{
	"id": "5ac55e04-4d6e-441a-be38-067e4ba1ba6d",
	"created_at": "2026-04-06T00:13:49.736174Z",
	"updated_at": "2026-04-10T03:34:22.597509Z",
	"deleted_at": null,
	"sha1_hash": "a61fa9c8e9449f790e961a6aa7fa5ee85e2e926d",
	"title": "New MuddyWater Threat: Old Kitten; New Tricks | Deep Instinct",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1849334,
	"plain_text": "New MuddyWater Threat: Old Kitten; New Tricks | Deep Instinct\r\nBy Simon Kenin, Threat Intelligence Researcher, Deep Instinct Threat Lab\r\nPublished: 2022-12-08 · Archived: 2026-04-05 12:48:52 UTC\r\nMuddyWater, also known as Static Kitten and Mercury, is a cyber espionage group that’s most likely a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).\r\nSince at least 2017, MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, defense, and oil and natural gas organizations, in the Middle East, Asia, Africa, Europe, and North America.\r\nMuddyWater runs several campaigns that are entirely different from each other. In this post we focus on the most recent changes and observations in the campaign that uses spearphishing to deliver legitimate remote administration tools.\r\nExecutive summary:\r\nDeep Instinct’s Threat Research team has identified a new campaign of the MuddyWater group.\r\nThe campaign has been observed targeting Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and the United Arab Emirates.\r\nThe campaign exhibits updated TTPs compared to previously reported MuddyWater activity.\r\nFigure 1: Campaign overview\r\nMuddyWater Exploiting Legitimate Tools\r\nPrevious research has shown that in 2020 MuddyWater sent spearphishing emails with direct links as well as PDF and RTF attachments containing links to archives hosted at “ws.onehub.com.”\r\nThose archives contained the installer for “RemoteUtilities,” a legitimate remote administration tool.\r\nhttps://www.deepinstinct.com/blog/new-muddywater-threat-old-kitten-new-tricks\r\nPage 1 of 11\r\nSince the beginning of 2021, MuddyWater has been observed sending spearphishing emails containing either direct links or Word documents with links to archives hosted at “ws.onehub.com.”\r\nThe archives from 2021 contained installers for ScreenConnect, 
another legitimate remote administration tool.\r\nThis activity was observed intermittently through the end of 2021 and until July 2022.\r\nIn July 2022 a potential file related to this campaign was observed, but it contained Atera Agent instead of the usual ScreenConnect, potentially signaling that the threat actor had switched to another remote administration tool to avoid detection of their long-running campaign.\r\nA new discovery: The current MuddyWater campaign\r\nThe most recent MuddyWater campaign was observed by Deep Instinct at the beginning of October and possibly started in the September timeframe.\r\nWhat makes this campaign different from previous waves is the use of a new remote administration tool named “Syncro.”\r\nA new lure in the form of an HTML attachment was observed, along with the addition of other providers for hosting the archives containing the installers of the remote administration tool.\r\nThe previous July sample with ScreenConnect mentioned earlier was named “promotion.msi.”\r\nIn the current campaign there was a sample that had a few names; one of them was also “promotion.msi.”\r\nThe above ScreenConnect sample was communicating with “instance-q927ui-relay.screenconnect.com.” This instance was communicating with another MuddyWater MSI installer named “Ertiqa.msi,” which is the name of a Saudi organization.\r\nIn the current wave, MuddyWater used the same name, “Ertiqa.msi,” but with a Syncro installer.\r\nThe target geolocations and sectors also align with previous targets of MuddyWater. Combined, these indicators provide enough proof to confirm that this is the MuddyWater threat group.\r\nEXAMPLE #1: Egyptian Hosting Company\r\nDirect links to Dropbox:\r\nFigure 2: Email containing direct link to Dropbox\r\nThis mail was sent from an Egyptian data hosting company, unlike previous campaigns using OneHub. 
This time MuddyWater used Dropbox to host the archive with the Syncro installer:\r\nFigure 3: Zip archive hosted on Dropbox containing MSI installer for Syncro\r\nHTML attachment leading to OneDrive:\r\nFigure 4: Email containing HTML attachment\r\nOn the same date that the email with the Dropbox link was sent, MuddyWater sent another email from the same Egyptian hosting company address to another Egyptian hosting company.\r\nInstead of embedding a direct link in the email message, an HTML attachment was sent. This is a well-known technique to build trust: the recipient knows the company that sent the mail. The attachment is neither an archive nor an executable, so it doesn’t raise end-user suspicion, and HTML is mostly overlooked in phishing awareness training and simulations.\r\nHTML is considered “safer,” at least from the point of view of anti-virus (AV) and email security solutions. 
