{
	"id": "8132af1f-2188-4bbe-b569-94e573a2c324",
	"created_at": "2026-04-06T00:13:16.297398Z",
	"updated_at": "2026-04-10T03:34:22.685072Z",
	"deleted_at": null,
	"sha1_hash": "ce73f52df8f33bf83063f204fb7ac940c551b569",
	"title": "Signs of MuddyWater Developments Found in the DNS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 826141,
	"plain_text": "Signs of MuddyWater Developments Found in the DNS\r\nBy WhoisXML API (Sponsored Post)\r\nArchived: 2026-04-02 12:06:30 UTC\r\nCyber espionage group MuddyWater’s or Mercury’s first major campaign was seen as early as 2012. But as things\r\nalways go in the cybersecurity realm, threat groups, especially those that gain infamy, don’t necessarily just come\r\nand go.\r\nSuch is MuddyWater’s case in that instead of disappearing, it resurfaces bigger and better each time. PhonyC2—\r\nthe threat group’s latest addition to its framework—is proof of that. Deep Instinct recently shone the spotlight on\r\nPhonyC2’s underbelly by publishing an in-depth investigation on the matter.\r\nWhoisXML API used the 27 IP addresses and 12 domains identified as PhonyC2 IoCs as jump-off points for a\r\nDNS deep dive, which led to the discovery of:\r\nThree additional unique IP addresses to which some of the domains identified as IoCs resolved\r\nThree domains that shared the dedicated IP hosts of the domains identified as IoCs\r\n152 domains that contained strings found among the domains identified as IoCs\r\n22 domains that contained the same strings as the IP-connected domains, two of which were classified as\r\nmalicious by a bulk malware check\r\nIn addition, we analyzed the budding MuddyWater-DEV-1084 partnership that aimed to mask the former’s\r\ninvolvement in targeted attacks to shed more light on recent ransomware campaigns. We specifically expanded a\r\nlist of 14 IoCs published by Microsoft and uncovered:\r\nThree additional unique IP addresses to which some of the domains identified as IoCs resolved\r\n294 domains that shared the dedicated hosts of the domains identified as IoCs, one of which turned out to\r\nbe malicious based on a bulk malware check\r\nA sample of the additional artifacts obtained from our analysis is available for download from our website.\r\nPart 1: PhonyC2 Traces Found in the DNS\r\nWhat We Know about the PhonyC2 IoCs\r\nAs mentioned above, Deep Instinct publicized 39 PhonyC2 IoCs, all part of the new MuddyWater C\u0026C\r\nframework. We took a closer look at them using comprehensive DNS intelligence.\r\nWe subjected the IP addresses identified as IoCs to a bulk IP geolocation lookup and found that:\r\nFrance, Australia, and the Netherlands topped the list of geolocation countries, accounting for 10, five, and\r\nthree IP addresses, respectively. The remaining nine IP addresses were scattered across seven other nations.\r\nhttps://circleid.com/posts/20230824-signs-of-muddywater-developments-found-in-the-dns\r\nPage 1 of 5\n\nOVH SAS, meanwhile, topped the list of ISPs, accounting for 10 of the IoCs. HostHatch and Hetzner\r\nOnline GmbH completed the top 3, accounting for six and three IP addresses, respectively.\r\nWhat We Learned about the PhonyC2 IoCs\r\nWe began our in-depth look at PhonyC2—the latest addition to the MuddyWater C\u0026C framework—with Domains\r\n\u0026 Subdomains Discovery searches for strings found among the domains identified as IoCs, namely:\r\nedc1.\r\npru2.\r\nnno1.\r\nnno3.\r\nkwd1.\r\nkwd2.\r\nkwd3.\r\nqjk1.\r\nqjk2.\r\nqjk3.\r\ntes2.\r\npru1.\r\nWe uncovered 152 domains that started with the strings above. See how many we found for each in the table\r\nbelow.\r\nSTRING VOLUME\r\nedc1. 19\r\npru2. 10\r\nnno1. 13\r\nnno3. 9\r\nkwd1. 11\r\nkwd2. 7\r\nkwd3. 14\r\nqjk1. 11\r\nqjk2. 13\r\nqjk3. 14\r\ntes2. 20\r\npru1. 11\r\nWhile none of them were detected as malicious, some contained strings commonly found in web properties used\r\nor abused in nefarious campaigns, such as:\r\nAdobe: Seen in edc1[.]adobeaemcloud[.]com, which could figure in a cyber attack targeting the software\r\ndeveloper or its product users.\r\nClouDNS: Seen in edc1[.]cloudns[.]info, which couldn’t be publicly attributed to ClouDNS and could be\r\nused in attacks training its sights on the DNS hosting service provider or its customers.\r\nYandex: Seen in kwd3[.]storage[.]yandexcloud[.]net, which threat actors could utilize in malicious\r\nactivities centered on the cloud platform or its users should it fall through the cracks and be forgotten by its\r\nowner.\r\nNext, we subjected the 27 IP addresses identified as IoCs to reverse IP lookups. Three of them turned out to be\r\ndedicated hosts. In total, they hosted three domains that weren’t part of the current IoC list—rare-upload[.]top,\r\nurbancritters[.]org[.]uk, and s2-store[.]com.