{
	"id": "88e618fd-d234-4648-b485-3815ddb44506",
	"created_at": "2026-04-29T02:20:58.500986Z",
	"updated_at": "2026-04-29T08:21:24.661118Z",
	"deleted_at": null,
	"sha1_hash": "ba6dab9f5b6059cacb528dd039f4c1ae06a6b031",
	"title": "Latest Cyber Threat Intelligence \u0026 Security Insights",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1399107,
	"plain_text": "Latest Cyber Threat Intelligence \u0026 Security Insights\r\nArchived: 2026-04-29 02:11:53 UTC\r\nThis blog profiles MuddyWater (XTA-GTP2UWKVBL5CFID4), one of Iran's most persistently active and operationally significant\r\nstate-linked cyber threat actors. It integrates live FalconFeeds IOC telemetry with campaign-level\r\nanalysis, TTP profiling, and full MITRE ATT\u0026CK v14 mapping to provide defenders with the most actionable\r\nintelligence picture available on this threat actor as of March 2026.\r\nMuddyWater has undergone a substantial capability evolution over the past 24 months. What was once a noisy,\r\nscript-heavy intrusion set known for commodity phishing and blunt PowerShell tooling has matured into a\r\nsophisticated multi-stage operation deploying memory-resident implants written in Rust (RustyWater), advanced\r\ncustom backdoors (MuddyViper), and a hardened operational infrastructure designed to survive blue team tuning\r\nand infrastructure takedowns. FalconFeeds telemetry confirms MuddyWater activity indicators clustering tightly\r\naround key Iran–Israel and Iran–GCC escalation windows throughout 2024–2026.\r\nCritical Assessment: MuddyWater is not merely a persistent nuisance actor. It functions as Iran's initial-access\r\nbroker of choice, systematically harvesting credentials and network footholds across Israeli, GCC, and Western\r\ntargets before handing off to higher-tier IRGC operators — including OilRig/APT34 clusters — for espionage and\r\npotentially destructive follow-on operations.\r\nActor Profile \u0026 Attribution\r\nIdentity \u0026 Affiliation\r\nMuddyWater is tracked under multiple aliases across the industry:\r\nState Affiliation: MuddyWater is formally assessed by CISA, NCSC (UK), and multiple Western intelligence\r\nagencies as operating under the direction of Iran's Ministry of Intelligence and Security (MOIS). 
This\r\ndistinguishes MuddyWater from IRGC-aligned actors (APT33, APT34), which operate under separate command\r\nauthority, though coordination and target sharing between these groups are extensively documented.\r\nhttps://falconfeeds.io/blogs/muddywater-in-the-iran-israel-cyber-war-from-powershell-scripts-to-rust-implants\r\nPage 1 of 15\n\nActive Since: 2017\r\nLast Confirmed Activity: March 2026\r\nFalconFeeds Profile: https://dash.falconfeeds.io/threat-actor/TA-DDA9B80C3E54FE14\r\nActive Infrastructure Channels: Open Web\r\nTargeting Profile\r\nMuddyWater has established a broad and persistent targeting footprint spanning 40+ countries. Primary affected\r\nnations include:\r\nTier 1 (Highest Targeting Intensity): Israel, Saudi Arabia, Turkey, Pakistan, Iran (domestic dissidents)\r\nTier 2 (Sustained Targeting): Albania, Azerbaijan, Bangladesh, Brazil, Bulgaria, Canada, China, Estonia,\r\nFinland, France, Germany, Ireland, Italy, Japan, Latvia, Lithuania, Moldova, Netherlands, Norway, Philippines,\r\nPoland, Portugal, Romania, Russia, Singapore, Slovakia, South Africa, Sweden, Taiwan, UK, USA, Uzbekistan\r\nPrimary Sectors Targeted:\r\nGovernment ministries and defence-adjacent entities\r\nTelecommunications providers (STC, Turkcell, Bezeq)\r\nCritical infrastructure (energy, aviation, maritime)\r\nFinancial institutions\r\nTechnology and engineering firms\r\nEducation and research institutions\r\nGeopolitical \u0026 Strategic Context\r\nMuddyWater as an Iranian Cyber Weapon in the Iran–Israel Conflict\r\nThe Iran–Israel conflict has evolved significantly beyond kinetic exchanges of missiles and drones. 
