{
	"id": "93023605-7830-471e-971e-b29c94307235",
	"created_at": "2026-04-06T00:15:55.851262Z",
	"updated_at": "2026-04-10T03:34:22.469866Z",
	"deleted_at": null,
	"sha1_hash": "be779da4b4b92b7671afe5c8ac51066694615f21",
	"title": "A Quick Dip into MuddyWater's Recent Activity",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 403775,
	"plain_text": "A Quick Dip into MuddyWater's Recent Activity\r\nBy Mo Bustami\r\nPublished: 2018-03-01 · Archived: 2026-04-05 23:21:06 UTC\r\nINTRODUCTION\r\nSince my last blog-post on MuddyWater operations, they seem to have been continuing their activities and, as\r\nexpected, developing/changing some of their tactics and techniques. Their heavy focus on layered\r\nobfuscation and preference for PowerShell is still apparent. However, I will highlight what changed based on the sample that I\r\nwill be analyzing.\r\nThis started with the sample \"idrbt.doc\" -\r\n 009cc0f34f60467552ef79c3892c501043c972be55fe936efb30584975d45ec0 uploaded to VT on February 27,\r\n2017.\r\nIDRBT stands for Institute for Development and Research in Banking Technology which, according to Wikipedia,\r\nis an institution exclusively focused on Banking Technology. Established by the Reserve Bank of India (RBI) in\r\n1996, the Institution works at the intersection of Banking and Technology. It is located in Hyderabad, India. Right\r\nfrom carrying out cutting-edge Development and Research, enabling creation of technology infrastructure to\r\nmoulding the technology talent required for Banking Sector, the institution enables technology transformation of\r\nthe Indian Banking and Financial Sector.\r\nLooking at this lure document might give you an indication of potential targets that the group might be focusing on in\r\nthis wave.\r\nIS THAT SCRIPTLET I SEE??\r\nMy focus in this blog is to look at what changed in terms of the techniques used by the group to achieve their\r\nobjective, which can be summarized as the following:\r\nhttps://sec0wn.blogspot.com/2018/03/a-quick-dip-into-muddywaters-recent.html\r\nPage 1 of 28\n\n1. The lure document mentioned above is delivered as a password-protected document. This is probably to try\r\nand evade some of the automated analysis tools that some of the targets might have in place.\r\n2. 
Increased level of obfuscation in the embedded macro, as it now contains:\r\nBase64 encoding scattered across the macro code, and in some cases double Base64 encoding is used.\r\nUse of XOR in the macro code to create the commands to be executed by running the macro.\r\nThe use of publicly available code to potentially bypass AppLocker via the use of \"cmstp.exe\", or\r\nin this case using cmstp to execute scriptlet files which will in turn run PowerShell code known as\r\nthe MuddyWater PowerShell payload (POWERSTATS). The POWERSTATS variant in this case is\r\noriginally Base64 encoded within the macro.\r\nAdditional layering of obfuscated PowerShell to make analysis hard when looking at the\r\nPowerShell code. In this case the PowerShell script is heavily obfuscated with character\r\nreplacement functions (I counted 5 layers at least), with the layering of obfuscation being focused on\r\nthe PowerShell script portion related to the Proxy servers, which has risen to over 900 servers\r\n(provided at the bottom as part of the IoCs) - Please keep in mind that most of these might be\r\nrepresenting compromised sites.\r\nOBFUSCATE OBFUSCATE OBFUSCATE\r\nThe POWERSTATS payload that this group relies on is heavily obfuscated. The code is first embedded within the\r\nmacro code as a double Base64 encoded variable.\r\nOnce decoded you will be presented with the more familiar Invoke-Expression/Invoke/Obfuscation PowerShell\r\nscript that MuddyWater relies on.\r\nAs with previous iterations of POWERSTATS, the script is split into three parts:\r\nScript responsible for the Proxy Server, IP Location of the victim, Filename Path, etc. 
