{
	"id": "81cd2171-aabc-4801-aa86-6cc0b6355497",
	"created_at": "2026-04-06T00:08:15.993883Z",
	"updated_at": "2026-04-10T03:34:22.517008Z",
	"deleted_at": null,
	"sha1_hash": "6cb7ac5730c33ab58bf85a9f4aa2dea9ca6f4515",
	"title": "MuddyWater replaces Atera by custom MuddyRot implant in a recent campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 890314,
	"plain_text": "MuddyWater replaces Atera by custom MuddyRot implant in a recent campaign\r\nBy Sekoia TDR\r\nPublished: 2024-07-15 · Archived: 2026-04-05 18:18:28 UTC\r\nThis report was originally published for our customers on 20 June 2024.\r\nToday, the Check Point Research (CPR) team published a report on the same implant, providing details of recent MuddyWater campaigns.\r\nTable of contents\r\nIntroduction\r\nTechnical analysis\r\nRecent infection chain\r\nMuddyRot analysis\r\nPersistence\r\nC2 communication of the “MuddyRot” malware\r\nReverse Shell\r\nConclusion\r\nMuddyWater IOCs\r\nIntroduction\r\nOn June 9 2024, ClearSky tweeted about a new campaign associated with the MuddyWater intrusion set, employed by the Iranian intelligence service MOIS (Ministry of Intelligence) against Western and Middle Eastern entities. According to the source, MuddyWater is suspected of targeting Turkey, Azerbaijan, Jordan, Saudi Arabia, and Israel, although the full list of targeted countries has not been confirmed during our investigation.\r\nBy examining the posted hashes and relevant infrastructure, we found that compared to previous campaigns, this time MuddyWater changed their infection chain and did not rely on the legitimate Atera remote monitoring and management tool (RMM) as a validator. Instead, we observed that they used a new and undocumented implant. Sekoia TDR analysts dubbed this tool “MuddyRot”.\r\nThis report aims to compare past and current infection chains associated with MuddyWater and present a technical analysis of the “MuddyRot” malware, a new validator in the intrusion set’s arsenal.\r\nTechnical analysis\r\nRecent infection chain\r\nhttps://blog.sekoia.io/muddywater-replaces-atera-by-custom-muddyrot-implant-in-a-recent-campaign/\r\nPage 1 of 7\n\nThe MuddyWater intrusion set is known to rely primarily on two intrusion vectors when targeting Windows environments. 
They use public exploits to compromise internet-exposed servers, such as Exchange or SharePoint servers, and then move laterally within the network. Additionally, they send spear phishing emails from previously compromised email accounts to bypass security measures and increase the emails’ legitimacy in the recipient’s eyes.\r\nOn April 22 2024, our fellows at HarfangLab published a blogpost on recent MuddyWater infection chains leading to the installation of SimpleHelp (2023) and Atera (2023-2024). These infection chains involved an email (or possibly an instant message) sent from a compromised account. The email included a link to an online storage service hosting a malicious ZIP archive, which contained the remote monitoring and management software.\r\nIn the recently observed campaigns, MuddyWater seems to have changed this infection chain by embedding the links in PDF files instead of emails. The one-page PDF used resembles MuddyWater’s recent emails—straightforward, without any images, and with decoys related to online courses or webinars on facing cyber threats, as shown below. By clicking the embedded links, the user is redirected to a webpage hosted on the Egnyte service to download a ZIP archive containing the MuddyRot validator.\r\nFigure 1. Malicious PDF used by MuddyWater\r\nMuddyRot analysis\r\nThe MuddyRot malware is an x64 implant developed in C with several capabilities, such as a reverse shell, persistence, and the possibility for the operators to download and upload files from/to the compromised workstation. Upon execution, the malware carries out a series of standard tasks, such as deobfuscating strings, dynamically resolving the API functions it needs, and creating a mutex.\r\nAll relevant strings, such as the malware configuration, file paths, and imported methods, are obfuscated through a simple method: each character of any relevant string has its decimal value subtracted by an integer. 
