{
	"id": "b0d767a5-6b90-4faf-a1c4-7f089b7c8bd8",
	"created_at": "2026-04-06T00:11:08.306425Z",
	"updated_at": "2026-04-10T03:34:22.643881Z",
	"deleted_at": null,
	"sha1_hash": "d9b406b39487be2476de4e3c51dc0831808ce03b",
	"title": "Potential MuddyWater Campaign uses PRB-Backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 72689,
	"plain_text": "Potential MuddyWater Campaign uses PRB-Backdoor\r\nBy: Michael Villanueva, Martin Co Jun 14, 2018 Read time: 4 min (1058 words)\r\nPublished: 2018-06-14 · Archived: 2026-04-05 14:06:55 UTC\r\nThe MuddyWater campaign was first sighted in 2017 when it targeted the Saudi government using an attack involving PowerShell scripts deployed via a Microsoft Office Word macro. In March 2018, we provided a detailed analysis of another campaign that bore the hallmarks of MuddyWater.\r\nIn May 2018, we found a new sample (detected as W2KM_DLOADR.UHAOEEN) that may be related to this campaign. Like the previous campaigns, these samples again involve a Microsoft Word document embedded with a malicious macro that is capable of executing PowerShell (PS) scripts leading to a backdoor payload. One notable difference in the analyzed samples is that they do not directly download the Visual Basic Script (VBS) and PowerShell component files, and instead encode all the scripts in the document itself. The scripts are then decoded and dropped to execute the payload without needing to download the component files.\r\nAs mentioned earlier, our analysis of the sample revealed characteristics that likely connect it to the MuddyWater campaign, in particular:\r\nThe delivery method, which involves the use of a malicious document with an embedded macro as a lure for potential victims\r\nThe obfuscation method for the macro scripts, which results in an intended backdoor payload. This method is commonly used in samples from the MuddyWater campaign\r\nInfection chain\r\nFigure 1. Comparison of the infection chains used in the previous and current campaigns\r\nTechnical details\r\nThe sample we analyzed was a Word document used as a lure for unsuspecting victims. However, unlike the samples from the previous campaigns, the lure document deals with a different subject matter. Instead of using government or telecommunications-related documents, the new lure document presents itself as a reward or promotion, which could indicate that the targets are no longer limited to specific industries or organizations.\r\nFigure 2. Sample lure document used in the new campaign\r\nThe document is designed to trick users into enabling the macro to view its full content. However, the macro's true purpose is to execute malicious routines without the user’s knowledge.\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/another-potential-muddywater-campaign-uses-powershell-based-prb-backdoor/\r\nOnce the macro is enabled, it uses the Document_Open() event to automatically execute the malicious routine when either a new document using the same template is opened or the template itself is opened as a document.\r\nFigure 3. Executing the malicious routine via Document_Open()\r\nThe malicious macro's code snippet uses three main functions, specifically:\r\nThe function contained in the RED box is the Document_Open() event, where all the sub-functions are executed/called.\r\nThe code inside the GREEN box manipulates the images shown in the document's body.\r\nThe code inside the BLUE box constructs the main PowerShell commands and scripts. These are executed to perform the main routine.\r\nFigure 4. A snippet of the malicious macro’s code, marked with colored boxes to show the different functions\r\nDecoding and deobfuscation\r\nAnalysis of the code revealed a PowerShell script capable of decoding the contents of the malicious document, which results in the execution of yet another encoded PowerShell script.\r\nFigure 5. The PowerShell script contained in the sample's code\r\nFigure 6. The second encoded PowerShell script, which is executed after the first script is decoded\r\nThis then results in more readable PowerShell scripts capable of dropping various components in the %Application Data%\\Microsoft\\CLR\\* directory. The main PowerShell file invoker.ps1 uses these components to run the final payload, PRB-Backdoor, previously analyzed by other security researchers in May 2018.\r\nFigure 7. The components dropped in the %Application Data%\\Microsoft\\CLR\\* directory\r\nPRB-Backdoor is a backdoor that takes its name from the function used in the final PowerShell script payload, as seen in the figure below.\r\nFigure 8. The PS function from which PRB-Backdoor takes its name\r\nThe backdoor communicates with its command-and-control (C\u0026C) server, hxxp://outl00k[.]net, to send and receive the following commands:\r\nCommand: Details\r\nPRB-CREATEALIVE: Initializes connection with the C\u0026C server\r\nPRB-CREATEINTRODUCE: Registers/introduces the affected machine to the C\u0026C server\r\nPRB-History: Gathers browsing histories from different browsers and sends them to the C\u0026C server using the \"sendfile\" function\r\nPRB-PASSWORD: Steals passwords listed or found in the browser histories\r\nPRB-READFILE: Reads files\r\nPRB-WRITEFILE: Writes files\r\nPRB-Shell: Executes shell commands\r\nPRB-Logger: Calls the \"Logger\" function, used to record keyboard strokes\r\nPRB-Shot: Triggers the SNAP function, used to capture screenshots\r\nPRB-funcupdate: Updates functions\r\nsysinfo: Gathers system information\r\nStart_Dns: Initializes DNS session/connection\r\nIf these samples are indeed related to MuddyWater, this means that the threat actors behind MuddyWater are continuously evolving their tools and techniques to make them more effective and persistent.\r\nCountermeasures and Trend Micro Solutions\r\nGiven the use of lure documents designed with social engineering in mind, it is likely that the attackers use phishing or spam to target users who are unaware of these documents' malicious nature. Awareness can effectively mitigate or stop these kinds of attacks from being successful. The first step is to be able to identify phishing attacks and distinguish legitimate emails from malicious ones. Telltale signs of social engineering include “too-good-to-be-true” offers and messages that lack context. In general, users should always practice caution when it comes to email. This includes avoiding clicking on links or downloading any documents unless certain that these are legitimate.\r\nTrend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to today’s stealthy malware and targeted attacks in real time. It provides a comprehensive defense tailored to protect organizations against targeted attacks and advanced threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect threats even without any engine or pattern update.\r\nTrend Micro™ Hosted Email Security is a no-maintenance cloud solution that delivers continuously updated protection to stop spam, malware, spear phishing, ransomware, and advanced targeted attacks before they reach the network.\r\nTrend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevent malware from ever reaching end users. At the endpoint level, Trend Micro™ Smart Protection Suites deliver several capabilities that minimize the impact of these attacks.\r\nThese solutions are powered by Trend Micro XGen™ security, which provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. It features high-fidelity machine learning to secure the gateway and endpoint data and applications, and protects physical, virtual, and cloud workloads.\r\nIndicators of Compromise (IoCs)\r\nDetected as W2KM_DLOADR.UHAOEEN - 240b7d2825183226af634d3801713b0e0f409eb3e1e48e1d36c96d2b03d8836b\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/another-potential-muddywater-campaign-uses-powershell-based-prb-backdoor/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/another-potential-muddywater-campaign-uses-powershell-based-prb-backdoor/"
	],
	"report_names": [
		"another-potential-muddywater-campaign-uses-powershell-based-prb-backdoor"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434268,
	"ts_updated_at": 1775792062,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d9b406b39487be2476de4e3c51dc0831808ce03b.pdf",
		"text": "https://archive.orkl.eu/d9b406b39487be2476de4e3c51dc0831808ce03b.txt",
		"img": "https://archive.orkl.eu/d9b406b39487be2476de4e3c51dc0831808ce03b.jpg"
	}
}