Similar to the\r\nvariant used in the BurpSuite KeyGen, the variable responsible for storing the proxy values is named \"Dragon\r\nMiddle\".\r\nScript that is the core code of the payload, which contains the functions for multiple commands including:\r\nKill command (Reboot, Shutdown or Clean)\r\nMessage encryption function\r\nURL proxy function\r\nFunction that includes a command to take screenshots\r\nPersistence Function.\r\nWhat seem to be Lateral Movement functions leveraging either DDEInitiate on Excel,\r\nCreateObject on Outlook and ShellWindows “Document.Application.ShellExecute”, all via DCOM.\r\nYou can find the methods used taken from this blog, this blog, this script and this blog. - I could be\r\nwrong but I think this is a new piece of code/function added compared to earlier samples I looked\r\nat.\r\nSleep and Anti Analysis functions\r\nUpload Function\r\nThe third script portion is focused on the encryption and decryption between the C\u0026C and the victim.\r\nINTERESTING STRINGS\r\nAs part of analyzing the document, I came across some interesting strings. In particular, the document included\r\nthis string \"CMG = \"21238DCB91CB91CE96CE96\"\". Googling this string returns only 3 results directing to the\r\nfollowing sites:\r\nhxxp://www[.]hnydjz[.]com/module/download/downfile.jsp?classid=0\u0026filename=139bf1d94eb646fcbd44de40ce2163d7.doc\r\nhxxp://www[.]liketoshow[.]com/module/download/downfile.jsp?classid=0\u0026filename=139bf1d94eb646fcbd44de40ce2163d7.doc\r\nhxxp://www[.]cn93[.]org/xxgk/jcms_files/jcms1/web107/site/zfxxgk/download/downfile.jsp?filename=171207081414203.doc\r\nAs of the writing of this blog, all three links seem to redirect to just a web page rather than a DOC file. 
However,\r\nlooking at some cached results for the third link, the page looked interesting as it contained further interesting\r\nstrings within it:\r\n\"\\rjoawork.bak\" - this seems to be scattered within the results, and further researching this string on Google,\r\nit yields about ~40 results which all seem to be DOC related and with Chinese focus.\r\n\"Module=RJeGov\" - This is the same as the above; however, this returns further results of about ~240.\r\nI actually do not know if this is anything or if I stumbled upon anything related or not but it just\r\nseems interesting to me. One thing to notice is that most of the returned results seem to be Chinese sites.\r\nFINAL THOUGHTS\r\nThis continues to show that the MuddyWater group is continuously evolving its techniques. Again, the different\r\nlures and methods used by this group continue to show that they might have a wide focus on multiple verticals and\r\nindustries.\r\nBelow you will find a list of IoCs from my analysis and I am sure others will be able to dig deeper into this and\r\nuncover further details. 
Hope this is of help and benefit.\r\nINDICATORS OF COMPROMISE\r\nHASHES\r\n009cc0f34f60467552ef79c3892c501043c972be55fe936efb30584975d45ec0\r\n288afbe21d69e79a1cff44e2db7f491af10381bcc54436a8f900bcbd2a752a6f\r\nc87799cce6d65158da97aa31a5160a0a6b6dd5a89dea312604cc66ed5e976cc9\r\nPROXY LIST\r\n
_template.php\r\nhxxp://advocatetn[.]com/font-awesome/fonts/db_template.php\r\nhxxps://amooy[.]com/webservice/db_template.php\r\nhxxp://www.harmonyguesthouse.co.za//db_template.php\r\nhxxp://alanrori[.]com//db_template.php\r\nhxxp://algarvesup[.]com//db_template.php\r\nhxxp://desirablehair.co.za//db_template.php\r\nhxxp://comsip.org.mw//db_template.php\r\nhxxp://jdcorporate.co.za/catalog/db_template.php\r\nhxxp://andrewfinnburhoe[.]com//db_template.php\r\nhxxp://anyeva[.]com/wp-includes/db_template.php\r\nhxxp://www.agenceuhd[.]com//db_template.php\r\nhxxp://host4