Chronology of MuddyWater APT Attacks Targeting the Middle East

hendryadrian.com

TL;DR

◈ Key Findings

• The Middle East serves as a strategic cyber threat hub where state-sponsored APT activities are highly concentrated.
• Attacks originating from the Middle East prioritized long-term infiltration and intelligence collection over short-term gains.
• Abuse of RMM tools and macro-based attacks were primary initial access vectors used by Middle Eastern APT groups.
• User-driven attacks leveraging social engineering techniques and outdated environments continued to be actively employed.
• Perimeter-based detection has clear limitations, making endpoint behavior-based EDR essential.

1. Overview

The Middle East is a region of high strategic importance from geopolitical, military, and energy security perspectives, where a significant volume of state-sponsored cyber threat activities has been observed. Due to these characteristics, persistent intrusion-focused cyber operations (APT) conducted for state-level intelligence collection and the execution of diplomatic and security strategies have been actively carried out. These activities have not been confined to the Middle East, but have shown a pattern of expansion across Europe, Asia, and North America.

Cybersecurity threats originating from the Middle East have been analyzed as prioritizing long-term persistence, information theft, and influence expansion over one-off attacks or direct financial gain. Attack targets are primarily concentrated in sectors critical to national functions, such as government agencies, diplomatic and defense organizations, and energy and telecommunications infrastructure.

Cybersecurity authorities in multiple countries, including the United States and the United Kingdom, have highlighted that Middle East-based threat actors continued to rely on document-based spear-phishing as an initial access method.

Recent versions of Microsoft Office block macro execution by default for documents downloaded from the internet or apply enhanced security protections. However, attackers combined email content with social engineering techniques to persuade users to explicitly enable macros. In environments where legacy software remained widely deployed, automatic macro execution was still enabled, resulting in a relatively high success rate.

In addition, document-based threats that abuse OLE and embedded object features to conceal payloads remain a commonly used attack vector worldwide. When such environments are combined with well-crafted phishing messages, document-based initial access techniques that rely on user interaction continue to be considered an effective attack method.

Against this backdrop, this threat intelligence report aims to analyze the current landscape of state-sponsored cyber threats operating primarily in the Middle East and to systematically outline the key tactics and technical characteristics observed in real-world attacks.

This report aims to provide an objective view of the current landscape of Middle East–based cyber threats by focusing on recently observed attack flows, including spear-phishing–based initial access, user deception through malicious documents, and post-compromise techniques for persistence and evasion.

In such a threat environment, traditional perimeter security and signature-based detection approaches are assessed as having inherent limitations in effectively identifying and blocking attacks across their full lifecycle. Accordingly, this report also examines the necessity of adopting Endpoint Detection and Response (EDR) from the perspective of behavior-based detection and post-compromise visibility.

EDR is recognized as an effective countermeasure for continuously collecting and analyzing anomalous endpoint behaviors. It enables the detection of techniques repeatedly leveraged in Middle East–based APT attacks following initial compromise, such as lateral movement, script execution, and memory-based malicious activity.

Ultimately, this report aims to enhance understanding of the tactics and technical evolution of Middle East cyber threats and, based on this analysis, to derive practical technical and operational insights for strengthening organizational detection and response capabilities.

2. Background

State-sponsored cyber threat groups operating in the Middle East are generally known to have structural ties to intelligence agencies or quasi-governmental organizations. While these groups outwardly present themselves as independent hacking collectives, numerous cases have confirmed that they are in fact leveraged as operational entities for intelligence collection and the execution of cyber operations aligned with national strategic objectives.

The names used to refer to threat groups within the international security community are typically not official designations adopted by the actors themselves. Instead, they commonly originate from classification labels assigned by security analysts based on factors observed during initial compromise analysis, including attack infrastructure, malicious tools, campaign characteristics, and internal identifiers. These names serve as practical identifiers for systematically distinguishing and analyzing threat actor activities.

The designation “MuddyWater” was first used in November 2017 in the Palo Alto Networks Unit 42 report titled “Muddying the Water: Targeted Attacks in the Middle East,” during the process of identifying and classifying a series of targeted attacks against the Middle East.

Since then, the name was widely adopted by multiple security vendors and national cybersecurity authorities in threat intelligence (TI) analysis reports as the term used to refer to the same threat actor.

