{
	"id": "ac492bf9-ac0e-4738-81a9-300fe4e9784e",
	"created_at": "2026-04-06T00:10:44.920004Z",
	"updated_at": "2026-04-10T03:34:22.88151Z",
	"deleted_at": null,
	"sha1_hash": "4e81801f659176008194e670b44055c9df448779",
	"title": "New PowerShell-based Backdoor, MuddyWater Similarities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 81406,
	"plain_text": "New PowerShell-based Backdoor, MuddyWater Similarities\r\nBy: Jaromir Horejsi, Daniel Lunghi. Nov 30, 2018. Read time: 5 min (1282 words)\r\nPublished: 2018-11-30 · Archived: 2026-04-05 15:51:10 UTC\r\nMuddyWater is a well-known threat actor group that has been active since 2017. They target groups across the Middle East and Central Asia, primarily using spear phishing emails with malicious attachments. Most recently they were connected to a campaign in March that targeted organizations in Turkey, Pakistan, and Tajikistan.\r\nThe group has been quite visible since the initial 2017 Malwarebytes report on their elaborate espionage attack against the Saudi Arabian government. After that first report, they were extensively analyzed by other security companies. Through all that, we’ve only seen minor changes to the tools, techniques and procedures (TTPs) they have used.\r\nHowever, we recently observed a few interesting delivery documents similar to the known MuddyWater TTPs. These documents are named Raport.doc or Gizli Raport.doc (the titles mean “Report” or “Secret Report” in Turkish) and maliyeraporti (Gizli Bilgisi).doc (“finance (Confidential Information)” in Turkish); all of them were uploaded to VirusTotal from Turkey. Our analysis revealed that they drop a new backdoor, which is written in PowerShell like MuddyWater’s known POWERSTATS backdoor. But unlike previous incidents using POWERSTATS, the command and control (C\u0026C) communication and data exfiltration in this case are done through the API of a cloud file hosting provider.\r\nThe screenshots below show the malicious attachments, which are disguised to look real, similar to any typical phishing document. The images show blurry logos that we’ve identified as belonging to various Turkish government organizations; the logos add to the disguise and lure users into believing the documents are legitimate. Then the document notifies users that it is an “old version” and prompts them to enable macros to display the document properly. If the targeted victims enable macros, the malicious process continues.\r\nFigure 1. Fake Office document tries to get the user to enable malicious macros. The blurred document contains logos of different Turkish government entities\r\nFigure 2. A similar fake Office document has blurred logos for a Turkish government institution related to taxes\r\nThe macros contain strings encoded in base52, which is rarely used by threat actors other than MuddyWater. The group is known to use it to encode their PowerShell backdoor.\r\nAfter macros are enabled, a .dll file (with PowerShell code embedded) and a .reg file are dropped into the %temp% directory. The macro then runs the following command:\r\n\"C:\\Windows\\System32\\cmd.exe\" /k %windir%\\System32\\reg.exe IMPORT %temp%\\B.reg\r\nImporting this registry file adds the following command to the Run registry key:\r\nrundll32 %Temp%\\png.dll,RunPow\r\nFigure 3. Run registry key\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/new-powershell-based-backdoor-found-in-turkey-strikingly-similar-to-muddywater-tools/\r\nPage 1 of 4\r\nWe assume that RunPow stands for “run PowerShell,” and that it triggers the PowerShell code embedded inside the .dll file. The PowerShell code has several layers of obfuscation. The first layer contains a long base64-encoded and encrypted code block with variables named using English curse words.\r\nFigure 4. Encrypted PowerShell code\r\nThe other layers are simple obfuscated PowerShell scripts, but the last layer is the main backdoor body. This backdoor has some features similar to a previously discovered version of the MuddyWater backdoor.\r\nFirstly, this backdoor collects system information and concatenates the various pieces of information into one long string. The data retrieved includes the OS name, domain name, user name, IP address, and more. It uses the separator \"::\" between each piece of information.\r\nFigure 5. String of system information collected from the victim’s system\r\nThe previous MuddyWater version collected similar information but used a different separator:\r\nFigure 6. String of system information collected from the victim’s system, from an older MuddyWater backdoor sample\r\nAs mentioned above, another difference between this and older MuddyWater backdoors is that C\u0026C communication is done by dropping files to the cloud provider. When we analyzed further, we saw that the communication methods use files named \u003cmd5(hard disk serial number)\u003e with various extensions depending on the purpose of the file:\r\n.cmd - text file with a command to execute\r\n.reg - system info as generated by the myinfo() function, see the screenshot above\r\n.prc - output of the executed .cmd file, stored on the local machine only\r\n.res - output of the executed .cmd file, stored on cloud storage\r\nFigure 7. Example of .cmd file content\r\nFigure 8. Example of .reg file content\r\nFigure 9. Example of .res file content\r\nIn both the older version of the MuddyWater backdoor and this recent backdoor, these files are used as an asynchronous mechanism instead of connecting directly to the machine and issuing a command. The malware operator leaves a command to execute in a .cmd file, and comes back later to retrieve the .res file containing the result of the issued command. However, in the older MuddyWater backdoor the file content was encoded differently, and the files were temporarily stored on compromised websites. The more recent backdoor uses a legitimate cloud storage service provider instead.