\r\nWe searched for other domains containing the strings rare-upload, urbancritters, and s2-store. That allowed us\r\nto uncover 22 domains for two out of the three strings (urbancritters and s2-store). Two of them turned out to be\r\nmalicious based on a bulk malware check.\r\nBoth malicious domains were already unreachable at the time of writing. It was, however, interesting to note that\r\none of them—refund-orderdc50kfcs2-store-apple[.]cf—alluded to Apple ownership. Its WHOIS record begged to\r\ndiffer, though. The malicious domain wasn’t publicly attributable to the tech giant.\r\nPart 2: MuddyWater-DEV-1084 Partnership DNS Footprints\r\nMuddyWater-DEV-1084 IoC Facts\r\nAnother recent MuddyWater-related development worthy of a closer look would be the group’s collaboration with\r\nanother threat group known as “DEV-1084.”\r\nIn recent attacks believed to be spearheaded by MuddyWater, DEV-1084 took on the DarkBit persona to mask the\r\nformer’s involvement. Microsoft researchers, however, brought the partnership to light and publicized four\r\ndomains and 10 IP addresses as IoCs.\r\nMuddyWater-DEV-1084 IoC List Expansion Findings\r\nTo find artifacts connected to the MuddyWater-DEV-1084 attacks, we subjected the domains identified as IoCs to\r\nDNS lookups that revealed that three of them—pairing[.]rport[.]io, vatacloud[.]com, and ehorus[.]com—resolved\r\nto four unique IP addresses. While one of the resolving IP addresses was already identified as an IoC, the other\r\nthree—49[.]12[.]228[.]207, 172[.]67[.]181[.]250, and 104[.]21[.]80[.]130—weren’t.\r\nAdding the three yet-unpublished IP hosts to those already identified as IoCs gave us a total of 13 IP addresses.\r\nReverse IP lookups for them showed that three were dedicated hosts that were shared by 294 other domains, one\r\nof which—sdtvcs[.]ru—turned out to be a malware host.\r\nA bulk WHOIS lookup result comparison, meanwhile, for the domains identified as IoCs and the 294 dedicated\r\nIP-connected domains revealed that:\r\n36 of the IP-connected domains shared rport[.]io’s registrar, four others shared that of ehorus[.]com, and 50\r\nshared that of vatacloud[.]com\r\n18 of the IP-connected domains shared rport[.]io’s creation year, seven others shared that of ehorus[.]com,\r\nand 60 shared that of vatacloud[.]com\r\n105 of the IP-connected domains shared rport[.]io’s registrant country, one shared that of ehorus[.]com, and\r\n44 shared that of vatacloud[.]com\r\nOur MuddyWater investigation allowed us to identify 477 closely connected web properties that could be\r\nconsidered PhonyC2 and Mercury-DEV-1084 attack artifacts. It also led to the discovery of three malicious\r\ndomains worth taking note of.\r\nIf you wish to perform a similar investigation or learn more about the products used in this research, please\r\ndon’t hesitate to contact us.\r\nDisclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to\r\nhelp protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or\r\n“malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly\r\nrecommend conducting supplementary investigations to corroborate the information provided herein.\r\nSource: https://circleid.com/posts/20230824-signs-of-muddywater-developments-found-in-the-dns",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://circleid.com/posts/20230824-signs-of-muddywater-developments-found-in-the-dns"
	],
	"report_names": [
		"20230824-signs-of-muddywater-developments-found-in-the-dns"
	],
	"threat_actors": [
		{
			"id": "640fc3dc-433d-4244-a85a-21d5135498b2",
			"created_at": "2025-08-07T02:03:24.71289Z",
			"updated_at": "2026-04-10T02:00:03.688893Z",
			"deleted_at": null,
			"main_name": "COBALT AZTEC",
			"aliases": [
				"DEV-1084 ",
				"GOLD AZTEC",
				"Storm-1084 "
			],
			"source_name": "Secureworks:COBALT AZTEC",
			"tools": [
				"DarkBit ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0321f048-2313-42dd-b10c-08a99ae98f2a",
			"created_at": "2024-02-02T02:00:04.06752Z",
			"updated_at": "2026-04-10T02:00:03.54849Z",
			"deleted_at": null,
			"main_name": "Storm-1084",
			"aliases": [
				"DEV-1084"
			],
			"source_name": "MISPGALAXY:Storm-1084",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434396,
	"ts_updated_at": 1775792062,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ce73f52df8f33bf83063f204fb7ac940c551b569.pdf",
		"text": "https://archive.orkl.eu/ce73f52df8f33bf83063f204fb7ac940c551b569.txt",
		"img": "https://archive.orkl.eu/ce73f52df8f33bf83063f204fb7ac940c551b569.jpg"
	}
}