Java that was bundled with a Java downloader. However, the actual payload is the same.\r\nSome examples of the lure documents used in the campaign can be seen below:\r\nintel\r\nFigure 2. A sample document used in the campaign. Note that it uses the Tajikistan emblem, signifying that this is\r\nlikely used to target government organizations or make it seem that it came from one\r\nintel\r\nFigure 3. 
A second lure document that we found being used in the campaign, designed to look like a document sent\r\nto telecommunication companies regarding dissatisfaction with their service; it also asks them to fill out a form,\r\nwhich can be seen in the table at the bottom\r\nFigure 4. Another example of a header allegedly from the Ministry of Internal Affairs of Tajikistan\r\nAfter the macros are enabled and the payload executes, two files, an obfuscated Visual Basic script (detected by\r\nTrend Micro as VBS_VALYRIA.DOCT) and an obfuscated PowerShell script (detected by Trend Micro as\r\nTROJ_VALYRIA.PS), are created in randomly named directories under the ProgramData directory. The\r\npurpose of the VBS script is to execute the PowerShell script. The path to the VBS script is added to the task\r\nscheduler as a form of persistence.\r\nFigure 5. The installed backdoor and persistence script\r\nIn other campaigns, two files are also dropped. One of them is the VBS script; the second file, however, is a\r\nbase64-encoded text file, which, after decoding, results in the PowerShell file, as in the previous campaign. This is one\r\nsimple layer of obfuscation, likely to avoid some antivirus detections.\r\nThe latest change drops three files: an .sct scriptlet file, an .inf file, and a base64-encoded data file. The scriptlet\r\nfile and .inf file use publicly available code for bypassing AppLocker. Code examples are also available on GitHub.\r\nThe PowerShell script, which employs several layers of obfuscation, is divided into three parts. Part one contains\r\nglobal variables such as paths, encryption keys, and a list of a few hundred gates, or hacked websites, which serve as\r\nproxies:\r\nFigure 6. 
The configuration portion of the PowerShell script\r\nThe second part contains functions related to the encryption, which is a standard RSA encryption with very small\r\nkeys.\r\nThe third part contains the backdoor function. This function will first collect machine information and take\r\nscreenshots before it sends this data to a command-and-control (C\u0026C) server while waiting for commands. The\r\ncommands include the following actions: clean, reboot, shutdown, screenshot, and upload.\r\nThe clean command attempts to recursively delete all the items from drives C, D, E, and F.\r\nFigure 7. The clean command wipes drives C, D, E and F\r\nC\u0026C Communication\r\nThe communication is done via XML messages with the following supported ACTION commands:\r\nREGISTER\r\nIMAGE\r\nCOMMAND RESULT\r\nUPLOAD\r\nThe backdoor first finds out the machine IP address by querying the internet service api[.]ipify[.]org, which\r\nreturns the IP address of the currently infected machine. This IP address is then fed to another internet service\r\ncalled apinotes[.]com, which returns the location information of the given IP address.\r\nThe backdoor then collects the system information about the infected machine such as the operating system\r\nname, architecture, domain, network adapter configuration, and username. It then separates each piece of\r\ninformation with **, and sends this system info as part of the REGISTER message:\r\nFigure 8. The register message before encryption\r\nA simple RSA algorithm with very small keys encrypts the message seen above. Let’s take the first character as an\r\nexample. Character “{” = 0x7B = 123. Variable ${prIVATE} = 959, 713 from part 1 of the PowerShell script\r\nhas two values; the first number is the key and the second number is the modulus. By computing (123 ^ 959) mod\r\n713 = 340 we get the encrypted value of the first character (see number 340 in the figure below). 