Several integers, such as 3, 4, 5, or 6, are used for obfuscation.\r\nFigure 2. Obfuscation used by MuddyWater’s MuddyRot implant\r\nThe created mutex is named DocumentUpdater, which is checked upon execution. If it already exists, the malware stops its execution.\r\nMoreover, to reduce its detection, the malware uses the popular and widespread technique of dynamic import loading, using the pair LoadLibrary / GetProcAddress to load methods from various DLLs. To do so, the malware uses the PE header structures to access the InMemoryOrderModuleList, a doubly linked list containing the loaded modules with the structure _LDR_DATA_TABLE_ENTRY. This structure provides information about the DLLs, including their names and addresses, that the malware uses to determine which DLLs to load afterwards. The malware then employs GetProcAddress to retrieve addresses of functions from Kernel32.dll, Advapi32.dll, Ole32.dll, and Ws2_32.dll.\r\nPersistence\r\nAt the very beginning of the malware execution, MuddyRot copies itself into the c:\\programdata\\softwarememory directory with the name documentsmanagerreporter.exe. The malware establishes persistence on the infected host by creating a scheduled task named DocumentsManagerReporter.\r\nTo avoid detection by security solutions that monitor the at and schtasks.exe commands, the malware uses the CoCreateInstance method with the object identifier (CLSID) 0F87369F-A4E5-4CFC-BD3E-73E6154572DD, which corresponds to the Scheduled Task class object. The task is set to run daily at the time of the initial infection plus 1 minute.\r\nFigure 3. 
MuddyRot decompiled function in charge of copying itself\r\nC2 communication of the “MuddyRot” malware\r\nThe malware communicates over a raw TCP socket on port 443, and the data are obfuscated using the same obfuscation as the one used for the strings, where the subtraction value is fixed to… “3”.\r\nFigure 4. Method used for configuration deobfuscation\r\nThe first message to be sent to the C2 is the victim host fingerprint, which is the combination of the hostname and the username joined by a slash. The data is obfuscated using the same technique as the one leveraged for the strings. Finally, the packet is structured as follows:\r\nThe first 4 bytes are the size of the fingerprint;\r\nThe next bytes are the obfuscated fingerprint.\r\nIf the implant receives “-1” in response, the program stops; otherwise the malware enters an infinite loop awaiting new orders from the C2. Here are the commands supported by the implant:\r\nCommand ID Description\r\n0x1 Upload file (filename: exit)\r\n0x2 Download file (filename: exit)\r\n0x3 Reverse shell\r\n0x4 Update socket optval\r\n0x5 Kill process\r\n0x8 Delete Task\r\n0x9 Check if task exists\r\n0xA Create scheduled task\r\n0x60 Update sleep interval\r\n0x61 Change socket optval\r\n0x62 PingBack C2 with the same message\r\nThere is a file in the working directory named “exit” that is used as a buffer to upload files to the C2 or download files from the C2. However, this file does not seem to be used elsewhere in the code. Therefore, it is likely that the operators handle this file through their reverse shell, renaming it and copying data into it for exfiltration, which is not very handy.\r\nReverse Shell\r\nThe MuddyRot operator can connect to the victim host using the malware’s reverse shell capability. 
To trigger the functionality, the bot must receive the order ID “2”.\r\nThis technique involves creating anonymous pipes to handle the standard input, output, and/or error streams. These pipes are specified in the STARTUPINFO structure, ensuring that the input and output of the spawned command shell (cmd) are redirected through the pipes. By configuring the hStdInput, hStdOutput, and hStdError members of the STARTUPINFO structure to use the pipe handles, the reverse shell can seamlessly transmit commands to and receive outputs from the remote shell. This method enhances the stealth and functionality of the reverse shell, allowing an attacker to execute commands remotely while capturing the results in real time.\r\nFigure 5. Decompiled method that configures the reverse shell on the infected host\r\nThe content of the reverse shell communication (received input: command to execute, and shell output) is obfuscated. To decode the incoming input, the malware uses the same deobfuscation as the rest of the C2 communication (N.B.: subtract 3 from each byte), and for the output it adds three to each byte. The developer of this backdoor added the “terminate” command to stop the reverse shell.\r\nConclusion\r\nThis is not the first time that we have seen MuddyWater using its own implant as a victim validator. While previously these first-stage backdoors, such as Powerstats, were mostly written in PowerShell, in recent years MuddyWater has shifted to using Remote Monitoring and Management (RMM) tools such as Atera, Tactical RMM or SimpleHelp. This is possibly due to the extended functionalities these off-the-shelf tools offer compared to simple PowerShell-based reverse shells.\r\nWe don’t yet know why MuddyWater operators have reverted to using a homemade implant for their first infection stage in at least one campaign. 