MuddyWater\r\nhas become one of Tehran's most important and flexible cyber assets in this confrontation, operating across the\r\nfull spectrum of pre-conflict reconnaissance through active intrusion and potential pre-positioning for destructive\r\noperations.\r\nFalconFeeds telemetry spanning January 2024 through March 2026 demonstrates a consistent and statistically\r\nsignificant correlation: MuddyWater IOC detection rates spike during periods of documented Iran–Israel\r\nkinetic or diplomatic escalation.\r\nActivity peaks were recorded in alignment with:\r\nThe October 2023–April 2024 escalation following the Gaza conflict outbreak\r\nThe April 2024 direct Iranian ballistic missile and drone strikes on Israeli territory\r\nThe October 2024 Israeli strike on Iranian air defence systems\r\nThe November 2024–January 2025 Houthi-Israel shipping conflict intensification\r\nThe March 2026 Iran-Gulf escalation cycle (concurrent with Saudi Arabia IOC clusters)\r\nThis pattern is consistent with a threat actor operating under strategic direction — campaign tempo adjusts to\r\ngeopolitical conditions, indicating MuddyWater's operations are coordinated with, or in direct support of, broader\r\nIranian strategic objectives rather than being conducted opportunistically.\r\nThe Iran Cyber Ecosystem: MuddyWater's Position\r\nMuddyWater occupies a specific and critical node in Iran's layered cyber ecosystem:\r\nMOIS Direction: MuddyWater receives tasking from Iran's Ministry of Intelligence and Security, the civilian\r\nintelligence agency. This contrasts with IRGC-directed actors (APT33 Elfin, APT34 OilRig) who operate under\r\nmilitary-intelligence authority.\r\nInitial Access Broker Function: MuddyWater systematically maps target networks, harvests credentials, and\r\nestablishes persistent footholds. 
Access is then shared with or sold to other Iran-aligned operators.\r\nIntelligence Sharing: Analysis confirms target and intelligence sharing between MuddyWater and the\r\nfollowing groups:\r\nOilRig / APT34 — receives high-quality network access from MuddyWater for espionage operations\r\nLyceum / HEXANE — documented recipient of credentials and footholds from MuddyWater intrusions,\r\nparticularly in Saudi and Israeli manufacturing targets\r\nAgrius — destructive actor that has operated within Israeli networks first accessed by MuddyWater\r\nCharming Kitten / APT35 — shares targeting intelligence on Israeli academic and government targets\r\nTortoiseshell / Imperial Kitten — coordinates on technology-sector targeting\r\nCapability Evolution: From PowerShell to Rust\r\nHistorical TTP Baseline (2017–2023)\r\nIn its initial operational years, MuddyWater was characterised by high operational tempo and low technical\r\nsophistication. 
The hallmarks of this period included:\r\nMalicious Microsoft Office documents with embedded VBA macros delivered via spear-phishing\r\nHeavy reliance on PowerShell for initial execution, lateral movement, and persistence\r\nUse of legitimate Remote Monitoring and Management (RMM) tools (SimpleHelp, AnyDesk, Atera,\r\nSyncro) to blend with normal IT operations and avoid EDR detection\r\nPOWERSTATS — a multi-stage PowerShell backdoor — as the primary implant, delivered via document\r\nmacros\r\nNoisy brute-force credential access against VPN portals and Outlook Web Access (OWA) endpoints\r\nShort infrastructure rotation cycles using commodity VPS providers\r\nThe group's early-phase operations were characterised by investigators as \"blunt instrument\" intrusions —\r\neffective due to volume and persistence rather than technical elegance.\r\nIntermediate Phase: Hardened PowerShell \u0026 RMM Abuse (2022–2024)\r\nBetween 2022 and early 2024, MuddyWater upgraded its PowerShell-based tooling significantly:\r\nDynamic string encryption implemented in PowerShell backdoors, replacing static strings that were\r\ntrivially detected by AV signatures\r\nRuntime code generation — PowerShell payloads that generate and execute subsequent stage code at\r\nruntime, defeating static sandbox analysis\r\nCloud-hosted multi-stage payloads — initial lure documents contact cloud storage (OneDrive, Dropbox,\r\nlegitimate business file shares) to retrieve second-stage payloads, exploiting implicit trust in major cloud\r\nprovider domains\r\nExpanded RMM toolkit abuse — documented use of SimpleHelp, ScreenConnect (ConnectWise), and\r\nEgnyte file-sharing platforms for C2 communication, blending into legitimate enterprise traffic\r\nWMI Event Subscription persistence — MuddyWater adopted WMI-based persistence mechanisms,\r\ncreating event subscriptions that 