\r\nThe .res file can be decoded by replacing “00” with an empty string, then converting from hex to ASCII, then reversing the string. The figure below is the decoded .res file from Figure 9.\r\nFigure 10. Decoded .res file\r\nThe backdoor supports the following commands:\r\n$upload - upload a file to the file hosting service\r\n$dispos - remove persistence\r\n$halt - exit\r\n$download - download a file from the hosting service\r\nNo prefix - execute the command via Invoke-Expression (IEX), a PowerShell cmdlet that runs commands or expressions on the local computer\r\nBased on our analysis, we can confirm that the targets were Turkish government organizations related to the finance and energy sectors. This is yet another similarity with previous MuddyWater campaigns, which were known to have targeted multiple Turkish government entities. If the group is responsible for this new backdoor, it shows how they are improving and experimenting with new tools.\r\nSolutions and Recommendations\r\nThe main delivery method of this type of backdoor is spear phishing emails or spam that use social engineering to manipulate targets into enabling malicious documents. It is important that employers and employees across all organizations and enterprises be able to identify phishing attacks and distinguish legitimate emails from malicious ones. Awareness of these threats and the tactics they use is an effective first step.\r\nTelltale signs of social engineering include “too-good-to-be-true” offers and messages that lack context. In general, users should always practice caution when it comes to email. This includes avoiding clicking on links or downloading any documents unless certain that they are legitimate.\r\nApart from knowledge and awareness of phishing and social engineering, it is also important to be prepared with effective and layered security solutions. Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to today’s stealthy malware and targeted attacks in real time. It provides a comprehensive defense tailored to protect organizations against targeted attacks and advanced threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect threats even without any engine or pattern update.\r\nTrend Micro™ Email Security is a no-maintenance cloud solution that delivers continuously updated protection to stop spam, malware, spear phishing, ransomware, and advanced targeted attacks before they reach the network. Trend Micro™ Email Inspector and InterScan™ Web Security prevent malware from ever reaching end users. At the endpoint level, Trend Micro™ Smart Protection Suites deliver several capabilities that minimize the impact of these attacks.\r\nThese solutions are powered by Trend Micro XGen™ security, which provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. It features high-fidelity machine learning to secure the gateway and endpoint data and applications, and protects physical, virtual, and cloud workloads.\r\nIndicators of Compromise\r\nSHA256 | Type | Detection Name\r\n41ee0ab77b474b0c84a1c25591029533f058e4454d9f83ba30159cc6309c65d1 | Delivery documents | W2KM_POWRUN.A\r\n43080479eb1b00ba80c34272c5595e6ebdc6b0ffabcdc2c40ea2af49fcc43db4 | Dropped DLL file | Backdoor.Win32.POWRUN.AA\r\n4f509354d8b3152a40c64ce61f7594d592c1256ad6c0829760b8dbdcb10579a2 | Weaponized document | BACKDOOR.WIN32.POWRUN.A\r\n685e91bc4e98c38bda7c8e57d5d40a11e7cf48bb43859bb799813f0146a14fcf | Dropped DLL file | BKDR_POWRUN.B\r\n888a6f205ac9fc40d4898d8068b56b32f9692cb75f0dd813f96a7bd8426f8652 | Dropped DLL file | Trojan.W97M.POWRUN.AA\r\n0acd10b14d38a4ac469819dfa9070106e7289ecf7360e248b7f10f868c2f373d | Dropped DLL file | BKDR_POWRUN.A\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/new-powershell-based-backdoor-found-in-turkey-strikingly-similar-to-muddywater-tools/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/new-powershell-based-backdoor-found-in-turkey-strikingly-similar-to-muddywater-tools/"
	],
	"report_names": [
		"new-powershell-based-backdoor-found-in-turkey-strikingly-similar-to-muddywater-tools"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens",
				"ENT-11",
				"Earth Vetala",
				"ITG17",
				"MERCURY",
				"Mango Sandstorm",
				"MuddyWater",
				"STAC 1171",
				"Seedworm",
				"Static Kitten",
				"TA450",
				"TEMP.Zagros",
				"UNC3313",
				"Yellow Nix"
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434244,
	"ts_updated_at": 1775792062,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4e81801f659176008194e670b44055c9df448779.pdf",
		"text": "https://archive.orkl.eu/4e81801f659176008194e670b44055c9df448779.txt",
		"img": "https://archive.orkl.eu/4e81801f659176008194e670b44055c9df448779.jpg"
	}
}