{ "id": "3f8b948a-5f3b-49d6-9755-ebbad896fc14", "created_at": "2026-04-06T00:07:38.664687Z", "updated_at": "2026-04-10T03:34:22.611376Z", "deleted_at": null, "sha1_hash": "aa76e16211b2b60ca8e3c325cdc19cc6c011cc77", "title": "MERCURY leveraging Log4j 2 vulnerabilities in unpatched systems to target Israeli organizations | Microsoft Security Blog", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 291959, "plain_text": "MERCURY leveraging Log4j 2 vulnerabilities in unpatched\r\nsystems to target Israeli organizations | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2022-08-25 · Archived: 2026-04-05 16:21:06 UTC\r\nApril 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned\r\naround the theme of weather. MERCURY is now tracked as Mango Sandstorm.\r\nTo learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a\r\ncomplete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming\r\ntaxonomy.\r\nIn recent weeks, the Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Research Team\r\ndetected Iran-based threat actor MERCURY leveraging exploitation of Log4j 2 vulnerabilities in SysAid\r\napplications against organizations all located in Israel. MSTIC assesses with high confidence that MERCURY’s\r\nobserved activity was affiliated with Iran’s Ministry of Intelligence and Security (MOIS).\r\nWhile MERCURY has used Log4j 2 exploits in the past, such as on vulnerable VMware apps, we have not seen\r\nthis actor using SysAid apps as a vector for initial access until now. After gaining access, MERCURY establishes\r\npersistence, dumps credentials, and moves laterally within the targeted organization using both custom and well-known hacking tools, as well as built-in operating system tools for its hands-on-keyboard attack.\r\nThis blog details Microsoft’s analysis of observed MERCURY activity and related tools used in targeted attacks.\r\nThis information is shared with our customers and industry partners to improve detection of these attacks, such as\r\nimplementing detections against MERCURY’s tools in both Microsoft Defender Antivirus and Microsoft\r\nDefender for Endpoint. As with any observed nation-state actor activity, Microsoft directly notifies customers that\r\nhave been targeted or compromised, providing them with the information needed to secure their accounts.\r\nMERCURY TTPs align with Iran-based nation-state actor\r\nMicrosoft assesses with moderate confidence that MERCURY exploited remote code execution vulnerabilities in\r\nApache Log4j 2 (also referred to as “Log4Shell”) in vulnerable SysAid Server instances the targets were running.\r\nMERCURY has used Log4j 2 exploits in past campaigns as well. \r\nMSTIC assesses with high confidence that MERCURY is coordinating its operations in affiliation with Iran’s\r\nMinistry of Intelligence and Security (MOIS). According to the US Cyber Command, MuddyWater, a group we\r\ntrack as MERCURY, “is a subordinate element within the Iranian Ministry of Intelligence and Security.”\r\nThe following are common MERCURY techniques and tooling:\r\nhttps://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations\r\nPage 1 of 9\n\nAdversary-in-the-mailbox phishing: MERCURY has a long history of spear-phishing its targets.\r\nRecently, there has been an uptick in the volume of these phishing attacks. The source of the phishing\r\ncomes from compromised mailboxes and initiating previous email conversations with targets. MERCURY\r\noperators include links to or directly attach commercial remote access tools, such as ScreenConnect, in\r\nthese initial phishing mails.\r\nUse of cloud file-sharing services: MERCURY utilizes commercially available file-sharing services as\r\nwell as self-hosting resources for delivering payloads.\r\nUse of commercial remote access applications: The initial foothold on victims emerges via commercially\r\navailable remote access applications. This allows MERCURY to gain elevated privileges and be able to\r\ntransfer files, primarily PowerShell scripts, easily over to the victim’s environment.\r\nTooling: MERCURY’s tools of choice tend to be Venom proxy tool, Ligolo reverse tunneling, and home-grown PowerShell programs.