survive reboots without writing traditional autorun registry keys\r\nFalconFeeds IOC telemetry from this period includes confirmed C2 endpoints using Egnyte-hosted relay\r\ninfrastructure:\r\nkinneretacil.egnyte.com (IOC-TRQOWANS8RARX98Z) — Botnet C2\r\nfbcsoft.egnyte.com (IOC-C7T69ZSR5Z3ZRWKN) — Botnet C2\r\ncnsmportal.egnyte.com (IOC-8WU7DZ4GVCHUXF2Q) — Botnet C2\r\ninstance-n3e3x9-relay.screenconnect.com (IOC-SXWUCGFTXPE5X3MO) — Botnet C2\r\nThe use of legitimate, enterprise-trusted cloud relay infrastructure represents a significant defensive evasion\r\nadvancement — proxy-aware firewalls and web gateways that permit traffic to Egnyte or ConnectWise domains\r\nare effectively blind to this C2 channel.\r\nCurrent Generation: Memory-Resident Implants (2024–2026)\r\nMuddyWater's most recent capability generation represents a step change in technical maturity that brings the\r\ngroup's tradecraft closer to the standards of Tier-1 advanced persistent threat actors.\r\nMuddyViper \u0026 Fooder (September 2024 – March 2025)\r\nBetween September 30, 2024 and March 18, 2025, ESET and FalconFeeds documented a major campaign wave\r\ntargeting Israeli critical infrastructure across technology, engineering, manufacturing, local government, and\r\neducation sectors, with confirmed victim impact in Egypt.\r\nFooder — The Loader: Fooder is a custom loader delivered as an innocuous-looking executable, frequently\r\ndisguised as entertainment applications (e.g., Snake_Game.exe). 
Its primary function is to reflectively load\r\nMuddyViper directly into process memory without writing the payload to disk, defeating file-based detection\r\nand most EDR solutions that rely on on-disk signature scanning.\r\nKey technical characteristics of Fooder:\r\nIcon and metadata spoofing to impersonate legitimate Windows applications\r\nIn-memory payload injection via reflective DLL loading techniques\r\nNo disk-resident payload stage — the final implant never touches the filesystem in a detectable form\r\nAnti-analysis: checks for debugging environments and terminates if detected\r\nMuddyViper — The Backdoor: MuddyViper is MuddyWater's most sophisticated implant to date as of the\r\n2024–2025 campaign wave. Its capabilities include:\r\nFull system reconnaissance: hardware enumeration, OS version, running processes, network configuration\r\nCredential harvesting: browser-stored passwords, Windows Credential Manager, cached domain credentials\r\nBrowser data exfiltration: cookies, browsing history, saved form data\r\nArbitrary command execution via interactive shell\r\nFile operations: upload, download, move, delete, compress\r\nPersistence maintenance via registry-based autostart mechanisms\r\nC2 communication over encrypted channels (HTTPS)\r\nIn at least one confirmed manufacturing-sector intrusion, MuddyWater deployed Fooder/MuddyViper alongside a\r\ncustom Mimikatz credential-harvesting loader, with the harvested credentials subsequently used by Lyceum\r\nfor deeper lateral movement into the victim network — directly confirming the initial-access broker dynamic.\r\nRustyWater — Rust-Based RAT (2026)\r\nIn early 2026, CloudSEK, CSO Online, and FalconFeeds independently documented a new MuddyWater\r\ncapability: RustyWater, a Remote Access Trojan written entirely in the Rust programming language.\r\nThe adoption of Rust 
represents a deliberate and significant capability investment by MuddyWater:\r\nRust's memory safety model eliminates entire classes of memory corruption vulnerabilities that could\r\nexpose operator infrastructure or destabilise the implant during operation\r\nRust binaries are significantly harder to reverse engineer than equivalent C or C++ code — Rust's\r\ncompilation model produces complex binary layouts that confound standard reverse engineering workflows\r\nRust's ecosystem produces smaller, self-contained binaries with fewer detectable library dependencies\r\nRust is not commonly associated with malware in AV/EDR training datasets, resulting in lower signature\r\ndetection rates compared to equivalent C-based implants\r\nDelivery Mechanism: RustyWater is delivered via targeted spear-phishing emails themed around:\r\nCybersecurity advisories and threat alerts (luring security teams)\r\nOfficial government or regulatory notices\r\nDiplomatic correspondence and maritime/shipping operations\r\nFinancial sector compliance requirements\r\nLure documents are either malicious Word files with embedded macros or icon-spoofed executables designed to\r\nappear as legitimate documents.