{
	"id": "d0f57e5e-0822-4d59-90a1-4895b933c315",
	"created_at": "2026-04-06T00:19:50.199599Z",
	"updated_at": "2026-04-10T03:34:22.681109Z",
	"deleted_at": null,
	"sha1_hash": "f221fa7da69985d7085dc3e729221c8e3703c614",
	"title": "MuddyWater Back with DarkBit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1394321,
	"plain_text": "MuddyWater Back with DarkBit\r\nPublished: 2023-04-21 · Archived: 2026-04-05 22:51:14 UTC\r\nRecently, we came across a tweet about DarkBit ransomware. An Iranian APT group, named MuddyWater, is reportedly behind the DarkBit ransomware. In this blog we will explore the ransomware’s initial access method, the use of Cobalt Strike and the final ransomware payload.\r\nInitial Access Method\r\nThe initial lure was delivered as an ISO file.\r\nFigure 1 – ISO File\r\nThe payload included a shortcut file (with a .doc extension) and a zip file.\r\nFigure 2 – Contents Inside ISO File\r\nThe shortcut was using PrintBrm.exe to unpack HR-Update.zip and run its contents, as shown below. PrintBrm.exe is a built-in Windows command line tool.\r\nhttps://labs.k7computing.com/index.php/muddywater-back-with-darkbit/\r\nPage 1 of 9\r\nFigure 3 – Shortcut File\r\ncmd.exe /c xcopy .\\HR-Update.zip %TEMP% /h /y \u0026\u0026 PrintBrm.exe -r -f %TEMP%\\HR-Update.zip -d %TEMP%\\unzip \u0026 %TEM\r\nFigure 4 – HR-Update.exe Running\r\nHR-Update.exe was a Cobalt Strike beacon. Cobalt Strike, a penetration testing tool, can also be used by attackers for gaining a foothold in the system. The final ransomware payload is downloaded with the help of Cobalt Strike.\r\nAt the time of writing the blog, we were unable to get the exact DarkBit ransomware payload, so we are using another available sample that belonged to the same campaign.\r\nAnalysis of Ransomware\r\nThis DarkBit ransomware sample is written in GoLang. It supports command line arguments.\r\nFigure 5 – Ransomware Features\r\nIt also contains an inbuilt configuration, as shown in Figure 6.\r\nFigure 6 – InBuilt Config\r\nFurther analysis revealed that they had obfuscated some DLL names, like advapi32.dll, and function names, like SystemFunction036.\r\nFigure 7 – Obfuscation\r\nIt dynamically resolves APIs at this address. Malware authors tend to dynamically resolve APIs to avoid static detections.\r\nFigure 8 – Dynamically Resolving API\r\nThe CreateMutexW API is being used to check if an instance of the malware is already running. As can be seen in Figure 5 previously, they are also using multithreading.\r\nAs the customary prelude to file encryption, they are using vssadmin.exe to delete all the shadow copies.\r\nFigure 9 – Delete Shadow all\r\nHere they are using SystemFunction036 (documented in MSDN as RtlGenRandom) to generate a random key, as shown in Figure 10.\r\nFigure 10 – SystemFunction036\r\nSystemFunction036 is called multiple times in the code, with varying buffer sizes passed to it.\r\nFigure 11 – Call To Dynamically Resolve API and Then SystemFunction036\r\nHere we can see that a buffer size of 80 is passed to SystemFunction036.\r\nFigure 12 – Encrypting Key\r\nLater on, the key used for encrypting the files is itself encrypted and attached to the encrypted files.\r\nFigure 13 – Encryption Algorithm\r\nFrom Figure 13, we can see that it is encrypting. It is likely using AES to encrypt the files, as strings related to the same functions can be found elsewhere in this same sample.\r\nFindFirstFileW and FindNextFileW are used to iterate through the file system to find the appropriate files and then encrypt them.\r\nAt that point it was observed that it is writing the file in chunks and not as a whole. To do so, it is using the SetFilePointerEx API to move the file pointer to a specific position in the file.\r\nFigure 14 – SetFilePointerEx\r\nIt then uses the WriteFile API.\r\nFigure 15 – WriteFile\r\nAll these functions are called one after another until all the files are encrypted.\r\nAfter encrypting the file, the key is stored at the end of the file.\r\nFigure 16 – Ransomware Key\r\nThe encrypted files are given the ‘.darkbit’ extension, and a ransom note is dropped in the respective folders.\r\nFigure 17 – Ransomware Note\r\nTweet from a self-identifying DarkBit Twitter handle, associating itself with MuddyWater\r\nFigure 18 – Tweet on DarkBit\r\nMuddyWater uses different types of attacks for initial access, like phishing email campaigns and tools like Mimikatz to break into the system. In this case, MuddyWater made use of Cobalt Strike to get initial access into the system. From the ransom note, we figured out that it was a politically motivated attack.\r\nWe at K7 Labs provide detection for DarkBit ransomware and all the latest threats. Users are advised to use a reliable security product such as “K7 Total Security” and keep it up-to-date to safeguard their devices.\r\nIndicators of Compromise (IOCs)\r\nFile Name Hash Detection Name\r\nDarkBit.exe 9880FAE6551D1E9EE921F39751A6F3C0 Trojan (0058e3dd1)\r\nhr-update.iso 1219A8880DEBDD10D081195E27A2A016 Trojan (0001140e1)\r\nReferences\r\nhttps://attack.mitre.org/groups/G0069/\r\nSource: https://labs.k7computing.com/index.php/muddywater-back-with-darkbit/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.k7computing.com/index.php/muddywater-back-with-darkbit/"
	],
	"report_names": [
		"muddywater-back-with-darkbit"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434790,
	"ts_updated_at": 1775792062,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f221fa7da69985d7085dc3e729221c8e3703c614.pdf",
		"text": "https://archive.orkl.eu/f221fa7da69985d7085dc3e729221c8e3703c614.txt",
		"img": "https://archive.orkl.eu/f221fa7da69985d7085dc3e729221c8e3703c614.jpg"
	}
}