Based on technical analysis findings, the threat actor is assessed to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS). This assessment cited multiple factors, including the geographic and political characteristics of the targets, attack infrastructure repeatedly reused over extended periods, operational patterns concentrated within specific time windows, and tactics, techniques, and procedures (TTPs) that overlapped with Iran-based threat actors. This assessment is not based on a single indicator but is derived from a comprehensive synthesis of multi-year campaign tracking and infrastructure correlation analysis.

The name “Muddy Water” can be interpreted as a symbolic reference to operational characteristics intended to deliberately obscure the attack chain and attribution. However, such labels are convenience identifiers for analysis and classification. The substantive nature of the threat lay not in a specific group name, but in persistent, systematic, state-directed cyber operational capabilities and operating methods.

Looking at the overall attack patterns of Middle East–origin cyber threats, spear-phishing emails were most frequently used during the initial access stage. In this process, malicious files delivered via Office documents, including Microsoft Word documents, had been used as a primary delivery mechanism since the initial reporting in 2017, and were observed to be used alongside various formats such as Excel macro-enabled documents.

These documents were typically disguised as legitimate business materials or official notices to prompt users to enable content or run macros, which then installed additional malicious payloads.

Post-compromise, threat actors employed a range of tactics, techniques, and procedures (TTPs), including PowerShell-based script execution, DLL side-loading, and the abuse of legitimate remote management tools. These techniques enabled long-term access persistence within the network and evasion of security detection.

In addition, some recent attack cases showed indications of malware written in Rust, suggesting that state-sponsored threat actors in the Middle East continued to advance their malware development and operational capabilities.

Putting these observations together, Middle East cyber threats should be understood not as an issue limited to a single group or isolated campaign, but as a threat ecosystem accumulated and operated over the long term at the level of national strategy. Accordingly, rather than responding on a case-by-case basis, organizations need to analyze threats around commonalities in attack methods and the direction of technical evolution, and to establish proactive detection and response strategies based on those insights.

3. Chronology of MuddyWater APT Attacks

3-1. Case: Attack on Iraqi Telecommunications Infrastructure

To more accurately understand recent threat trends, it is necessary to first review past APT attack cases conducted against telecommunications providers in the Middle East. Reviewing these prior cases provides important background for understanding the strategic objectives pursued by threat actors over an extended period and the evolution of their tactical approaches.

A notable example is a targeted attack against an Iraqi mobile network operator, detected on March 11, 2019. The attack targeted an operator running major telecommunications infrastructure in Iraq and was assessed as aiming to maintain long-term intrusion after obtaining initial access to the internal user environment.

[Figure 3-1] Spear-Phishing Attack Case Targeting an Iraqi Mobile Network Operator

The operator provided mobile telecommunications services across Iraq and had a diverse user base, including enterprises, government agencies, and individual customers. Although its business structure and service coverage later changed due to financial and regulatory issues, at the time it was regarded as one of the key operators supporting the national telecommunications backbone. These attributes made it a high-value strategic target for external threat actors.

In the initial stage of the attack, a typical spear-phishing–based intrusion technique was used. Analysis indicated that the threat actor emailed a Microsoft Word file disguised as a work-related document to a specific internal user, prompting the recipient to open the document and enable macro execution. In this process, the lure document inserted a blurred image to trick the user into activating macros, and after the macro executed, it displayed a fake error message, which was designed to minimize user suspicion.

[Figure 3-2] Prompt to Enable Malicious Macros in a DOC Document

The malicious macro embedded in the document, immediately upon execution, invoked additional malicious logic and performed deobfuscation. In the final stage, it was structured to launch a backdoor via PowerShell.

This PowerShell-based backdoor communicated with a C2 server and provided capabilities such as remote command execution, additional payload download, and control of the infected system, enabling the attacker to maintain persistent control over the internal environment. This attack flow showed characteristics consistent with the tactics, techniques, and procedures (TTPs) repeatedly used by the threat actor. In particular, the use of PowerShell masquerading as a legitimate administrative tool served as an effective means of evading detection and establishing a stealthy, long-term foothold.

This case was not limited to a single, isolated attack against one telecommunications operator, but served as an important reference for understanding a broader series of activities that persistently targeted telecommunications, energy, and government-related organizations across the Middle East. In particular, considering the customer data, network operations data, and connections with government agencies held by telecommunications providers, these activities were likely conducted to support strategic intelligence collection and long-term influence, rather than simple information theft.