unix.net/host24new/db_template.php\r\nhxxp://www.altaica.ca/wordpress/db_template.php\r\nhxxp://www.allbuyer.co.uk//db_template.php\r\nhxxp://jvpsfunerals.co.za//db_template.php\r\nhxxp://immaculatepainters.co.za//db_template.php\r\nhxxp://tcpbereka.co.za/js/db_template.php\r\nhxxp://clientcare.co.ls//db_template.php\r\nhxxp://investaholdings.co.za/htc/db_template.php\r\nhxxp://www.amjobs.co.uk//db_template.php\r\nhxxp://www.agirlgonewine[.]com/store/db_template.php\r\nhttps://sec0wn.blogspot.com/2018/03/a-quick-dip-into-muddywaters-recent.html\r\nPage 18 of 
28\n\nhxxp://findinfo-more[.]com//db_template.php\r\nhxxp://asgen.org//db_template.php\r\nhxxp://alphasalesrecruitment[.]com//db_template.php\r\nhxxp://irshadfoundation.co.za//db_template.php\r\nhxxp://analternatif[.]com/includes/db_template.php\r\nhxxp://arbruisseau[.]com/profiles/db_template.php\r\nhxxp://ladiescircle.co.za//db_template.php\r\nhxxp://all-reseller[.]com/zzz_backup/db_template.php\r\nhxxp://alcatrazmoon[.]com/images/db_template.php\r\nhxxp://www.alcalumni[.]com/wp-includes/db_template.php\r\nhxxp://aniljoseph[.]com/servermon/db_template.php\r\nhxxp://alwake3press[.]com/wp-includes/db_template.php\r\nhxxp://www.hfhl.org.ls/habitat/db_template.php\r\nhxxp://alcafricanos[.]com/slsmonographs/db_template.php\r\nhxxps://agapeencounter.org//db_template.php\r\nhxxp://apobiomedix.ca//db_template.php\r\nhxxp://anythinglah.info//db_template.php\r\nhxxp://aniroleplay.net//db_template.php\r\nhxxp://www.allcopytoners[.]com//db_template.php\r\nhxxp://alphaobring[.]com//db_template.php\r\nhxxp://www.galwayprimary.co.za//db_template.php\r\nhxxp://alnuzha.org/en/db_template.php\r\nhxxps://ancient-wisdoms[.]com//db_template.php\r\nhxxp://amazingenergysavings.net//db_template.php\r\nhxxp://gvs[.]com.pk/font-awesome/db_template.php\r\nhxxp://geetransfers.co.za/font-awesome/db_template.php\r\nhxxp://carlagrobler.co.za/components/db_template.php\r\nhxxp://amazingashwini[.]com//db_template.php\r\nhxxp://aminearserver.es//db_template.php\r\nhxxp://lensofafrica.co.za//db_template.php\r\nhxxp://greenacrestf.co.za/video/db_template.php\r\nhxxp://www.tonaro.co.za//db_template.php\r\nhxxp://alephit2.biz/kitzz/db_template.php\r\nhxxp://lppaportal.org.ls//db_template.php\r\nhxxp://alkousy[.]com//db_template.php\r\nhxxp://ambulatorioveterinariocalusco[.]com/img/common/db_template.php\r\nhxxp://fragranceoil.co.za//db_template.php\r\nhxxp://www.eloquent.co.za/nweb2/db_template.php\r\nhxxp://chrishanicdc.org/wpimages/db_template.php\r\nhxxp://ahc.me.uk//db_template.php\r\nhxxp://www.b
ritishasia-equip.co.uk//db_template.php\r\nhxxp://always-beauty.ch//db_template.php\r\nhttps://sec0wn.blogspot.com/2018/03/a-quick-dip-into-muddywaters-recent.html\r\nPage 19 of 28\n\nhxxps://www.ancamamara[.]com/wp-admin/db_template.php\r\nhxxp://entracorntrading.co.za//db_template.php\r\nhxxp://www.alexjeffersonconsulting[.]com/wp-includes/db_template.php\r\nhxxp://americabr[.]com.br//db_template.php\r\nhxxp://andrew-snyder.net/bootstrap/db_template.php\r\nhxxp://signsoftime.co.za//db_template.php\r\nhxxp://aperta-armis.org//db_template.php\r\nhxxp://absfinancialplanning.co.za/images/db_template.php\r\nhxxp://charispaarl.co.za//db_template.php\r\nhxxp://indlovusecurity.co.za//db_template.php\r\nhxxp://alcafricandatalab[.]com//db_template.php\r\nhxxp://amor-clubhotels[.]com//db_template.php\r\nhxxp://mokorotlocorporate[.]com//db_template.php\r\nhxxp://apppriori[.]com//db_template.php\r\nhxxp://luxconprojects.co.za//db_template.php\r\nhxxp://androidphonetips[.]com/wp-includes/db_template.php\r\nhxxp://angel-seeds[.]com.ua/catalog/db_template.php\r\nhxxp://alissanicolai[.]com/assets/db_template.php\r\nhxxps://www.amateurastronomy.org//db_template.php\r\nhxxp://aiofotoevideo[.]com//db_template.php\r\nhxxp://www.amika.hr//db_template.php\r\nhxxp://comfortex.co.za/php/db_template.php\r\nhxxp://deepgraphics.co.za//db_template.php\r\nhxxps://agiledepot[.]com//db_template.php\r\nhxxp://almatours.gr//db_template.php\r\nhxxp://analystcnwang[.]com//db_template.php\r\nhxxp://www.malboer.co.za/trendy1/db_template.php\r\nhxxp://sefikengfarm.co.ls//db_template.php\r\nhxxp://www.antirughenaturale[.]com/wp-admin/db_template.php\r\nhxxp://passright.co.za//db_template.php\r\nhxxp://seismicfactory.co.za//db_template.php\r\nhxxp://alessandroalessandrini.it//db_template.php\r\nhxxps://aquabsafe[.]com//db_template.php\r\nhxxp://amatikulutours[.]com/tmp/db_template.php\r\nhxxp://ganitis.gr//db_template.php\r\nhxxp://aleenasgiftbox[.]com/admin/db_template.php\r\nhxxps://allusdoctors[.]com/
themes/db_template.php\r\nhxxp://alainsaffel[.]com//db_template.php\r\nhxxp://www.ariehandomri[.]com//db_template.php\r\nhxxp://aquaneeka.co.uk/wp-includes/db_template.php\r\nhxxp://itengineering.co.za/gatewaydiamond/db_template.php\r\nhxxp://alldomains-crm[.]com/bubblegumpopcorn[.]com/wp-admin/db_template.php\r\nhttps://sec0wn.blogspot.com/2018/03/a-quick-dip-into-muddywaters-recent.html\r\nPage 20 of 28\n\nhxxp://www.albertamechanical.ca//db_template.php\r\nhxxp://alchamel.info//db_template.php\r\nhxxps://almokan.net/wp-includes/db_template.php\r\nhxxp://jakobieducation.co.za//db_template.php\r\nhxxps://arc-sec.net//db_template.php\r\nhxxp://ldams.org.ls/supplies/db_template.php\r\nhxxp://menaboracks.co.za/tmp/db_template.php\r\nhxxp://www.getcord.co.za//db_template.php\r\nhxxp://boardaffairs[.]com//db_template.php\r\nhxxp://capetownway.co.za//db_template.php\r\nhxxp://cloudhostdesign[.]com//db_template.php\r\nhxxp://hartenboswaterpark.co.za/templates/db_template.php\r\nhxxp://fccorp.co.za/php/db_template.php\r\nhxxp://angar68[.]com//db_template.php\r\nhxxp://www.dws-gov.co.za//db_template.php\r\nhxxp://alwahahweb[.]com//db_template.php\r\nhxxp://anuragcreatives[.]com//db_template.php\r\nhxxp://embali.co.za//db_template.php\r\nhxxp://albertaedmonton[.]com/widgetstyles/db_template.php\r\nhxxp://altosdefontana[.]com//db_template.php\r\nhxxp://airfanhydro.net//db_template.php\r\nhxxps://www.alexponcet[.]com/wp-includes/db_template.php\r\nhxxp://agropecuariavilarica[.]com.br//db_template.php\r\nhxxps://www.amazingbuyrd[.]com/admin/db_template.php\r\nhxxp://cdxtrading.co.za//db_template.php\r\nhxxp://interafricaconsulting[.]com/wpimages/db_template.php\r\nhxxp://glgroup.co.za/images/db_template.php\r\nhxxp://hisandherskennels.co.za/php/db_template.php\r\nhxxp://alemaohost[.]com/lotosorg[.]com/db_template.php\r\nhxxp://isibaniedu.co.za/admin/db_template.php\r\nhxxp://dianakleyn.co.za/layouts/db_template.php\r\nhxxp://themotoringcalendar.co.za//db_template.php\r\nhxxp://
www.loansonhomes.co.za//db_template.php\r\nhxxp://edgesecurity.co.za/js/db_template.php\r\nhxxp://highschoolsuperstar.co.za/files/db_template.php\r\nhxxp://www.ambientproperty[.]com//db_template.php\r\nhxxp://animationshowreel.co.il//db_template.php\r\nhxxp://cafawelding.co.za/font-awesome/db_template.php\r\nhxxp://apalawyers.pt//db_template.php\r\nhxxp://www.edesignz.co.za//db_template.php\r\nhxxp://centuryacademy.co.za/css/db_template.php\r\nhxxps://ambyenta.hr//db_template.php\r\nhttps://sec0wn.blogspot.com/2018/03/a-quick-dip-into-muddywaters-recent.html\r\nPage 21 of 