\r\nRustyWater Technical Profile:\r\nC2: Encrypted HTTPS-based communication with custom URI paths and headers to mimic legitimate web traffic\r\nPersistence: Registry-based autostart entries (Run/RunOnce keys with system-mimicking names)\r\nAnti-Analysis:\r\nAnti-debugging routines (checks for debugger presence via API timing and exception handling)\r\nAnti-VM checks (CPUID enumeration, registry key checks, hardware fingerprinting)\r\nPosition-independent XOR string encryption (strings are decrypted at runtime, not stored in plaintext)\r\nRandomised sleep intervals between C2 callbacks (defeating sandbox timeout-based detection)\r\nPost-Compromise Capabilities: 
Modular architecture allowing dynamic capability extension based on target\r\nenvironment\r\nLive IOC Intelligence — FalconFeeds Telemetry\r\nAll indicators below are sourced from the FalconFeeds platform and attributed to MuddyWater (XTA-GTP2UWKVBL5CFID4).\r\nHigh-Confidence IP Indicators (100% Confidence)\r\nInfrastructure Note: The 45.150.64.x/24 subnet cluster (nodes .23, .39, .239) represents a dedicated MuddyWater\r\ninfrastructure block. Defenders should apply enhanced monitoring across the full /24 rather than blocking\r\nindividual IPs only, as MuddyWater rotates within known subnets.\r\nActive Botnet C2 IP:Port Indicators\r\nAnalyst Note: Ports 8043 and 8848 are non-standard ports used to evade port-based firewall rules blocking\r\ncommon C2 ports. Outbound connections to these port/IP combinations from any internal host should be treated as\r\nconfirmed compromise indicators.\r\nBotnet C2 Domain Indicators\r\nThe following domains have been confirmed as MuddyWater C2 infrastructure:\r\nPattern Note: MuddyWater consistently registers domains that impersonate Microsoft services (microsoftofice,\r\nmirosoftcloud), security protocols (protocol-security.in, logincheck.in), and cloud services (vatacloud.com,\r\nwebftpcloud.com). 
Defenders should build regex-based detection rules for this naming convention pattern in\r\naddition to blocking known indicators.\r\nFull MITRE ATT\u0026CK v14 Mapping\r\nCampaign Intelligence: Recent Waves\r\nMuddyViper / Fooder Campaign (Sept 2024 – March 2025)\r\nTargets: Israeli technology, engineering, manufacturing, local government, education organisations; one\r\nconfirmed Egyptian critical-infrastructure victim\r\nDelivery: Fooder loader disguised as Snake_Game.exe and similar executables\r\nImplant: MuddyViper reflectively loaded into memory\r\nObjective: Credential harvesting, network mapping, initial-access brokering for Lyceum\r\nNotable TTP: Mimikatz loader variant deployed for LSASS credential harvesting\r\nRustyWater Campaign (2026 — Ongoing)\r\nTargets: Diplomatic, maritime, financial, and telecom entities across the Middle East; Israel primary focus;\r\nSaudi Arabia and GCC secondary\r\nDelivery: Spear-phishing attachments themed around diplomacy, maritime, financial compliance, and\r\ncybersecurity alerts\r\nImplant: RustyWater Rust-based RAT with encrypted HTTP C2\r\nEvasion: Anti-debugging, anti-VM, position-independent XOR encryption, randomised sleep intervals\r\nConcurrent Activity: Overlaps with CAMPAIGN-2026-GULF-01 IOC cluster activity targeting Saudi\r\nArabia (see FF-IW-20260304-SA)\r\nBotnet Infrastructure Campaign (Jan 2025 — Ongoing)\r\nInfrastructure: Large-scale botnet C2 network confirmed across multiple ASNs\r\nNotable Nodes: 154.90.32.88:8043 and 8.217.47.190:8848 (confirmed botnet C2 at non-standard ports)\r\nScale: 100+ confirmed IOCs across 