\r\nTargeting: MERCURY targets a variety of Middle Eastern-geolocated organizations. Mailbox victims\r\ncorrelate directly with organizations that do business with the Middle Eastern victims.\r\nThis latest activity sheds light on behavior MERCURY isn’t widely known for: scanning and exploiting a\r\nvulnerable application on a target’s device. They have been observed performing this activity in the past, but it is\r\nnot very common. The exploits are derived from open source and sculpted to fit their needs. \r\nObserved actor activity\r\nInitial access\r\nOn July 23 and 25, 2022, MERCURY was observed using exploits against vulnerable SysAid Server instances as\r\nits initial access vector. Based on observations from past campaigns and vulnerabilities found in target\r\nenvironments, Microsoft assess that the exploits used were most likely related to Log4j 2. The threat actor\r\nleveraged Log4j 2 exploits against VMware applications earlier in 2022 and likely looked for similarly vulnerable\r\ninternet-facing apps. SysAid, which provides IT management tools, might have presented as an attractive target\r\nfor its presence in the targeted country.\r\nFigure 1. Observed MERCURY attack chain\r\nhttps://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations\r\nPage 2 of 9\n\nExploiting SysAid successfully enables the threat actor to drop and leverage web shells to execute several\r\ncommands, as listed below. Most commands are related to reconnaissance, with one encoded PowerShell that\r\ndownloads the actor’s tool for lateral movement and persistence.\r\nExecuted commands:\r\ncmd.exe /C whoami\r\ncmd.exe /C powershell -exec bypass -w 1 -enc UwB….\r\ncmd.exe /C hostname\r\ncmd.exe /C ipconfig /all\r\ncmd.exe /C net user\r\ncmd.exe /C net localgroup administrators\r\ncmd.exe /C net user admin * /add\r\ncmd.exe /C net localgroup Administrators admin /add\r\ncmd.exe /C quser\r\nPersistence\r\nOnce MERCURY has obtained access to the target organization, the threat actor establishes persistence using\r\nseveral methods, including:\r\nDropping a web shell, providing effective and continued access to the compromised device.\r\nAdding a user and elevating their privileges to local administrator.\r\nAdding the leveraged tools in the startup folders and ASEP registry keys, ensuring their persistence upon\r\ndevice reboot.\r\nStealing credentials.\r\nThe actor leverages the new local administrator user to connect through remote desktop protocol (RDP). During\r\nthis session, the threat actor dumps credentials by leveraging the open-source application Mimikatz. We also\r\nobserved MERCURY later performing additional credential dumping in SQL servers to steal other high privileged\r\naccounts, like service accounts.\r\nLateral movement\r\nWe observed MERCURY further using its foothold to compromise other devices within the target organizations by\r\nleveraging several methods, such as:\r\nWindows Management Instrumentation (WMI) to launch commands on devices within organizations.\r\nRemote services (leveraging RemCom tool) to run encoded PowerShell commands within organizations.\r\nMost of the commands launched are meant to install tools on targets or perform reconnaissance to find domain\r\nadministrator accounts.\r\nCommunication\r\nhttps://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations\r\nPage 3 of 9\n\nThroughout the attack, the threat actor used different methods to communicate with their command-and-control\r\n(C2) server, including:\r\nBuilt-in operating system tools such as PowerShell\r\nTunneling tool called vpnui.exe, a unique version of the open-source tool Ligolo\r\nRemote monitoring and management software called eHorus\r\nMicrosoft will continue to monitor MERCURY activity and implement protections for our customers. The current\r\ndetections, advanced detections, and IOCs in place across our security products are detailed below. \r\nRecommended customer actions\r\nThe techniques used by the actor and described in the Observed actor activity section can be mitigated by adopting\r\nthe security considerations provided below: \r\nCheck if you use SysAid in your network. If you do, apply security patches and update affected products\r\nand services as soon as possible. Refer to SysAid’s Important Update Regarding Apache Log4j for\r\ntechnical information about the vulnerabilities and mitigation recommendations.