{ "id": "d6d1764c-ea0d-438d-b0fa-fcf292f56947", "created_at": "2026-04-06T00:06:38.265019Z", "updated_at": "2026-04-10T13:11:19.17975Z", "deleted_at": null, "sha1_hash": "bfbd5e895ba954740642786811d9184617c3c828", "title": "Analysis of an Iranian APTs “E400” PowGoop variant reveals dozens of control servers dating back to 2020 | NTT Security Holdings", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 889018, "plain_text": "Analysis of an Iranian APTs “E400” PowGoop variant reveals\r\ndozens of control servers dating back to 2020 | NTT Security\r\nHoldings\r\nPublished: 2022-05-11 · Archived: 2026-04-05 22:25:29 UTC\r\nExecutive Summary\r\nOn January 12th, 2022, the U.S. Cyber Command’s Cyber National Mission Force (CNMF) released a report\r\nexposing malicious samples related to the offensive toolset of the Iranian APT group tracked by NTT Security\r\nHoldings (NTTSH) as ENT-11.\r\nMultiple samples of ENT-11s malware known as PowGoop were released, including samples for all three of the\r\nmain components that make up the PowGoop infection chain.\r\nInsights gained from technical analysis of the final backdoor component of the PowGoop malware has allowed\r\nNTTSH analysts the ability to identify dozens of PowGoop command and control servers dating back to October\r\n2020. These control servers are related to a PowGoop variant dubbed “E400” by the NTTSH analyst team.\r\nUtilizing proprietary internet backbone data available to NTTSH shows three clusters of victims can be observed\r\nsince the beginning of 2022.\r\nTracking efforts by NTTSH analysts show ENT-11 is almost certainly winding down operations for the E400-\r\nPowGoop variant, as no new control servers for this variant have been observed since the end of 2021, and only\r\none server is still active at the time of writing.\r\nENT-11\r\nENT-11, tracked publicly as MuddyWater, Seedworm, Static Kitten, and MERCURY, is primarily an espionage\r\nand geopolitically motivated adversary that is attributed by the US Cyber Command as being a subordinate\r\nelement within the Iranian Ministry of Intelligence (MOIS).\r\nThe adversary’s recent toolset has been well-documented, and leaks over the past few years have proven useful for\r\ncontinued research into how the group has probably operated The threat actor is known to target foreign\r\ngovernments, as well as organizations from the private sector in areas such as telecommunications and energy. In\r\nrecent investigations NTTSH analysts have also identified victims from within intergovernmental economic\r\ncooperation organizations, and the banking sector.\r\nThe actor is publicly reported to primarily target geographic neighbours in the Middle East, but wide-ranging\r\nglobal targeting has also been reported. This is not unexpected given targeting orders are believed to come directly\r\nfrom MOIS, and hence follow the everchanging geopolitical landscape.\r\nhttps://www.security.ntt/blog/analysis-of-an-iranian-apts-e400-powgoop-variant\r\nPage 1 of 13\n\nENT-11 seeks to maintain stealth in their operations by using techniques such as DLL sideloading to disguise\r\ncommand and control traffic as legitimate activity. Additionally, the adversary is often observed using custom\r\nlightweight encoding and obfuscation schemes to bypass detection.\r\nAlthough portions of the adversary’s toolset and infrastructure have recently been exposed publicly, the actor has\r\nshown the ability to adapt by modifying tools, and creating new variants. NTTSH analysts believe that it is almost\r\ncertain that the actor will continue to do this throughout 2022.\r\nHigh-level Overview of PowGoop\r\nPowGoop is a foundational part of ENT-11s offensive toolset and has been used against high-level targets since\r\n2020.