IP, domain, and URL indicator types in FalconFeeds telemetry\r\nPattern: MuddyWater maintains a persistent, redundant C2 infrastructure pool, rotating IPs within known\r\n/24 subnets\r\nSector Impact Assessment\r\nIsrael — Primary Target Landscape\r\nIsraeli organisations face the highest MuddyWater threat concentration. The combination of RustyWater delivery\r\nvia diplomatic and cybersecurity-themed lures, the Fooder/MuddyViper campaign against critical infrastructure,\r\nand MuddyWater's documented role as an initial-access broker for Agrius (a destructive wiper operator targeting\r\nIsrael) creates a multi-stage escalation risk. Any Israeli organisation in technology, engineering, defence-adjacent\r\nsectors, local government, or telecommunications should treat this threat profile as directly relevant to their\r\nenvironment.\r\nSaudi Arabia \u0026 GCC\r\nSaudi Arabian and broader GCC organisations face MuddyWater activity in coordination with larger Iranian APT\r\ncampaigns. The concurrent CAMPAIGN-2026-GULF-01 cluster (FF-IW-20260304-SA) demonstrates that\r\nMuddyWater-style credential-access and initial-access-brokering activity supports larger OilRig/APT34 operations\r\ntargeting Saudi energy, financial, and government infrastructure.\r\nTelecommunications\r\nTelecom providers across the Middle East, Europe, and Asia face sustained targeting. MuddyWater's interest in\r\ntelecommunications spans both intelligence collection (call records, subscriber data) and infrastructure disruption\r\npotential. 
The group's use of RMM tools that telecom IT teams routinely whitelist (SimpleHelp, ScreenConnect)\r\ncreates elevated risk that intrusion activity will not trigger standard detection rules.\r\nGovernment \u0026 Defence\r\nGovernment ministries across all affected regions face spear-phishing risk from MuddyWater's \"cybersecurity\r\nguidelines\" and \"official notice\" lure themes — themes specifically calibrated to be convincing to security-aware\r\ngovernment employees. The group's WMI-based persistence and memory-resident implant execution are\r\nspecifically designed to evade the host-based detection tools most commonly deployed in government\r\nenvironments.\r\nRecommended Immediate Actions\r\nPriority Actions — Complete Within 2 Hours:\r\n1. Ingest all IOC tables into SIEM, EDR, and firewall block lists\r\n2. Query 72-hour log window for outbound connections to all listed IPs and domains\r\n3. Immediate hunt for connections to 154.90.32.88:8043 and 8.217.47.190:8848 — treat any match as\r\nconfirmed compromise\r\n4. Alert on outbound connections to Egnyte and ScreenConnect relay domains if not in approved software\r\ninventory\r\nNetwork-Layer Controls (24 Hours):\r\n5. Block all IP indicators in both inbound and outbound directions at edge firewalls, WAF, and EDR network\r\npolicies\r\n6. Implement enhanced scrutiny on traffic to/from AS ranges heavily represented in IOC list (Hetzner AS24940,\r\nOVH AS16276, DigitalOcean AS14061)\r\n7. Review DNS logs for queries to any MuddyWater-attributed domains\r\n8. Enable SSL/TLS inspection on outbound HTTPS to cloud-hosted IPs with no associated domain name — this\r\ncovers RustyWater and POWERSTATS C2 traffic\r\nEndpoint \u0026 Identity Controls (24 Hours):\r\n9. 
Hunt for PowerShell Event ID 4104 entries with Base64-encoded strings longer than 500 characters spawned\r\nfrom WINWORD.EXE, EXCEL.EXE, or OUTLOOK.EXE\r\n10. Hunt for WMI Event Subscription creation (Event IDs 19, 20, 21) by non-administrative processes\r\n11. Review scheduled tasks for system-mimicking names ('WindowsUpdate', 'AdobeFlash', 'SystemCertificate')\r\ncreated within the last 30 days\r\n12. Enforce MFA on all internet-facing remote access (VPN, OWA, RDP gateways) — MuddyWater credential-stuffing activity is significantly degraded against MFA-protected endpoints\r\n13. Hunt for processes executing from %APPDATA%\\Microsoft\\Windows\\Themes\\ or\r\n%APPDATA%\\Roaming\\Microsoft\\ with non-Microsoft digital signatures\r\nThreat Hunting Queries (Ongoing):\r\n14. Endpoint hunt: Rust-compiled binaries (identifiable by Rust-specific panicking strings in binary metadata)\r\nexecuting from user-writable directories\r\n15. Network hunt: HTTP POST requests to cloud-hosted IPs (no associated domain) with fixed Content-Length\r\nvalues of 256, 512, or 1024 bytes at regular intervals\r\n16. Email gateway: Filter attachments with .docx/.xlsm/.exe extensions from external senders with diplomatic,\r\nmaritime, or cybersecurity-themed subjects\r\n17. DNS hunt: High-entropy subdomain queries (\u003e20 random characters) suggesting DNS exfiltration activity\r\nconsistent with documented MuddyWater/APT34 tooling\r\nFalconFeeds Ongoing Monitoring\r\nFalconFeeds maintains active 24/7 tracking of MuddyWater (XTA-GTP2UWKVBL5CFID4) under elevated\r\npriority status. 