\r\nRefer to the detailed Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2\r\nvulnerability.\r\nUse the included indicators of compromise to investigate whether they exist in your environment and\r\nassess for potential intrusion. \r\nBlock in-bound traffic from IPs specified in the indicators of compromise table.  \r\nReview all authentication activity for remote access infrastructure, with a particular focus on accounts\r\nconfigured with single factor authentication, to confirm authenticity and investigate any anomalous\r\nactivity. \r\nEnable multi-factor authentication (MFA) to mitigate potentially compromised credentials and ensure that\r\nMFA is enforced for all remote connectivity. Note: Microsoft strongly encourages all customers download\r\nand use password-less solutions like Microsoft Authenticator to secure accounts. \r\nIndicators of compromise (IOCs)\r\nThe below list provides IOCs observed during our investigation. We encourage our customers to investigate these\r\nindicators in their environments and implement detections and protections to identify past related activity and\r\nprevent future attacks against their systems.\r\nIndicator Type Description\r\nhxxp://sygateway[.]com Domain\r\nFirst seen:\r\nMay 16,\r\n2022\r\n91[.]121[.]240[.]104\r\nIP\r\naddress\r\nFirst seen:\r\nMay 17,\r\n2022\r\nhttps://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations\r\nPage 4 of 9\n\n164[.]132[.]237[.]64\r\nIP\r\naddress\r\nFirst seen:\r\nNovember\r\n26, 2021\r\n e81a8f8ad804c4d83869d7806a303ff04f31cce376c5df8aada2e9db2c1eeb98\r\nSHA-256\r\nmimikatz.exe\r\n416e937fb467b7092b9f038c1f1ea5ca831dd19ed478cca444a656b5d9440bb4\r\nSHA-256vpnui.exe\r\nLigolo\r\n25325dc4b8dcf3711e628d08854e97c49cfb904c08f6129ed1d432c6bfff576b\r\nSHA-256\r\nVBScript\r\n3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71\r\nSHA-256\r\nRemcom\r\n3137413d086b188cd25ad5c6906fbb396554f36b41d5cff5a2176c28dd29fb0a\r\nSHA-256\r\nWeb shell\r\n87f317bbba0f50d033543e6ebab31665a74c206780798cef277781dfdd4c3f2f\r\nSHA-256\r\nWeb shell\r\ne4ca146095414dbe44d9ba2d702fd30d27214af5a0378351109d5f91bb69cdb6\r\nSHA-256\r\nWeb shell\r\nd2e2a0033157ff02d3668ef5cc56cb68c5540b97a359818c67bd3e37691b38c6\r\nSHA-256\r\nWeb shell\r\n3ca1778cd4c215f0f3bcfdd91186da116495f2d9c30ec22078eb4061ae4b5b1b\r\nSHA-256\r\nWeb shell\r\nbbfee9ef90814bf41e499d9608647a29d7451183e7fe25f472c56db9133f7e40\r\nSHA-256\r\nWeb shell\r\nb8206d45050df5f886afefa25f384bd517d5869ca37e08eba3500cda03bddfef\r\nSHA-256\r\nWeb shell\r\nNOTE: These indicators should not be considered exhaustive for this observed activity.\r\nMicrosoft Defender Threat Intelligence\r\nCommunity members and customers can find summary information and all IOCs from this blog post in the linked\r\nMicrosoft Defender Threat Intelligence portal article.\r\nDetections\r\nMicrosoft Defender Antivirus\r\nhttps://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations\r\nPage 5 of 9\n\nMicrosoft Defender Antivirus detects attempted exploitation and post-exploitation activity and payloads. Turn on\r\ncloud-delivered protection to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning\r\nprotections block most new and unknown threats. Refer to the list of detection names related to exploitation of\r\nLog4j 2 vulnerabilities. Detections for the IOCs listed above are listed below:\r\nBackdoor:PHP/Remoteshell.V\r\nHackTool:Win32/LSADump\r\nVirTool:Win32/RemoteExec\r\nMicrosoft Defender for Endpoint\r\nMicrosoft Defender for Endpoint customers should monitor the alert “Mercury Actor activity detected” for\r\npossible presence of the indicators of compromise listed above.\r\nReducing the attack surface\r\nMicrosoft Defender for Endpoint customers can turn on the following attack surface reduction rule to block or\r\naudit some observed activity associated with this threat:\r\nBlock executable files from running unless they meet a prevalence, age, or trusted list criterion.