28\n\nhxxp://ceramica.co.za//db_template.php\r\nhxxp://www.alfredoposada[.]com//db_template.php\r\nhxxp://anastasovsworkshop[.]com/wp-includes/db_template.php\r\nhxxp://allisonplumbing[.]com/wp-includes/db_template.php\r\nhxxp://eastrandmotorlab.co.za/fleet/db_template.php\r\nhxxp://angelsongroup[.]com/wp-includes/db_template.php\r\nhxxp://www.mikimaths[.]com//db_template.php\r\nhxxp://hjb-racing.co.za/htdocs/db_template.php\r\nhxxp://anotherpartofme[.]com/wp-includes/db_template.php\r\nhxxp://www.andreabelfi[.]com//db_template.php\r\nhxxp://www.iancullen.co.za//db_template.php\r\nhxxp://alaskamaterials[.]com//db_template.php\r\nhxxp://jeanetteproperties.co.za//db_template.php\r\nhxxp://www.digitalmedia.co.za//db_template.php\r\nhxxp://www.rejoicetheatre[.]com//db_template.php\r\nhxxps://alterwebhost[.]com//db_template.php\r\nhxxp://bc-u.co.uk//db_template.php\r\nhxxp://dpscdgkhan.edu.pk/shopping/db_template.php\r\nhxxp://edgeforensic.co.za//db_template.php\r\nhxxp://willpowerpos.co.za//db_template.php\r\nhxxp://antrismode[.]com/wp-includes/db_template.php\r\nhxxp://colenesphotography.co.za/modules/db_template.php\r\nhxxp://anthaigroup.vn//db_template.php\r\nhxxps://alphainvestors[.]com.au//db_template.php\r\nhxxps://aliart.nl//db_template.php\r\nhxxps://allmantravel[.]com/thumbs/db_template.php\r\nhxxp://fbrvolume.co.za//db_template.php\r\nhxxp://amordegato.es/storefront/db_template.php\r\nhxxp://
agylub[.]com//db_template.php\r\nhxxp://www.khotsonglodge.co.ls//db_template.php\r\nhxxp://ampli5yd[.]com//db_template.php\r\nhxxps://animeok.co.il//db_template.php\r\nhxxps://arbeidsrechtcentrum.nl//db_template.php\r\nhxxp://erniecommunications.co.za/js/db_template.php\r\nhxxp://promechtransport.co.za/scripts/db_template.php\r\nhxxp://centuriongsd.co.za//db_template.php\r\nhxxp://www.agencesylvieleclerc[.]com//db_template.php\r\nhxxp://delcom.co.za//db_template.php\r\nhxxps://aleoestudio[.]com/gallonature/db_template.php\r\nhxxp://oftheearthphotography[.]com/www/db_template.php\r\nhxxp://h-dubepromotions.co.za//db_template.php\r\nhxxp://www.alessioborzuola[.]com/downloads/db_template.php\r\nhttps://sec0wn.blogspot.com/2018/03/a-quick-dip-into-muddywaters-recent.html\r\nPage 22 of 28\n\nhxxp://crystaltidings.co.za//db_template.php\r\nhxxp://funeralbusinesssolution[.]com/email_template/db_template.php\r\nhxxp://funisalodge.co.za/data1/db_template.php\r\nhxxp://experttutors.co.za//db_template.php\r\nhxxps://www.cartridgecave.co.za//db_template.php\r\nhxxp://ecs-consult[.]com//db_template.php\r\nhxxp://www.animationinisrael.org/tmp_images/db_template.php\r\nhxxp://gideonitesprojects[.]com//db_template.php\r\nhxxp://hybridauto.co.za/photography/db_template.php\r\nhxxp://africanpixels.zar.cc//db_template.php\r\nhxxp://ryanchristiefurniture.co.za//db_template.php\r\nhxxp://evansmokaba[.]com/evansmokaba[.]com/thabiso/db_template.php\r\nhxxp://almeriahotelja[.]com/dk/db_template.php\r\nhxxp://al3abflash.biz//db_template.php\r\nhxxp://www.fun4kidz.co.za//db_template.php\r\nhxxp://alsharhanstore[.]com//db_template.php\r\nhxxp://www.infratechconsulting[.]com//db_template.php\r\nhxxp://algihad[.]com/assets/db_template.php\r\nhxxp://americanwestmedia[.]com//db_template.php\r\nhxxp://charliewestsecurity.co.za//db_template.php\r\nhxxp://beehiveholdingszar.co.za//db_template.php\r\nhxxp://analyticalfootball[.]com//db_template.php\r\nhxxp://apiiination[.]com/leadership/db_template.p