Clients subscribed to FalconFeeds IOC watch will receive automated push notifications within\r\nminutes of new IOC detections, infrastructure changes, new malware family identifications, and campaign-level\r\nescalation events.\r\nKarthika Santhosh Kumar\r\nSource: https://falconfeeds.io/blogs/muddywater-in-the-iran-israel-cyber-war-from-powershell-scripts-to-rust-implants",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://falconfeeds.io/blogs/muddywater-in-the-iran-israel-cyber-war-from-powershell-scripts-to-rust-implants"
	],
	"report_names": [
		"muddywater-in-the-iran-israel-cyber-war-from-powershell-scripts-to-rust-implants"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-29T06:58:57.893292Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-29T06:58:57.892464Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-29T06:58:57.592535Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33 ",
				"Elfin ",
				"HOLMIUM ",
				"MAGNALIUM ",
				"Peach Sandstorm ",
				"Refined Kitten ",
				"TA451 "
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-29T06:58:56.316107Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision",
				"COBALT MIRAGE",
				"Agent Serpens"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cde987a8-c71f-49e2-b761-5b7fa2b4ada6",
			"created_at": "2022-10-25T16:07:23.706646Z",
			"updated_at": "2026-04-29T06:58:57.945122Z",
			"deleted_at": null,
			"main_name": "Hexane",
			"aliases": [
				"ATK 120",
				"Cobalt Lyceum",
				"G1001",
				"Lyceum",
				"Operation Out to Sea",
				"Siamesekitten",
				"Yellow Dev 9"
			],
			"source_name": "ETDA:Hexane",
			"tools": [
				"DanBot",
				"DanDrop",
				"Decrypt-RDCMan.ps1",
				"Get-LAPSP.ps1",
				"James",
				"Milan",
				"kl.ps1"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-29T06:58:57.745497Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450",
				"MuddyKrill"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"MuddyViper",
				"STARWHALE",
				"LP-Notes",
				"POWERSTATS",
				"Rclone",
				"Out1",
				"Tsundere Botnet",
				"PowerSploit",
				"Small Sieve",
				"Fooder",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ad78338e-8bb6-4745-acae-27d3cc3cf76d",
			"created_at": "2023-11-17T02:00:07.580677Z",
			"updated_at": "2026-04-29T06:58:56.681943Z",
			"deleted_at": null,
			"main_name": "Bohrium",
			"aliases": [
				"Smoke Sandstorm",
				"BOHRIUM",
				"IMPERIAL KITTEN"
			],
			"source_name": "MISPGALAXY:Bohrium",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-29T06:58:56.310338Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK51",
				"Boggy Serpens",
				"Earth Vetala",
				"Static Kitten",
				"COBALT ULSTER",
				"Mango Sandstorm",
				"TA450",
				"TEMP.Zagros",
				"Seedworm",
				"G0069"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-29T06:58:57.692044Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3ce91297-e4c0-4957-8dd7-9047a3e23dc7",
			"created_at": "2023-01-06T13:46:39.054248Z",
			"updated_at": "2026-04-29T06:58:56.416735Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Crimson Sandstorm",
				"CURIUM",
				"IMPERIAL KITTEN",
				"Imperial Kitten",
				"TA456",
				"DUSTYCAVE",
				"Cuboid Sandstorm",
				"Smoke Sandstorm",
				"Yellow Liderc"
			],
			"source_name": "MISPGALAXY:Tortoiseshell",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "21e01940-3851-417f-9e90-1a4a2da07033",
			"created_at": "2022-10-25T16:07:23.299369Z",
			"updated_at": "2026-04-29T06:58:57.743375Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow",
				"DEV-0227",
				"Pink Sandstorm",
				"SharpBoys",
				"Spectral Kitten"
			],
			"source_name": "ETDA:Agrius",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agrius",
				"BFG Agonizer",
				"BFG Agonizer Wiper",