\r\nDetecting Log4j 2 exploitation\r\nAlerts that indicate threat activity related to the exploitation of the Log4j 2 exploitation should be immediately\r\ninvestigated and remediated. Refer to the list of Microsoft Defender for Endpoint alerts that can indicate\r\nexploitation and exploitation attempts.\r\nDetecting post-exploitation activity\r\nAlerts with the following titles may indicate post-exploitation threat activity related to MERCURY activity\r\ndescribed in this blog and should be immediately investigated and remediated. These alerts are supported on both\r\nWindows and Linux platforms:\r\nAny alert title related to web shell threats, for example:\r\nAn active ‘Remoteshell’ backdoor was blocked\r\nAny alert title that mentions PowerShell, for example:\r\nSuspicious process executed PowerShell command\r\nA malicious PowerShell Cmdlet was invoked on the machine\r\nSuspicious PowerShell command line\r\nSuspicious PowerShell download or encoded command execution\r\nSuspicious remote PowerShell execution\r\nAny alert title related to suspicious remote activity, for example:\r\nSuspicious RDP session\r\nhttps://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations\r\nPage 6 of 9\n\nAn active ‘RemoteExec’ malware was blocked\r\nSuspicious service registration\r\nAny alert related to persistence, for example:\r\nAnomaly detected in ASEP registry\r\nUser account created under suspicious circumstances\r\nAny alert title that mentions credential dumping activity or tools, for example:\r\nMalicious credential theft tool execution detected\r\nCredential dumping activity observed\r\nMimikatz credential theft tool\r\n‘DumpLsass’ malware was blocked on a Microsoft SQL server\r\nMicrosoft Defender Vulnerability Management\r\nMicrosoft 365 Defender customers can use threat and vulnerability management to identify and remediate devices\r\nthat are vulnerable to Log4j 2 exploitation. A more comprehensive guidance on this capability can be found on\r\nthis blog: Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability.\r\nAdvanced hunting queries\r\nMicrosoft Sentinel\r\nMicrosoft Sentinel customers can use the following queries to look for the related malicious activity in their\r\nenvironments.\r\nIdentify MERCURY IOCs\r\nThe query below identifies matches based on IOCs shared in this post for the MERCURY actor across a range of\r\ncommon Microsoft Sentinel data sets:\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Mercury_Log4j_August2022.yaml\r\nIdentify SysAid Server web shell creation\r\nThe query below looks for potential web shell creation by SysAid Server:\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PotentialMercury_Webshell.yaml\r\nIdentify MERCURY PowerShell commands\r\nThe query below identifies instances of PowerShell commands used by the threat actor in command line data:\r\nhttps://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations\r\nPage 7 of 9\n\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/powershell_mercury.yaml\r\n In addition to the above, Microsoft Sentinel users should also look for possible Log4j 2 vulnerabilities, the details\r\nof which were shared in a previous blog post.\r\nMicrosoft 365 Defender\r\nTo locate related activity, Microsoft 365 Defender customers can run the following advanced hunting queries:\r\nPotential WebShell creation by SysAisServer instance\r\nDeviceFileEvents\r\n| where InitiatingProcessFileName in~ (\"java.exe\", \"javaw.exe\")\r\n| where InitiatingProcessCommandLine has \"SysAidServer\"\r\n| where FileName endswith \".jsp\"\r\nAbnormal process out of SysAidServer instance\r\nDeviceProcessEvents\r\n| where Timestamp \u003e ago(7d)\r\n| where InitiatingProcessFileName in~ (\"java.exe\", \"javaw.exe\")\r\n| where InitiatingProcessCommandLine has \"SysAidServer\"\r\n| summarize makeset(ProcessCommandLine), min(Timestamp), max(Timestamp) by DeviceId\r\nPowerShell commands used by MERCURY\r\nDeviceProcessEvents\r\n| where FileName =~ \"powershell.exe\" and ProcessCommandLine has_cs \"-exec bypass -w 1 -enc\"\r\n| where ProcessCommandLine contains_cs\r\n\"UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA\"\r\n| summarize makeset(ProcessCommandLine), makeset(InitiatingProcessCommandLine, 10),\r\nmakeset(DeviceId), min(Timestamp), max(Timestamp) by DeviceId\r\nVulnerable Log4j 2 devices\r\nUse this query to identify vulnerabilities in installed software on devices, surface file-level findings from the disk,\r\nand provide the ability to correlate them with additional context in advanced hunting.