{
	"id": "b0460ab5-ed34-430a-8850-9a45a4765d9b",
	"created_at": "2026-04-06T00:19:52.064974Z",
	"updated_at": "2026-04-10T03:34:22.528181Z",
	"deleted_at": null,
	"sha1_hash": "3a909979d633cccfbd5a6eccff9ea4b52b2fc9f8",
	"title": "MuddyC2Go – Latest C2 Framework Used by Iranian APT MuddyWater Spotted in Israel | Deep Instinct Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 269811,
	"plain_text": "MuddyC2Go – Latest C2 Framework Used by Iranian APT\r\nMuddyWater Spotted in Israel | Deep Instinct Blog\r\nBy Simon KeninThreat Intelligence ResearcherDeep Instinct Threat Lab\r\nPublished: 2023-11-08 · Archived: 2026-04-05 19:11:06 UTC\r\nThe contents of this blog post were originally scheduled to be presented during an upcoming cybersecurity\r\nconference. However, interest in this topic has heightened due to the war in Israel and a suspected ongoing attack\r\nagainst Israeli targets. As such, we have decided to publish the relevant findings from the presentation now.\r\nExecutive Summary:\r\nDeep Instinct’s Threat Research team has identified a previously unreported C2 framework suspected to be\r\nin use by MuddyWater\r\nThe C2 framework may have been in use by the MuddyWater group since at least 2020\r\nThe framework’s web component is written in the Go programming language – hence the name we gave it:\r\nMuddyC2Go\r\nMuddyWater seems to have stopped using PhonyC2 and is now using MuddyC2Go instead\r\nBackground\r\nIn June 2023, we published a report about PhonyC2, a custom C2 framework used by the MuddyWater APT\r\ngroup.\r\nWhile analyzing previous PhonyC2 infrastructure, Deep Instinct uncovered anomalies that indicated MuddyWater\r\nmight be using an additional C2 framework.\r\nAt that time, we lacked sufficient evidence to support this claim. However, after we published our PhonyC2\r\nresearch, we observed two IP addresses previously related to MuddyWater, one of those addresses which was\r\nhosting PhonyC2 had switched to a different C2 framework delivering a PowerShell payload.\r\nThis behavior heightened suspicions of a new C2 framework. 
However, without seeing and observing the initial\r\npayload, those IP addresses could have been internal tests by MuddyWater before fully deploying the C2.\r\nRecently, Deep Instinct observed similar C2 activity on a different cluster of IP addresses that has not been\r\nassociated previously with MuddyWater.\r\nThis new activity’s initial payload confirmed our assessment that this activity is related to MuddyWater.\r\nCurrent MuddyWater Activity Using MuddyC2Go\r\nPrevious research has shown typical MuddyWater TTPs include spear-phishing emails containing archives or links\r\nto archives that include various legitimate remote administration tools.\r\nhttps://www.deepinstinct.com/blog/muddyc2go-latest-c2-framework-used-by-iranian-apt-muddywater-spotted-in-israel\r\nPage 1 of 9\n\nIf the receiving target opens the file inside the archive, it installs a remote administration tool that allows the\r\nattacker to execute additional tools and malware, including MuddyWater’s PhonyC2.\r\nDeep Instinct observed the following changes in recent activity:\r\nThe archives are now password protected. This is done to evade email security solutions that scan files\r\ninside archives without a password.\r\nInstead of using a remote administration tool where an operator executes a PowerShell script to connect to\r\nMuddyWater’s C2, a new executable is now being sent. This executable contains an embedded PowerShell\r\nscript that automatically connects to MuddyWater’s C2, eliminating the need for manual execution by the\r\noperator.\r\nLet’s examine several examples of this new C2 framework.\r\nJuly 2023 – Attack Against Jordanian Company\r\nDeep Instinct identified a file named “offtec.exe” which is an executable. Offtec is also the name of a Jordanian\r\ncompany.\r\nWhen executed, it runs a PowerShell script which connects to a MuddyC2Go server located at the IP address\r\n45.150.64[.]239.\r\nThe executable was built using PowerGUI from Quest Software. 
This tool allows the user to generate an\r\nexecutable that runs an embedded PowerShell script that is provided by the user.\r\nFigure 1: PowerGUI logo\r\nAfter communicating with the C2, the communication is switched to dynamic DNS using the address\r\n“microsoftfice.ddns[.]net”\r\nhttps://www.deepinstinct.com/blog/muddyc2go-latest-c2-framework-used-by-iranian-apt-muddywater-spotted-in-israel\r\nPage 2 of 9\n\nThe response from the C2 is again a PowerShell script that runs every 10 seconds and waits for commands from\r\nthe operator using the C2:\r\nFigure 2: Part of the PowerShell code sent from the C2\r\nSeptember 2023 – Attacks Against an Iraqi Telecommunications Provider\r\nIn September, Deep Instinct identified additional variants of executables created with PowerGUI. The executables\r\nhave been spread via password-protected RAR archives.\r\nThe archives were uploaded from Iraq and their file name included the word “Korek.”\r\nhttps://www.deepinstinct.com/blog/muddyc2go-latest-c2-framework-used-by-iranian-apt-muddywater-spotted-in-israel\r\nPage 3 of 9\n\nFigure 3: KorekPro file on VT\r\nKorek is an Iraqi-Kurdish mobile phone operator. MuddyWater targeted Korek in 2019.\r\nIn this attack, the C2 IP addresses and dynamic DNS were different: ghostrider.serveirc[.]com\r\nOctober 2023 – “Swords of Iron” War\r\nWhile Iranian involvement in the war is still being investigated, on October 11, the fourth day of the war, Deep\r\nInstinct identified a scan of the MuddyC2Go URL from Israel in VirusTotal.\r\nBecause the URL is unique and responded with PowerShell, it likely indicates there was a recent attack against an\r\nIsraeli target by MuddyWater. 
This is also supported by our recent discovery of another active campaign from\r\nMuddyWater against Israeli targets.\r\nDeep Instinct could not identify an associated PowerGUI executable for this attack, although there could have\r\nbeen a different initial access vector to the attack that didn’t rely on social engineering.\r\nThe C2 IP address that was used this time is 94.131.109[.]65.\r\nAttribution\r\nWhile investigating the PhonyC2 framework (written in Python) and its infrastructure, Deep Instinct identified\r\nservers responding with a generic “web.go” header. This header suggests MuddyWater is using a web application\r\nwritten in the Go programming language.\r\nIn 2022, Mandiant reported that MuddyWater wrote malware using Go, showing they are capable of using this\r\nlanguage. However, the malware is “client-side,” whereas the C2 framework is “server-side.” As such, they are\r\nlikely unrelated.\r\nDeep Instinct was able to find traces of a Go-based C2 framework used by MuddyWater dating back to the\r\nbeginning of 2020.\r\nhttps://www.deepinstinct.com/blog/muddyc2go-latest-c2-framework-used-by-iranian-apt-muddywater-spotted-in-israel\r\nPage 4 of 9\n\nDeep Instinct identified 162.223.89[.]11 as the first IP address publicly attributed to MuddyWater using\r\nMuddyC2Go.\r\nBoth SecureWorks and Talos reported a malicious Excel file\r\n(63e404011aeabb964ce63f467be29d678d0576bddb72124d491ab5565e1044cf) in January and February. When\r\nthis file is opened, the malicious execution chain eventually leads to the C2 server 162.223.89[.]11.\r\nIn May 2020, this IP address was observed using MuddyC2Go.\r\nThe IP address 109.201.140[.]103 has not been previously associated with MuddyWater. However, multiple scans\r\nfrom January, including one from Egypt, which aligns with MuddyWater’s interests and timeframe of above\r\nreports, contains unique URLs that are used by MuddyC2Go. Additionally, there is scan for a file named ssf.zip on\r\nthis IP. 
Secure Sockets Funneling (SSF) was mentioned in the SecureWorks report as a tool used by MuddyWater.\r\nSSF is a tool that has been reported by multiple security vendors to be part of MuddyWater’s arsenal.\r\nIn February 2022, CISA published indicators that signal MuddyWater activity, including the IP address\r\n164.132.237[.]65.\r\nIn March 2022, this address was observed to be a MuddyC2Go server. It was previously associated with\r\nPowGoop.\r\nIn April 2022, the IP address 141.95.177[.]130 was observed hosting MuddyC2Go. Additionally, the passive DNS\r\nof this IP resolved to jbf1.nc1310022a[.]biz, a pattern that was already observed with PhonyC2 servers. A year\r\nlater, in April 2023, Group-IB associated this IP address to MuddyWater via a specific ETag header that was used\r\nin numerous MuddyWater servers.\r\nIn the same report, Group-IB identified an LNK file from October 2022 that was communicating with the IP\r\naddress 91.121.240[.]108. The responses from this IP indicate that it was MuddyC2Go. In addition, the LNK file\r\nwas inside an archive named “request-for-service-no10102022.zip” The naming convention is very similar to the\r\nnaming convention MuddyWater used in their Syncro campaign.\r\nBoth Group-IB and Deep Instinct have linked the IP address 137.74.131[.]18 to MuddyWater. Deep Instinct\r\ninitially observed PhonyC2 at this address, and after our publication, MuddyWater switched to MuddyC2Go on\r\nthis IP address. Additionally, the IP address 137.74.131[.]20—which was previously reported by Group-IB —also\r\nstarted to host MuddyC2Go.\r\nConclusion\r\nDue to the leak of PhonyC2 source code, MuddyWater stopped using the framework and switched to using a Go-based C2 framework. Since the actual source code of the new framework is not available, the full capabilities are\r\nunknown. 
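
Even without the framework’s source code, the network behaviour described in this post is detectable. The following Python snippet is an added example for this page (it is not Deep Instinct’s code and not part of the MuddyC2Go framework). It shows two checks a defender can build from the post: matching the defanged network indicators from the IOC section against proxy log lines (refanging the ‘[.]’ notation first, and matching on the URL host as well as the destination IP, since the dynamic DNS names re-resolve), and flagging source hosts that contact a single destination at a near-constant interval, the pattern produced by the 10-second polling loop of the PowerShell stage described above. The log format, the internal client addresses, the documentation-range addresses standing in for resolved destinations and the URL paths are all constructed for the example; the framework’s real URL pattern is not published here.

```python
# Added example (not code from Deep Instinct or from the MuddyC2Go
# framework): match this post's defanged network IOCs against log lines
# and flag source hosts whose contact pattern looks like the fixed
# ~10-second polling loop of the PowerShell stage described in the post.
from collections import defaultdict
from datetime import datetime

# A subset of the indicators from the IOC section of this post, kept in
# the defanged form in which they were published.
MUDDYC2GO_IOCS = {
    '45.150.64[.]239': 'MuddyC2Go (2023) - offtec.exe C2',
    'microsoftfice.ddns[.]net': 'MuddyC2Go (2023) - dynamic DNS after first contact',
    '95.164.46[.]35': 'MuddyC2Go (2023) - KorekFile C2',
    'ghostrider.serveirc[.]com': 'MuddyC2Go (2023) - dynamic DNS',
    '94.131.109[.]65': 'MuddyC2Go (2023) - Stark Industries',
    '137.74.131[.]18': 'MuddyC2Go (2023) - formerly PhonyC2',
}

def refang(indicator):
    # Undo the '[.]' and 'hxxp' defanging conventions so that indicators
    # compare against what actually appears in logs.
    return indicator.replace('[.]', '.').replace('hxxp', 'http')

IOC_TABLE = {refang(k): v for k, v in MUDDYC2GO_IOCS.items()}

# Constructed log lines (assumed format, not a real capture):
# '<ISO timestamp> <src ip> <dst ip> <method> <url>'. 10.0.0.0/8 hosts
# are internal clients; 198.51.100.0/24 and 203.0.113.0/24 are
# documentation ranges standing in for resolved destinations. The URL
# paths are placeholders, not the framework's real URL pattern.
SAMPLE_LOG = [
    '2023-10-11T09:00:00 10.0.0.7 45.150.64.239 GET http://45.150.64.239/',
    '2023-10-11T09:00:10 10.0.0.7 45.150.64.239 GET http://45.150.64.239/',
    '2023-10-11T09:00:21 10.0.0.7 45.150.64.239 GET http://45.150.64.239/',
    '2023-10-11T09:00:30 10.0.0.7 45.150.64.239 GET http://45.150.64.239/',
    '2023-10-11T09:00:40 10.0.0.7 45.150.64.239 GET http://45.150.64.239/',
    '2023-10-11T09:01:05 10.0.0.7 198.51.100.20 GET http://microsoftfice.ddns.net/',
    '2023-10-11T09:02:00 10.0.0.9 203.0.113.5 GET http://www.example.com/',
    '2023-10-11T09:03:00 10.0.0.9 203.0.113.5 GET http://www.example.com/',
]

def parse_line(line):
    ts, src, dst, _method, url = line.split(' ', 4)
    return datetime.fromisoformat(ts), src, dst, url

def host_of(url):
    # Strip scheme and path; the host is what a dynamic DNS indicator hits.
    return url.split('//', 1)[-1].split('/', 1)[0]

def match_iocs(lines):
    # Return (timestamp, src, dst, description) for every line whose
    # destination IP or URL host is a known indicator. Matching on the
    # host matters because the DDNS names re-resolve to new addresses.
    hits = []
    for line in lines:
        ts, src, dst, url = parse_line(line)
        for key in (dst, host_of(url)):
            if key in IOC_TABLE:
                hits.append((ts, src, dst, IOC_TABLE[key]))
                break
    return hits

def beaconing_sources(lines, period=10, tolerance=2, min_events=4):
    # Return (src, dst, mean gap in seconds) for source/destination pairs
    # contacted at a near-constant interval, independent of any IOC list.
    # Real traffic adds jitter, so the tolerance is a tuning knob.
    times = defaultdict(list)
    for line in lines:
        ts, src, dst, _url = parse_line(line)
        times[(src, dst)].append(ts)
    flagged = []
    for (src, dst), stamps in times.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= min_events and all(abs(g - period) <= tolerance for g in gaps):
            flagged.append((src, dst, round(sum(gaps) / len(gaps), 1)))
    return flagged

if __name__ == '__main__':
    for hit in match_iocs(SAMPLE_LOG):
        print('IOC hit', *hit)
    for src, dst, gap in beaconing_sources(SAMPLE_LOG):
        print('beacon-like', src, '->', dst, 'every', gap, 's')
```

Run as a script it prints six indicator hits (five to 45.150.64.239 and one on the microsoftfice.ddns.net host) and one beacon-like pair. The interval check is deliberately kept independent of the indicator list, because the dynamic DNS names and the Stark Industries addresses can be rotated far more easily than the implant’s polling cadence. Proxy timestamps usually have one-second resolution and real traffic carries jitter, so tune the tolerance and minimum event count against your own baseline before turning the interval check into an alert.
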
Even so, based on past leaks and associated known activity, MuddyC2Go is another framework that generates PowerShell payloads that MuddyWater uses in the “Actions on Objectives” phase of the “Cyber Kill Chain.” PowerShell has always been the bread and butter of MuddyWater operations.\r\nWe recommend disabling PowerShell if it is not needed. If it is required, we recommend close monitoring of PowerShell activity.\r\nWhile it is not trivial to fingerprint the MuddyC2Go framework, as it looks like any other generic web application written in Go, Deep Instinct managed to identify previous attacks dating back to 2020 due to unique URL patterns generated by the framework.\r\nAll currently known active MuddyC2Go servers identified by Deep Instinct are hosted at “Stark Industries,” a VPS provider known to host malicious activity. Deep Instinct also identified additional suspected MuddyC2Go servers hosted at Stark Industries that have not yet shown malicious activity or the known URL pattern.\r\nAdditional IOCs and information regarding Iranian Threat Actors can be found in our Git.\r\nIOCs:\r\nNetwork\r\nIP Address Description\r\n91.121.61[.]76 MuddyC2Go (2020)\r\n109.201.140[.]103 MuddyC2Go (2020)\r\n162.223.89[.]11 MuddyC2Go (2020)\r\n164.132.237[.]65 MuddyC2Go (2022)\r\n141.95.177[.]130 MuddyC2Go (2022) – (jbf1.nc1310022a[.]biz)\r\n91.121.240[.]108 MuddyC2Go (2022)\r\n137.74.131[.]18 MuddyC2Go (2023) – (qjk2.6nc051221c[.]co)\r\n137.74.131[.]20 MuddyC2Go (2023)\r\n45.150.64[.]239 MuddyC2Go (2023) – (microsoftfice.ddns[.]net)\r\n95.164.46[.]35 MuddyC2Go (2023) – (ghostrider.serveirc[.]com)\r\n45.67.230[.]91 MuddyC2Go (2023) – (Stark Industries)\r\n94.131.109[.]65 MuddyC2Go (2023) – (Stark Industries)\r\n95.164.46[.]199 MuddyC2Go (2023) – (Stark Industries)\r\n185.248.144[.]158 Suspected MuddyC2Go (2023) – (Stark Industries) – (mbcaction.hopto[.]org)\r\n94.131.98[.]14 Suspected MuddyC2Go (2023) – (Stark Industries)\r\n45.150.64[.]23 Suspected MuddyC2Go (2023) – (Stark Industries)\r\n45.150.64[.]39 Suspected MuddyC2Go (2023) – (Stark Industries)\r\n95.164.38[.]99 Suspected MuddyC2Go (2023) – (Stark Industries)\r\nFile\r\nMD5 Description\r\n34212eb9e2af84eceb6a8234d28751b6 PowerShell response from 137.74.131[.]18\r\n3c6486dfb691fc6642f1d35bdf247b90 PowerShell response from 137.74.131[.]18\r\n55b99af81610eb65aabea796130a0462 PowerShell response from 137.74.131[.]18\r\nd7ca8f3b5e21ed56abf32ac7cb158a7e PowerShell response from 137.74.131[.]18\r\nd3a2dee3bb8fcd8e8a0d404e7d1e6efb PowerShell response from 137.74.131[.]20\r\n4a70b1e4cb57c99502d89cdbbed48343 PowerShell response from 137.74.131[.]20\r\nf08aa714fd59b68924843cbfddac4b15 PowerShell response from 137.74.131[.]20\r\ndb0e68d7d81f5c21e6e458445fd6e34b offtec.exe (C2: 45.150.64[.]239)\r\ndbcc0e9c1c6c1fff790caa0b2ffc2fe5 PowerShell script embedded in offtec.exe\r\ne07adc4ee768126dc7c7339f4cb00120 PowerShell response from 45.150.64[.]239\r\nfeede05ba166a3c8668fe580a3399d8f Performance.rar – Password protected archive\r\n9894b84916f9264d897fe3b4a83bc608 KorekFile.rar – Password protected archive\r\n9957250940377b39e405114f0a2fe84b Performance/KorekFile.exe (C2: 95.164.46[.]35)\r\n245c3ed373727c21ad9ee862b767e362 PowerShell script embedded in Performance/KorekFile\r\n22971759adf816c6fb43104c0e1d89d6 PowerShell response from 95.164.46[.]35\r\n5e0cc23a6406930a40696594021edb5f KorekPro.rar – Password protected archive\r\n79a638b2f2cc82bfe137f1d12534cda5 d.exe (C2: 95.164.46[.]35)\r\nfc523904ca6e191eb2fdb254a6225577 PowerShell script embedded in d.exe\r\nb867ec1cef6b1618a21853fb8cafd6e1 PowerShell response from 45.67.230[.]91\r\n57641ce5af4482038c9ea27afcc087ee PowerShell response from 94.131.109[.]65\r\nfe5f94e5df19d95df26aaf774daad9df PowerShell response from 95.164.46[.]199\r\nSource: https://www.deepinstinct.com/blog/muddyc2go-latest-c2-framework-used-by-iranian-apt-muddywater-spotted-in-israel",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.deepinstinct.com/blog/muddyc2go-latest-c2-framework-used-by-iranian-apt-muddywater-spotted-in-israel"
	],
	"report_names": [
		"muddyc2go-latest-c2-framework-used-by-iranian-apt-muddywater-spotted-in-israel"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434792,
	"ts_updated_at": 1775792062,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3a909979d633cccfbd5a6eccff9ea4b52b2fc9f8.pdf",
		"text": "https://archive.orkl.eu/3a909979d633cccfbd5a6eccff9ea4b52b2fc9f8.txt",
		"img": "https://archive.orkl.eu/3a909979d633cccfbd5a6eccff9ea4b52b2fc9f8.jpg"
	}
}