Keypoints
- MuddyWater is suspected of using a new C2 framework named DarkBeatC2 that serves PowerShell payloads via web endpoints (e.g., googleonlinee[.]com).
- Initial access is commonly achieved via spear-phishing PDFs linking to archives hosted on public file services (egnyte, filetransfer[.]io, freeupload[.]store) that install remote administration tools (Atera Agent / RMMs).
- DarkBeatC2 PowerShell flow: fetch a small launcher, read/write a local SysInt.log file, POST log contents to the C2, and loop-fetch executable scriptblocks for execution.
- Attackers abused supply-chain and managed-service provider access (Rashim) to distribute malicious links and leverage admin/VPN credentials to access multiple customer networks.
- Open-source tooling (reNgine) and publicly hosted Tactical RMM instances were observed on hosting IPs linked to the campaign, indicating reconnaissance and RMM abuse for lateral movement and persistence.
- Multiple IPs, domains, and file hashes are provided as indicators (see IOC section); several webshell variants and wipers were also linked to Iranian activity in related incidents.
MITRE Techniques
- [T1566] Phishing – Delivered malicious PDF attachments containing links to hosted archives used to deploy remote administration tools. [‘PDF attachments contained links to various web hosting services where users could download an archive containing a remote administration tool’]
- [T1204] User Execution – Relied on victims opening and following links in spear-phishing PDFs to execute payloads. [‘trick victims into executing malicious PDF attachments’]
- [T1059.001] PowerShell – Used chained PowerShell scripts to fetch, write, and execute remote scriptblocks and to send local logs to the C2. [‘PowerShell remains their “bread and butter.”’]
- [T1071.001] Application Layer Protocol: Web Protocols – C2 communication used HTTP(S) endpoints with GET/POST requests to fetch scripts and exfiltrate SysInt.log contents. [‘sends it to the C2 via a POST request.’]
- [T1583] Acquire Infrastructure – Registered and used lookalike domains and VPS IPs (e.g., mafatehgroup[.]com, aramcoglobal[.]site) to host reconnaissance and C2 services. [‘domains aramcoglobal[.]site and mafatehgroup[.]com point to the IP address’]
- [T1505] Server Software Component / Web Shells – Deployed or used webshells (including FoxShell variants) on compromised web servers for persistence and command execution. [‘it is not a generic webshell but a variant of the FoxShell’]
- [T1574] Hijack Execution Flow (DLL Sideloading) – Employed DLL sideloading techniques to run C2 connectors under the guise of legitimate applications (PowGoop, MuddyC2Go). [‘Sideloading a malicious DLL to execute the code to establish a C2 connection’]
- [T1105] Ingress Tool Transfer – Delivered and installed remote administration tools (Atera Agent / RMM) via downloadable archives on public file hosts. [‘download an archive containing a remote administration tool’]
- [T1021] Remote Services – Abused VPN/admin accounts from a compromised MSP (Rashim) to access multiple customer networks and expand the intrusion. [‘hijacking this admin account, the attackers were able to access numerous organizations by using their VPN’]
- [T1486] Data Encrypted for Impact / Wiper – Related campaigns included wiper deployments and destructive payloads against targets. [‘wiper malware’]
Indicators of Compromise
- [IP Address] suspected C2/recon hosts – 185.236.234[.]161 (reNgine host), 185.216.13[.]242 (Tactical RMM / websiteapicloud[.]com), and other IPs listed in the report (many more associated with DarkBeatC2).
- [Domain] C2 and hosting domains – googleonlinee[.]com (DarkBeatC2 endpoint), salary.egnyte[.]com / kinneretacil.egnyte[.]com (public file-hosting subdomains used to host malicious archives), and other related domains such as googlelinks[.]net.
- [File hash – MD5] PowerShell/C2 responses and malware – 3dd1f91f89dc70e90f7bc001ed50c9e7 (PowerShell response from googleonlinee[.]com/setting/…), 353b4643ec51ecff7206175d930b0713 (MEK-DDMC.exe wiper), and 3 more hashes listed in the source.
- [File name / installer] RMM installer artifacts and local log – IronSwords.msi (Atera Agent installer observed uploaded to public hosts), Atera Agent (RMM), C:\ProgramData\SysInt.log (created/read by DarkBeatC2 PowerShell stages).
Deep technical summary:
MuddyWater’s DarkBeatC2 framework centers on lightweight PowerShell stages served from web endpoints (example: googleonlinee[.]com). The initial stage fetches two PowerShell scripts: one that retrieves and executes further scripts, and another that reads a local log file (C:\ProgramData\SysInt.log) and POSTs its contents to the C2. A looping fetch stage polls the C2 every ~20s, interprets special “SRT_” timing commands or converts arbitrary responses into PowerShell scriptblocks, which are then executed and their output appended to SysInt.log.
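The polling loop described above leaves a measurable footprint in outbound HTTP logs: a fixed-cadence series of GET requests to one host, interleaved with a POST that carries the log upload, from a PowerShell user agent. The script below is an added detection example, not code from the report or from Deep Instinct; the proxy log format, the sample lines, the user-agent strings, and the cadence thresholds are assumptions, while the C2 domain is the one the summary names.

```python
"""Detect DarkBeatC2-style polling in outbound proxy logs (constructed example).

Groups HTTP requests by (client, destination host), measures the cadence of the
GET polls, and flags pairs with a tight ~20 s beat that also carry a POST (the
SysInt.log upload) and a PowerShell user agent. Log format, thresholds and the
sample lines below are assumptions for this example.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed proxy log line: "<ISO timestamp> <client_ip> <METHOD> <url> <user_agent>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>GET|POST) (?P<url>\S+) (?P<ua>.+)$"
)

# Flags script-block text that touches the staging log the report describes.
STAGING_LOG_RE = re.compile(r"ProgramData[\\/]+SysInt\.log", re.IGNORECASE)

# Assumed user-agent strings for the sample lines.
PS_UA = "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0) Chrome/120"

# Constructed sample: one polling loop against the C2 domain named in the
# summary, plus ordinary browsing to a benign host from the same client.
SAMPLE_LOG = "\n".join([
    f"2024-04-10T09:00:00 10.0.0.5 GET https://googleonlinee.com/setting/ {PS_UA}",
    f"2024-04-10T09:00:03 10.0.0.5 POST https://googleonlinee.com/setting/ {PS_UA}",
    f"2024-04-10T09:00:20 10.0.0.5 GET https://googleonlinee.com/setting/ {PS_UA}",
    f"2024-04-10T09:00:40 10.0.0.5 GET https://googleonlinee.com/setting/ {PS_UA}",
    f"2024-04-10T09:01:00 10.0.0.5 GET https://googleonlinee.com/setting/ {PS_UA}",
    f"2024-04-10T09:01:21 10.0.0.5 GET https://googleonlinee.com/setting/ {PS_UA}",
    f"2024-04-10T09:00:05 10.0.0.5 GET https://www.example.com/index.html {BROWSER_UA}",
    f"2024-04-10T09:00:09 10.0.0.5 GET https://www.example.com/app.js {BROWSER_UA}",
    f"2024-04-10T09:07:42 10.0.0.5 GET https://www.example.com/news {BROWSER_UA}",
])


def parse(log_text):
    """Parse the assumed log format into event dicts, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["host"] = ev["url"].split("/")[2].lower()
        events.append(ev)
    return events


def find_beacons(events, min_polls=4, expected_s=20.0, tolerance_s=5.0):
    """Return (client, host) pairs whose GET cadence matches the expected beat."""
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev["client"], ev["host"])].append(ev)
    findings = []
    for (client, host), evs in by_pair.items():
        gets = sorted(e["ts"] for e in evs if e["method"] == "GET")
        if len(gets) < min_polls:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(gets, gets[1:])]
        median = statistics.median(gaps)
        jitter = max(abs(g - median) for g in gaps)  # worst deviation from the beat
        if abs(median - expected_s) > tolerance_s or jitter > tolerance_s:
            continue
        findings.append({
            "client": client,
            "host": host,
            "polls": len(gets),
            "median_interval_s": median,
            "has_post": any(e["method"] == "POST" for e in evs),
            "powershell_ua": any("PowerShell" in e["ua"] for e in evs),
        })
    return findings


def references_staging_log(script_text):
    """True if a PowerShell script block mentions the ProgramData\\SysInt.log path."""
    return STAGING_LOG_RE.search(script_text) is not None


if __name__ == "__main__":
    for hit in find_beacons(parse(SAMPLE_LOG)):
        print(hit)
```

Cadence is measured on GET requests only, because the report describes the POST as a separate log upload rather than part of the fixed-interval poll; the POST and the user agent are then reported as corroborating signals rather than used as filters, so a variant that changes either still surfaces on the timing alone. `references_staging_log` is meant for PowerShell script-block logging (Event ID 4104) output, where the staging path is visible in cleartext.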
Initial access and distribution use spear-phishing PDFs containing links to archives hosted on public file services (Egnyte, filetransfer[.]io, freeupload[.]store), which deliver remote administration tools (Atera Agent / other RMMs) or connectors that establish the C2 connection. The operators also abused compromised MSP/admin accounts and VPNs (Rashim -> customer networks) to propagate links and directly access downstream targets; open-source recon tooling (reNgine) and Tactical RMM panels were observed on threat-hosting IPs tied to the campaign.
Operationally, the intrusions combine classic MuddyWater TTPs: phishing + user execution, PowerShell-based C2, DLL sideloading variants to run connectors, webshells on compromised servers for persistence, and use of RMMs for broader access and lateral movement. The report includes multiple IPs, domains, and MD5 hashes that map to these behaviors and should be used in contextual detection and containment (block/report C2 domains, validate RMM deployments, and inspect SysInt.log-like artifacts).
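Putting the indicators above to use means refanging them and matching them against DNS and endpoint telemetry without over-blocking: several of the listed hosts are subdomains of a legitimate file-sharing service, so only the full subdomain should match. The script below is an added example, not code from the report; the domains, IPs and MD5 hashes are the ones this summary lists, while the DNS and inventory log formats, the sample lines and the placeholder hash for IronSwords.msi are constructed.

```python
"""Refang the IOCs from this summary and match them against DNS and file-hash
inventory lines (constructed example). IOC values are the ones the page lists;
the log formats and sample lines are assumptions."""
import re

# Defanged as they appear on the page. salary.egnyte[.]com is a subdomain of a
# legitimate file-hosting service, so it is matched as a full name and never
# as a bare "egnyte.com" suffix.
DEFANGED_IOCS = {
    "domain": ["googleonlinee[.]com", "googlelinks[.]net", "mafatehgroup[.]com",
               "aramcoglobal[.]site", "websiteapicloud[.]com", "salary.egnyte[.]com"],
    "ip": ["185.236.234[.]161", "185.216.13[.]242"],
    "md5": ["3dd1f91f89dc70e90f7bc001ed50c9e7", "353b4643ec51ecff7206175d930b0713"],
}


def refang(value):
    """Undo common defanging ([.] -> ., hxxp -> http) and lower-case the value."""
    v = value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    v = re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)
    return v.lower()


def build_index(defanged=DEFANGED_IOCS):
    """Refanged IOC sets keyed by kind, for O(1) lookups while scanning."""
    return {kind: {refang(v) for v in values} for kind, values in defanged.items()}


def domain_matches(qname, domains):
    """Exact match or a subdomain of a listed name; sibling subdomains do not match."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


# Assumed DNS log line: "<ts> <client> <qname> <rtype> <answer>" (constructed;
# the answer addresses are documentation ranges except the one page IP).
SAMPLE_DNS = """\
2024-04-10T09:00:00 10.0.0.5 googleonlinee.com A 203.0.113.10
2024-04-10T09:00:01 10.0.0.5 www.example.com A 203.0.113.20
2024-04-10T09:00:02 10.0.0.7 files.egnyte.com A 203.0.113.30
2024-04-10T09:00:03 10.0.0.7 salary.egnyte.com A 203.0.113.31
2024-04-10T09:00:04 10.0.0.9 update.example.net A 185.236.234.161
"""

# Assumed inventory line: "<hostname> <path-without-spaces> <md5>". The
# IronSwords.msi hash is an all-zero placeholder, not a real value.
SAMPLE_HASHES = r"""
WS01 C:\Users\a\Downloads\IronSwords.msi 00000000000000000000000000000000
WS02 C:\Users\b\Downloads\MEK-DDMC.exe 353b4643ec51ecff7206175d930b0713
WS03 C:\Windows\System32\notepad.exe ffffffffffffffffffffffffffffffff
"""


def scan_dns(log_text, index):
    """Flag queries for listed domains and answers that resolve to listed IPs."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _ts, client, qname, _rtype, answer = parts
        if domain_matches(qname, index["domain"]):
            hits.append((client, "domain", qname.lower()))
        elif answer in index["ip"]:
            hits.append((client, "ip", f"{qname.lower()} -> {answer}"))
    return hits


def scan_hashes(inventory_text, index):
    """Flag inventory rows whose MD5 is on the IOC list."""
    hits = []
    for line in inventory_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not re.fullmatch(r"[0-9a-fA-F]{32}", parts[2]):
            continue
        host, path, md5 = parts
        if md5.lower() in index["md5"]:
            hits.append((host, path, md5.lower()))
    return hits


if __name__ == "__main__":
    idx = build_index()
    for hit in scan_dns(SAMPLE_DNS, idx) + scan_hashes(SAMPLE_HASHES, idx):
        print(hit)
```

The `elif` in `scan_dns` reports a domain match ahead of an IP match so that one query produces one finding; the IP branch is what catches a freshly registered domain that points at infrastructure already listed in the report. For the RMM validation the summary recommends, the same inventory scan can be run against a list of approved RMM installer hashes inverted, flagging any Atera or Tactical RMM agent whose hash is not on the approved list.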
Read more: https://www.deepinstinct.com/blog/darkbeatc2-the-latest-muddywater-attack-framework