{
	"id": "174eaf5e-6938-4a97-ae79-89668cabbda4",
	"created_at": "2026-04-06T00:15:12.412865Z",
	"updated_at": "2026-04-10T03:34:22.861255Z",
	"deleted_at": null,
	"sha1_hash": "98f60f7f8cae15d3d036cb55e751e2ef81913b02",
	"title": "APT groups muddying the waters for MSPs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 595119,
	"plain_text": "APT groups muddying the waters for MSPs\r\nBy James Shepperd\r\nArchived: 2026-04-05 22:19:58 UTC\r\nDigital Security\r\nA quick dive into the murky world of cyberespionage and other growing threats facing managed service providers\r\n– and their customers\r\n02 May 2023  •  , 4 min. read\r\nESET telemetry from Q4 2022 saw the start of a new campaign by MuddyWater, a cyberespionage group linked to\r\nIran’s Ministry of Intelligence and Security (MOIS) and active since at least 2017. The group (primarily) targets\r\nvictims in the Middle East, Asia, Africa, Europe, and North America, focusing on telecommunications companies,\r\ngovernmental organizations, and the oil \u0026 gas and energy verticals.\r\nFor the MSP-interested reader, what stands out in their October 2022 campaign is that four victims, three in Egypt\r\nand one in Saudi Arabia, were compromised via the abuse of SimpleHelp, a legitimate remote access tool (RAT)\r\nand remote support software used by MSPs. This development signals the importance of visibility for MSPs. In\r\ndeploying hundreds or even thousands of software types have no choice but to employ automation and ensure that\r\nSOC teams, customer-facing security admins, and detection and response processes are mature and constantly\r\nimproving.\r\nhttps://www.welivesecurity.com/2023/05/02/apt-groups-muddying-waters-msps/\r\nPage 1 of 4\n\nGood tools for bad guys?\r\nESET Research discovered that when SimpleHelp was present on a victim’s disk, MuddyWater operators\r\ndeployed Ligolo, a reverse tunnel, to connect the victim’s system to their Command and Control (C\u0026C) servers.\r\nHow and when MuddyWater came into possession of the MSP’s tooling or entered the MSP’s environment is\r\nunknown. We have reached out to the MSP.\r\nWhile this campaign continues, MuddyWater’s use of SimpleHelp has, thus far, successfully obfuscated the\r\nMuddyWater C\u0026C servers – the commands to initiate Ligolo from SimpleHelp have not been captured.\r\nRegardless, we can already note that MuddyWater operators are also pushing MiniDump (an lsass.exe dumper),\r\nCredNinja, and a new version of the group’s password dumper MKL64.\r\nIn late October 2022, ESET detected MuddyWater deploying a custom reverse tunneling tool to the same victim in\r\nSaudi Arabia. While its purpose was not immediately apparent, the analysis continues, and progress can be tracked\r\nin our private APT Reports.\r\nAlongside using MiniDump to obtain credentials from Local Security Authority Subsystem Service (LSASS)\r\ndumps and leveraging the CredNinja penetration testing tool, MuddyWater sports other tactics and techniques, for\r\nexample, using popular MSP tools from ConnectWise to gain access to victims’ systems.\r\nESET has also tracked other techniques connected to the group, such as steganography, which obfuscates data in\r\ndigital media such as images, audio tracks, video clips, or text files. A 2018 report from ClearSky Cyber Security,\r\nMuddyWater Operations in Lebanon and Oman, also documents this usage, sharing hashes for malware hidden in\r\nseveral fake resumes – MyCV.doc. ESET detects the obfuscated malware as VBA/TrojanDownloader.Agent.\r\nWhile four years have passed since the publication of the ClearSky report, and the volume of ESET detections fell\r\nfrom seventh position (with 3.4%) in T3 2021 Threat Report to their most recent ranking in “last” position (with\r\n1.8%) in T3 2022 Threat Report, VBA/TrojanDownloader.Agent remained in our top 10 malware detections chart.