{
	"id": "13f3cf9d-a5f7-4f70-91a0-860c271967a2",
	"created_at": "2026-04-06T00:17:53.580977Z",
	"updated_at": "2026-04-10T03:34:22.601665Z",
	"deleted_at": null,
	"sha1_hash": "4e197fb87d964e5ed3091e1cefce34e3fa289edd",
	"title": "MuddyWater’s “light” first-stager targeting Middle East",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 803677,
	"plain_text": "MuddyWater’s “light” first-stager targeting Middle East\r\nPublished: 2022-06-21 · Archived: 2026-04-05 23:33:20 UTC\r\nSince the last quarter of 2020 MuddyWater has maintained a “long-term” infection campaign targeting Middle\r\nEast countries. We have gathered samples from November 2020 to January 2022, and due to the recent samples\r\nfound, it seems that this campaign might still be currently active. The latest campaigns of the Muddy Water threat\r\ngroup, allegedly sponsored by the Iranian government and linked to the Iranian revolutionary guard (the main\r\narmed forces of the Iranian government), could be framed within the dynamics of maintaining Iran’s regional\r\nsovereignty.\r\nThis infection campaign always starts with a compressed file wrapping a malicious Word document containing\r\nVBA macros.\r\nMalicious document sample\r\nWhile our oldest sample looks a little more sophisticated based on the content of the document, which seems more\r\nspecifically crafted for Arabic speakers as shown in the previous image, the rest of them contain generic English\r\nmessage to enable macros.\r\nhttps://lab52.io/blog/muddywaters-light-first-stager-targetting-middle-east/\r\nPage 1 of 7\n\nMalicious document sample\r\nMalicious document sample\r\nAlthough it has not been possible to clearly identify their specific target, it has been observed that these campaigns\r\nhave been directed against countries such as Pakistan, Kazahstan, Armenia, Syria, Israel, Bahrain, Turkey, South\r\nAfrica, Sudan, etc. 
Many of these countries may be of interest to the alleged Iranian threat actor: some have been involved in recent internal conflicts, some are involved in nuclear energy development, and some may serve as strategic footholds for extending Iranian interests and influence to other parts of the world.\r\nThe macros are very concise and their only purpose is to write a lightly obfuscated VBS script to a file in C:\\ProgramData or the Windows Startup folder, with names such as Temp_[3-5 random chars].txt (the indicators at the end of this post also show .vbs extensions and one longer suffix, Temp_UFNCR335.vbs, so the exact length should not be relied on when hunting).\r\nMalicious VBA macro code\r\nThe dropped script is a small RAT that executes commands received from the C2 server via cmd. It first calls a recon function that runs whoami and combines the result with a country code hard-coded in the script; the resulting string becomes part of the URI used for the C2 contact. The country codes found in the gathered samples are the following and may reveal the target of each campaign:\r\nPK –\u003e Pakistan\r\nAR –\u003e Argentina\r\nAM –\u003e Armenia\r\nSY –\u003e Syria\r\nIL –\u003e Israel\r\nBH –\u003e Bahrain\r\nTR –\u003e Turkey\r\nSA –\u003e Saudi Arabia\r\nSD –\u003e Sudan\r\nKK –\u003e Kazakhstan\r\nThese are the actor’s own labels rather than ISO 3166 codes (ISO assigns KZ to Kazakhstan), so the expansions of the less obvious ones are an interpretation.\r\nCode snippet from dropped VB Script (Deobfuscated)\r\nCode snippet from dropped VB Script (Obfuscated)\r\nAfter building the recon string, the script executes its main function. This function first launches explorer.exe (with no apparent functional reason), then calls a function that picks one IP address from a hard-coded array and rotates to the next entry if the chosen address does not answer the subsequent C2 request. 
This connection to the C2 server is an HTTP GET request with the following structure:\r\nhttp://{ IP_address }/getCommand?guid={ recon_string }\r\nHTTP GET communication from VBS sample\r\nAs mentioned above, if the reply is empty the script rotates to the next IP address and tries again. Otherwise it deobfuscates the reply and passes it to a function that executes it through a WScript.Shell object calling cmd:\r\nAs also seen in the deobfuscated snippet, the command output is redirected to a .txt file, which is read back immediately and returned to the calling function so that the result can be sent to the C2 server. This second contact uses the HTTP POST method, with a slightly different URI structure and the command output in the request body:\r\nhttp://{ IP_address }/getTargetInfo?guid={ recon_string }\u0026status={ flag_value }\r\nHTTP POST communication from VBS sample\r\nInterestingly, the value we have named “flag_value” is sent as the status parameter of the POST request. In the script it is a variable initialized to 0 in every collected sample and always set to 1 before the received command is executed and its output posted. Other than that, the script never modifies or uses it, except for one check in the function we renamed “whoami_wrap”, which performs the initial host recon at the beginning of the script. 
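The drop locations and file naming described earlier and the two-request C2 exchange above (a GET to /getCommand, then a POST to /getTargetInfo carrying the output) are concrete enough to hunt for in endpoint and proxy telemetry. The following Python script is an added example for this page, not code from the Lab52 post or from the malware itself. It assumes a constructed proxy log format (timestamp, internal host, method, destination IP, URI, HTTP status) and uses invented host names and guid values, since the post does not show the exact recon-string format; the destination addresses in the sample lines are the (refanged) indicators listed at the end of the post.

```python
import re
from collections import OrderedDict
from pathlib import PureWindowsPath

# Dropped-script naming from the post: Temp_ plus a short random suffix and a
# .txt or .vbs extension, written to C:\ProgramData or a Startup folder.
# The suffix length is left open: the post says 3-5 characters, but its own
# indicator list includes Temp_UFNCR335.vbs.
DROP_NAME = re.compile(r'^Temp_[A-Za-z0-9]+[.](txt|vbs)$')
STARTUP_SUFFIX = '/start menu/programs/startup'

# The two URI shapes the VBS uses (from the post): GET to fetch a command,
# POST to return its output. Only path and query are matched, so the
# rotating C2 addresses do not matter here.
BEACON_URI = re.compile(r'^/getCommand[?]guid=(?P<guid>[^&]+)$')
RESULT_URI = re.compile(r'^/getTargetInfo[?]guid=(?P<guid>[^&]+)&status=(?P<status>[0-9]+)$')


def is_dropper_artifact(path):
    """True if a Windows path matches both the drop directory and the naming scheme."""
    p = PureWindowsPath(path)
    parent = p.parent.as_posix().lower()
    in_drop_dir = parent == 'c:/programdata' or parent.endswith(STARTUP_SUFFIX)
    return in_drop_dir and DROP_NAME.match(p.name) is not None


def parse_c2_request(line):
    """Parse one proxy log line in the constructed format
    'timestamp host method dst_ip uri http_status'.
    Returns a dict for beacon/result requests, None for anything else."""
    parts = line.split()
    if len(parts) != 6:
        return None
    _ts, host, method, dst, uri, _code = parts
    if method == 'GET':
        m = BEACON_URI.match(uri)
        if m:
            return {'kind': 'beacon', 'host': host, 'dst': dst, 'guid': m['guid']}
    elif method == 'POST':
        m = RESULT_URI.match(uri)
        if m:
            return {'kind': 'result', 'host': host, 'dst': dst,
                    'guid': m['guid'], 'status': int(m['status'])}
    return None


def hunt(log_lines):
    """Group C2-shaped requests per internal host: which C2 addresses it
    contacted, in order (more than one means the IP rotation kicked in),
    how many commands it fetched and how many outputs it posted (status=1)."""
    per_host = OrderedDict()
    for line in log_lines:
        ev = parse_c2_request(line)
        if ev is None:
            continue
        h = per_host.setdefault(ev['host'], {'guids': set(), 'c2_ips': [],
                                             'beacons': 0, 'results': 0})
        h['guids'].add(ev['guid'])
        if ev['dst'] not in h['c2_ips']:
            h['c2_ips'].append(ev['dst'])
        if ev['kind'] == 'beacon':
            h['beacons'] += 1
        elif ev['status'] == 1:
            h['results'] += 1
    return per_host


# Constructed sample telemetry, not real logs. Destination IPs are the
# indicators from the post; host names and guid values are invented.
SAMPLE_PROXY_LOG = [
    '2021-03-02T09:14:05Z ws-042 GET 185.117.73.52 /getCommand?guid=PK-whoami-out 200',
    '2021-03-02T09:14:09Z ws-042 GET 107.174.68.60 /getCommand?guid=PK-whoami-out 200',
    '2021-03-02T09:14:12Z ws-042 POST 107.174.68.60 /getTargetInfo?guid=PK-whoami-out&status=1 200',
    '2021-03-02T09:15:00Z ws-017 GET 93.184.216.34 /index.html 200',
    '2021-03-02T09:16:30Z ws-099 GET 192.227.147.152 /getCommand?guid=TR-whoami-out 200',
]

SAMPLE_PATHS = [
    r'C:\ProgramData\Temp_K40.vbs',
    r'C:\ProgramData\Temp_UFNCR335.vbs',
    r'C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Temp_WZW4.txt',
    r'C:\Windows\Temp\Temp_FU4.txt',
    r'C:\ProgramData\Temp_K40.exe',
]

if __name__ == '__main__':
    for path in SAMPLE_PATHS:
        print('%-5s %s' % (is_dropper_artifact(path), path))
    for host, info in hunt(SAMPLE_PROXY_LOG).items():
        print(host, sorted(info['guids']), info['c2_ips'],
              'beacons=%d results=%d' % (info['beacons'], info['results']))
```

Two beacons from one host to two different addresses followed by a status=1 POST is exactly the rotate-then-report sequence the script produces; a host that only beacons (ws-099 in the sample) has fetched a command but not yet posted output and still deserves a second look, since an empty C2 reply leaves the implant waiting rather than dead.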
The whoami_wrap check compares the flag with the value 126 and, if they are equal, displays the following message box.\r\nMalicious VBS “alternative functionality”\r\nThe only option implemented in every analyzed sample is #1, which uses WMI to display the following information about the infected system:\r\nCode snippet for the “alternative functionality”\r\nThat such a small script with incomplete functionality has been used for almost two years across different campaigns suggests that the attackers modify its functionality at a later stage, based on the information obtained from the infected host, or at least use it to download and drop the next infection stage.\r\n——————————————————————————————————————-\r\nIndicators of compromise\r\n2020\r\nورشة عمل تدریبیة.zip\r\n4e8a2b592ed90ed13eb604ea2c29bfb3fbc771c799b3615ac84267b85dd26d1c\r\negojt7.vbs\r\nae6dba7da3c8b2787b274c660e0b522ce8ebda89b1864d8a2ac2c9bb2bd4afa6\r\n185.117.73[.]52\r\n2021\r\nfbd2a9f400740610febd5a1ae7448536dd95f37b85dfd2ca746e11a51086bd4b\r\nTemp_UFNCR335.vbs\r\n2245fc9d9aea07b0ffdac792d4851ceed851a3bf1d528384e94306e59e3abd16\r\n84d523833db6cc74a079b12312da775d4281bf1034b2af0203c9d14c098e6f29\r\nTemp_WNJJ6.vbs\r\ncab75e26febd111dd5483666c215bb6b56059f806f83384f864c51ceddd0b1cf\r\nمشروع.zip\r\nfaa6258d7bd355329a9ad69e15b2857d24f9ac11a9782d1a215149938460ac4b\r\nمشروع.doc\r\n2f2492b7bb55f7a12f7530c9973c9b81fdd5e24001e4a21528ff1d5b47e3446e\r\nTemp_K40.vbs\r\ned4b523a0eecc5de172a97eb8acb357bc1f4807efec761ec2764f20ef028cc63\r\nprojectvpn.doc\r\nea24c5a8b976919d4c8c4779dc0b7ef887373f126c4732edf9023b827b4e4dc4\r\nTemp_WZW4.txt\r\n1d133cc388415592e2e2246e6fb1903690068577fc82e2ae682ba0a661cea0dd\r\n107.174.68[.]60\r\n192.227.147[.]152\r\n2022\r\nyeni yönerge.doc\r\ndba90bd5fdf0321a28f21fccb3a77ee1ed5d73e863e4520ce8eb8fca670189c3\r\nTemp_FU4.txt\r\n0b4d660335b55d96ddf4c76664341ed52519639161a0a0a1aa0ae82951feba01\r\nCustomers of Lab52’s private APT intelligence feed service already have additional tools and detection means for this campaign.\r\nCustomers of the threat hunting service or of S2Grupo CERT already have this intelligence applied.\r\nIf you need more information about Lab52’s private APT intelligence feed service, you can contact us through the following link.\r\nSource: https://lab52.io/blog/muddywaters-light-first-stager-targetting-middle-east/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://lab52.io/blog/muddywaters-light-first-stager-targetting-middle-east/"
	],
	"report_names": [
		"muddywaters-light-first-stager-targetting-middle-east"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434673,
	"ts_updated_at": 1775792062,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4e197fb87d964e5ed3091e1cefce34e3fa289edd.pdf",
		"text": "https://archive.orkl.eu/4e197fb87d964e5ed3091e1cefce34e3fa289edd.txt",
		"img": "https://archive.orkl.eu/4e197fb87d964e5ed3091e1cefce34e3fa289edd.jpg"
	}
}