
MuddyWater Expands Global Campaigns with New Backdoors Targeting US and Israeli Entities

4 unique sources, 12 articles

Summary


The Iran-linked MuddyWater APT (a.k.a. Seedworm, Static Kitten) has expanded its global espionage operations to include a major South Korean electronics manufacturer, government agencies, and an international airport in the Middle East, marking a geographic shift beyond its traditional MENA and Israeli targets. In February 2026, the group spent a week inside the network of the South Korean firm, conducting industrial espionage and intellectual property theft while leveraging DLL sideloading via legitimate Fortemedia and SentinelOne binaries to deploy ChromElevator for browser data exfiltration. MuddyWater’s evolving tradecraft includes the continued use of PowerShell—now orchestrated via Node.js loaders—for reconnaissance, credential theft, and persistence, alongside anti-detection techniques like fake Windows prompts, registry hive theft, and public file-sharing services (*sendit.sh*) for exfiltration. This follows earlier 2026 campaigns where the group masqueraded as Chaos ransomware to deploy the Darkcomp RAT, targeted US companies with Dindoor/Fakeset backdoors, and expanded its toolset with Rust-based implants like RustyWater. The group’s persistent focus on espionage, use of legitimate tools for evasion, and geographic diversification underscore its adaptability as a state-aligned threat actor linked to Iran’s MOIS.

Timeline

  1. 14.05.2026 00:59 1 article · 23h ago

    MuddyWater Expands to South Korea with DLL Sideloading and ChromElevator

    In February 2026, MuddyWater targeted a major South Korean electronics manufacturer, spending a week inside the victim’s network to conduct industrial espionage and intellectual property theft. The campaign leveraged DLL sideloading via legitimate binaries—*fmapp.exe* (Fortemedia audio utility) and *sentinelmemoryscanner.exe* (SentinelOne component)—to load malicious DLLs (*fmapp.dll*, *sentinelagentcore.dll*) that deployed ChromElevator, a commodity tool for stealing Chrome-based browser data. PowerShell, orchestrated via Node.js loaders, was used for reconnaissance (host/domain enumeration, antivirus checks via WMI), screenshot capture, payload fetching, persistence (registry modifications), credential theft (fake Windows prompts, SAM/SECURITY/SYSTEM hive theft, Kerberos ticket abuse), and SOCKS5 tunneling. Beaconing occurred at 90-second intervals, with sideloaded binaries repeatedly relaunched to maintain access. Data exfiltration relied on *sendit.sh*, a public file-sharing service, likely to obscure malicious traffic. Symantec assessed the campaign as a strategic expansion beyond MuddyWater’s traditional MENA/Israeli focus, emphasizing operational maturity and increased abuse of legitimate tools to reduce detection risk.

  2. 06.05.2026 16:00 3 articles · 8d ago

    MuddyWater Conducts False-Flag Ransomware Intrusion with Darkcomp RAT

    In early 2026, MuddyWater conducted an intrusion disguised as a Chaos ransomware attack, using Microsoft Teams social engineering to draw victims into screen-sharing sessions. The attackers stole credentials, via phishing pages posing as Microsoft Quick Assist or by talking victims into typing passwords into local text files, tampered with MFA protections, and deployed remote management tools (AnyDesk, DWAgent) for persistence and data exfiltration. Extortion emails directed victims to a Chaos ransomware leak site, but no file-encrypting malware was ever deployed: the ransomware branding was a decoy for an espionage operation. The loader *ms_upd.exe* (also known as Stagecomp) collected system information and contacted a C2 server (172.86.126[.]208) to drop next-stage payloads: *game.exe* (the Darkcomp RAT), *WebView2Loader.dll* (a legitimate DLL required by Microsoft Edge WebView2), and *visualwincomp.txt* (an encrypted configuration holding the C2 details). Darkcomp, a trojanized build of Microsoft's WebView2APISample project, polls the C2 server for commands every 60 seconds and supports PowerShell/CMD execution, file operations, and persistent shell access. The link to MuddyWater rests largely on the code-signing certificate issued to 'Donald Gay' that signs *ms_upd.exe*; the same certificate was previously used to sign the group's malware, including Fakeset. Rapid7 attributes the incident to MuddyWater with moderate confidence, citing infrastructure overlap, the reused certificate, and alignment with the group's known tradecraft. It follows a late-2025 attack in which MuddyWater used Qilin ransomware for the same kind of deception against an Israeli organization, suggesting a deliberate move to Chaos branding after that activity was attributed to Iranian MOIS operatives.

  3. 06.03.2026 17:15 2 articles · 2mo ago

    MuddyWater Targets US Companies with Dindoor and Fakeset Backdoors

    MuddyWater has been targeting US companies in a campaign that began in early February 2026. It uses a previously unknown backdoor dubbed 'Dindoor' that runs on the Deno JavaScript runtime and is signed with a code-signing certificate issued to 'Amy Cherne'. At a software company, an attempt to exfiltrate data with Rclone to a Wasabi cloud storage bucket was observed. A different, Python-based backdoor called Fakeset was found on the network of a US airport, signed with certificates issued to 'Amy Cherne' and 'Donald Gay'; the 'Donald Gay' certificate had already been used to sign MuddyWater malware, including the Darkcomp backdoor, which makes the signer names a useful pivot for blocking or alerting on payloads that are not yet otherwise known. The same period saw the Chaos-branded false-flag intrusion described in the 06.05.2026 entry, in which Microsoft Teams social engineering led to screen sharing, credential theft, and deployment of AnyDesk and DWAgent, followed by extortion emails and the Darkcomp RAT signed with the same certificate.

  4. 23.02.2026 09:25 1 article · 2mo ago

    MuddyWater Launches Operation Olalampo with New Malware Families

    The MuddyWater threat actor has launched a new campaign codenamed Operation Olalampo targeting organizations and individuals in the Middle East and North Africa (MENA) region. The campaign deploys new malware families including GhostFetch, HTTP_VIP, CHAR, and GhostBackDoor. GhostFetch is a first-stage downloader that profiles the system, validates mouse movements, checks screen resolution, and fetches and executes secondary payloads directly in memory. GhostBackDoor is a second-stage backdoor delivered by GhostFetch that supports an interactive shell, file read/write, and re-running GhostFetch. HTTP_VIP is a native downloader that performs system reconnaissance and deploys AnyDesk from the C2 server. CHAR is a Rust backdoor controlled through a Telegram bot (username "stager_51_bot") that executes cmd.exe or PowerShell commands. The PowerShell command run by CHAR is designed to launch a SOCKS5 reverse proxy or another backdoor named Kalim, upload data stolen from web browsers, and run otherwise unknown executables referred to as "sh.exe" and "gshdoc_release_X64_GUI.exe". For initial access, MuddyWater has been observed exploiting recently disclosed vulnerabilities on public-facing servers.

  5. 10.01.2026 12:35 2 articles · 4mo ago

    MuddyWater Deploys RustyWater RAT in New Campaign

    The MuddyWater threat actor has launched a campaign against diplomatic, maritime, financial, and telecom entities in the Middle East using a Rust-based implant codenamed RustyWater. Malicious Word documents with spoofed icons deliver the implant, which supports asynchronous C2, anti-analysis checks, registry persistence, and modular expansion of post-compromise capability. RustyWater gathers victim machine information, detects installed security software, persists via a Windows Registry key, and contacts a command-and-control (C2) server (nomercys.it[.]com) for file operations and command execution. The implant is also tracked as Archer RAT and RUSTRIC; Seqrite Labs previously flagged RUSTRIC in attacks on IT, MSP, human resources, and software development companies in Israel. MuddyWater has historically relied on PowerShell and VBS loaders for initial access and post-compromise operations, so the move to Rust-based implants marks a notable shift toward more structured, modular, and low-noise RAT capability.

  6. 08.12.2025 08:46 2 articles · 5mo ago

    MuddyWater Deploys UDPGangster Backdoor in Targeted Campaign

    MuddyWater has deployed a new backdoor called UDPGangster that uses the User Datagram Protocol (UDP) for command-and-control (C2). The attack chain begins with spear-phishing emails carrying booby-trapped Microsoft Word documents whose payload executes once macros are enabled. The messages impersonate the Ministry of Foreign Affairs of the Turkish Republic of Northern Cyprus and invite recipients to an online seminar titled "Presidential Elections and Results." The dropper's VBA script hides the malicious activity behind a Hebrew-language decoy image, ostensibly from Israeli telecommunications provider Bezeq, announcing service disconnection periods in various Israeli cities during the first week of November 2025. UDPGangster persists through Windows Registry modifications and includes several anti-analysis checks intended to hinder reverse engineering. It communicates with an external server (157.20.182[.]75) over UDP port 1269 to exfiltrate collected data, run commands via "cmd.exe", transfer files, update its C2 server address, and drop and execute additional payloads. C2 over an unusual UDP port deserves a dedicated detection: egress policies and network sensors that concentrate on TCP and on 53/udp leave other UDP flows under-inspected.

  7. 02.12.2025 15:37 3 articles · 5mo ago

    MuddyWater Targets Israeli Entities with MuddyViper Backdoor

    MuddyWater has targeted Israeli entities across academia, engineering, local government, manufacturing, technology, transportation, and utilities, plus one technology company in Egypt, delivering a previously undocumented backdoor called MuddyViper. The attack chains combine spear-phishing with exploitation of known vulnerabilities in VPN infrastructure to get into networks and deploy legitimate remote management tools. A loader named Fooder decrypts and executes the C/C++ MuddyViper backdoor, which supports 20 commands for covert access and control: collecting system information, executing files and shell commands, transferring files, and exfiltrating Windows login credentials and browser data. The supporting toolset includes go-socks5 reverse tunnelling proxies; the open-source HackBrowserData utility for harvesting data from several browsers; VAXOne, a backdoor that impersonates Veeam, AnyDesk, Xerox, and the OneDrive updater service; CE-Notes, a browser-data stealer that tries to defeat Google Chrome's app-bound encryption by stealing the encryption key stored in the Local State file of Chromium-based browsers; Blub, a C/C++ stealer that gathers saved login data from Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera; and LP-Notes, a C/C++ credential stealer that displays a fake Windows Security dialog to trick users into entering their system username and password.

  8. 22.10.2025 18:00 7 articles · 6mo ago

    MuddyWater Phishing Campaign Using Compromised Mailboxes

    A MuddyWater phishing campaign that began on August 19, 2025 sent emails from compromised mailboxes; the actor is also tracked as Static Kitten, Mercury, and Seedworm. The emails carried malicious Word documents whose macro code decoded the FakeUpdate malware loader and wrote it to disk. FakeUpdate decrypts an embedded, AES-encrypted payload, the Phoenix backdoor, which persists by modifying a Windows Registry entry; Phoenix version 4 adds a COM-based persistence mechanism and several other functional changes. Phoenix profiles the victim system, connects to its command-and-control (C2) server via WinHTTP, and then beacons and polls for commands; the commands supported in v4 are Sleep, Upload file, Download file, Start shell, and Update sleep interval. A custom infostealer seen alongside it attempts to exfiltrate the credential databases of Chrome, Opera, Brave, and Edge, extract the saved credentials, and grab the master key needed to decrypt them. The C2 infrastructure also hosted the PDQ software deployment and management utility and the Action1 RMM tool. The server and its server-side C2 component were taken down on August 24, 2025, which likely marks a new stage of the attack.

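Two of the behaviours described in the entries above, DLL sideloading through fmapp.exe and sentinelmemoryscanner.exe and fixed-interval beaconing (90 seconds in the ChromElevator intrusion, 60 seconds for the Darkcomp RAT), lend themselves to telemetry hunts. The Python below is an added example written for this page, not code from Symantec, Rapid7 or the actor: it runs over constructed Sysmon-style image-load records and connection timestamps. The trusted install roots, the sample paths and addresses (documentation ranges), and the 10% jitter tolerance are assumptions.

```python
"""Hunts for DLL sideloading and fixed-interval beaconing over constructed
Sysmon-style records (not real telemetry)."""
from collections import defaultdict
from statistics import mean, pstdev

# Executables the reporting says were abused for sideloading, and the DLLs
# they were made to load (lower-case basenames).
WATCHED_EXES = {"fmapp.exe", "sentinelmemoryscanner.exe"}
WATCHED_DLLS = {"fmapp.dll", "sentinelagentcore.dll"}

# Assumption: vendor code lives under these roots; a watched DLL loaded from
# anywhere else (user profile, Public, ProgramData, Temp) is suspicious.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def _dirname(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[0] + "\\"


def detect_sideload(image_loads):
    """image_loads: Sysmon Event ID 7 (ImageLoad) records as dicts with Image,
    ImageLoaded and SignatureStatus. Returns (Image, ImageLoaded, reason) per hit."""
    hits = []
    for ev in image_loads:
        if _basename(ev["Image"]) not in WATCHED_EXES:
            continue
        if _basename(ev["ImageLoaded"]) not in WATCHED_DLLS:
            continue
        reasons = []
        if not _dirname(ev["ImageLoaded"]).startswith(TRUSTED_PREFIXES):
            reasons.append("DLL loaded from outside a trusted install root")
        if ev.get("SignatureStatus", "").lower() != "valid":
            reasons.append("DLL signature not valid")
        if reasons:
            hits.append((ev["Image"], ev["ImageLoaded"], "; ".join(reasons)))
    return hits


def beacon_periods(connections, tolerance=0.1, min_samples=4):
    """connections: (epoch_seconds, src_ip, dst) tuples. Returns {(src, dst):
    period_seconds} for pairs whose inter-connection gaps have a coefficient of
    variation below `tolerance`, i.e. a near-constant sleep interval."""
    times_by_pair = defaultdict(list)
    for ts, src, dst in connections:
        times_by_pair[(src, dst)].append(ts)
    periodic = {}
    for pair, times in times_by_pair.items():
        if len(times) < min_samples:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mu = mean(gaps)
        if mu > 0 and pstdev(gaps) / mu < tolerance:
            periodic[pair] = round(mu)
    return periodic


# Constructed sample records.
SAMPLE_IMAGE_LOADS = [
    {"Image": r"C:\Users\Public\Libraries\fmapp.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\fmapp.dll",
     "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\SentinelOne\SentinelMemoryScanner.exe",
     "ImageLoaded": r"C:\Program Files\SentinelOne\SentinelAgentCore.dll",
     "SignatureStatus": "Valid"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "SignatureStatus": "Valid"},
]

SAMPLE_CONNECTIONS = (
    # 90-second sleep with +/-1 s jitter (ChromElevator intrusion cadence)
    [(t, "10.0.0.5", "203.0.113.10:443") for t in (0, 91, 180, 269, 360)]
    # 60-second poll (Darkcomp cadence)
    + [(t, "10.0.0.9", "203.0.113.20:80") for t in (10, 70, 131, 190, 250)]
    # irregular, browsing-like traffic: must not be flagged
    + [(t, "10.0.0.5", "203.0.113.30:443") for t in (5, 12, 400, 410, 900)]
)

if __name__ == "__main__":
    for hit in detect_sideload(SAMPLE_IMAGE_LOADS):
        print("sideload:", *hit)
    for (src, dst), period in beacon_periods(SAMPLE_CONNECTIONS).items():
        print(f"beacon: {src} -> {dst} every ~{period}s")
```

The sideload rule deliberately requires the loading process to be one of the watched executables; the same two checks (untrusted directory, invalid signature) generalise to any LOLBin list. The beacon check is a coefficient-of-variation test, so it also catches implants that add small random jitter; widen `tolerance` if the actor's sleep is noisier, and raise `min_samples` to cut false positives from short sessions.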

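Registry-based persistence recurs across these entries (RustyWater, UDPGangster, the ChromElevator intrusion, and the COM-based mechanism added in Phoenix v4). The following is an added Python example, not the vendors' or the actor's code, that classifies constructed Sysmon Event ID 13 (registry value set) records. It treats Run/RunOnce writes and per-user CLSID InprocServer32 registrations as persistence candidates; the page does not say which COM mechanism Phoenix v4 uses, so the per-user CLSID pattern is an assumption about one common form, and the SIDs, paths and CLSID in the sample are made up.

```python
r"""Classify Sysmon Event ID 13 (RegistryEvent, SetValue) records for two
persistence patterns: Run/RunOnce autostart values, and a per-user COM class
registration under HKU\<SID>\Software\Classes\CLSID\{GUID}\InprocServer32,
which shadows the machine-wide class (one common form of COM persistence;
assumption, not something the page specifies)."""
import re

RUN_KEY_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\(run|runonce)\\", re.I)
COM_INPROC_RE = re.compile(
    r"^hku\\[^\\]+\\software\\classes\\clsid\\\{[0-9a-f-]{36}\}\\inprocserver32",
    re.I)
# Locations an unprivileged user can write to; a persisted payload there is
# the strongest signal in this data.
USER_WRITABLE_RE = re.compile(
    r"(\\users\\[^\\]+\\appdata\\|\\users\\public\\|\\programdata\\|\\temp\\)", re.I)


def classify_registry_event(ev):
    """Return (severity, [reasons]) for one Event ID 13 record, or None when
    the write is not a persistence location of interest."""
    if ev.get("EventType") != "SetValue":
        return None
    target, details = ev["TargetObject"], ev.get("Details", "")
    is_com = bool(COM_INPROC_RE.search(target))
    reasons = []
    if RUN_KEY_RE.search(target):
        reasons.append("Run/RunOnce autostart value written")
    if is_com:
        reasons.append("per-user CLSID InprocServer32 registered (possible COM hijack)")
    if not reasons:
        return None
    # Per-user COM registrations are rare in normal operation, so they are
    # high on their own; a Run key is only high when the payload is somewhere
    # the user could have dropped it.
    severity = "high" if is_com else "low"
    if USER_WRITABLE_RE.search(details):
        reasons.append("payload path is user-writable")
        severity = "high"
    return severity, reasons


def detect_registry_persistence(events, min_severity="low"):
    """Return findings at or above min_severity ('low' or 'high')."""
    order = {"low": 0, "high": 1}
    findings = []
    for ev in events:
        result = classify_registry_event(ev)
        if result and order[result[0]] >= order[min_severity]:
            findings.append({"image": ev["Image"], "target": ev["TargetObject"],
                             "severity": result[0], "reasons": result[1]})
    return findings


# Constructed sample records (SID, CLSID and paths are made up).
SAMPLE_REGISTRY_EVENTS = [
    {"EventType": "SetValue",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\Updater\updater.exe"},
    {"EventType": "SetValue",
     "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32\(Default)",
     "Details": r"C:\ProgramData\cache\comp.dll"},
    {"EventType": "SetValue",
     "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"%windir%\system32\SecurityHealthSystray.exe"},
    {"EventType": "DeleteValue",
     "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Old",
     "Details": ""},
]

if __name__ == "__main__":
    for f in detect_registry_persistence(SAMPLE_REGISTRY_EVENTS):
        print(f["severity"].upper(), f["image"], "->", f["target"], "|", "; ".join(f["reasons"]))
```

Run with `min_severity="low"` for hunting and `"high"` for alerting: the benign SecurityHealth Run value is reported but stays low, while the user-profile autostart and the per-user CLSID registration are both high. Extending the same shape to Event ID 12 (key create) and to HKLM Run keys written by non-installer processes is straightforward.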
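UDPGangster's C2 over 1269/udp is the kind of traffic a TCP-centric egress policy misses. As an added example, not code from the reporting vendors, the Python below scores constructed NetFlow/Zeek-style flow records and flags sustained, two-way UDP conversations from internal hosts to external services on ports that are not common UDP protocols. The port allowlist, the thresholds and the sample addresses (documentation ranges rather than the IOC in the entry) are assumptions.

```python
"""Flag long-lived, bidirectional UDP conversations to external hosts on
uncommon ports, the traffic shape of a UDP-based backdoor. Constructed flow
records only."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# UDP services that legitimately produce long or chatty flows: DNS, DHCP, NTP,
# NetBIOS, SNMP, QUIC, IPsec, syslog, OpenVPN, STUN, mDNS, WireGuard. Tune per estate.
COMMON_UDP_PORTS = {53, 67, 68, 123, 137, 138, 161, 443, 500, 514, 1194, 3478, 4500, 5353, 51820}


def is_internal(ip: str) -> bool:
    """RFC 1918 membership. Deliberately not ipaddress.is_private, which also
    treats the documentation ranges used in the sample below as private."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def score_udp_flow(flow, min_pkts_out=20, min_duration=300):
    """flow: dict with proto, src, dst, dport, pkts_out, pkts_in, duration (s).
    Returns the reasons a flow looks like UDP C2; an empty list means ignore.
    Both conditions are required: an odd port alone is a probe, and a long flow
    on a common port alone is NTP or QUIC."""
    if flow["proto"] != "udp" or not is_internal(flow["src"]) or is_internal(flow["dst"]):
        return []
    reasons = []
    if flow["dport"] not in COMMON_UDP_PORTS:
        reasons.append(f"uncommon UDP destination port {flow['dport']}")
    if flow["pkts_in"] > 0 and flow["pkts_out"] >= min_pkts_out and flow["duration"] >= min_duration:
        reasons.append("sustained two-way exchange")
    return reasons if len(reasons) == 2 else []


def detect_udp_c2(flows):
    """Return (src, 'dst:port', reasons) for every flow that scores."""
    hits = []
    for flow in flows:
        reasons = score_udp_flow(flow)
        if reasons:
            hits.append((flow["src"], f"{flow['dst']}:{flow['dport']}", reasons))
    return hits


# Constructed flow records (documentation address ranges, made-up counts).
SAMPLE_FLOWS = [
    # Hour-long two-way conversation on 1269/udp: the UDPGangster pattern.
    {"proto": "udp", "src": "10.0.0.7", "dst": "198.51.100.22", "dport": 1269,
     "pkts_out": 240, "pkts_in": 238, "duration": 3600},
    # Hourly NTP: long and two-way, but on a common port.
    {"proto": "udp", "src": "10.0.0.7", "dst": "203.0.113.5", "dport": 123,
     "pkts_out": 60, "pkts_in": 60, "duration": 3600},
    # QUIC video stream: busy, but 443/udp is expected.
    {"proto": "udp", "src": "10.0.0.8", "dst": "203.0.113.9", "dport": 443,
     "pkts_out": 5000, "pkts_in": 20000, "duration": 1200},
    # Internal DNS: destination is inside the estate.
    {"proto": "udp", "src": "10.0.0.7", "dst": "10.0.0.2", "dport": 53,
     "pkts_out": 900, "pkts_in": 900, "duration": 3600},
    # Single unanswered datagram to an odd port: a probe, not a channel.
    {"proto": "udp", "src": "10.0.0.9", "dst": "203.0.113.40", "dport": 7777,
     "pkts_out": 1, "pkts_in": 0, "duration": 0},
]

if __name__ == "__main__":
    for src, dst, reasons in detect_udp_c2(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {'; '.join(reasons)}")
```

The allowlist is the weak point of any port-based rule, so pair this with a baseline of which external UDP destinations each host normally talks to and alert on new ones; an implant that moves its C2 to 443/udp would pass this check but would still be a new destination.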

Similar Happenings

Active exploitation of Ivanti EPMM and Palo Alto PAN-OS vulnerabilities alongside new Linux RAT and cloud credential harvesting campaigns

Wide-ranging exploitation activity observed this week encompassing critical software vulnerabilities, new Linux malware families, cloud-focused credential theft, and espionage operations masquerading as ransomware. Attackers are weaponizing CVE-2026-6973 in Ivanti Endpoint Manager Mobile (EPMM) for remote code execution with administrative privileges, while Palo Alto PAN-OS CVE-2026-0300 is being exploited to achieve root-level access on PA-Series and VM-Series firewalls. Concurrently, a new modular Linux remote access trojan named Quasar Linux RAT (QLNX) has emerged with P2P mesh networking, kernel-level rootkit capabilities, and PAM authentication backdoors, enabling resilient persistence and lateral movement across Linux and cloud infrastructure. Credential harvesting campaigns are escalating, with one campaign replacing TeamPCP malware to steal cloud and developer credentials while propagating via open cloud infrastructure and Common Crawl data. Iranian state-sponsored actor MuddyWater conducted an espionage operation disguised as Chaos ransomware activity to obfuscate true objectives. Supply chain compromises affected DAEMON Tools and JDownloader, delivering data miners, QUIC RAT implants, and Python-based RATs. Phishing campaigns are increasingly leveraging legitimate Remote Monitoring and Management (RMM) tools such as SimpleHelp and ScreenConnect to establish persistent remote access. The combined impact includes unauthorized access to enterprise networks, cloud environments, and operational technology systems, with demonstrated ability to exfiltrate data, deploy secondary payloads, and persist across reboots and updates.

Compromise of Ruby gems and Go modules via poisoned packages leads to credential theft and CI pipeline manipulation

A dual-pronged software supply chain attack continues to unfold, with initial compromise via poisoned Ruby gems and Go modules tied to the GitHub account “BufferZoneCorp” for credential theft and CI pipeline manipulation. Concurrently, the GemStuffer campaign abuses the RubyGems registry as a data transport channel, embedding scraped content from U.K. local government council portals (Lambeth, Wandsworth, Southwark) into more than 150 valid .gem archives and republishing them using hardcoded API keys. New vendor research highlights automated scraper-worm mechanics, noisy but intentional execution indicative of testing or registry abuse, and direct API uploads that bypass the gem CLI. Security teams are advised to audit /tmp folders, block unauthorized gem pushes in CI pipelines, and lock down the systems allowed to publish to public registries.

ZionSiphon OT malware targeting Israeli water infrastructure; sabotage logic identified

A new operational technology (OT)-focused malware named ZionSiphon has been identified with capabilities to manipulate water treatment and desalination systems in Israel. The malware contains sabotage logic designed to increase chlorine levels to dangerous concentrations and adjust hydraulic pressures via a function named 'IncreaseChlorineLevel().' It also includes a flawed encryption-based validation mechanism that currently prevents execution, triggering a self-destruct routine instead. Targeting is confirmed by IP range checks and OT software detection, though an XOR-based logic error causes these checks to fail. The malware’s current iteration remains non-functional, but researchers warn that a minor fix could activate its destructive payload.

Compromise of CPUID distribution channels delivers trojanized system monitoring tools

A threat actor compromised CPUID’s distribution infrastructure to deliver trojanized versions of CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor between April 9–10, 2026, deploying the STX RAT alongside a multi-stage installer using DLL side-loading. The compromise lasted approximately 19 hours, affecting at least 150 victims across multiple sectors and geographies, with the attackers reusing infrastructure and tactics from a prior FileZilla campaign. CPUID confirmed the breach was limited to distribution links and has since restored clean versions, though the developer’s unavailability during the incident may have contributed to the prolonged exposure.

Hive0163 Deploys AI-Assisted Slopoly Malware for Persistent Access

Hive0163, a financially motivated threat actor, has been observed using a new AI-assisted malware called Slopoly to maintain persistent access in ransomware attacks. The malware, discovered in early 2026, is part of a command-and-control (C2) framework and was deployed during the post-exploitation phase of an attack. Slopoly is believed to have been developed with the help of a large language model (LLM), although it lacks advanced polymorphic capabilities. The malware functions as a backdoor, beaconing system information to a C2 server and executing commands. Hive0163 is also known for using other malicious tools like NodeSnake, Interlock RAT, and JunkFiction loader in their operations. The attack leveraged the ClickFix social engineering tactic to trick victims into running a PowerShell command. Hive0163 uses initial access brokers like TA569 and TAG-124 for establishing a foothold. The Interlock ransomware payload is a 64-bit Windows executable delivered via the JunkFiction loader, and Hive0163 may have associations with the developers behind Broomstick, SocksShell, PortStarter, SystemBC, and the Rhysida ransomware operators.