{
	"id": "031bdda1-02fe-4835-863a-09a73672086e",
	"created_at": "2026-04-06T00:12:43.049062Z",
	"updated_at": "2026-04-10T13:11:51.757102Z",
	"deleted_at": null,
	"sha1_hash": "8ccce1d35f758f89e74c0c8142cb7fc33f955b37",
	"title": "MuddyWater eN-Able spear-phishing with new TTPs | Deep Instinct Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 506550,
	"plain_text": "MuddyWater eN-Able spear-phishing with new TTPs | Deep\r\nInstinct Blog\r\nPublished: 2023-11-01 · Archived: 2026-04-05 20:40:29 UTC\r\nExecutive summary:\r\nDeep Instinct’s Threat Research team has identified a new campaign from the “MuddyWater” group\r\nThe campaign has been observed attacking two Israeli targets\r\nThe campaign exhibits updated TTPs to previously reported MuddyWater activity\r\nFigure 1: Campaign overview\r\nIntroduction\r\nPrevious research showed that MuddyWater has sent spear-phishing emails, starting back in 2020, with direct\r\nlinks, as well as PDF, RTF, and HTML attachments containing links to archives hosted on various file-sharing\r\nplatforms.\r\nThose archives contained installers for various legitimate remote administration tools.\r\nBefore launching the new campaign during the Israel-Hamas war, MuddyWater reused previously known remote\r\nadministration tools, utilizing a new file-sharing service called “Storyblok.”\r\nhttps://www.deepinstinct.com/blog/muddywater-en-able-spear-phishing-with-new-ttps\r\nPage 1 of 6\n\nOn October 30th Deep Instinct identified two archives hosted on “Storyblok” containing a new multi-stage\r\ninfection vector. 
It contains hidden files, an LNK file that initiates the infection, and an executable file designed to\r\nunhide a decoy document while executing Advanced Monitoring Agent, a remote administration tool.\r\nThis is the first public report about MuddyWater utilizing this remote administration tool.\r\nThe Multi-stage Social Engineering Campaign\r\nWhile Deep Instinct could not verify the spreading mechanism of the new campaign, it most likely starts with a\r\nspear-phishing email, similar to previous campaigns.\r\nThe content of the email lures the victim into downloading an archive hosted at “a.storyblok[.]com”\r\nIn this analysis, we examine the “defense-video.zip” file.\r\nWhen the archive is extracted, several folders must be navigated until a LNK shortcut, which looks like another\r\nfolder named “Attachments,” is found:\r\nFigure 2: LNK Shortcut\r\nHowever, there are additional hidden folders and files extracted from the archive:\r\nFigure 3: Hidden folders\r\nWhen the victim opens the LNK file, the infection chain starts.\r\nBy examining the LNK file, we can see that it executes an executable from one of the hidden directories:\r\nFigure 4: LNK command line arguments\r\nThe file “Diagnostic.exe” has been used in both archives Deep Instinct observed. The purpose of this file is to\r\nexecute another executable called “Windows.Diagnostic.Document.EXE,” which is located in the hidden directory\r\nnamed “.end” under a “Windows.Diagnostic.Document” hidden directory.\r\nThe file named “Windows.Diagnostic.Document.EXE” is a signed, legitimate installer for “Advanced Monitoring\r\nAgent.”\r\nIn addition to executing the remote administration tool, “Diagnostic.exe” also opens a new Windows Explorer\r\nwindow of the hidden “Document” folder. 
This is done to fool the victim that opened the LNK file into thinking\r\nthat it was indeed a folder.\r\nThe decoy document is an official memo from the Israeli Civil Service Commission, which can be publicly\r\ndownloaded from their website.\r\nThe memo describes what to do in case a government worker expresses opinions against the Israeli state on social\r\nnetworks:\r\nFigure 5: Decoy document\r\nConclusion\r\nMuddyWater continues to attack Israeli targets in various ongoing campaigns.\r\nIn this campaign, MuddyWater employs updated TTPs. These include a new public hosting service, employing a\r\nLNK file to initiate the infection, and utilizing intermediate malware that mimics the opening of a directory while\r\nexecuting a new remote administration tool.\r\nAfter the victim has been infected, the MuddyWater operator will connect to the infected host using the legitimate\r\nremote administration tool and will start doing reconnaissance on the target.\r\nAfter the reconnaissance phase, the operator will likely execute PowerShell code which will cause the infected\r\nhost to beacon to a custom C2 server.\r\nMuddyWater has used PhonyC2 in the past. 
