{
	"id": "5e73cdd3-65b5-4e85-8ec1-b762738c3b77",
	"created_at": "2026-04-06T00:21:40.488558Z",
	"updated_at": "2026-04-10T03:34:22.63264Z",
	"deleted_at": null,
	"sha1_hash": "d2750382053af98fc40d15d1412c50e4cace8591",
	"title": "Iranian APT MuddyWater Attack Infrastructure Targeting Kurdish Political Groups and Organizations in Turkey – ClearSky Cyber Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3448578,
	"plain_text": "Iranian APT MuddyWater Attack Infrastructure Targeting Kurdish Political Groups and Organizations in Turkey – ClearSky Cyber Security\r\nPublished: 2019-04-15 · Archived: 2026-04-02 10:37:37 UTC\r\nIn our ongoing investigations of Iranian APTs, we recently detected additional documents related to previously reported attack infrastructure used by the Iranian APT “MuddyWater”, which we reported on in late November 2018.\r\nAs a reminder, we identified two domains that had been hacked by the group and used to host the code of POWERSTATS, a malware associated with the group. For additional information on that attack see the item “MuddyWater Operations in Lebanon and Oman”.\r\nThis time, however, unlike in the previous vector, we did not identify any compromised servers used to host the malware’s code. Instead, the lure document itself already contains the malicious code. We also detected five additional files that operate in a similar fashion to the aforementioned document but, unlike that file, have no content.\r\nWe believe (with medium certainty) that this is because the attackers were testing the malicious document to see whether it is detected by various anti-virus engines.\r\nTargets\r\nMost of the targets in this wave of attacks are part of Kurdish groups (such as “Komala” – a Kurdish-Iranian party in Iraq), as well as various organizations in Turkey affiliated with the Turkish army and defense sector.\r\nAttack Vector\r\nThe initial infection vector is an email with a malicious Word document attached. Below are screen-captures of the document sent to the Kurdish party:\r\nhttps://www.clearskysec.com/muddywater-targets-kurdish-groups-turkish-orgs/\r\nPage 1 of 10\r\nNote that the document is “blurred” and carries the official logo of the Kurdistan Regional Government.\r\nTechnical Analysis\r\nThe file used to target the Kurdish party\r\nAs seen, the lure document contains a blurred image that impersonates an official document of the Kurdistan Regional Government. The target is then prompted to Enable Editing or Enable Content, supposedly to view the content. Doing so in fact executes an embedded malicious Macro.\r\nThis Macro is named Gladiator_CRK. The attacker also used this handle as the Author name in the document’s OLE details.\r\nWhen investigating this name, we identified several documents that behave similarly to the above document; however, most have no content. It is likely that these files were uploaded to VirusTotal with minor changes to test whether they are detected by the various anti-virus engines.\r\nIt should be noted that all of the content-less files were uploaded from Germany, while the malicious lure document was uploaded from Iraq. This further corroborates our assessment that the content-less files were uploaded for test purposes.\r\nSimilarly to previous attacks by the group, this Macro uses an embedded COM object that launches Microsoft Excel and, through it, executes various commands. After execution, the malicious Macro edits certain Registry values so that the malicious code continues to run after the compromised system is rebooted, thus ensuring persistence.\r\nMoreover, in a similar fashion to previous attacks, two files are created within the Temp folder. These files contain segments of the malicious code used to extract the POWERSTATS malware.