Although those solutions are able to scan HTML, such attachments are often still delivered to the recipients rather than blocked.\r\nThe HTML itself is very small; its main function is most likely to bypass email solutions that replace any link with a “safe” link.\r\nFigure 5: HTML attachment containing link to OneDrive\r\nThe link inside the HTML file leads to OneDrive this time, hosting an archive containing the Syncro MSI installer.\r\nEXAMPLE #2: Israeli Hospitality Industry\r\nIn another example from early November, MuddyWater sent an email from a company in the Israeli hospitality industry to a large number of contacts across different Israeli insurance companies:\r\nFigure 6: Email containing HTML attachment\r\nIn this mail the company from the hospitality industry is looking for insurance.\r\nThe text is written in Hebrew, but a native speaker will find it suspicious due to a poor choice of words.\r\nOnce again, the link leads to an archive hosted on OneDrive which contains the Syncro MSI installer:\r\nFigure 7: HTML attachment containing link to OneDrive\r\nDespite those new TTPs, most of the Syncro installers are still hosted on OneHub:\r\nFigure 8: Archive hosted on OneHub containing Syncro MSI installer\r\nWhat is unclear is whether MuddyWater gained full access to the email server or only the credentials of one mailbox. The emails are sent from legitimate corporate accounts. We see that, in spite of the low level of sophistication, this tactic can be effective.\r\nSyncro: A tool used by multiple threat actors\r\nMuddyWater is not the only actor abusing Syncro. 
It has also been observed recently in BatLoader and Luna Moth campaigns.\r\nSyncro is a fully featured platform for Managed Service Providers (MSPs) to run their business.\r\nFigure 9: Syncro installer inside the MSI\r\nSyncro provides an agent for MSPs to manage any device on which Syncro was installed using the custom-made MSI file provided to them, which includes the customerID.\r\nFigure 10: Syncro installation process with the customerID and ApiKey\r\nSyncro has a 21-day trial offer. You choose the subdomain to be used by your MSP:\r\nFigure 11: Syncro trial sign-up screen with choice of syncromsp.com subdomain\r\nWhile investigating some of the installers that MuddyWater used, we saw that a new MSI was used for each unique mail. In most cases MuddyWater used a single subdomain with a single MSI installer.\r\nIt seems that most of the subdomains don’t have any useful meaning, although a few are clear:\r\nmohammadosman6060 and osmandembele4040 are football players\r\nnetanyahu8585 and benet5050 are the current and former prime ministers of Israel\r\nCham Wings is the name of a Syrian airline\r\nThe trial version contains the fully featured web GUI, which allows complete control over a computer with the Syncro agent installed:\r\nFigure 12: Web GUI of Syncro with available remote administration features\r\nThose features are standard for remote administration tools: a terminal with SYSTEM privileges, remote desktop access, full file system access, and a task and service manager.\r\nAll those features, combined with a signed MSI installer, create the perfect weapon for a threat actor to gain initial access and start performing recon on the target. 
Later, they enable the threat actors to deploy additional backdoors, exfiltrate files, or hand off access to other threat actors. A threat actor that has access to a corporate machine via such capabilities has nearly limitless options.\r\nRecommendations:\r\nWe have recently described other dual-use tools that are being abused for malicious purposes. We recommend that security teams monitor for remote desktop solutions that are not common in the organization, as they have a higher chance of being abused.\r\nMITRE ATT&CK:\r\nTactic | Technique | Description | Observable\r\nInitial Access | T1566.001 Phishing: Spearphishing Attachment | MuddyWater has compromised third parties and used compromised accounts to send spearphishing emails with targeted attachments to recipients. | aaa9db79b5d6ba319e24e6180a7935d6\r\nInitial Access | T1566.002 Phishing: Spearphishing Link | MuddyWater has compromised third parties and used compromised accounts to send spearphishing emails containing links to legitimate domains hosting archives with remote management software. | d1b4ca2933f49494b4400d5bf5ab502e\r\nCommand and Control | T1219 Remote Access Software | MuddyWater has used a legitimate application, Syncro, to manage systems remotely and move laterally. | 2ed6ebaa28a9bfccc59c6e89a8990631\r\nResource Development | T1588.002 Obtain Capabilities: Tool | MuddyWater has used a legitimate application, Syncro, to manage systems remotely and move laterally. | 2ed6ebaa28a9bfccc59c6e89a8990631\r\nResource Development | T1583.006 Acquire Infrastructure: Web Services | MuddyWater has used file sharing 
services including OneHub, Dropbox, and OneDrive to distribute tools. | https://urlscan.io/result/c6f46810-ee19-47b4-8717-40dc09b4ea09/ - archived scan of a Dropbox URL containing an archive with Syncro installer.\r\nIOC:\r\nSource: https://www.deepinstinct.com/blog/new-muddywater-threat-old-kitten-new-tricks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.deepinstinct.com/blog/new-muddywater-threat-old-kitten-new-tricks"
	],
	"report_names": [
		"new-muddywater-threat-old-kitten-new-tricks"
	],
	"threat_actors": [
		{
			"id": "d87fb380-03db-447c-a560-33e1b6e70e87",
			"created_at": "2025-05-29T02:00:03.231385Z",
			"updated_at": "2026-04-10T02:00:03.881295Z",
			"deleted_at": null,
			"main_name": "Luna Moth",
			"aliases": [
				"Silent Ransom",
				"TG2729"
			],
			"source_name": "MISPGALAXY:Luna Moth",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434429,
	"ts_updated_at": 1775792062,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a61fa9c8e9449f790e961a6aa7fa5ee85e2e926d.pdf",
		"text": "https://archive.orkl.eu/a61fa9c8e9449f790e961a6aa7fa5ee85e2e926d.txt",
		"img": "https://archive.orkl.eu/a61fa9c8e9449f790e961a6aa7fa5ee85e2e926d.jpg"
	}
}