{
	"id": "961a2a4a-0ac0-4f35-a56b-e6c1de0c0773",
	"created_at": "2026-04-06T00:08:25.308519Z",
	"updated_at": "2026-04-10T03:34:22.698165Z",
	"deleted_at": null,
	"sha1_hash": "b1af1f7452016917a87994bc7fd8261952324084",
	"title": "Iranian APT: New Methods to Target Turkey, Arabian Peninsula",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 235656,
	"plain_text": "Iranian APT: New Methods to Target Turkey, Arabian Peninsula\nBy Prajeet Nair\nArchived: 2026-04-05 15:13:06 UTC\nCybercrime, Cybercrime as-a-service, Cyberwarfare / Nation-State Attacks\nAPT MuddyWater Uses Malicious Documents to Deploy RATs (@prajeetspeaks) • March 12, 2022\nThe obfuscated Trojan seeks to execute arbitrary code and commands received from its C&C servers.\nHacking group MuddyWater, which has been linked to the Iranian Ministry of Intelligence and Security, is targeting Turkey and other Asian countries to conduct espionage and intellectual property theft and to deploy ransomware and destructive malware.\nThe campaign primarily uses malicious documents to deploy remote access Trojans on compromised systems, according to researchers at Cisco Talos. The sectors targeted by this advanced persistent threat actor include national and local governments and ministries, universities and private entities such as telecommunication providers.\nTalos researchers observed several instances of maldocs, specifically XLS files, distributed by the APT MuddyWater. These XLS files were observed targeting the Arabian Peninsula through a recent phishing campaign. The documents consist of a malicious macro that, when triggered, drops two WSF files on the endpoint.\nhttps://www.govinfosecurity.com/iranian-apt-new-methods-to-target-turkey-arabian-peninsula-a-18706\nPage 1 of 4\n\"One of these scripts is the instrumentor script meant to execute the next stage. This instrumentor script is placed in the current user's Startup folder by the VBA macro to establish persistence across reboots,\" the researchers say. \"The second script is a WSF-based RAT we call 'SloughRAT' that can execute arbitrary commands on the infected endpoint. This RAT consists of obfuscated code from interweaved Visual Basic and JavaScript.\"\nMuddyWater has been active since at least 2017 and is also known as MERCURY or Static Kitten. U.S. Cyber Command has attributed the APT group to Iran's Ministry of Intelligence and Security (see: MuddyWater Targets Critical Infrastructure in Asia, Europe).\nThe group is known for conducting espionage campaigns against high-value targets in North America, Europe and Asia.\nTechnical Details\nThe researchers found that the group is using maldocs to deliver a Windows script file-based remote access Trojan, which Cisco Talos researchers call \"SloughRAT,\" an implant known as \"Canopy\" in CISA's most recent alert from February 2022 about MuddyWater.\nThe obfuscated Trojan also attempts to execute arbitrary code and commands received from its command and control servers. The researchers say that their investigation led to the discovery of two additional script-based implants: one written in Visual Basic during 2021-2022 and one written in JavaScript in 2019-2020, which also downloads and runs arbitrary commands on the victim's system.\nMuddyWater also relies heavily on DNS to contact its C2 servers, while the initial contact with the hosting servers is conducted via HTTP.\n\"Their initial payloads usually use PowerShell, Visual Basic and JavaScript scripting along with living-off-the-land binaries (LoLBins) and remote connection utilities to assist in the initial stages of the infection,\" the researchers say. \"The attackers attempted to deploy the Connectwise Remote Access client on the target's endpoints, a tactic commonly used by MuddyWater to gain an initial foothold on targets' endpoints.\"\nCisco Talos researchers say that the attackers deployed a RAT in April 2021 and the EXE-based infection vector from August 2021; the maldocs and decoy documents reached out to a common server to download a common image file that links them.\n\"These campaigns used a homemade implementation of signaling tokens. In this case, the maldocs have an external entity downloaded from an attacker-controlled server. This entity consists of a simple image which has no malicious content,\" say Cisco Talos researchers Asheer Malhotra, Vitor Ventura, and Arnaud Zobec.\nThey say this may be a way for the attackers to track the initial infection vectors and identify which is more successful. The researchers say it is likely that the attackers used this server as a token tracker to keep track of successful infections in this campaign.\n\"This token-tracking system was then migrated to CanaryTokens in September 2021 in the attacks targeting Turkey using the malicious Excel documents,\" the researchers say.\nIn addition, while tracing MuddyWater's activity over the past year, the researchers say they saw some of the shared techniques being refined from one region to the other, suggesting the teams use their preferred flavors of tools of choice, including final payloads.\nEarlier, the researchers disclosed two campaigns using the same types of Windows executables targeting Turkey in November 2021 and Armenia in June 2021.\n\"Another campaign illustrated previously used similar executables, this time to target Pakistan. This campaign deployed a PowerShell-based downloader on the endpoint to accept and execute additional PS1 commands from the C2 server. Going further back, in April 2021, we observed another instance of MuddyWater targeting entities in Pakistan, this time with a maldoc-based infection vector. The lure document claimed to be part of a court case,\" the researchers say.\nIs MuddyWater a Conglomerate?\nThe Cisco Talos report says MuddyWater's variety of lures and payloads and its targeting of several different geographic regions strengthen the growing hypothesis that MuddyWater is a conglomerate of subgroups rather than a single actor.\n\"These sub-groups have conducted campaigns against a variety of industries. While these teams seem to operate independently, they are all motivated by the same factors that align with Iranian national security objectives, including espionage, intellectual theft, and destructive or disruptive operations based on the victims they target,\" the researchers say.\nMuddyWater teams appear to share TTPs\nCisco Talos researchers analyzed a variety of campaigns that are marked by the development and use of distinct infection vectors and tools to gain entry, establish long-term access, siphon valuable information and monitor their targets. But the MuddyWater teams appear to share TTPs, as evidenced by the incremental adoption of various techniques over time in different MuddyWater campaigns.\n\"We believe there are links between these different campaigns, including the migration of techniques from region to region, along with their evolution into more advanced versions. Overall, the campaigns we describe cover Turkey, Pakistan, Armenia and countries from the Arabian Peninsula,\" researchers say.\nSource: https://www.govinfosecurity.com/iranian-apt-new-methods-to-target-turkey-arabian-peninsula-a-18706",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.govinfosecurity.com/iranian-apt-new-methods-to-target-turkey-arabian-peninsula-a-18706"
	],
	"report_names": [
		"iranian-apt-new-methods-to-target-turkey-arabian-peninsula-a-18706"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens",
				"ENT-11",
				"Earth Vetala",
				"ITG17",
				"MERCURY",
				"Mango Sandstorm",
				"MuddyWater",
				"STAC 1171",
				"Seedworm",
				"Static Kitten",
				"TA450",
				"TEMP.Zagros",
				"UNC3313",
				"Yellow Nix"
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434105,
	"ts_updated_at": 1775792062,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b1af1f7452016917a87994bc7fd8261952324084.pdf",
		"text": "https://archive.orkl.eu/b1af1f7452016917a87994bc7fd8261952324084.txt",
		"img": "https://archive.orkl.eu/b1af1f7452016917a87994bc7fd8261952324084.jpg"
	}
}