However, Deep Instinct recently observed MuddyWater using a new\r\nC2 framework named MuddyC2Go – a detailed blog will be published soon, stay tuned.\r\nIOCs:\r\nFile\r\nMD5 Description\r\n37c3f5b3c814e2c014abc1210e8e69a2 Archive containing Atera Agent\r\n16923d827a440161217fb66a04e8b40a Atera Agent Installer\r\n7568062ad4b22963f3930205d1a14df7 Archive containing Atera Agent\r\n39eea24572c14910b67242a16e24b768 Archive containing Atera Agent\r\n2e09e53135376258a03b7d793706b70f Atera Agent Installer\r\n1f0b9aed4b2c8d958a9b396852a62c9d Archive containing SimpleHelp\r\n065f0871b6025b8e61f35a188bca1d5c SimpleHelp Installer\r\n146cc3a1a68be349e70b79f9115c496b defense-video.zip\r\ndd247ccd7cc3a13e1c72bb01cf3a816d Attachments.lnk\r\n8d2199fa11c6a8d95c1c2b4add70373a Diagnostic.exe\r\n04afff1465a223a806774104b652a4f0 Advanced Monitoring Agent Installer\r\n6167f03c8b2734c20eb02d406d3ba651 Decoy Document (defense-video.zip)\r\ne8f3ecc0456fcbbb029b1c27dc1faad0 attachments.zip\r\n952cc4e278051e349e870aa80babc755 Decoy Document (attachments.zip)\r\nNetwork\r\nIP or URL Description\r\nws.onehub[.]com/files/7f9dxtt6 URL to Archive of Atera Agent\r\na.storyblok[.]com/f/253959/x/b92ea48421/form.zip URL to Archive of Atera Agent\r\na.storyblok[.]com/f/255988/x/5e0186f61d/questionnaire.zip URL to Archive of Atera Agent\r\na.storyblok[.]com/f/259791/x/94f59e378f/questionnaire.zip URL to Archive of SimpleHelp\r\n146.70.149[.]61 MuddyWater’s SimpleHelp server\r\n146.70.124[.]102 Suspected MuddyWater’s SimpleHelp server\r\n37.120.237[.]204 Suspected MuddyWater’s SimpleHelp server\r\n37.120.237[.]248 Suspected MuddyWater’s SimpleHelp server\r\na.storyblok[.]com/f/259837/x/21e6a04837/defense-video.zip URL to Archive of Advanced Monitoring Agent\r\na.storyblok[.]com/f/259791/x/91e2f5fa2f/attachments.zip URL to Archive of Advanced Monitoring Agent\r\nAdditional IOCs regarding MuddyWater can be found in our GitHub page:\r\nhttps://github.com/deepinstinct/Israel-Cyber-Warfare-Threat-Actors\r\nSource: https://www.deepinstinct.com/blog/muddywater-en-able-spear-phishing-with-new-ttps",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.deepinstinct.com/blog/muddywater-en-able-spear-phishing-with-new-ttps"
	],
	"report_names": [
		"muddywater-en-able-spear-phishing-with-new-ttps"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434363,
	"ts_updated_at": 1775826711,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8ccce1d35f758f89e74c0c8142cb7fc33f955b37.pdf",
		"text": "https://archive.orkl.eu/8ccce1d35f758f89e74c0c8142cb7fc33f955b37.txt",
		"img": "https://archive.orkl.eu/8ccce1d35f758f89e74c0c8142cb7fc33f955b37.jpg"
	}
}