It is likely that the increased monitoring of RMM tools by security vendors, following their rise in abuse by malicious threat actors, has influenced this change. Perhaps one of its targets blocked Atera execution on its own network, so MuddyWater operators had to switch to something more custom.\r\nThe use of specific and homemade implants allows defenders to track MuddyWater activities more effectively. Consequently, we are providing Indicators of Compromise (IOCs) and YARA rules for MuddyRot.\r\nThank you for reading this blog post. Please don’t hesitate to provide your feedback on our publications. You can also contact us at tdr[at]sekoia.io for further discussions.\r\nMuddyWater IOCs\r\nMuddyRot related samples\r\n94278fa01900fdbfb58d2e373895c045c69c01915edc5349cd6f3e5b7130c472\r\nb8703744744555ad841f922995cef5dbca11da22565195d05529f5f9095fbfca\r\n73c677dd3b264e7eb80e26e78ac9df1dba30915b5ce3b1bc1c83db52b9c6b30e\r\n960d4c9e79e751be6cad470e4f8e1d3a2b11f76f47597df8619ae41c96ba5809\r\nInfrastructure\r\n91.235.234[.]202\r\n146.19.143[.]14 (down)\r\nYARA rules\r\nThe YARA rules are available on the Sekoia.io GitHub repository.\r\nThank you for reading this blogpost. We welcome any reaction, feedback or criticism about this analysis. Please contact us on tdr[at]sekoia.io.\r\nTDR is the Sekoia Threat Detection \u0026 Research team. Created in 2020, TDR provides exclusive Threat Intelligence, including fresh and contextualised IOCs and threat reports for the Sekoia SOC Platform. TDR is also responsible for producing detection materials through a built-in Sigma, Sigma Correlation and Anomaly rules catalogue. 
TDR is a team of multidisciplinary and passionate cybersecurity experts, including security researchers, detection engineers, reverse engineers, and technical and strategic threat intelligence analysts. Threat Intelligence analysts and researchers are looking at state-sponsored \u0026 cybercrime threats from a strategic to a technical perspective to track, hunt and detect adversaries. Detection engineers focus on creating and maintaining high-quality detection rules to detect the TTPs most widely exploited by adversaries. TDR experts regularly share their analysis and discoveries with the community through our research blog, GitHub repository or X / Twitter account. You may also come across some of our analysts and experts at international conferences (such as BotConf, Virus Bulletin, CoRIIN and many others), where they present the results of their research work and investigations.\r\nSource: https://blog.sekoia.io/muddywater-replaces-atera-by-custom-muddyrot-implant-in-a-recent-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.sekoia.io/muddywater-replaces-atera-by-custom-muddyrot-implant-in-a-recent-campaign/"
	],
	"report_names": [
		"muddywater-replaces-atera-by-custom-muddyrot-implant-in-a-recent-campaign"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434095,
	"ts_updated_at": 1775792062,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6cb7ac5730c33ab58bf85a9f4aa2dea9ca6f4515.pdf",
		"text": "https://archive.orkl.eu/6cb7ac5730c33ab58bf85a9f4aa2dea9ca6f4515.txt",
		"img": "https://archive.orkl.eu/6cb7ac5730c33ab58bf85a9f4aa2dea9ca6f4515.jpg"
	}
}