Such historical cases carried significant value as a baseline for analyzing later campaigns, enabling analysts to compare and contrast the adversary’s approach to objective setting, initial access strategy, and the end-to-end flow of malware use.

3-2. Case: Attack Targeting a University in Jordan

The second case was a sophisticated spear-phishing attack carried out on April 8, 2019, against a member of a university in Jordan. The attack targeted the university and impersonated a trusted government agency, with socially engineered initial access attempts serving as its core component.

The attacker sent an email impersonating the Jordanian government agency “Civil Status and Passport Department (cspd.gov.jo)”. The email subject line was “Students Migration Verification – Civil Status and Passport Department”. This was a spoofing technique intended to lead the recipient to perceive the message as an official administrative request sent by a legitimate government institution.

[Figure 3-3] Spear-Phishing Case Targeting a University in Jordan

The email body stated that, per a request from the CSPD, migration-related information for certain students needed to be verified, and asked the recipient to review the attached document and promptly inform the relevant students. This structure closely reflected the roles and responsibilities of university administrative staff and was a social engineering design intended to prompt the recipient to open the attachment without suspicion.

The attachment was a Microsoft Word document disguised as legitimate student-related content and contained malicious macro code. The document was configured to execute macros if the user enabled content, and after execution, it loaded additional malicious payloads or attempted to communicate with remote infrastructure controlled by the attacker.

In particular, the document was configured via OpenXML relationship definitions to reference an externally hosted template. It used the attachedTemplate relationship to load a template file from a remote URL controlled by the attacker. This external template was automatically loaded when the document was opened and could be used as an additional delivery path for malicious code either before or after macro execution. This is a typical document-based initial access method that leverages user action as the direct trigger and an indirect loading technique used to bypass security detection.

[Figure 3-4] Prompt to Enable Malicious Macros in a DOC Document

The VBA script embedded in the malicious document served to invoke PowerShell commands, and was designed to enable follow-on actions such as backdoor installation, collection of information from the infected system, and remote command execution. The external template invocation technique made static analysis of the document itself more difficult and, by separating the actual malicious logic into remote resources, enabled flexible replacement of attack infrastructure and modification of payloads. This attack flow combined document-based social engineering, external template loading, and script execution, and was designed with multi-stage intrusion in mind.

The attacker selected an educational institution to gain broader network access rather than simply infecting an individual user. Educational institutions such as universities often have direct or indirect ties to government departments, research organizations, and public projects, which can provide access to additional information assets and follow-on intrusion paths. Accordingly, this attack reflected a strategic focus on mid- to long-term intelligence collection and internal foothold establishment, rather than short-term malware distribution.

In addition, the attack flow observed in this case was structured to account for post-compromise persistence and potential expansion. Follow-on command execution via PowerShell, potential communication with remote control infrastructure, and the possibility of installing additional tools were assessed as characteristics designed to enable the attacker to observe and control the internal environment over an extended period.

Overall, this case is a representative example of an advanced spear-phishing attack that abused the trust of educational institution members through emails impersonating a government agency and attempted internal intrusion triggered by the execution of a malicious document. It shows that email-based attacks remained an effective initial access vector in targeted attacks, and suggests that messages disguised as administrative or official requests could have a high likelihood of success within organizations.

3-3. Case: Attacks Targeting Egypt’s Hosting Services, Israel’s Insurance, and Malaysia’s Pension Sector

The spear-phishing cases discussed earlier primarily relied on malicious MS Word documents. However, between Q4 2022 and Q2 2023, a shift in attack techniques was observed, with attackers using malicious HTML files or embedding Dropbox URLs.

The HTML file used in this attack, when opened, prompted additional user actions through an embedded URL and ultimately redirected the recipient to a Microsoft OneDrive address. The recipient was then led to download a malicious ZIP archive.

During this process, the threat actor used legitimate cloud storage services such as Dropbox and OneDrive as an intermediate delivery path to bypass security solutions and user vigilance.

This technique abused trusted service domains to evade URL reputation-based detection and to increase credibility through social engineering.

[Figure 3-5] Spear-Phishing Case Using an HTML Attachment and Embedded URL Links

In October 2022, the attacker conducted a spear-phishing attack targeting an Egypt-based data hosting and IT infrastructure service provider, disguising the email as an inquiry about hosting services. Analysis indicated that the attacker used a format similar to a legitimate customer inquiry as a social engineering technique to lower the recipient’s vigilance.

