{
	"id": "79e47bba-6fa7-4245-99ab-a12c76c4c731",
	"created_at": "2026-04-06T00:22:27.540912Z",
	"updated_at": "2026-04-10T13:12:11.493225Z",
	"deleted_at": null,
	"sha1_hash": "f99231c89457414326ccd31b09ab8342a4825b8a",
	"title": "MuddyWater Operations in Lebanon and Oman – ClearSky Cyber Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 60396,
	"plain_text": "MuddyWater Operations in Lebanon and Oman – ClearSky Cyber Security\r\nPublished: 2018-11-28 · Archived: 2026-04-05 16:35:59 UTC\r\nAbstract\r\nMuddyWater is an Iranian high-profile threat actor that has been active since 2017. The group is known for espionage campaigns in the Middle East. Over the past year, we have seen the group extensively targeting a wide gamut of entities in various sectors, including government, academia, crypto-currency, telecommunications and oil.\r\nMuddyWater has recently been targeting victims likely from Lebanon and Oman, while leveraging compromised domains, one of which is owned by an Israeli web developer. The investigation aimed to uncover additional details regarding the compromise vector. Further, we wished to determine the infection vector, which is currently unknown. With that in mind, past experience implies that this might be a two-stage spear-phishing campaign.\r\nIn the first stage of the operation the attackers deliver a macro-embedded document. Depending on the sample, the content of the document is either a fake resume application or a letter from the Ministry of Justice in Lebanon or Saudi Arabia. Note that these documents’ content is deliberately blurred in order to increase the chances of infection.\r\nAs stated, the obfuscated code used in the campaign was hosted on three compromised domains, including an Israeli domain (pazazta[.]com).\r\nAn interesting aspect of this campaign is that the attackers, uncharacteristically for the group, implemented a manual override of the attack process, which in turn provided them with more control over the payload. Moreover, previously the group only executed single-stage attacks; this time around they split the course of attack into two stages, thus spreading MuddyWater’s main PowerShell backdoor, dubbed POWERSTATS, in a stealthier manner.\r\nSpecial thanks to the researchers Jacob Soo and Mo Bustami, who assisted us.\r\nRead the full report: MuddyWater Operations in Lebanon and Oman\r\nhttps://www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/\r\nPage 1 of 5\r\nFigure 1: Blurred resume document showing a deceptive error message.\r\nFigure 2: Blurred document disguised as a letter from the Ministry of Justice in Lebanon.\r\nFigure 3: Blurred document disguised as a letter from the Ministry of Justice in Saudi Arabia (target from Oman).\r\nAttribution\r\nAs MuddyWater has consistently been using POWERSTATS as its main tool, they are relatively easy to distinguish from other actors. Nevertheless, this time we observed a slightly similar but different pattern, showing preservation of existing TTPs alongside the development of new capabilities.\r\nOur findings corroborate several TTP changes that were foreseen by other researchers. Those assessments were based on leaked test documents attributed to the group that were observed during the past year. It appears MuddyWater’s recent efforts to evolve are beginning to bear fruit, as they have also added evasion capabilities to their arsenal.\r\nTTPs\r\nOne of the most noteworthy aspects of MuddyWater’s recent transformation is the progression from a single-stage to a two-stage attack process.\r\nA malicious macro-embedded document is used to launch an Excel process and a PowerShell command as the first stage. The group leverages command execution via third-party processes (e.g. Excel) not only for POWERSTATS functionality, as seen before, but also for first-stage needs, namely downloading the second stage from a certain open directory.\r\nObfuscated source code hosted on compromised domains is retrieved and executed as the second stage for POWERSTATS backdoor propagation. The main source code consists of PowerShell commands and variables. These variables are then divided into multiple layers of obfuscated, intertwined encoded VBScript (VBE), JavaScript and PowerShell code.\r\nThis point is of particular importance, as it is the basis for a new three-step backdoor execution mechanism (this will be further detailed later in the blog).\r\nMoreover, it appears MuddyWater operators do not cover their tracks and do not remove their code from these open directories, which are currently accessible and available to everyone.\r\nConclusions\r\nThe Iranian MuddyWater group keeps evolving, improving its capabilities with every new campaign. We encourage the security community to harness these IOCs and knowledge to detect and defend against the threat.\r\nPivot\r\nThe Maltego graph depicts the relationship among the indicators.\r\nIndicators of Compromise\r\nMacro-embedded Documents (SHA256 Hash | File Name | Impersonation):\r\n65bd49d9f6d9b92478e3653362c0031919607302db6cfb3a7c1994d20be18bcc | MyCV.doc | Fake resume\r\n294a907c27d622380727496cd7c53bf908af7a88657302ebd0a9ecdd30d2ec9d | Cv.doc | Fake resume\r\nac360ec9dbf84ab7e26effcb1d28ca4d0ac4381c9376ac1eddee7a8f7f26ccb0 | shakva-lb (1).zip | Ministry of Justice in Lebanon\r\nb6c483536379840e89444523d27ac7828b3eb50342b992d2c8f608450cd7bb53 | shakva-lb.doc | Ministry of Justice in Lebanon\r\na6ba3480f3c7055dce2a7a43c3f70d3d6b266290f917be150a0e17b6ac4a3724 | shakva-om.zip | Ministry of Justice in Saudi Arabia\r\ne5c56c5b9620fb542eab82bdf75237d179bc996584b5c5f7a1c34ef5ae521c7d | shakva-om.doc | Ministry of Justice in Saudi Arabia\r\nNetwork Indicators:\r\nSecond-stage delivery URLs:\r\nhxxp://3cbc[.]net/dropbox/icon[.]icon\r\nhxxp://pazazta[.]com/app/icon[.]png\r\nhxxp://ohe[.]ie/cli/icon[.]png\r\nhxxp://ohe[.]ie/cp/icon[.]png\r\nProxy-List of POWERSTATS backdoor:\r\nhxxp://andreabelfi[.]com/main.php\r\nhxxp://andreasiegl[.]com/main.php\r\nhxxp://andresocana[.]com/main.php\r\nhxxp://amorenvena[.]com/main.php\r\nhxxp://amphira[.]com/main.php\r\nhxxp://amphibiblechurch[.]com/main.php\r\nSource: https://www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/"
	],
	"report_names": [
		"muddywater-operations-in-lebanon-and-oman"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens",
				"ENT-11",
				"Earth Vetala",
				"ITG17",
				"MERCURY",
				"Mango Sandstorm",
				"MuddyWater",
				"STAC 1171",
				"Seedworm",
				"Static Kitten",
				"TA450",
				"TEMP.Zagros",
				"UNC3313",
				"Yellow Nix"
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434947,
	"ts_updated_at": 1775826731,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f99231c89457414326ccd31b09ab8342a4825b8a.pdf",
		"text": "https://archive.orkl.eu/f99231c89457414326ccd31b09ab8342a4825b8a.txt",
		"img": "https://archive.orkl.eu/f99231c89457414326ccd31b09ab8342a4825b8a.jpg"
	}
}