{
	"id": "45c1b545-4839-46f8-b7b0-300797c97a79",
	"created_at": "2026-04-06T00:06:51.617624Z",
	"updated_at": "2026-04-10T03:34:22.504025Z",
	"deleted_at": null,
	"sha1_hash": "9c5645505004dc6a1526db0701194180cf14033b",
	"title": "MuddyWater targets Middle Eastern and Asian countries in phishing attacks - TechRepublic",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 827714,
	"plain_text": "MuddyWater targets Middle Eastern and Asian countries in\r\nphishing attacks - TechRepublic\r\nBy Brian Stone\r\nPublished: 2022-03-10 · Archived: 2026-04-05 16:09:02 UTC\r\nCisco Talos has detailed how the Iranian-backed hacker group has targeted countries across the Middle East and Asia with\r\ncyberattacks.\r\nIranian APT supergroup MuddyWater has been identified as the actor behind attempted phishing attacks\r\nagainst Turkey and other Asian countries, according to findings published by Cisco Talos. The conglomerate,\r\nwhich the U.S. Cyber Command has linked to Iran’s Ministry of Intelligence and Security, has now been\r\nidentified as multiple subgroups operating under the MuddyWater name rather than as one unified threat\r\nactor.\r\nHow and when the cyberattacks happened\r\nThe group has reportedly been targeting these countries with a Windows Script File (WSF)-based remote\r\naccess trojan (RAT) that Cisco Talos has dubbed “SloughRAT”. Using this malware, MuddyWater has\r\nattempted to conduct espionage, steal intellectual property and carry out ransomware attacks against the countries in\r\nthe Arabian Peninsula it has zeroed in on. The malicious actors attempted two campaigns against Turkey\r\nin November 2021, and targeted Armenia in June of the same year using the same kind of WSF-based\r\npayloads.\r\nIn April 2021, Cisco Talos observed that the group also launched an attack against Pakistan via two different\r\ndelivery mechanisms: one employing a PowerShell-based downloader that accepts and executes additional PS1\r\ncommands from the C2 server, and another using a malicious document, posing as part of a\r\ncourt case in Pakistan, as the infection point.\r\nThe group, also known as “MERCURY” or “Static Kitten”, has been active since at least 2017 and is known for\r\nusing ransomware in previous attacks. According to the cybersecurity firm, the threat group\r\nhas been known to use domain name system (DNS) attacks against its intended victims, relying on “PowerShell, Visual\r\nBasic and JavaScript scripting along with living-off-the-land binaries (LoLBins) and remote connection utilities to\r\nassist in the initial stages of the infection.”\r\nMuddyWater as a collection of groups\r\nCredit: Cisco Talos\r\nAccording to Cisco Talos’ findings, the hacking group’s “Variety of lures and payloads — along with the targeting\r\nof several different geographic regions — strengthens our growing hypothesis that MuddyWater is a conglomerate\r\nof sub-groups rather than a single actor.”\r\nThe cybersecurity firm believes the hacking group is a combination of smaller teams targeting specific\r\nregions, such as the Arabian Peninsula and Asia, with the different attack techniques described above. While\r\nMuddyWater is made up of smaller sub-groups, Cisco Talos believes that some of these teams are contracted\r\nout for attacks by MuddyWater’s leaders and organizers. One reason for this belief is that\r\nunique strings and watermarks have been identified as being shared between MuddyWater and the Phosphorus/Charming\r\nKitten APT groups.\r\nCertain techniques appear to be favored by the sub-teams operating in particular regions,\r\nwhich makes their campaigns distinguishable from those of other parts of the collective. The two preferred\r\nattack methods highlighted by the cybersecurity firm were the WSF-based SloughRAT and the\r\nLigolo reverse tunneling tool, which was used against Middle Eastern countries in March 2021.\r\nHow to secure yourself and your business\r\nWhile this hacker group has been targeting specific regions and countries, cyber threats\r\nremain an important concern for both individuals and organizations. With this in mind, it is\r\nimportant to have both up-to-date antivirus software, to detect whether systems have\r\nbeen compromised, and thorough employee training, so that staff are aware of the online risks and avoid being victimized.\r\nBrian Stone\r\nBrian is an award-winning journalist covering technology and the news behind it, having written for both print\r\nand online outlets in his previous stops as a writer.\r\nSource: https://www.techrepublic.com/article/muddywater-targets-middle-eastern-and-asian-countries-in-phishing-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.techrepublic.com/article/muddywater-targets-middle-eastern-and-asian-countries-in-phishing-attacks/"
	],
	"report_names": [
		"muddywater-targets-middle-eastern-and-asian-countries-in-phishing-attacks"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434011,
	"ts_updated_at": 1775792062,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9c5645505004dc6a1526db0701194180cf14033b.pdf",
		"text": "https://archive.orkl.eu/9c5645505004dc6a1526db0701194180cf14033b.txt",
		"img": "https://archive.orkl.eu/9c5645505004dc6a1526db0701194180cf14033b.jpg"
	}
}