MuddyWater APT Shifts Tactics to Custom Malware

MuddyWater, an Iranian state-sponsored APT, has shifted from broad intrusions built on remote monitoring and management (RMM) tooling to more targeted attacks using custom malware and spearphishing. Their evolving tactics and infrastructure, including cloud hosting platforms, make them a persistent threat to international critical sectors. #MuddyWater #IranianApt

Key points

  • MuddyWater has decreased RMM-based intrusions and increased targeted spearphishing campaigns.
  • The group now extensively uses custom malware families like Phoenix, StealthCache, BugSleep, and Fooder.
  • New tools have been weaponized, including backdoors with advanced capabilities and anti-analysis features.
  • Their infrastructure involves major cloud providers such as AWS, Cloudflare, DigitalOcean, OVH, and M247.
  • Despite operational security efforts, reuse of TLS certificates and domains allows tracking of their activities.
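The last point above is the one a defender can act on directly: when an actor reuses the same TLS certificate across hosting providers, or rotates certificates on a domain that is also seen elsewhere, the shared fingerprints and hostnames can be joined into clusters of related infrastructure. The script below is an added example written for this page, not code from the original post or from any vendor report; it assumes the analyst already logs, per observed host, the SHA-256 fingerprint of the presented leaf certificate and the hosting provider. All hostnames, fingerprints and provider labels in it are constructed placeholders, not real indicators.

```python
"""Cluster observed TLS endpoints by shared certificate fingerprint or hostname.

Added example (not from the original post). Assumes the defender records,
for each host, the SHA-256 fingerprint of the leaf certificate it presents.
Two hosts that present the same certificate are linked; a host that rotates
to a certificate another host also uses links the two groups transitively.
"""
from collections import defaultdict

# Constructed observations: (host, cert_sha256, hosting_provider).
# The hostnames and fingerprints are placeholders, not real indicators.
OBSERVATIONS = [
    ("update-check.example.net", "aa11" * 16, "AWS"),
    ("cdn-sync.example.org",     "aa11" * 16, "DigitalOcean"),
    ("cdn-sync.example.org",     "bb22" * 16, "DigitalOcean"),  # rotated cert, same host
    ("mail-relay.example.com",   "bb22" * 16, "OVH"),
    ("unrelated.example.io",     "cc33" * 16, "Cloudflare"),
]


class DisjointSet:
    """Union-find over (kind, value) nodes, e.g. ("host", name) or ("cert", fp)."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_infrastructure(observations):
    """Return clusters of hosts linked through shared certificates.

    Each observation joins its host node to its certificate node, so hosts
    sharing a certificate, or chained through one host that used two
    certificates, land in the same cluster. Clusters are returned largest
    first, with their member lists sorted for stable output.
    """
    ds = DisjointSet()
    for host, fingerprint, _provider in observations:
        ds.union(("host", host), ("cert", fingerprint))

    clusters = defaultdict(lambda: {"hosts": set(), "certs": set(), "providers": set()})
    for host, fingerprint, provider in observations:
        bucket = clusters[ds.find(("host", host))]
        bucket["hosts"].add(host)
        bucket["certs"].add(fingerprint)
        bucket["providers"].add(provider)

    return sorted(
        ({key: sorted(values) for key, values in bucket.items()} for bucket in clusters.values()),
        key=lambda c: (-len(c["hosts"]), c["hosts"]),
    )


def pivot_report(observations):
    """Keep only clusters with more than one host; singletons carry no pivot."""
    return [c for c in cluster_infrastructure(observations) if len(c["hosts"]) > 1]


if __name__ == "__main__":
    for cluster in pivot_report(OBSERVATIONS):
        print(cluster)
```

On the constructed data this yields one multi-host cluster spanning three providers, which is the tracking signal the summary refers to: the certificate reuse, not the hosting choice, is what ties the hosts together. In practice the fingerprints would come from the organisation's own TLS inspection logs or from certificate transparency and passive DNS feeds, and a match should be treated as a lead for analyst review rather than an automatic verdict.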

Read More: https://securityonline.info/muddywater-apt-shifts-tactics-to-custom-malware/