\r\nhttps://www.welivesecurity.com/2023/05/02/apt-groups-muddying-waters-msps/\r\nPage 2 of 4\n\nDetections of VBA/TrojanDownloader.Agent in the ESET T3 2022 Threat Report. (Note: These detections regroup\r\nvarious malware families/scripts. As such, VBA/TrojanDownloader.Agent trojan percentage above is not an\r\nexclusive detection of MuddyWater’s use of this malware type.)\r\nVBA macros attacks leverage maliciously crafted Microsoft Office files and try to manipulate users (including\r\nMSP employees and clients) into enabling the execution of macros. If enabled, the enclosed malicious macro\r\ntypically downloads and executes additional malware. These malicious documents are usually sent as email\r\nattachments disguised as important information relevant to the recipient.\r\nA call to action for MSPs and enterprises\r\nMSP Admins, who configure leading productivity tools like Microsoft Word/Office 365/Outlook, run their hands\r\nover the very threat vectors carrying threats to the networks they manage. Simultaneously, SOC team members\r\nmay or may not have their own EDR/XDR tools well configured to identify whether APTs like MuddyWater or\r\ncriminal entities are attempting to leverage techniques, including steganography, to access their own or clients’\r\nsystems.\r\nMSPs require both trusted network connectivity and privileged access to customer systems in order to provide\r\nservices; this means they accumulate risk and responsibility for large numbers of clients. Importantly, clients can\r\nalso inherit risks from their chosen MSP’s activity and environment. This has shown XDR to be a critical tool in\r\nsupplying visibility into both their own environments and customer endpoints, devices, and networks to ensure\r\nthat emerging threats, risky employee behavior, and unwanted applications do not risk their profits or reputation.\r\nThe mature operation of XDR tools by MSPs also communicates their active role in providing a specific layer of\r\nsecurity for the privileged access granted to them by clients.\r\nWhen mature MSPs manage XDR, they are in a much better position to counter a diversity of threats, including\r\nAPT groups that might seek to leverage their clients’ position in both physical and digital supply chains. As\r\nhttps://www.welivesecurity.com/2023/05/02/apt-groups-muddying-waters-msps/\r\nPage 3 of 4\n\ndefenders, SOC teams and MSP admins carry a double burden, maintaining internal visibility and visibility into\r\nclients’ networks. Clients should be concerned about the security stance of their MSPs and understand the threats\r\nthey face, lest a compromise of their provider leads to a compromise of themselves.\r\nRELATED READING:\r\nChoosing your MSP: What the Kaseya incident tells us about third‑party cyber‑risk\r\nCriminal hacking hits Managed Service Providers: Reasons and responses\r\nLet us keep you\r\nup to date\r\nSign up for our newsletters\r\nSource: https://www.welivesecurity.com/2023/05/02/apt-groups-muddying-waters-msps/\r\nhttps://www.welivesecurity.com/2023/05/02/apt-groups-muddying-waters-msps/\r\nPage 4 of 4\n\nWhile four years from seventh have passed position (with since the publication 3.4%) in T3 2021 of the ClearSky Threat Report report, to their most recent and the volume ranking of ESET detections in “last” position fell (with\n1.8%) in T3 2022 Threat Report, VBA/TrojanDownloader.Agent  remained in our top 10 malware detections chart.\n   Page 2 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.welivesecurity.com/2023/05/02/apt-groups-muddying-waters-msps/"
	],
	"report_names": [
		"apt-groups-muddying-waters-msps"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434512,
	"ts_updated_at": 1775792062,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/98f60f7f8cae15d3d036cb55e751e2ef81913b02.pdf",
		"text": "https://archive.orkl.eu/98f60f7f8cae15d3d036cb55e751e2ef81913b02.txt",
		"img": "https://archive.orkl.eu/98f60f7f8cae15d3d036cb55e751e2ef81913b02.jpg"
	}
}