hp\r\nhxxps://ahelicoptermom[.]com/wp-includes/db_template.php\r\nhxxp://servicebox.co.za//db_template.php\r\nhxxp://globalelectricalandconstruction.co.za/wpscripts/db_template.php\r\nhxxps://aquo.in//db_template.php\r\nhxxps://www.alfransia[.]com/wp-admin/db_template.php\r\nhxxp://www.icsswaziland[.]com//db_template.php\r\nhxxp://aiko.pro//db_template.php\r\nhxxps://alceharfield[.]com//db_template.php\r\nhxxp://indocraft.co.za/test/db_template.php\r\nhxxp://allegiancesecurity.org//db_template.php\r\nhxxp://sullivanprimary.co.za//db_template.php\r\nhxxp://www.apmequestrian[.]com//db_template.php\r\nhxxps://alphawaves.org/wp-admin/db_template.php\r\nhxxp://www.alexandrasternin[.]com/illustration/db_template.php\r\nhxxp://www.daleth.co.za//db_template.php\r\nhxxp://jwseshowe.co.za/assets/db_template.php\r\nhxxp://winagainstebola[.]com//db_template.php\r\nhxxp://anubandh.in//db_template.php\r\nhxxp://www.alexanderhomestead[.]com//db_template.php\r\nhttps://sec0wn.blogspot.com/2018/03/a-quick-dip-into-muddywaters-recent.html\r\nPage 23 of 
28\n\nhxxp://alfatek-intelligence[.]com//db_template.php\r\nhxxp://www.aprendiendoencasa[.]com/wp-includes/db_template.php\r\nhxxp://alorabrownies[.]com/wp-admin/db_template.php\r\nhxxp://andrasadam[.]com/tothildiko/wp-includes/db_template.php\r\nhxxp://cazochem.co.za/cazochem/db_template.php\r\nhxxp://debnoch[.]com/image/db_template.php\r\nhxxp://hmholdings360.co.za//db_template.php\r\nhxxp://iinvest4u.co.za//db_template.php\r\nhxxp://burgercoetzeeattorneys.co.za//db_template.php\r\nhxxp://anngrigphoto[.]com//db_template.php\r\nhxxp://alchemistasonida[.]com//db_template.php\r\nhxxp://anahera.biz/admin/db_template.php\r\nhxxp://h-u-i.co.za/heiren/db_template.php\r\nhxxp://insta-art.co.za//db_template.php\r\nhxxp://muallematsela[.]com//db_template.php\r\nhxxp://aguasdecastilla[.]com/uploads/db_template.php\r\nhxxp://www.arabgamenetwork[.]com//db_template.php\r\nhxxps://arhiepiscopiabucurestilor.ro/templates/db_template.php\r\nhxxp://amruthavana[.]com/blog/db_template.php\r\nhxxp://digitalblue.co.za//db_template.php\r\nhxxps://www.alvarezarquitectos[.]com//db_template.php\r\nhxxp://buboobioinnovations.co.za/wpimages/db_template.php\r\nhxxp://andrewsbisom[.]com//db_template.php\r\nhxxp://www.m-3.co.za//db_template.php\r\nhxxp://beesrenovations.co.za/images/db_template.php\r\nhxxps://www.apliety.co.il/wp-includes/db_template.php\r\nhxxp://alchamelup.org/htdocs/db_template.php\r\nhxxp://benonicoc.co.za/resources/db_template.php\r\nhxxps://al-mostakbl[.]com//db_template.php\r\nhxxp://alchimiegrafiche.net/bbdelteatro/db_template.php\r\nhxxp://andrespazsoldan[.]com//db_template.php\r\nhxxp://in2accounting.co.za//db_template.php\r\nhxxp://aipa.ca//db_template.php\r\nhxxp://alphabee.fund/PHPMailer_5.2.0/db_template.php\r\nhxxp://arabsdeals[.]com//db_template.php\r\nhxxps://archiotronic[.]com/wp-includes/db_template.php\r\nhxxp://capewindstrading.co.za//db_template.php\r\nhxxps://althurayaa[.]com//db_template.php\r\nhxxp://jhphotoedits.co.za//db_template.php\r\nhxxp://cloudhub
.co.ls/modules/db_template.php\r\nhxxp://apironco[.]com/wp-includes/db_template.php\r\nhxxp://digital-cameras-south-africa.co.za/script/db_template.php\r\nhttps://sec0wn.blogspot.com/2018/03/a-quick-dip-into-muddywaters-recent.html\r\nPage 24 of 28\n\nhxxp://ahmadhasanat[.]com//db_template.php\r\nhxxp://alexrocchi[.]com//db_template.php\r\nhxxp://aljaadi[.]com//db_template.php\r\nhxxps://www.engeltjieakademie.co.za//db_template.php\r\nhxxp://annabelle.nl/next/db_template.php\r\nhxxp://juniorad.co.za/vendor/db_template.php\r\nhxxp://animationpulse.net//db_template.php\r\nhxxp://angloglot[.]com//db_template.php\r\nhxxp://agricolavicuna.cl//db_template.php\r\nhxxp://alexelgy[.]com/allaccess/db_template.php\r\nhxxp://www.centreforgovernance.uk//db_template.php\r\nhxxp://www.aliandconsulting[.]com//db_template.php\r\nhxxp://balaateen.co.za/less/db_template.php\r\nhxxp://aleksicdunja[.]com//db_template.php\r\nhxxp://arestihome[.]com//db_template.php\r\nhxxp://am1int.fcomet[.]com/wp1/db_template.php\r\nhxxp://anet-international-group[.]com/shop/db_template.php\r\nhxxp://courtesydriving.co.za/js/db_template