				"DEADWOOD",
				"DETBOSIT",
				"Detbosit",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"PW",
				"PartialWasher",
				"PartialWasher Wiper",
				"SQLShred",
				"Sqlextractor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a7df240e-6750-4b71-99de-85831b92faa2",
			"created_at": "2022-10-25T15:50:23.859253Z",
			"updated_at": "2026-04-29T06:58:57.731816Z",
			"deleted_at": null,
			"main_name": "HEXANE",
			"aliases": [
				"Lyceum",
				"Siamesekitten",
				"Spirlin"
			],
			"source_name": "MITRE:HEXANE",
			"tools": [
				"Milan",
				"netstat",
				"BITSAdmin",
				"DnsSystem",
				"DanBot",
				"ipconfig",
				"Mimikatz",
				"Kevin",
				"PoshC2"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d1dcfc37-1f9b-4acd-a023-25153f183c2e",
			"created_at": "2025-08-07T02:03:24.783147Z",
			"updated_at": "2026-04-29T06:58:57.523553Z",
			"deleted_at": null,
			"main_name": "COBALT SHADOW",
			"aliases": [
				"AMERICIUM ",
				"Agonizing Serpens ",
				"Agrius",
				"Agrius ",
				"BlackShadow",
				"DEV-0227 ",
				"Justice Blade ",
				"Malek Team",
				"Malek Team ",
				"MoneyBird ",
				"Pink Sandstorm ",
				"Sharp Boyz ",
				"Spectral Kitten "
			],
			"source_name": "Secureworks:COBALT SHADOW",
			"tools": [
				"Apostle",
				"DEADWOOD",
				"Fantasy wiper",
				"IPsec Helper",
				"MiniDump",
				"Moneybird ransomware",
				"Sandals",
				"SecretsDump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-29T06:58:56.187821Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Parastoo",
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "fb8f3a5f-01a9-498e-9396-52f844424c33",
			"created_at": "2023-01-06T13:46:39.045338Z",
			"updated_at": "2026-04-29T06:58:56.41469Z",
			"deleted_at": null,
			"main_name": "LYCEUM",
			"aliases": [
				"COBALT LYCEUM",
				"UNC1530",
				"Spirlin",
				"MYSTICDOME",
				"siamesekitten",
				"Chrono Kitten",
				"Storm-0133"
			],
			"source_name": "MISPGALAXY:LYCEUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4023e661-f566-4b5b-a06f-9d370403f074",
			"created_at": "2024-02-02T02:00:04.064685Z",
			"updated_at": "2026-04-29T06:58:56.779252Z",
			"deleted_at": null,
			"main_name": "Pink Sandstorm",
			"aliases": [
				"UNC2428",
				"Black Shadow",
				"SPECTRAL KITTEN",
				"AMERICIUM",
				"BlackShadow",
				"DEV-0022",
				"Agrius",
				"Agonizing Serpens"
			],
			"source_name": "MISPGALAXY:Pink Sandstorm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-29T06:58:57.738664Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-29T06:58:57.849553Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-29T06:58:57.506187Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-29T06:58:58.009074Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7d982d5b-3428-483c-8804-c3ab774f1861",
			"created_at": "2024-11-01T02:00:52.70975Z",
			"updated_at": "2026-04-29T06:58:57.822183Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"Agrius",
				"Pink Sandstorm",
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow"
			],
			"source_name": "MITRE:Agrius",
			"tools": [
				"NBTscan",
				"Mimikatz",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"DEADWOOD",
				"BFG Agonizer",
				"ASPXSpy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-29T06:58:57.501827Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "386b1b0a-9217-46d4-a0d6-73d6286154e0",
			"created_at": "2025-08-07T02:03:24.760429Z",
			"updated_at": "2026-04-29T06:58:57.492935Z",
			"deleted_at": null,
			"main_name": "COBALT LYCEUM",
			"aliases": [
				"DEV-0133 ",
				"HEXANE ",
				"ScorchedEpoch "
			],
			"source_name": "Secureworks:COBALT LYCEUM",
			"tools": [
				"DanBot",
				"MilanRAT",
				"RGDoor",
