MuddyWater

MuddyWater is an Iran-linked advanced persistent threat and associated malware/toolset active since at least 2017. The provided reporting describes sustained spear-phishing operations, including a 2018 campaign targeting government, military, telecommunications, and educational organizations, primarily across the Middle East, with victims observed in Jordan, Turkey, Iraq, Pakistan, Saudi Arabia, Afghanistan, Azerbaijan, and additional cases in Russia, Iran, Bahrain, Austria, and Mali. Infection commonly began with macro-enabled Word documents using geopolitical decoys and password-protected macros. In some cases, users were tricked into activating a fake text box to trigger VBA execution.

Observed execution chains dropped staged files under C:\ProgramData, including names such as EventManager.dll, EventManager.logs, WindowsDefenderService.ini, Defender.sct, DefenderService.inf, and ZIPSDK\InstallConfNT.vbs. Persistence was established via HKCU Run keys, including entries such as WindowsDefenderUpdater, or via scheduled tasks. The malware abused LOLBins and Microsoft-signed binaries including rundll32.exe, advpack.dll LaunchINFSection, scrobj.dll, mshta.exe, WMI, and Office applications to decode and launch obfuscated PowerShell payloads. One reported behavior disabled Office Macro Warnings and Protected View to facilitate subsequent malicious document execution.

The malware conducted victim reconnaissance and communicated with command-and-control infrastructure selected at random from an embedded URL array. If one C2 failed, it selected another, slept briefly, and retried. It queried api.ipify.org to determine the victim’s public IP address and sent encrypted host data to C2, including public IP, OS version, internal IP, machine name, domain name, and username. The server returned a victim identifier used in later command requests. Supported commands included file upload, screenshot capture, execution of secondary PowerShell stages via Excel DDE, Outlook COM with MSHTA, or Explorer COM interaction, reboot, shutdown, and a destructive clean function that wiped drives C through F and rebooted the system. Screenshot output was stored as a PNG in ProgramData.

Anti-analysis behavior was also reported. Variants checked running processes against a denylist including OllyDbg, ProcessHacker, Wireshark, Procmon, Autoruns, and ImmunityDebugger. Some samples triggered a BSOD via ntdll.dll NtRaiseHardError when analysis-tool checks matched. More recent reporting cited a MuddyWater operation dubbed Operation Olalampo that used Telegram bots for C2 and deployed new malware including the Rust backdoor CHAR, the downloaders GhostFetch and HTTP_VIP, and GhostBackDoor, primarily affecting organizations in the MENA region.

The content also notes that Microsoft linked MuddyWater to malware signed through the Fox Tempest malware-signing-as-a-service operation, alongside families such as Oyster, Lumma Stealer, and Vidar.