\r\nThe first known variant of PowGoop was reported on in September 2020 by the Unit42 team at Palo Alto where a\r\npossible (but still unproven) connection was made to intrusions involving the destructive use of Thanos\r\nransomware against state-run organizations in the Middle East and North Africa in July of the same year.\r\nA report called “Operation Quicksand” by ClearSky Cyber Security followed shortly thereafter outlining an\r\noffensive campaign they observed against Israeli organizations in September 2020 where a new harder to detect\r\nPowGoop variant was being deployed.\r\nThe new variant of PowGoop highlighted by the ClearSky report is the probable precursor to the pervasive\r\n“E400” PowGoop variant observed to be used since October 2020 by NTTSH analysts.\r\nPowGoop has a multistage infection chain that employs techniques such as DLL sideloading and obfuscation to\r\nbypass detection.\r\nScheduled tasks have been reported to be used for maintaining persistence with PowGoop.\r\nDue to the DLL side-loading method employed, PowGoop command and control traffic stealthily runs under a\r\nlegitimate process such as Google Update Service, and as such can further hinder analysis.\r\nThe PowGoop malware set itself can be divided logically into three parts :\r\nDLL loader\r\nPowerShell script that acts as a decrypter and a loader\r\nPowerShell backdoor that offers code execution and downloader capabilities while maintaining command\r\nand control over the victim\r\nSome reports have observed that PowGoop may be deployed via the remote execution tool Remadmin, but others\r\nsuch as ClearSky have reported on downloads being observed from control servers after initial access has been\r\nmade.\r\nIt is reported that PowGoop arrives on a victim host in a zip file called “google.zip” which contains the necessary\r\nmalicious components\r\nhttps://www.security.ntt/blog/analysis-of-an-iranian-apts-e400-powgoop-variant\r\nPage 2 of 13\n\nFigure 2. High-level overview of a PowGoop infection chain\r\nAs multiple reports have been released recently that have done an excellent job of summarizing the PowGoop\r\ninfection chain, we choose to focus our attention on a technical deep dive of the final payload - the PowerShell\r\nbackdoor.\r\nTechnical Analysis of the PowerShell Backdoor Component\r\nThe final payload of the PowGoop infection chain is the PowerShell script that contains the command and control\r\nfunctionality of the malware.\r\nhttps://www.security.ntt/blog/analysis-of-an-iranian-apts-e400-powgoop-variant\r\nPage 3 of 13\n\nAnalysis of a mostly decrypted and deobfuscated sample uploaded by the U.S. Cyber Command shows the script\r\nis built to be proxy aware, and contains a hard-coded user-agent, and control server to contact.\r\nFigure 3. Proxy aware with hardcoded user-agent and control server\r\nA hard-coded GUID is also observed.\r\nFigure 4. Hard-coded GUID\r\nThe script contains four functions (encode, c, decode, GET) along with a while loop that is used to maintain\r\ncommand and control.\r\nWhen the script is executed the while loop begins.\r\nFigure 5. The first part of the while loop is for initiating the victim check-in\r\nAn initial request is initiated towards the hard-coded control server using the hard-coded GUID as the $id input\r\n(and nothing for $ct) of the call to the GET function.\r\nFigure 6. The GET function contains the web request and response functionality\r\nA custom header “Authorization” is added to the request with the hard-coded GUID as the value. This request\r\nserves as the initial check-in and identification of the victim host.\r\nhttps://www.security.ntt/blog/analysis-of-an-iranian-apts-e400-powgoop-variant\r\nPage 4 of 13\n\nFigure 7. Initial victim check-in using the hard-coded user-agent and control server. A custom Authorization\r\nheader with hard-coded GUID as the value is also added.