{
	"id": "91fc1d45-8769-4c98-9ba3-a52b92240bf8",
	"created_at": "2026-04-06T00:09:16.067882Z",
	"updated_at": "2026-04-10T03:35:52.930922Z",
	"deleted_at": null,
	"sha1_hash": "f1b4a2d1bc768292ed60f3b34fd8e3b409b82d27",
	"title": "Muddying the Water: Targeted Attacks in the Middle East",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 401041,
	"plain_text": "Muddying the Water: Targeted Attacks in the Middle East\r\nBy Tom Lancaster\r\nPublished: 2017-11-14 · Archived: 2026-04-02 10:35:46 UTC\r\nSummary\r\nThis blog discusses targeted attacks against the Middle East taking place between February and October 2017 by a group Unit 42 is naming \"MuddyWater\". This blog links this recent activity with previous isolated public reporting on similar attacks we believe are related. We refer to these attacks as MuddyWater due to the confusion in attributing them. Although the activity was previously linked by others to the FIN7 threat actor group, our research suggests the activity is in fact espionage related and unlikely to be FIN7 related.\r\nThe MuddyWater attacks are primarily against Middle Eastern nations. However, we have also observed attacks against surrounding nations and beyond, including targets in India and the USA. MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor we call “POWERSTATS”. Despite broad scrutiny and reports on MuddyWater attacks, the activity continues with only incremental changes to the tools and techniques.\r\nIntroduction \u0026 Overview\r\nThe Palo Alto Networks Unit 42 research team recently came across a series of malicious files which were almost identical to those targeting the Saudi Arabian government previously discussed by MalwareBytes, which in turn closely resemble those in an earlier article by Morphisec. 
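The thread that ties the samples, C2 addresses and compromised sites in the rest of this post together is the POWERSTATS command-and-control pattern: a compromised legitimate website serves a small PHP or ASPX script (work.php, power.php, logs.php, panda.php, data.aspx and css.aspx recur) that takes a c= query parameter, and Appendix C at the end of this post lists those URLs. The Python below is an added example, not code from the Unit 42 post or from the actor's toolset: it turns a handful of the Appendix C URLs into exact (host, path) indicators, adds a looser tier that flags the recurring script names with a c= parameter on any host, and runs both over a constructed proxy log. The log lines, the client addresses and the host example.org are invented for the example, and the looser tier is this example's own heuristic, which a defender would tune before deploying it.

```python
# Added example: proxy-log check for the POWERSTATS proxy-URL pattern.
# The exact tier uses Appendix C indicators; the loose tier (recurring script
# names with a c= parameter on any host) is this example's own heuristic and
# is not something the post itself proposes.
import re
from urllib.parse import parse_qs, urlsplit

# Subset of the Appendix C proxy URLs, defanged exactly as the post lists them.
POWERSTATS_PROXY_URLS = [
    'hxxp://arbiogaz[.]com/upload/work[.]php?c=',
    'hxxp://camco[.]com[.]pk/Controls/data[.]aspx?c=',
    'hxxp://suliparwarda[.]com/includes/panda[.]php?c=',
    'hxxp://www[.]yaran[.]co//wp-content/plugins/so-masonry/logs[.]php?c=',
    'hxxps://mhtevents[.]com/account[.]php?c=',
]

# Script basenames that recur across the Appendix C list. Generic names such as
# index.php are deliberately left out because they would match normal traffic.
POWERSTATS_SCRIPT_NAMES = {
    'work.php', 'power.php', 'logs.php', 'panda.php', 'data.aspx', 'css.aspx',
}


def refang(ioc):
    # Turn the post's defanged notation (hxxp, [.]) back into a parseable URL.
    return ioc.replace('hxxp', 'http').replace('[.]', '.')


def indicator_key(url):
    # Normalise a URL to (host, path): lower-case host, repeated slashes
    # collapsed (the appendix itself has a double-slash variant), query dropped.
    parts = urlsplit(url)
    host = (parts.hostname or '').lower()
    path = re.sub('/+', '/', parts.path)
    return host, path


KNOWN_PROXIES = {indicator_key(refang(u)) for u in POWERSTATS_PROXY_URLS}


def classify(url):
    # Returns None, 'known_powerstats_proxy' or 'suspicious_powerstats_pattern'.
    # Only requests that carry a c parameter are considered at all.
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    if 'c' not in query:
        return None
    host, path = indicator_key(url)
    if (host, path) in KNOWN_PROXIES:
        return 'known_powerstats_proxy'
    if path.rsplit('/', 1)[-1] in POWERSTATS_SCRIPT_NAMES:
        return 'suspicious_powerstats_pattern'
    return None


def scan_proxy_log(text):
    # Expects one request per line: timestamp client method url status.
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        verdict = classify(fields[3])
        if verdict is not None:
            hits.append({'client': fields[1], 'url': fields[3], 'verdict': verdict})
    return hits


# Constructed sample log; example.org and the client addresses are invented.
SAMPLE_PROXY_LOG = '''
1509975001.123 10.0.0.21 GET http://arbiogaz.com/upload/work.php?c=ZGF0YQ== 200
1509975002.456 10.0.0.21 GET http://www.yaran.co//wp-content/plugins/so-masonry/logs.php?c= 200
1509975003.789 10.0.0.33 GET http://example.org/wp-includes/widgets/work.php?c=aGVsbG8= 200
1509975004.000 10.0.0.33 GET http://example.org/index.php?c=1 200
1509975005.000 10.0.0.44 GET https://www.google.com/search?q=powershell 200
'''

if __name__ == '__main__':
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit['verdict'], hit['client'], hit['url'])
```

Run it directly to print the three hits. The exact tier can be fed the complete Appendix C list as-is, because refang() undoes the hxxp and [.] defanging; the loose tier will also fire on unrelated PHP scripts that happen to accept a c parameter, so it is better treated as a hunting query than as a blocking rule.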
These attacks have also been tracked by several other researchers on Twitter and elsewhere.\r\nThe activity has been consistent throughout 2017 and, based on our analysis, targets or is suspected to target entities in the following countries:\r\nSaudi Arabia\r\nIraq\r\nIsrael\r\nUnited Arab Emirates\r\nGeorgia\r\nIndia\r\nPakistan\r\nTurkey\r\nUSA\r\nThe malicious documents were adjusted according to the target regions, often using the logos of branches of local government, prompting the users to bypass security controls and enable macros. An overview of the technical changes seen in the past year is given in the graphic below; note that raw IOCs present in this graphic can be found as text in the Appendix at the end of this article.\r\nhttps://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/\r\nPage 1 of 13\n\nFigure 1. An overview of the delivery of POWERSTATS, C2 URLs used, and other changes in the malware\r\nMuddyWater in the Middle East\r\nThe attackers behind MuddyWater have been active throughout 2017, with targets across the Middle East and surrounding areas; examples of the decoy documents observed are given in Table 1.\r\nOf course, being named in a decoy document doesn’t mean any of these organizations have been attacked themselves or are involved in the attacks: the MuddyWater actors are abusing the trust these organizations’ names and/or logos command for their malicious purposes.\r\nMonth | File Name or Decoy Document Theme | Suspected Target Region\r\nNov 2017 | The NSA; Telenor.doc | Unknown; Pakistan\r\nOct 2017 | Circulars.doc; dollar.doc; Pakistan Federal Investigation Agency; CV of Middle Eastern Civil Servant | Turkey; Pakistan\r\nSep 2017 | Iraq National Intelligence Service; Kaspersky Security solution 2017.doc | Iraq\r\nAug 2017 | Arab Emirate سری.docm; Iraq Commission of Integrity | Arab Emirates\r\nJul 2017 | Requirements of the Sago.doc; CommIT-Document.doc; Confidential letters.doc | Saudi Arabia; Arab Emirates; Pakistan\r\nJun 2017 | Iraq Kurdistan Regional Government; RFP_VOIP.doc | Iraq\r\nMay 2017 | RFP.doc; Requirement.doc; Iraq Kurdistan Regional Government | Georgia; Iraq\r\nMar 2017 | court.doc | Georgia\r\nFeb 2017 | CERT-Audit-20172802-GEO.xls | Georgia\r\nTable 1 – Examples of the lure documents observed in the MuddyWater attacks.\r\nAll of these documents we observed and outlined above are related via:\r\nShared C2 infrastructure.\r\nUse of the non-public PowerShell backdoor previously described by Morphisec and MalwareBytes (which we refer to as POWERSTATS).\r\nShared attributes of the malicious documents used in attacks.\r\nShared attributes as to how the documents were delivered.\r\nBased on these connections we can be confident that all the files and infrastructure we give in our appendices are related, since more than one of these can be used to link each of the samples discussed in each case.\r\nI download my tools from GitHub, and so do my victims.\r\nThe tools used by the MuddyWater attackers have been well documented by the previously cited research, and a common theme of previous reporting was the open source nature of much of the toolset used by MuddyWater: Meterpreter, Mimikatz, LaZagne, Invoke-Obfuscation etc. In some of their recent attack documents, the attackers also used GitHub as a hosting site for their custom backdoor, POWERSTATS. Specifically, the following GitHub repositories appear to be controlled by the MuddyWater threat actor(s):\r\n[unknown SHA256]\r\nDownloads payload from:\r\nhxxps://raw.githubusercontent[.]com/F0R3X/BrowserFontArabic/master/ArabicBrowserFont.exe\r\n[unknown SHA256]\r\nDownloads payload from:\r\nhxxps://raw.githubusercontent[.]com/F0R3X/BrowserFontArabic/master/FontArabic.exe\r\n9b5e36bb7518a9e333c31d09b589102f89e3425571dd434820ab3c437dc4e0d9 (and several others)\r\nDownloads payload from:\r\nhxxps://raw.githubusercontent[.]com/ReactDeveloper2017/react/master/src/test/test.js\r\nInterestingly, both profiles were populated with forked repositories to give them an air of legitimacy, as shown in Figure 2. For the F0R3X payloads the POWERSTATS malware was compiled into an exe using PS2EXE. However, this was a minor anomaly, as it was only seen in this case: raw scripts were used in all other cases.\r\nFigure 2 – The GitHub profile for F0R3X containing both legitimate forked code and the binaries created by the attacker. 
Note that the username could be a small joke on the attackers’ part regarding the attribution to FIN7.\r\nPwn one to pwn them all\r\nIn some of the instances we observed what appeared to be compromised accounts at third party organizations sending the malware. In one case, the attackers sent a malicious document which was nearly identical to a legitimate attachment which we observed later being sent to the same recipient. This indicates that the attackers stole and modified a legitimate document from the compromised user account, crafted a malicious decoy Word macro document using this stolen document and sent it to the target recipient, who might be expecting the email from the original account user, before the real sender had time to send it.\r\nThis targeting of third party organizations to attack further targets is a risky move on the attackers’ part, as it potentially reveals their activity within the compromised third party organizations to the new target (those receiving the malicious documents).\r\nMaking sense of MuddyWater\r\nWhen we looked at the cluster of activity which consisted of what appeared to be espionage-focused attacks in the Middle East, we were somewhat confused, as the previous public reporting had attributed these attacks to FIN7. FIN7 is a threat actor group that is financially motivated, with targets in the restaurant, services and financial sectors. Following the trail of existing public reporting, the tie to FIN7 is essentially made based on a download, observed from a MuddyWater C2, of a non-public tool “DNSMessenger”.\r\nFor example, Morphisec wrote:\r\n“Later in our investigation, the same command server also delivered a variant of the DNS messenger similar to that described by Talos. The domain names differed but the script adheres to the same logic (including the logic function).”\r\nThe DNSMessenger malware is an obfuscated and customized version of the popular DNS_TXT_Pwnage.ps1 script available on GitHub and is also referred to by FireEye as POWERSOURCE. The use of the DNSMessenger tool appears primarily linked to FIN7, with no other DNSMessenger samples being attributable to MuddyWater.\r\nThis led us to query the relationship between the newer attacks we were looking at and the alleged FIN7 link. As part of this research, we came up with the following hypotheses along with their likelihoods, and a rationale for each one.\r\n1) The FIN7 threat actor is also involved in espionage in the Middle East - Unlikely\r\nWhilst this may seem an attractive hypothesis to some, there are aspects on the technical side that simply don’t add up. Primarily, there are significant disparities between FIN7 and MuddyWater, specifically in terms of:\r\nMalware unique to FIN7, or commonly used by them, has not yet been seen in any MuddyWater investigations (except for the single observation of the DNSMessenger sample).\r\nOther non-public malware and tools used by MuddyWater have not been observed in our FIN7 investigations.\r\nFrom an infrastructure point of view there is no overlap between the two sets of activity; the only overlap of any kind is the use of the unique tool “DNSMessenger”.\r\nWhen these points are considered together in conjunction with the significant difference in targeting, they make a strong case for classifying this activity as distinct from FIN7 activity.\r\n2) The DNSMessenger malware is a shared tool, used by FIN7, MuddyWater and perhaps other groups - Unlikely\r\nWe have attempted to find examples of code available in public data sources that would generate the variation of the DNSMessenger malware and had little luck in doing so. 
Even though the code for DNSMessenger is publicly available following research into the attackers published by third parties, attackers would have to write the corresponding server side to use it, and as such they may well choose to use the public DNS_TXT_Pwnage.ps1 script instead.\r\nDespite this, based on the chain of analysis above we cannot discount the notion that DNSMessenger is shared by multiple attackers, including FIN7 and MuddyWater.\r\n3) There was a mistake in the original Morphisec analysis which linked these attacks to FIN7 - Possible\r\nLittle detail is given on how the connection between DNSMessenger and MuddyWater was discovered, so it isn’t possible for us to verify this link.\r\n4) The attackers realized they were under investigation and planted a false flag - Possible\r\nUnder this hypothesis, the attackers realized they were under investigation and planted a false flag on their C2 server, uploading a copy of the FIN7 DNSMessenger code which had previously been described by FireEye (and had been publicly available since then) and delivering it to researchers to trick them into mis-attributing the campaign.\r\nIndeed, the sample shared by Morphisec on PasteBin is identical to the one dropped by the sample discussed in the FireEye FIN7 SEC campaign blog except for the final line.\r\nFinal thoughts\r\nWhilst we could conclude with confidence that the attacks discussed in this article are not FIN7 related, we were not able to answer many of our questions about the MuddyWater attacks. We are currently unable to make a firm conclusion about the origin of the attackers, or the specific types of information they seek out once on a network. In any case we will continue to track their activities to provide protections for our customers.\r\nWe hope the analysis presented shows the importance of drawing your own conclusions based on the data available to you, not just taking the conclusions given in the public domain at face value. This is especially true when actors who rely on slightly modified (and publicly available) open source tools are in play. Copycat threat actors can easily mimic attackers who use open source tools, which can confuse attribution efforts, meaning more than one aspect of the attacks observed must be considered when clustering.\r\nOn top of this, whilst the vast majority of threat analysis in the public domain is repeatable and correct, in some cases it can be difficult to verify the analysis available. 
When it is hard to reproduce the analysis, the confidence in any conclusions drawn must be lower than it would otherwise be, since you cannot know for sure that what is stated is true.\r\nPalo Alto Networks customers are protected from this threat in the following ways:\r\nWildFire and Traps detect all the malware described in this report as malicious.\r\nTraps customers can deploy Heuristic methods to detect attacks that use these techniques.\r\nC2 domains used by the attackers are blocked via Threat Prevention.\r\nAutoFocus customers can monitor ongoing activity from the threats discussed in this report by looking at the following tags:\r\nMuddyWater\r\nPowerStats\r\nLazaGne\r\nDNSMessenger\r\nFIN7\r\nAppendix A – C2 Addresses\r\n148.251.204[.]131\r\n144.76.109[.]88\r\n138.201.75[.]227\r\nCompromised Legitimate Sites\r\n106[.]187[.]38[.]21\r\narbiogaz[.]com\r\nazmwn[.]suliparwarda[.]com\r\nbangortalk[.]org[.]uk\r\nbest2[.]thebestconference[.]org\r\ncamco[.]com[.]pk\r\ncbpexbrasilia[.]com[.]br\r\ncgss[.]com[.]pk\r\ndiplomat[.]com[.]sa\r\nferibschat[.]eu\r\nghanaconsulate[.]com[.]pk\r\nmagical-energy[.]com\r\nmainandstrand[.]com\r\nriyadhfoods[.]com\r\nschool[.]suliparwarda[.]com\r\nsuliparwarda[.]com\r\ntmclub[.]eu\r\nwatyanagr[.]nfe[.]go[.]th\r\nwhiver[.]in\r\nwww[.]4seasonrentacar[.]com\r\nwww[.]akhtaredanesh[.]com\r\nwww[.]arcadecreative[.]com\r\nwww[.]armaholic[.]com\r\nwww[.]asan-max[.]com\r\nwww[.]autotrans[.]hr\r\nwww[.]dafc[.]co[.]uk\r\nwww[.]eapa[.]org\r\nwww[.]elev8tor[.]com\r\nwww[.]jdarchs[.]com\r\nwww[.]kunkrooann[.]com\r\nwww[.]mackellarscreenworks[.]com\r\nwww[.]mitegen[.]com\r\nwww[.]nigelwhitfield[.]com\r\nwww[.]pomegranates[.]org\r\nwww[.]ridefox[.]com\r\nwww[.]shapingtomorrowsworld[.]org\r\nwww[.]vanessajackson[.]co[.]uk\r\nwww[.]yaran[.]co\r\nwww[.]ztm[.]waw[.]pl\r\ncoa[.]inducks[.]org\r\nmhtevents[.]com\r\nskepticalscience[.]com\r\nwallpapercase[.]com\r\nwww[.]spearhead-training[.]com\r\nAppendix B – Related files\r\nSHA256 Overall Description\r\nd2a0eec18d755d456a34865ff2ffc14e3969ea77f7235ef5dfc3928972d7960f Loader script from 144.76.109[.]88\r\n1421a5cd0566f4a69e7ca9cdefa380507144d7ed59cd22e53bfd25263c201a6f MuddyWater Macro\r\n4e3c7defd6f3061b0303e687a4b5b3cc2a4ae84cdc48706c65a7b1e53402efc0 MuddyWater Macro\r\n8b96804d861ea690fcb61224ec27b84476cf3117222cca05e6eba955d9395deb LaZagne\r\n16985600c959f6267476da614243a585b1b222213ec938351ef6a26560c992db PS2EXE PowerStats (GitHub)\r\ncf87a2ac51503d645e827913dd69f3d80b66a58195e5a0044af23ea6ba46b823 PS2EXE PowerStats (GitHub)\r\n3030d80cfe1ee6986657a2d9b76b626ea05e2c289dee05bd7b9553b10d14e4a1 Decoded PowerStats payload\r\n99077dcb37395603db0f99823a190f50313dc4e9819462c7da29c4bc983f42fd LaZagne Runner Script\r\n1b60b7f9b0faf25288f1057b154413921a6cb373dcee43e831b9263c5b3077ce MuddyWater Macro\r\n2c8d18f03b6624fa38cae0141b91932ba9dc1221ec5cf7f841a2f7e31685e6a1 MuddyWater Macro\r\n367021beedb3ad415c69c9a0e657dc3ed82b1b24a41a71537d889f5e2b7ca433 MuddyWater Macro\r\n58282917a024ac252966650361ac4cbbbed48a0df7cab7b9a6329d4a04551c0d MuddyWater Macro\r\n58898648a68f0639c06bedc8242ca48bc6ec56f11ed40d00aa5fdda4e5553482 MuddyWater Macro\r\n81523e0199ae1dc9e87d2b952642785bfbda6326f22e4c0794a19afdf001a9a3 MuddyWater Macro\r\n90b66b3fef77962fbfda364a4f8799bfcc9ab73772026d7a8922a7cf5556a024 MuddyWater Macro\r\n96101de2386e35bc5e38d32524a02c6c5ca7cc6624e656a629b2e0f1693a76fd MuddyWater Macro\r\n964aaf5d9b1c749df0a2df1f1b4193e5a643893f251e2d74b47663f895da9b13 MuddyWater Macro\r\n97f9a83bc6bb1b3f5cb7ac9401f95265597bff796bb4901631d6fa2c79a48bdc MuddyWater Macro\r\na3c1fd46177a078c4b95c744a24103df7d0a58cee1a3be92bc4cdd7dec1b1aa5 MuddyWater Macro\r\nfcfbdffbcad731e0a5aad349215c87ed919865d66c287a6723fd8e2f896c5834 MuddyWater Macro\r\n2bb1637c80f0a7df7260a8583beb033f4afbdd5c321ff5642bc8e1868194e009 MuddyWater Macro\r\n58aec38e98aba66f9f01ca53442d160a2da7b137efbc940672982a4d8415a186 MuddyWater Macro\r\n605fefc7829cfa41710e0b844084eab1f180fe513adc1d8f0f82501a154db0f4 MuddyWater Macro\r\ne8a832b04dbdc413b71076754c3a0bf07cb7b9b61927248c482ddca32e1dab89 MuddyWater Macro\r\n5d049bd7f478ea5d978b3c78f7f0afdf294a94f526fc20ffd6e33022d40d15ae MuddyWater Macro\r\n12a7898fe5c75e0b57519f1e7019b5d09f5c5cbe49c48ab91daf6fcc09ee8a30 MuddyWater Macro\r\n2602e817a67949860733b3548b37792616d52ffd305405ccab0409bcfedc5d63 MuddyWater Macro\r\n42a4d9527063f73004b049a093a34a4fc3b6ea9505cb9b50b895486cb2dca94b MuddyWater Macro\r\n5ed5fc6c6918ff6fa4eab7742c03d59155ca87e0fe12bac339f18928e2924a96 MuddyWater Macro\r\na2ad6bfc47c4f69a2170cc1a9fd620a68b1ebb474b7bdf601066e780e592222f MuddyWater Macro\r\nc23ece07fc5432ca200f3de3e4c4b68430c6a22199d7fab11916a8c404fb63dc MuddyWater Macro\r\ncb96cd26f36a3b1aacabfc79bbb5c1e0c9850b1c75c30aa498ad2d4131b02b98 MuddyWater Macro\r\ned2f9c9d5554d5248a7ad9ad1017af5f1bbadbd2275689a8b019a04c516eeec2 MuddyWater Macro\r\nfe16543109f640ddbf3725e4d9f593de9f13ee9ae96c5e41e9cdccb7ab35b661 MuddyWater Macro\r\n886e3a2f74bf8f46b23c78a6bad80c74fe33579f6fe866bc5075b034c4d5d432 MuddyWater Macro\r\n8ec108b8f66567a8d84975728b2d5e6a2786c2ca368310cca55acad02bb00fa6 MuddyWater Macro\r\n96d80ae577e9b899772a940b4941da39cf7399b5c852048f0d06926eb6c9868a MuddyWater Macro\r\nbb1a5fb87d34c63ade0ed8a8b95412ba3795fd648a97836cb5117aff8ea08423 MuddyWater Macro\r\nd65e2086aeab56a36896a56589e47773e9252747338c6b59c458155287363f28 MuddyWater Macro\r\n588cd0fe3ae6fbd2fa4cf8de8db8ae2069ea62c9eaa6854caedf45045780661f MuddyWater Macro\r\n917a6c816684f22934e2998f43633179e14dcc2e609c6931dd2fc36098c48028 MuddyWater Macro\r\ndb7bdd6c3ff7a27bd4aa9acc17dc35c38b527fb736a17d0927a0b3d7e94acb42 MuddyWater Macro\r\nde6ce9b75f4523a5b235f90fa00027be5920c97a972ad6cb2311953446c81e1d MuddyWater Macro\r\na6673c6d52dd5361afd96f8143b88810812daa97004f69661da625aaaba9363b MuddyWater Macro\r\n40a6b4c6746e37d0c5ecb801e7656c9941f4839f94d8f4cd61eaf2b812feaabe MuddyWater Macro\r\nAppendix C – Proxy URLs found in POWERSTATS samples from October 2017 onwards\r\nhxxp://106[.]187[.]38[.]21/short_qr/work[.]php?c=\r\nhxxp://arbiogaz[.]com/upload/work[.]php?c=\r\nhxxp://azmwn[.]suliparwarda[.]com/wp-content/plugins/wpdatatables/panda[.]php?c=\r\nhxxp://azmwn[.]suliparwarda[.]com/wp-content/themes/twentyfifteen/logs[.]php?c=\r\nhxxp://bangortalk[.]org[.]uk/speakers[.]php?c=\r\nhxxp://best2[.]thebestconference[.]org/ccb/browse_cat[.]php?c=\r\nhxxp://camco[.]com[.]pk/Controls/data[.]aspx?c=\r\nhxxp://cbpexbrasilia[.]com[.]br/wp-content/plugins/wordpress-seo/power[.]php?c=\r\nhxxp://cbpexbrasilia[.]com[.]br/wp-includes/widgets/work[.]php?c=\r\nhxxp://cgss[.]com[.]pk/data[.]aspx?c=\r\nhxxp://diplomat[.]com[.]sa/wp-content/plugins/wordpress-importer/cache[.]php?c=\r\nhxxp://feribschat[.]eu/logs[.]php?c=\r\nhxxp://ghanaconsulate[.]com[.]pk/data[.]aspx?c=\r\nhxxp://magical-energy[.]com/css[.]aspx?c=\r\nhxxp://magical-energy[.]com/css/css[.]aspx?c=\r\nhxxp://mainandstrand[.]com/work[.]php?c=\r\nhxxp://riyadhfoods[.]com/css/edu[.]aspx?c=\r\nhxxp://riyadhfoods[.]com/jquery-ui/js/jquery[.]aspx?c=\r\nhxxp://school[.]suliparwarda[.]com/components/com_akeeba/work[.]php?c=\r\nhxxp://school[.]suliparwarda[.]com/plugins/editors/codemirror/work[.]php?c=\r\nhxxp://suliparwarda[.]com/includes/panda[.]php?c=\r\nhxxp://suliparwarda[.]com/layouts/joomla/logs[.]php?c=\r\nhxxp://suliparwarda[.]com/wp-content/plugins/entry-views/work[.]php?c=\r\nhxxp://suliparwarda[.]com/wp-content/themes/twentyfifteen/work[.]php?c=\r\nhxxp://tmclub[.]eu/clubdata[.]php?c=\r\nhxxp://watyanagr[.]nfe[.]go[.]th/e-office/lib/work[.]php?c=\r\nhxxp://watyanagr[.]nfe[.]go[.]th/watyanagr/power[.]php?c=\r\nhxxp://whiver[.]in/power[.]php?c=\r\nhxxp://www[.]4seasonrentacar[.]com/viewsure/data[.]aspx?c=\r\nhxxp://www[.]akhtaredanesh[.]com/d/file/sym/work[.]php?c=\r\nhxxp://www[.]akhtaredanesh[.]com/d/oschool/power[.]php?c=\r\nhxxp://www[.]arcadecreative[.]com/work[.]php?c=\r\nhxxp://www[.]armaholic[.]com/list[.]php?c=\r\nhxxp://www[.]asan-max[.]com/files/articles/css[.]aspx?c=\r\nhxxp://www[.]asan-max[.]com/files/articles/large/css[.]aspx?c=\r\nhxxp://www[.]autotrans[.]hr/index[.]php?c=\r\nhxxp://www[.]dafc[.]co[.]uk/news[.]php?c=\r\nhxxp://www[.]eapa[.]org/asphalt[.]php?c=\r\nhxxp://www[.]elev8tor[.]com/show-work[.]php?c=\r\nhxxp://www[.]jdarchs[.]com/work[.]php?c=\r\nhxxp://www[.]kunkrooann[.]com/inc/work[.]php?c=\r\nhxxp://www[.]mackellarscreenworks[.]com/work[.]php?c=\r\nhxxp://www[.]mitegen[.]com/mic_catalog[.]php?c=\r\nhxxp://www[.]nigelwhitfield[.]com/v2/work[.]php?c=\r\nhxxp://www[.]pomegranates[.]org/index[.]php?c=\r\nhxxp://www[.]ridefox[.]com/content[.]php?c=\r\nhxxp://www[.]shapingtomorrowsworld[.]org/category[.]php?c=\r\nhxxp://www[.]vanessajackson[.]co[.]uk/work[.]php?c=\r\nhxxp://www[.]yaran[.]co//wp-content/plugins/so-masonry/logs[.]php?c=\r\nhxxp://www[.]yaran[.]co/wp-includes/widgets/logs[.]php?c=\r\nhxxp://www[.]ztm[.]waw[.]pl/pop[.]php?c=\r\nhxxps://coa[.]inducks[.]org/publication[.]php?c=\r\nhxxps://mhtevents[.]com/account[.]php?c=\r\nhxxps://skepticalscience[.]com/graphics[.]php?c=\r\nhxxps://wallpapercase[.]com/wp-content/themes/twentyfifteen/logs[.]php?c=\r\nhxxps://wallpapercase[.]com/wp-includes/customize/logs[.]php?c=\r\nhxxps://www[.]spearhead-training[.]com//html/power[.]php?c=\r\nhxxps://www[.]spearhead-training[.]com/work[.]php?c=\r\nSource: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/"
	],
	"report_names": [
		"unit42-muddying-the-water-targeted-attacks-in-the-middle-east"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434156,
	"ts_updated_at": 1775792152,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f1b4a2d1bc768292ed60f3b34fd8e3b409b82d27.pdf",
		"text": "https://archive.orkl.eu/f1b4a2d1bc768292ed60f3b34fd8e3b409b82d27.txt",
		"img": "https://archive.orkl.eu/f1b4a2d1bc768292ed60f3b34fd8e3b409b82d27.jpg"
	}
}