{
	"id": "cb7aeb6a-6e7d-4219-b8e6-fe09b87c4e12",
	"created_at": "2026-04-06T00:11:29.528143Z",
	"updated_at": "2026-04-10T13:11:25.667649Z",
	"deleted_at": null,
	"sha1_hash": "da3e566d2970f336b1991366f9f3bbcfac3913a8",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 57985,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 21:43:19 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool BugSleep\n Tool: BugSleep\nNames\nBugSleep\nMuddyRot\nCategory Malware\nType Backdoor\nDescription\n(Check Point) BugSleep is a new tailor-made malware used in MuddyWater phishing lures\nsince May 2024, partially replacing their use of legitimate RMM tools. We discovered several\nversions of the malware being distributed, with differences between each version showing\nimprovements and bug fixes (and sometimes creating new bugs). These updates, occurring\nwithin short intervals between samples, suggest a trial-and-error approach.\nBugSleep main logic is similar in all versions, starting with many calls to the Sleep API to\nevade sandboxes and then it loads the APIs it needs to run properly. It then creates a mutex (we\nobserved “PackageManager” and “DocumentUpdater” in our samples) and decrypts its\nconfiguration which includes the C\u0026C IP address and port. All the configurations and strings\nare encrypted in the same way, where every byte is subtracted with the same hardcoded value.\nIn most BugSleep samples, the malware then creates a scheduled task with the same name as\nthe mutex and adds the comment 'sample comment' to it. \nThe scheduled task, which ensures\npersistence for BugSleep, runs the malware and is triggered every 30 minutes on a daily basis.\nInformation\nMalpedia Last change to this tool card: 27 December 2024\nDownload this tool card in JSON format\nAll groups using tool BugSleep\nChanged Name Country Observed\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fd142e2a-1c90-4780-8eac-3319136a2f3f\nPage 1 of 2\n\nAPT groups\r\n  MuddyWater, Seedworm, TEMP.Zagros, Static Kitten 2017-Jul 2025\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fd142e2a-1c90-4780-8eac-3319136a2f3f\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fd142e2a-1c90-4780-8eac-3319136a2f3f\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=fd142e2a-1c90-4780-8eac-3319136a2f3f"
	],
	"report_names": [
		"listgroups.cgi?u=fd142e2a-1c90-4780-8eac-3319136a2f3f"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens",
				"ENT-11",
				"Earth Vetala",
				"ITG17",
				"MERCURY",
				"Mango Sandstorm",
				"MuddyWater",
				"STAC 1171",
				"Seedworm",
				"Static Kitten",
				"TA450",
				"TEMP.Zagros",
				"UNC3313",
				"Yellow Nix"
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434289,
	"ts_updated_at": 1775826685,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/da3e566d2970f336b1991366f9f3bbcfac3913a8.pdf",
		"text": "https://archive.orkl.eu/da3e566d2970f336b1991366f9f3bbcfac3913a8.txt",
		"img": "https://archive.orkl.eu/da3e566d2970f336b1991366f9f3bbcfac3913a8.jpg"
	}
}