\r\nAs seen above, the PowerShell code uses Windows Script Host (wscript.exe) to decode the VBE code stored in the first “image” file (icon.ico). That code in turn executes base64-encoded JavaScript embedded in the second “image” file (picture.jpg).\r\nThis method differs from previous attacks, in which the malware was downloaded from a C2 server. In this attack we did not detect any such request; the malware was extracted from the dropper file itself.\r\nBelow is a screen-capture of files with different content.\r\nIn this attack vector we found that after the target enables the execution of the Macro, an obfuscated text file named Win32ApiSyncLog.txt is created. This file holds a base64-encoded backdoor that downloads the malware from the following URL: 94.23.148[.]194/serverscrpit/clientFroneLine/helloServer[.]php.\r\nIn addition, a batch file named Win32ApiSync.bat is created; it contains the script that runs the aforementioned code. This script registers a scheduled task (via schtasks) that creates, reads and extracts the Win32ApiSync file every hour.\r\nHowever, unlike the first document, this document does not contain any malicious Macros despite its “Enable Content” prompt.\r\nThis may explain why, unlike with the other file, no PowerShell was launched on the computer via an Excel process.\r\nFrom the OLE details it seems that the file was recently edited by an individual named “Babak Amiri”. When searching for additional files by this author we detected several documents, but they too did not contain any Macros.\r\nIndicators\r\nIndicators of Compromise (IoC) are available for subscribers of ClearSky threat intelligence services in MISP events 1449 and 1493.\r\nd4de6b8ffcd878359315594515dd33c0\r\ncc183b583d24147766533876d9b9b54b6f1f4aaf\r\n21aebece73549b3c4355a6060df410e9\r\n2b938a9b20e7abcadd28a0f461a4e5d8\r\n062a8728e7fcf2ff453efc56da60631c738d9cd6853d8701818f18a4e77f8717\r\n4dd641df0f47cb7655032113343d53c0e7180d42e3549d08eb7cb83296b22f60\r\need599981c097944fa143e7d7f7e17b1\r\n7b4da8f9ffa435c689923b7245133ee032f99fcd841516f2e2275fb4b76d28f9\r\n78c1279f80c76d12debf9e875d14b4788bd88a39\r\nbef9051bb6e85d94c4cfc4e03359b31584be027e87758483e3b1e65d389483e6\r\nb604dd6517dfd0df72e52ebc3f92da699c1396cd\r\ndbab599d65a65976e68764b421320ab5af60236f\r\n0638adf8fb4095d60fbef190a759aa9e\r\n5c6148619abb10bb3789dcfb32f759a6\r\na3bb6b3872dd7f0812231a480881d4d818d2dea7d2c8baed858b20cb318da981\r\n0d3e0c26f7f53dff444a37758b414720286f92da55e33ca0e69edc3c7f040ce2\r\nc8b271efec98e83a343933a32eff30d5\r\n6d0050f16c61cf1584bdfd6ab891d5b9d4d6bbf3\r\n34bfdae99838f048d9950614d338ec06653eacee\r\n6f882cc0cddd03bc123c8544c4b1c8b9267f4143936964a128aa63762e582aad\r\nc25eeac6044dbc87c37063a9c6ed80c73966e41d50fc96065c2793fbf841ef3c\r\n9732cf8c9e84e992d8856537dc5988371bb73f7c\r\nf12bab5541a7d8ef4bbca81f6fc835a3\r\na066f5b93f4ac85e9adfe5ff3b10bc28\r\n8a004e93d7ee3b26d94156768bc0839d\r\n09aabd2613d339d90ddbd4b7c09195a9\r\n8a7b2167c14a0158b3e9a43453a3e8f3\r\ncfa845995b851aacdf40b8e6a5b87ba7\r\n76f6c0bf075f9ae02a9a9e08cce1297d\r\n5c1af7d3dbb9bc455b793f1e3e0b2554\r\n51.255.219.222\r\n46.105.84.146\r\n185.247.137.89\r\n94.23.148.194\r\n46.105.84[.]146:443/WordOffice.jpg\r\nSource: https://www.clearskysec.com/muddywater-targets-kurdish-groups-turkish-orgs/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.clearskysec.com/muddywater-targets-kurdish-groups-turkish-orgs/"
	],
	"report_names": [
		"muddywater-targets-kurdish-groups-turkish-orgs"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434900,
	"ts_updated_at": 1775792062,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d2750382053af98fc40d15d1412c50e4cace8591.pdf",
		"text": "https://archive.orkl.eu/d2750382053af98fc40d15d1412c50e4cace8591.txt",
		"img": "https://archive.orkl.eu/d2750382053af98fc40d15d1412c50e4cace8591.jpg"
	}
}