{
	"id": "c2dad2ff-59bd-4350-87e7-9c85ecb28242",
	"created_at": "2026-04-08T02:21:55.660177Z",
	"updated_at": "2026-04-10T13:13:00.379083Z",
	"deleted_at": null,
	"sha1_hash": "c1c1c57c38154de1f978522203f93d2258c80aaa",
	"title": "MuddyWater Threat Group Deploys New BugSleep Backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52774,
	"plain_text": "MuddyWater Threat Group Deploys New BugSleep Backdoor\r\nBy gmcdouga\r\nPublished: 2024-07-15 · Archived: 2026-04-08 02:16:52 UTC\r\nCheck Point Research (CPR) warns that Iranian threat group MuddyWater has significantly increased its activities\r\nagainst Israel and is deploying a new, previously undocumented backdoor campaign.\r\nKey Findings\r\nMuddyWater, an Iranian threat group affiliated with the Ministry of Intelligence and Security (MOIS), has\r\nsignificantly increased its activities in Israel since the beginning of the Israel-Hamas war in October 2023.\r\nThis parallels with activities against targets in Saudi Arabia, Turkey, Azerbaijan, India and Portugal\r\nThe threat actors consistently use phishing campaigns sent from compromised organizational email\r\naccounts, leading to the deployment of legitimate Remote Management Tools such as Atera Agent and\r\nScreen Connect\r\nRecently, MuddyWater campaigns also led to the deployment of a new, previously undocumented tailor-made backdoor dubbed BugSleep, that is used to target organizations in Israel\r\nBugSleep is a backdoor designed to execute the threat actors’ commands and transfer files between the\r\ncompromised machine and the C\u0026C server. The backdoor is currently in development, with the threat\r\nactors continuously improving its functionality and addressing bugs\r\nOverview\r\nCPR has been tracking MuddyWater, the Iranian threat group affiliated with the country’s Ministry of Intelligence\r\nand Security (MOIS), since 2019. Now, the group has significantly increased its activities in Israel since the\r\nbeginning of the Israel-Hamas war in October 2023.\r\nIn addition to their usual phishing campaigns, with malicious deployment of legitimate Remote Management\r\nTools, MuddyWater has begun deploying a new, previously undocumented backdoor. This backdoor, which Check\r\nPoint Research has named BugSleep, is being specifically used to target organizations in Israel.\r\nBugSleep is a new malware used in phishing lures since May 2024. Check Point Research discovered several\r\nversions of this malware being distributed. The backdoor updates are typically around improvements and bug\r\nfixes within the malware itself.\r\nFor a deep dive analysis on the malware, and the latest malicious campaigns of MuddyWater visit the Check\r\nPoint Research blog.\r\nCampaign Targets\r\nThese campaigns are targeting a number of different sectors, from governments to travel agencies and journalists.\r\nMost of these emails are targeted at Israeli companies, although others were aimed toward organizations in\r\nTurkey, Saudi Arabia, India and Portugal.\r\nhttps://blog.checkpoint.com/research/muddywater-threat-group-deploys-new-bugsleep-backdoor/\r\nPage 1 of 3\n\nFigure 1 – Notable sectors targeted by MuddyWater phishing campaigns.\r\nThe usage of BugSleep marks a notable development in MuddyWater’s techniques, tactics and procedures (TTPs).\r\nBeginning in October 2023, the threat actors have been using phishing campaigns sent from compromised email\r\naccounts, leading to the deployment of legitimate Remote Management Tools (RMM) such as Atera Agent and\r\nScreen Connect. Since February 2024, CPR has identified over 50 spear phishing emails, targeting more than 10\r\nsectors, including municipalities, journalists and healthcare.\r\nMuddyWater continues to push the deployment of these tools. In fact, a recent phishing email was sent to a Saudi\r\nArabian company and an Israeli company. The payload for the Saudi Arabian company was an RMM; for the\r\nIsraeli company it was BugSleep.\r\nFigure 2 – Targeted countries for MuddyWater\r\nThese campaigns reflect MuddyWater’s interests, focusing on specific sectors like airlines and media outlets. The\r\nnature of the lures has become simpler over time, and have evolved to introduce custom malware like BugSleep.\r\nAdditionally, with a shift to generic lures and the increased use of English, the group can focus on higher volumes\r\nas opposed to specific targets.\r\nhttps://blog.checkpoint.com/research/muddywater-threat-group-deploys-new-bugsleep-backdoor/\r\nPage 2 of 3\n\nCheck Point Customers Remain Protected Against the Threats Described in this Report.\r\nHarmony Email and Collaboration provides comprehensive inline protection at the highest security level.\r\nThreatCloud AI’s Threat Emulation engine offers these protections:\r\nAPT.Wins.MuddyWater.ta.X\r\nAPT.Wins.MuddyWater.ta.Y\r\nHarmony Endpoint protections:\r\nAPT.Win.MuddyWater.U\r\nAPT.Win.MuddyWater.V\r\nAPT.Win.MuddyWater.W\r\nCheck Point Research will continue to monitor this group’s activities to ensure customers remain protected from\r\ntheir exploits.\r\nSource: https://blog.checkpoint.com/research/muddywater-threat-group-deploys-new-bugsleep-backdoor/\r\nhttps://blog.checkpoint.com/research/muddywater-threat-group-deploys-new-bugsleep-backdoor/\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.checkpoint.com/research/muddywater-threat-group-deploys-new-bugsleep-backdoor/"
	],
	"report_names": [
		"muddywater-threat-group-deploys-new-bugsleep-backdoor"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775614915,
	"ts_updated_at": 1775826780,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c1c1c57c38154de1f978522203f93d2258c80aaa.pdf",
		"text": "https://archive.orkl.eu/c1c1c57c38154de1f978522203f93d2258c80aaa.txt",
		"img": "https://archive.orkl.eu/c1c1c57c38154de1f978522203f93d2258c80aaa.jpg"
	}
}