\r\nWhen the control server receives the request, it will either respond with an encoded and obfuscated command to\r\nbe executed by the victim, or “ERROR 400” will be given.\r\nFigure 8. The response from the control server to the victim check-in is either command(s) to be executed on the\r\nvictim host, or “ERROR 400”\r\nThe response from the control server is returned by the GET function as a string and dictates the execution path\r\nthe malware takes.\r\nAs only a single parameter was passed to the GET function for this first request, the part of the code in the GET\r\nfunction affecting the second parameter is reserved for later requests.\r\nThe next part of the while loop initiates another request towards the control server, but this time the response\r\nreceived from the first request is now added as the value of the Authorization header.\r\nFigure 9. Second request initiated in the while loop towards the control server\r\nhttps://www.security.ntt/blog/analysis-of-an-iranian-apts-e400-powgoop-variant\r\nPage 5 of 13\n\nFigure 10. The second request towards the control server contains the response from the first request as the value\r\nin the Authorization header\r\nA check is then made in the while loop specifically if the response of “ERROR 400” was received in the response\r\nbody.\r\nIf the “ERROR 400” response body was received, the malware then enters an infinite loop and keeps trying to\r\ncheck-in to the control server until a command is received.\r\nFigure 11. Checking for “ERROR 400”\r\nIf the response served by the control server to the check-in requests is not “ERROR 400”, then it is a command to\r\nbe executed on the victim host.\r\nThe command received is first run through a decode function:\r\nFigure 12. Call to the decode function\r\nThe decode function is as follow:\r\nFigure 13. Function to decode the response served by the control server\r\nThe function decodes a response by first taking every 2nd character starting from the 1st (so 1,3,5 …) to form a\r\nnew string. That string is then base64 decoded.\r\nAs an example, the response “dQ2rhlvYYnWO1ap” would first be reduced to “d2hvYW1p”, which would then be\r\nbase64 decoded to the command “whoami”.\r\nThe command will then be executed on the victim host using Invoke-Expression (IEX).\r\nhttps://www.security.ntt/blog/analysis-of-an-iranian-apts-e400-powgoop-variant\r\nPage 6 of 13\n\nThe results of the command execution will be passed back to the GET function along with the command that was\r\nexecuted (the command string passed back to GET is still in its encoded and obfuscated form).\r\nFigure 14. Logic to execute the command on the victim host with Invoke-Expression, and then initiate another\r\nrequest towards the control server with the results using the GET function\r\nAs values are now passed to the GET function for both parameters, the following logic will be used to encode the\r\nresults of the command execution on the victim host, and then the value will be added to a new “Cookie” header\r\nin the request.\r\nFigure 15. Encoding the result of the command executed and adding as a value to a new Cookie header\r\nThe encode functionality is simply the reverse of what was observed in the decode function.\r\nAs can be seen below, the result of the command execution is first base64 encoded, and then obfuscated by\r\ninserting a random upper or lowercase letter (generated through calls to the c function) after each character of the\r\nbase64 encoded string.\r\nFigure 16. Lightweight encoding and obfuscation routine\r\nAfter encoding and obfuscating the results, a request will then be made towards the control server such as the\r\nfollowing example which shows the results of executing “whoami” on a victim host with IEX.