				"SharkWork RAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-29T06:58:57.538371Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-29T06:58:57.579232Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-29T06:58:56.188715Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT 33",
				"Elfin",
				"Refined Kitten",
				"HOLMIUM",
				"G0064",
				"Peach Sandstorm",
				"TA451",
				"MAGNALLIUM",
				"COBALT TRINITY",
				"ATK35"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b5b24083-7ba6-44cc-9d11-a6274e2eee00",
			"created_at": "2022-10-25T16:07:24.337332Z",
			"updated_at": "2026-04-29T06:58:58.229959Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Cobalt Fireside",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Curium",
				"Devious Serpens",
				"Houseblend",
				"Imperial Kitten",
				"Marcella Flores",
				"Operation Fata Morgana",
				"TA456",
				"Yellow Liderc"
			],
			"source_name": "ETDA:Tortoiseshell",
			"tools": [
				"IMAPLoader",
				"Infostealer",
				"IvizTech",
				"LEMPO",
				"MANGOPUNCH",
				"SysKit",
				"get-logon-history.ps1",
				"liderc",
				"stereoversioncontrol"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-29T06:58:56.229515Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Cobalt Gypsy",
				"Helix Kitten",
				"APT34",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Earth Simnavaz",
				"Twisted Kitten",
				"Crambus",
				"APT 34",
				"IRN2",
				"Evasive Serpens",
				"Hazel Sandstorm"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "591ffe81-e46b-4e3d-90c1-9bf42abeeb47",
			"created_at": "2025-08-07T02:03:24.726943Z",
			"updated_at": "2026-04-29T06:58:57.59961Z",
			"deleted_at": null,
			"main_name": "COBALT FIRESIDE",
			"aliases": [
				"CURIUM ",
				"Crimson Sandstorm ",
				"Cuboid Sandstorm ",
				"DEV-0228 ",
				"HIVE0095 ",
				"Imperial Kitten ",
				"TA456 ",
				"Tortoiseshell ",
				"UNC3890 ",
				"Yellow Liderc "
			],
			"source_name": "Secureworks:COBALT FIRESIDE",
			"tools": [
				"FireBAK",
				"LEMPO",
				"LiderBird"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b938e2e3-3d1b-4b35-a031-ddf25b912557",
			"created_at": "2022-10-25T16:07:23.35582Z",
			"updated_at": "2026-04-29T06:58:57.766157Z",
			"deleted_at": null,
			"main_name": "APT 33",
			"aliases": [
				"APT 33",
				"ATK 35",
				"Cobalt Trinity",
				"Curious Serpens",
				"Elfin",
				"G0064",
				"Holmium",
				"Magnallium",
				"Peach Sandstorm",
				"Refined Kitten",
				"TA451",
				"Yellow Orc"
			],
			"source_name": "ETDA:APT 33",
			"tools": [
				"Atros2.CKPN",
				"AutoIt backdoor",
				"Breut",
				"CinaRAT",
				"DROPSHOT",
				"DarkComet",
				"DarkKomet",
				"DistTrack",
				"EmPyre",
				"EmpireProject",
				"FYNLOS",
				"FalseFont",
				"Filerase",
				"Fynloski",
				"JuicyPotato",
				"Krademok",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Mimikatz",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Notestuk",
				"POWERTON",
				"PoshC2",
				"PowerBand",
				"PowerShell Empire",
				"PowerSploit",
				"PsList",
				"Pupy",
				"PupyRAT",
				"Quasar RAT",
				"QuasarRAT",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"SHAPESHIFT",
				"Shamoon",
				"Socmer",
				"StoneDrill",
				"TURNEDUP",
				"Tickler",
				"Yggdrasil",
				"Zurten",
				"klovbot",
				"pupy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-29T06:58:57.99378Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-29T06:58:58.033485Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1777429258,
	"ts_updated_at": 1777450884,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ba6dab9f5b6059cacb528dd039f4c1ae06a6b031.pdf",
		"text": "https://archive.orkl.eu/ba6dab9f5b6059cacb528dd039f4c1ae06a6b031.txt",
		"img": "https://archive.orkl.eu/ba6dab9f5b6059cacb528dd039f4c1ae06a6b031.jpg"
	}
}