.php\r\nhxxp://annaplebanek[.]com//db_template.php\r\nhxxp://agencijazemil[.]com//db_template.php\r\nhxxp://airminumtiro[.]com//db_template.php\r\nhxxp://www.androidwikihow[.]com//db_template.php\r\nhxxp://alisabyfinna[.]com//db_template.php\r\nhxxp://rma-law.co.za//db_template.php\r\nhxxp://amari.ro/components/db_template.php\r\nhxxp://anxiousandunstoppable[.]com//db_template.php\r\nhxxp://www.buhlebayoacademy[.]com//db_template.php\r\nhxxp://arabellajo[.]com/wp/wp-includes/db_template.php\r\nhxxp://blackthorn.co.za//db_template.php\r\nhxxp://alaqaba[.]com/dnsarabia[.]com/db_template.php\r\nhxxp://airesis.blog/wp-admin/db_template.php\r\nhxxp://www.aptibet.org//db_template.php\r\nhxxp://alecattic[.]com/wp-includes/db_template.php\r\nhxxp://anglero[.]com//db_template.php\r\nhxxp://getabletravel.co.za/wpscripts/db_template.php\r\nhxxp://www.allwestdental[.]com/wp-includes/
db_template.php\r\nhxxp://printernet.co.za//db_template.php\r\nhxxp://genesisbs.co.za//db_template.php\r\nhxxp://allsporthealthandfitness[.]com//db_template.php\r\nhxxp://www.humorcarbons[.]com//db_template.php\r\nhxxp://intelligentprotection.co.za//db_template.php\r\nhxxp://amazethings[.]com//db_template.php\r\nhttps://sec0wn.blogspot.com/2018/03/a-quick-dip-into-muddywaters-recent.html\r\nPage 25 of 28\n\nhxxp://incoso.co.za/images/db_template.php\r\nhxxp://www.antoanetapalikarska[.]com//db_template.php\r\nhxxps://www.alteaparadise[.]com/wp-includes/db_template.php\r\nhxxp://amirmenahem[.]com//db_template.php\r\nhxxp://isound.co.za//db_template.php\r\nhxxp://www.alestilorachel[.]com//db_template.php\r\nhxxp://alcfm.net/wp-admin/db_template.php\r\nhxxp://www.acer-parts.co.za//db_template.php\r\nhxxp://www.gsmmid[.]com//db_template.php\r\nhxxp://skhaleni.co.za//db_template.php\r\nhxxps://amiici.vision//db_template.php\r\nhxxps://andihaas.at/wp-includes/db_template.php\r\nhxxp://www.albertaprimebeef[.]com//db_template.php\r\nhxxps://www.appster.it/wp-includes/db_template.php\r\nhxxp://amofoundation.org/wp-includes/db_template.php\r\nhxxp://iqra.co.za/pub/db_template.php\r\nhxxp://thecompasssolutions.co.za//db_template.php\r\nhxxp://archwaycarpetscrm.co.uk//db_template.php\r\nhxxp://iggleconsulting[.]com//db_template.php\r\nhxxps://angel-blanco.net/wp-includes/db_template.php\r\nhxxps://anotherdayinparadise.ca//db_template.php\r\nhxxp://www.bitp.co.za//db_template.php\r\nhxxp://cupboardcure.co.za/vendor/db_template.php\r\nhxxp://all2wedding[.]com/wp-includes/db_template.php\r\nhxxp://allianz[.]com.pe/wp-admin/db_template.php\r\nhxxp://amiehepperlin[.]com//db_template.php\r\nhxxps://www.amighini.it/webservice/db_template.php\r\nhxxp://broken-arrow.co.za//db_template.php\r\nhxxp://www.ihlosiqs-pm.co.za//db_template.php\r\nhxxp://alisimple.si/wp-includes/db_template.php\r\nhxxp://allthat.social//db_template.php\r\nhxxp://www.amphibiblechurch[.]com//db_template.php\r\nhxx
p://bestencouragementwords[.]com//db_template.php\r\nhxxp://alayhamtechnologies[.]com//db_template.php\r\nhxxps://alaskanharvestseafood[.]com/backup/db_template.php\r\nhxxps://www.air-mag.ro//db_template.php\r\nhxxp://get-paid-for-online-survey[.]com//db_template.php\r\nhxxp://www.antc.ch/wp-includes/db_template.php\r\nhxxp://firstchoiceproperties.co.za//db_template.php\r\nhxxp://habibtextiles.pk//db_template.php\r\nhxxp://fsproperties.co.za/engine1/db_template.php\r\nhxxp://diegemmerkat.co.za//db_template.php\r\nhttps://sec0wn.blogspot.com/2018/03/a-quick-dip-into-muddywaters-recent.html\r\nPage 26 of 