\r\nhttps://www.security.ntt/blog/analysis-of-an-iranian-apts-e400-powgoop-variant\r\nPage 7 of 13\n\nFigure 17. Request towards control server with results of the command execution added as a value of a new\r\nCookie header. The command executed is in the Authorization header still in its encoded and obfuscated form.\r\nThe backdoor then goes to sleep for a hard-coded number of minutes (50 minutes in this case) and then begins\r\nagain at the start of the while loop which maintains command and control.\r\nFigure 18. Hard-coded backdoor sleep time\r\nA more visual example of traffic starting with the initial victim check-in request at the top is:\r\nhttps://www.security.ntt/blog/analysis-of-an-iranian-apts-e400-powgoop-variant\r\nPage 8 of 13\n\nFigure 19. Overview of example network traffic based on execution paths of the PowGoop backdoor\r\nTracking ENT-11 “E400” PowGoop Infrastructure\r\nNTT Security Holdings through insights gained from NTT owning and operating one of the world’s largest ISP\r\nbackbones continuously maps threat actor infrastructure, both in realtime, and by using novel threat research as a\r\nstarting point to correlate in the historical data.\r\nUsing the knowledge gained from the technical deep-dive into the functionality of the PowGoop backdoor\r\ncomponent, NTTSH analysts were able to use both open-source and proprietary backbone data sources to pivot\r\non, and attribute dozens of previously unknown PowGoop control servers to ENT-11.\r\nThe following control servers have been found and are sorted on approximate dates of known activity (this\r\ninformation is also included in the IOC section at the end of the report):\r\nhttps://www.security.ntt/blog/analysis-of-an-iranian-apts-e400-powgoop-variant\r\nPage 9 of 13\n\nPowGoop Control Server\r\nFirst Observed\r\n(≈)\r\nLast Observed (≈)\r\n164.132.237[.]79 11/26/2021 1/15/2022\r\n178.32.30[.]1 11/25/2021 1/16/2022\r\n37.187.204[.]27 11/23/2021 1/14/2022\r\n51.255.19[.]178 11/22/2021 1/14/2022\r\n51.255.19[.]179 11/21/2021 1/17/2022\r\n164.132.237[.]65 11/18/2021 12/24/2021\r\n164.132.237[.]66 10/28/2021 1/9/2022\r\n185.141.27[.]143 10/18/2021 10/26/2021\r\n80.85.158[.]49 10/18/2021 10/18/2021\r\n185.141.27[.]248 10/15/2021 11/12/2021\r\n185.183.96[.]7 10/1/2021 11/13/2021\r\n185.183.96[.]44 10/1/2021 11/12/2021\r\n192.3.161[.]218 9/8/2021\r\nstill active as of\r\n4/6/2022\r\n23.94.7[.]9 8/31/2021 1/15/2022\r\n96.8.121[.]193 8/29/2021 3/3/2022\r\n23.94.24[.]78 7/23/2021 1/13/2022\r\n23.94.24[.]76 7/18/2021 2/9/2022\r\n185.45.192[.]228 7/11/2021 11/11/2021\r\n23.94.24[.]77 7/6/2021 8/18/2021\r\n107.172.165[.]182 6/17/2021 7/3/2021\r\n107.175.57[.]83 6/16/2021 1/14/2022\r\n107.172.165[.]17 6/16/2021 6/23/2021\r\n192.210.226[.]128 4/21/2021 11/5/2021\r\n107.175.95[.]102 11/23/2020 7/24/2021\r\nhttps://www.security.ntt/blog/analysis-of-an-iranian-apts-e400-powgoop-variant\r\nPage 10 of 13\n\nPowGoop Control Server\r\nFirst Observed\r\n(≈)\r\nLast Observed (≈)\r\n172.245.81[.]135 11/18/2020 6/12/2021\r\n104.168.98[.]148 11/12/2020 7/25/2021\r\n192.210.191[.]188 11/10/2020 7/24/2021\r\n198.144.190[.]132 11/4/2020 4/24/2021\r\n172.245.157[.]101 10/28/2020 10/28/2020\r\n23.94.7[.]134 10/26/2020 8/16/2021\r\n23.95.8[.]149 10/26/2020 1/26/2021\r\n96.8.121[.]101 10/14/2020 8/17/2021\r\n107.175.95[.]101 10/13/2020 10/13/2020\r\n192.3.161[.]182 10/10/2020 8/26/2021\r\nTable 1. Identified ENT-11 PowGoop control servers for the\r\n“E400” variant\r\nIt should be noted that the dates given above are approximate. As such, NTTSH analysts strongly urge additional\r\ninvestigation of any activity discovered around (but outside) the given timeframes.