The message\r\nabove gets encrypted as shown in figure 9 below, then its contents are sent via POST request to one of many hacked\r\ngates.\r\nFigure 9. The register message after encryption\r\nThe response to this message is another set of decimal numbers which can be decrypted by the public key, which\r\nis stored in the variable ${pUbLIC} = 37, 437 in part 1 of the PowerShell script.\r\nFigure 10. The encrypted response to the register message\r\nThe message above can be decrypted to:\r\n{\"STATUS\": \"OK\", \"TOKEN\": \"d02153ffaf8137b1fa3bb852a27a12f8\"}\r\nThe XML message containing the screenshot can be seen below. Note the previously obtained SYSID, which serves\r\nas a machine identifier; ACTION:\"IMAGE\" tells us that a base64-encoded image follows in the IMAGE\r\nfield.\r\nFigure 11. The XML message with the screenshot\r\nIt seems that the attackers are actively monitoring the incoming connections to the C\u0026C. In one of our attempts,\r\nwe sent an improper request to the C\u0026C server, which replied with the following message: “Stop!!! I Kill You\r\nResearcher.” This level of personalized messaging implies that the attackers are monitoring what data is going to\r\nand from their C\u0026C server.\r\nFigure 12. When the threat actor discovers the researcher via an improper request\r\nAnother hidden message or a false flag?\r\nFor the PowerShell script, the first part contains a variable named dragon_middle, which is an array containing a\r\nfew hundred URLs ending with connection.php that serve as proxies between victim and C\u0026C. 
If communication\r\nwith C\u0026C fails, and if the PowerShell script is run from a command line, a few error messages written in\r\nsimplified Mandarin Chinese are displayed, with a curious phrase that translates to \"waiting for dragon\":\r\n无法访问本地计算机寄存器 (Unable to access local computer register)\r\n任务计划程序访问被拒绝 (Mission Scheduler access is denied)\r\n无法连接到网址，请等待龙 (Cannot connect to URL, please wait for dragon)\r\n无法连接到网址，请等待龙 (Cannot connect to website, please wait for dragon)\r\nThese messages may not reveal anything about the real attackers as the malware writers sometimes like to embed\r\nfalse flags into their programs to confuse researchers. The syntax and grammar suggest that the language could\r\nhave been machine-translated rather than written by a native speaker.\r\nCountermeasures and Trend Micro Solutions\r\nUsers unfamiliar with the various kinds of social engineering techniques might find it difficult to distinguish a\r\nlegitimate message from a malicious one, thus the need for education on identifying and mitigating phishing\r\nattacks, especially if it involves organizations in sensitive industries such as\r\ngovernment and manufacturing. Context, in this case, is important. Users need to consider why they received an\r\nemail and avoid clicking on any links or attachments in general until they are certain that they are legitimate.\r\nTrend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to today’s\r\nstealthy malware and targeted attacks in real time. 
It provides a comprehensive defense tailored to protect\r\norganizations against targeted attacks and advanced threats through specialized engines, custom sandboxing,\r\nand seamless correlation across the entire attack lifecycle, allowing it to detect threats even without any\r\nengine or pattern update.\r\nMalware such as the one analyzed in this entry also uses email as an entry point, which is why it's important to\r\nsecure the email gateway. Trend Micro™ Email Security is a no-maintenance cloud solution that delivers\r\ncontinuously updated protection to stop spam, malware, spear phishing, ransomware, and advanced targeted\r\nattacks before they reach the network. Trend Micro™ Deep Discovery™ Inspector and InterScan™ Web\r\nSecurity prevent malware from ever reaching end users. At the endpoint level, Trend Micro™ Smart\r\nProtection Suites deliver several capabilities that minimize the impact of these attacks.\r\nThese solutions are powered by Trend Micro XGen™ security, which provides a cross-generational blend of\r\nthreat defense techniques against a full range of threats for data centers, cloud environments, networks,\r\nand endpoints. 
It features high-fidelity machine learning to secure the gateway and endpoint data and applications,\r\nand protects physical, virtual, and cloud workloads.\r\nIndicators of Compromise (IOCs)\r\nHashes detected as W2KM_VALYRIA.DOCT:\r\nHash detected as VBS_VALYRIA.DOCT:\r\nHash detected as TROJ_VALYRIA.PS:\r\nHash detected as JS_VALYRIA.DOCT:\r\nScriptlets and inf files related to applocker bypass:\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/"
	],
	"report_names": [
		"campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434220,
	"ts_updated_at": 1775792062,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2eadb32aa2640db33aab1230057689ab132ba286.pdf",
		"text": "https://archive.orkl.eu/2eadb32aa2640db33aab1230057689ab132ba286.txt",
		"img": "https://archive.orkl.eu/2eadb32aa2640db33aab1230057689ab132ba286.jpg"
	}
}