In November 2022, the attacker simultaneously targeted three Israel-based insurance companies, showing a campaign-style pattern aimed at the broader insurance industry rather than a single organization. This was assessed as an attempt to expand the scope of attacks by consecutively targeting multiple organizations within the same sector.

In April 2023, an attack targeting an individual affiliated with a Malaysian government-run public pension fund management institution was also identified.

Notably, the malicious HTML attachment used in this attack was the same file used in the November 2022 attacks against Israel’s insurance industry.

This confirmed that the threat actor reused the malicious file and conducted sustained attack activity over several months, with professionals in the insurance and pension sectors as primary targets.

<img src=”https://www.genians.co.kr/hs-fs/hubfs/%5B%EA%B7%B8%EB%A6%BC%203-6%5D%20HTML%20%EC%B2%A8%EB%B6%80%20%EB%B0%8F%20URL%20%EB%A7%81%ED%81%AC%20%ED%8F%AC%ED%95%A8%ED%98%95%20%EC%8A%A4%ED%94%BC%EC%96%B4%ED%94%BC%EC%8B%B1%20%EA%B3%B5%EA%B2%A9%20%EC%82%AC%EB%A1%80.png?width=5736&height=5976&name=%5B%EA%B7%B8%EB%A6%BC%203-6%5D%20HTML%20%EC%B2%A8%EB%B6%80%20%EB%B0%8F%20URL%20%EB%A7%81%ED%81%AC%20%ED%8F%AC%ED%95%A8%ED%98%95%20%EC%8A%A4%ED%94%BC%EC%96%B4%ED%94%BC%EC%8B%B1%20%EA%B3%B5%EA%B2%A9%20%EC%82%AC%EB%A1%80.png” width=”5736″ height=”5976″ loading=”lazy” alt=”[Figure 3-6] Malicious HTML Execution Screen” srcset=”https://www.genians.co.kr/hs-fs/hubfs/%5B%EA%B7%B8%EB%A6%BC%203-6%5D%20HTML%20%EC%B2%A8%EB%B6%80%20%EB%B0%8F%20URL%20%EB%A7%81%ED%81%AC%20%ED%8F%AC%ED%95%A8%ED%98%95%20%EC%8A%A4%ED%94%BC%EC%96%B4%ED%94%BC%EC%8B%B1%20%EA%B3%B5%EA%B2%A9%20%EC%82%AC%EB%A1%80.png?width=2868&height=2988&name=%5B%EA%B7%B8%EB%A6%BC%203-6%5D%20HTML%20%EC%B2%A8%EB%B6%80%20%EB%B0%8F%20URL%20%EB%A7%81%ED%81%AC%20%ED%8F%AC%ED%95%A8%ED%98%95%20%EC%8A%A4%ED%94%BC%EC%96%B4%ED%94%BC%EC%8B%B1%20%EA%B3%B5%EA%B2%A9%20%EC%82%AC%EB%A1%80.png 2868w, https://www.genians.co.kr/hs-fs/hubfs/%5B%EA%B7%B8%EB%A6%BC%203-6%5D%20HTML%20%EC%B2%A8%EB%B6%80%20%EB%B0%8F%20URL%20%EB%A7%81%ED%81%AC%20%ED%8F%AC%ED%95%A8%ED%98%95%20%EC%8A%A4%ED%94%BC%EC%96%B4%ED%94%BC%EC%8B%B1%20%EA%B3%B5%EA%B2%A9%20%EC%82%AC%EB%A1%80.png?width=5736&height=5976&name=%5B%EA%B7%B8%EB%A6%BC%203-6%5D%20HTML%20%EC%B2%A8%EB%B6%80%20%EB%B0%8F%20URL%20%EB%A7%81%ED%81%AC%20%ED%8F%AC%ED%95%A8%ED%98%95%20%EC%8A%A4%ED%94%BC%EC%96%B4%ED%94%BC%EC%8B%B1%20%EA%B3%B5%EA%B2%A9%20%EC%82%AC%EB%A1%80.png?width=8604&height=8964&name=%5B%EA%B7%B8%EB%A6%BC%203-6%5D%20HTML%20%EC%B2%A8%EB%B6%80%20%EB%B0%8F%20URL%20%EB%A7%81%ED%81%AC%20%ED%8