\r\nAn interesting observation is that the date of the first actively observed control server on 2020-10-10 came\r\napproximately five weeks after the Unit 42 team at Palo Alto released the first public research on PowGoop, and\r\njust a few days before the ClearSky “Operation Quicksand” report was released.\r\nAn almost certain new variant such as “E400” being observed within this timeframe continues to lend evidence to\r\nthe groups willingness to adapt through the modification of their tools, and the creation of new variants as their\r\nactivities are investigated and reported on publicly.\r\nAnother interesting observation is the considerable number of control servers that appeared to go offline in the\r\ndays following the January 12th release by the U.S. Cyber Command team. No analytic judgements are made on\r\nthe reason for this due to the lack of any further evidence at this time to substantiate such a judgement.\r\nVictimology\r\nSearching the proprietary historical data available to NTTSH analysts for the identified control servers shows\r\nthree victim clusters can be observed since the beginning of 2022:\r\n1. Multiple victims from government ministries and municipal governments that overlaps with what was\r\nrecently reported by the Cisco Talos team\r\nhttps://www.security.ntt/blog/analysis-of-an-iranian-apts-e400-powgoop-variant\r\nPage 11 of 13\n\n2. An intergovernmental economic cooperation organization\r\n3. A large Central Asian bank\r\nPassive reconnaissance reveals multiple victims have exposed services for Fortinet FortiOS and/or Microsoft\r\nExchange. Although NTTSH analysts cannot say definitively at this time how initial access was gained, a joint\r\ncybersecurity advisory was recently released stating these services have been actively targeted in 2021 for initial\r\naccess by Iranian APT groups\r\nConclusion\r\nIn this report NTTSH analysts have provided a high-level overview of the threat actor ENT11 and the infection\r\nchain of their PowGoop malware. A technical deep dive was given for the PowerShell backdoor component of a\r\nPowGoop variant dubbed by NTTSH analysts as “E400”.\r\nInsights gained from the deep dive were used to identify dozens of previously unknown malicious control servers,\r\nand some interesting observations of the data was provided. A search was then conducted in the historical internet\r\nbackbone data available to NTTSH analysts, and observed victims were clustered.\r\nPassive reconnaissance of the victims provided possible further context.\r\nIOCS\r\nPowGoop Control Server First Observed (≈) Last Observed (≈)\r\n164.132.237[.]79 11/26/2021 1/15/2022\r\n178.32.30[.]1 11/25/2021 1/16/2022\r\n37.187.204[.]27 11/23/2021 1/14/2022\r\n51.255.19[.]178 11/22/2021 1/14/2022\r\n51.255.19[.]179 11/21/2021 1/17/2022\r\n164.132.237[.]65 11/18/2021 12/24/2021\r\n164.132.237[.]66 10/28/2021 1/9/2022\r\n185.141.27[.]143 10/18/2021 10/26/2021\r\n80.85.158[.]49 10/18/2021 10/18/2021\r\n185.141.27[.]248 10/15/2021 11/12/2021\r\n185.183.96[.]7 10/1/2021 11/13/2021\r\n185.183.96[.]44 10/1/2021 11/12/2021\r\n192.3.161[.]218 9/8/2021 still active as of 4/6/2022\r\nhttps://www.security.ntt/blog/analysis-of-an-iranian-apts-e400-powgoop-variant\r\nPage 12 of 13\n\nPowGoop Control Server First Observed (≈) Last Observed (≈)\r\n23.94.7[.]9 8/31/2021 1/15/2022\r\n96.8.121[.]193 8/29/2021 3/3/2022\r\n23.94.24[.]78 7/23/2021 1/13/2022\r\n23.94.24[.]76 7/18/2021 2/9/2022\r\n185.45.192[.]228 7/11/2021 11/11/2021\r\n23.94.24[.]77 7/6/2021 8/18/2021\r\n107.172.165[.]182 6/17/2021 7/3/2021\r\n107.175.57[.]83 6/16/2021 1/14/2022\r\n107.172.165[.]17 6/16/2021 6/23/2021\r\n192.210.226[.]128 4/21/2021 11/5/2021\r\n107.175.95[.]102 11/23/2020 7/24/2021\r\n172.245.81[.]135 11/18/2020 6/12/2021\r\n104.168.98[.]148 11/12/2020 7/25/2021\r\n192.210.191[.]188 11/10/2020 