\r\nDeviceTvmSoftwareVulnerabilities\r\nhttps://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations\r\nPage 8 of 9\n\n| where CveId in (\"CVE-2021-44228\", \"CVE-2021-45046\")\r\nDeviceTvmSoftwareEvidenceBeta\r\n| mv-expand DiskPaths\r\n| where DiskPaths contains \"log4j\"\r\n| project DeviceId, SoftwareName, SoftwareVendor, SoftwareVersion, DiskPaths\r\nSource: https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israel\r\ni-organizations\r\nhttps://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations\r\nPage 9 of 9", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations" ], "report_names": [ "mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations" ], "threat_actors": [ { "id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b", "created_at": "2022-10-25T15:50:23.308924Z", "updated_at": "2026-04-10T02:00:05.298591Z", "deleted_at": null, "main_name": "MuddyWater", "aliases": [ "MuddyWater", "Earth Vetala", "Static Kitten", "Seedworm", "TEMP.Zagros", "Mango Sandstorm", "TA450" ], "source_name": "MITRE:MuddyWater", "tools": [ "STARWHALE", "POWERSTATS", "Out1", "PowerSploit", "Small Sieve", "Mori", "Mimikatz", "LaZagne", "PowGoop", "CrackMapExec", "ConnectWise", "SHARPSTATS", "RemoteUtilities", "Koadic" ], "source_id": "MITRE", "reports": null }, { "id": "2ed8d590-defa-4873-b2de-b75c9b30931e", "created_at": "2023-01-06T13:46:38.730137Z", "updated_at": "2026-04-10T02:00:03.08136Z", "deleted_at": null, "main_name": "MuddyWater", "aliases": [ "TEMP.Zagros", "Seedworm", "COBALT ULSTER", "G0069", "ATK51", "Mango Sandstorm", "TA450", "Static Kitten", "Boggy Serpens", "Earth Vetala" ], "source_name": "MISPGALAXY:MuddyWater", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "156b3bc5-14b7-48e1-b19d-23aa17492621", "created_at": "2025-08-07T02:03:24.793494Z", "updated_at": "2026-04-10T02:00:03.634641Z", "deleted_at": null, "main_name": "COBALT ULSTER", "aliases": [ "Boggy Serpens ", "ENT-11 ", "Earth Vetala ", "ITG17 ", "MERCURY ", "Mango Sandstorm ", "MuddyWater ", "STAC 1171 ", "Seedworm ", "Static Kitten ", "TA450 ", "TEMP.Zagros ", "UNC3313 ", "Yellow Nix " ], "source_name": "Secureworks:COBALT ULSTER", "tools": [ "CrackMapExec", "Empire", "FORELORD", "Koadic", "LaZagne", "Metasploit", "Mimikatz", "Plink", "PowerStats" ], "source_id": "Secureworks", "reports": null }, { "id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb", "created_at": "2022-10-25T16:07:23.880522Z", "updated_at": "2026-04-10T02:00:04.775749Z", "deleted_at": null, "main_name": "MuddyWater", "aliases": [ "ATK 51", "Boggy Serpens", "Cobalt Ulster", "G0069", "ITG17", "Mango Sandstorm", "MuddyWater", "Operation BlackWater", "Operation Earth Vetala", "Operation Quicksand", "Seedworm", "Static Kitten", "T-APT-14", "TA450", "TEMP.Zagros", "Yellow Nix" ], "source_name": "ETDA:MuddyWater", "tools": [ "Agentemis", "BugSleep", "CLOUDSTATS", "ChromeCookiesView", "Cobalt Strike", "CobaltStrike", "CrackMapExec", "DCHSpy", "DELPHSTATS", "EmPyre", "EmpireProject", "FruityC2", "Koadic", "LOLBAS", "LOLBins", "LaZagne", "Living off the Land", "MZCookiesView", "Meterpreter", "Mimikatz", "MuddyC2Go", "MuddyRot", "Mudwater", "POWERSTATS", "PRB-Backdoor", "PhonyC2", "PowGoop", "PowerShell Empire", "PowerSploit", "Powermud", "QUADAGENT", "SHARPSTATS", "SSF", "Secure Socket Funneling", "Shootback", "Smbmap", "Valyria", "chrome-passwords", "cobeacon", "prb_backdoor" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434058, "ts_updated_at": 1775792062, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/aa76e16211b2b60ca8e3c325cdc19cc6c011cc77.pdf", "text": "https://archive.orkl.eu/aa76e16211b2b60ca8e3c325cdc19cc6c011cc77.txt", "img": "https://archive.orkl.eu/aa76e16211b2b60ca8e3c325cdc19cc6c011cc77.jpg" } }