28\n\nhxxp://molepetravel.co.ls//db_template.php\r\nhxxp://mmetl.co.za//db_template.php\r\nhxxp://altrablog[.]com//db_template.php\r\nhxxp://abrahamseed.co.za//db_template.php\r\nhxxp://www.amerindgen[.]com/author/admin1/db_template.php\r\nhxxp://altcoinaddict[.]com//db_template.php\r\nhxxp://iiee.edu.pk//db_template.php\r\nhxxp://cmhts.co.za/resources/db_template.php\r\nhxxp://domesticguardians.co.za/Banner/db_template.php\r\nhxxps://amishcountryfurnishings[.]com//db_template.php\r\nhxxps://allday.gr//db_template.php\r\nhxxp://www.alinn-u-yin[.]com//db_template.php\r\nhxxps://www.allin-chain[.]com//db_template.php\r\nhxxps://www.anatapackaging[.]com/vendors/db_template.php\r\nhxxp://alexcelts[.]com/wp/db_template.php\r\nhxxp://www.allstylus[.]com.br//db_template.php\r\nhxxp://www.algom-law[.]com//db_template.php\r\nhxxp://ambiances-toiles.fr//db_template.php\r\nPopular posts from this blog\r\nPOWERSING - FROM LNK FILES TO JANICAB THROUGH YOUTUBE \u0026 TWITTER\r\nINTRODUCTION This post will discuss an ongoing campaign that have been operational since at least August\r\n2017 . The post will look into the delivery of the malware, some analysis on the payload, and some additional\r\ninsights in relation to the campaign. It is by no means a full in depth analysis of the malware and all it's\r\nfunctionality.  LAWYER UP!! 
This all started with a tweet by the AWESOME Jacob Soo ( @_jsoo_ ) whom I\r\nrecommend you go and follow if you are interested in analyzing malware and tracking different threat actors. The\r\nsample is a ZIP file titled \"Dubai_Lawyers_update_2018.zip\" and the archive contains two LNK files that are\r\nperpetrating to be PDF files. The actors in this case borrowed couple of files from the British Embassy site and\r\nused them as decoy documents to lure victims into believing that these files are in fact legitimate.\r\nhttps://assets.publishing.service[.]gov.uk/government/uploads/system/uploads/attachment_da...\r\nHOW DO YOU LIKE DEM EGGS? I LIKE MINE SCRAMBLED, REALLY SCRAMBELED -\r\nA LOOK AT A RECENT more_eggs SAMPLES\r\nhttps://sec0wn.blogspot.com/2018/03/a-quick-dip-into-muddywaters-recent.html\r\nPage 27 of 28\n\nBACKGROUND The topic of discussion have been covered quite well in the past years. With some  analysis\r\nfocusing on the human element and actors behind the tools  and  other analysis attributing to different groups  and\r\nsome focusing on  the malware  and  final payload . This blog will just focus on some recent samples related to\r\nwhat i think is  more_eggs  and my attempt (successful or not, I will let you be the judge of that) at analyzing them\r\nand some questions I have. I won't be discussing any attribution or provide my thoughts on that in this blog. \r\nHIGH LEVEL ANALYSIS OF SAMPLES This all started with a tweet - \r\nhttps://twitter.com/jaydinbas/status/1633063201607675909?s=20 File Name : Axiance_Full_Reports[.]zip Hash\r\n: 631f92c9147733acf3faa02586cd2a6cda673ec83c24252fccda1982cf3e96f6 The file is a ZIP file that include an\r\nLNK file and a JPG. The LNK as you would expect includes an obfuscated code within it that is consis...\r\nSource: https://sec0wn.blogspot.com/2018/03/a-quick-dip-into-muddywaters-recent.html\r\nhttps://sec0wn.blogspot.com/2018/03/a-quick-dip-into-muddywaters-recent.html\r\nPage 28 of 28",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://sec0wn.blogspot.com/2018/03/a-quick-dip-into-muddywaters-recent.html"
	],
	"report_names": [
		"a-quick-dip-into-muddywaters-recent.html"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434555,
	"ts_updated_at": 1775792062,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/be779da4b4b92b7671afe5c8ac51066694615f21.pdf",
		"text": "https://archive.orkl.eu/be779da4b4b92b7671afe5c8ac51066694615f21.txt",
		"img": "https://archive.orkl.eu/be779da4b4b92b7671afe5c8ac51066694615f21.jpg"
	}
}