7/24/2021\r\n198.144.190[.]132 11/4/2020 4/24/2021\r\n172.245.157[.]101 10/28/2020 10/28/2020\r\n23.94.7[.]134 10/26/2020 8/16/2021\r\n23.95.8[.]149 10/26/2020 1/26/2021\r\n96.8.121[.]101 10/14/2020 8/17/2021\r\n107.175.95[.]101 10/13/2020 10/13/2020\r\n192.3.161[.]182 10/10/2020 8/26/2021\r\nSource: https://www.security.ntt/blog/analysis-of-an-iranian-apts-e400-powgoop-variant\r\nhttps://www.security.ntt/blog/analysis-of-an-iranian-apts-e400-powgoop-variant\r\nPage 13 of 13", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "origins": [ "web" ], "references": [ "https://www.security.ntt/blog/analysis-of-an-iranian-apts-e400-powgoop-variant" ], "report_names": [ "analysis-of-an-iranian-apts-e400-powgoop-variant" ], "threat_actors": [ { "id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b", "created_at": "2022-10-25T15:50:23.308924Z", "updated_at": "2026-04-10T02:00:05.298591Z", "deleted_at": null, "main_name": "MuddyWater", "aliases": [ "MuddyWater", "Earth Vetala", "Static Kitten", "Seedworm", "TEMP.Zagros", "Mango Sandstorm", "TA450" ], "source_name": "MITRE:MuddyWater", "tools": [ "STARWHALE", "POWERSTATS", "Out1", "PowerSploit", "Small Sieve", "Mori", "Mimikatz", "LaZagne", "PowGoop", "CrackMapExec", "ConnectWise", "SHARPSTATS", "RemoteUtilities", "Koadic" ], "source_id": "MITRE", "reports": null }, { "id": "2ed8d590-defa-4873-b2de-b75c9b30931e", "created_at": "2023-01-06T13:46:38.730137Z", "updated_at": "2026-04-10T02:00:03.08136Z", "deleted_at": null, "main_name": "MuddyWater", "aliases": [ "TEMP.Zagros", "Seedworm", "COBALT ULSTER", "G0069", "ATK51", "Mango Sandstorm", "TA450", "Static Kitten", "Boggy Serpens", "Earth Vetala" ], "source_name": "MISPGALAXY:MuddyWater", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "156b3bc5-14b7-48e1-b19d-23aa17492621", "created_at": "2025-08-07T02:03:24.793494Z", "updated_at": "2026-04-10T02:00:03.634641Z", "deleted_at": null, "main_name": "COBALT ULSTER", "aliases": [ "Boggy Serpens ", "ENT-11 ", "Earth Vetala ", "ITG17 ", "MERCURY ", "Mango Sandstorm ", "MuddyWater ", "STAC 1171 ", "Seedworm ", "Static Kitten ", "TA450 ", "TEMP.Zagros ", "UNC3313 ", "Yellow Nix " ], "source_name": "Secureworks:COBALT ULSTER", "tools": [ "CrackMapExec", "Empire", "FORELORD", "Koadic", "LaZagne", "Metasploit", "Mimikatz", "Plink", "PowerStats" ], "source_id": "Secureworks", "reports": null }, { "id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb", "created_at": "2022-10-25T16:07:23.880522Z", "updated_at": "2026-04-10T02:00:04.775749Z", "deleted_at": null, "main_name": "MuddyWater", "aliases": [ "ATK 51", "Boggy Serpens", "Cobalt Ulster", "G0069", "ITG17", "Mango Sandstorm", "MuddyWater", "Operation BlackWater", "Operation Earth Vetala", "Operation Quicksand", "Seedworm", "Static Kitten", "T-APT-14", "TA450", "TEMP.Zagros", "Yellow Nix" ], "source_name": "ETDA:MuddyWater", "tools": [ "Agentemis", "BugSleep", "CLOUDSTATS", "ChromeCookiesView", "Cobalt Strike", "CobaltStrike", "CrackMapExec", "DCHSpy", "DELPHSTATS", "EmPyre", "EmpireProject", "FruityC2", "Koadic", "LOLBAS", "LOLBins", "LaZagne", "Living off the Land", "MZCookiesView", "Meterpreter", "Mimikatz", "MuddyC2Go", "MuddyRot", "Mudwater", "POWERSTATS", "PRB-Backdoor", "PhonyC2", "PowGoop", "PowerShell Empire", "PowerSploit", "Powermud", "QUADAGENT", "SHARPSTATS", "SSF", "Secure Socket Funneling", "Shootback", "Smbmap", "Valyria", "chrome-passwords", "cobeacon", "prb_backdoor" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775433998, "ts_updated_at": 1775826679, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/bfbd5e895ba954740642786811d9184617c3c828.pdf", "text": "https://archive.orkl.eu/bfbd5e895ba954740642786811d9184617c3c828.txt", "img": "https://archive.orkl.eu/bfbd5e895ba954740642786811d9184617c3c828.jpg" } }