CyberHappenings

MuddyWater Expands Global Campaigns with New Backdoors Targeting US and Israeli Entities

4 unique sources, 11 articles

Summary


The MuddyWater threat actor, linked to Iran’s Ministry of Intelligence and Security (MOIS) and also known as Static Kitten, Mango Sandstorm, and Seedworm, has continued to refine its global espionage campaigns by masquerading as ransomware operations to obscure state-sponsored activity. In early 2026, the group conducted an intrusion disguised as a Chaos ransomware attack, leveraging Microsoft Teams for social engineering to establish screen-sharing sessions, steal credentials, and deploy remote management tools like AnyDesk and DWAgent. The operation included extortion emails directing victims to a ransomware leak site, but no file-encrypting malware was deployed, confirming the use of ransomware-as-a-decoy tactics. The attackers deployed a custom RAT named Darkcomp (Game.exe), signed with a previously linked certificate, and dropped via a loader named *ms_upd.exe*. The backdoor features anti-analysis checks and supports 12 commands, including PowerShell execution and persistent shell access. Rapid7 researchers attribute the campaign to MuddyWater with moderate confidence, citing infrastructure overlap, code-signing certificates, and operational tradecraft. This follows a late 2025 incident where MuddyWater used Qilin ransomware for similar deception, suggesting an evolving pattern of false-flag operations to evade detection. Additionally, MuddyWater has been linked to a campaign targeting Omani government institutions, exfiltrating over 26,000 Ministry of Justice records, and pro-Iran-aligned hacktivist groups like Handala Hack have escalated activities, including leaking sensitive documents from the Port of Fujairah in the UAE. Earlier campaigns targeted over 100 organizations globally, including government entities, diplomatic missions, and telecommunications firms in the MENA region, using phishing emails with malicious Word documents to drop backdoors like Phoenix v4, MuddyViper, UDPGangster, and RustyWater. 
The group has also targeted Israeli sectors across academia, engineering, and local government, as well as US companies with backdoors such as Dindoor and Fakeset. The shift from PowerShell-based tools to Rust-based implants and now ransomware decoys underscores MuddyWater’s adaptability and focus on evading attribution while pursuing espionage objectives.

Timeline

  1. 06.05.2026 16:00 3 articles · 1d ago

    MuddyWater Conducts False-Flag Ransomware Intrusion with Darkcomp RAT

    In early 2026, MuddyWater conducted an intrusion disguised as a Chaos ransomware attack, using Microsoft Teams social engineering to engage victims in screen-sharing sessions. The attackers stole credentials—via phishing pages masquerading as Microsoft Quick Assist or by tricking victims into typing passwords into local text files—manipulated MFA protections, and deployed remote management tools (AnyDesk, DWAgent) to establish persistence and exfiltrate data. Extortion emails directed victims to a Chaos ransomware leak site, but no file-encrypting malware was deployed, confirming the use of ransomware-as-a-decoy tactics. The operation involved a malware loader (*ms_upd.exe*, also known as Stagecomp) that collected system information and reached out to a C2 server (172.86.126[.]208) to drop next-stage payloads, including *game.exe* (Darkcomp RAT), *WebView2Loader.dll* (a legitimate DLL required by Microsoft Edge WebView2), and *visualwincomp.txt* (an encrypted configuration for C2 information). The Darkcomp RAT, a trojanized version of the Microsoft WebView2APISample project, connects to the C2 server every 60 seconds to poll for commands, supporting PowerShell/CMD execution, file operations, and persistent shell access. The campaign’s links to MuddyWater are reinforced by the use of a code-signing certificate attributed to 'Donald Gay' to sign *ms_upd.exe*, a certificate previously used by the group to sign its malware, including the CastleLoader downloader Fakeset. Rapid7 researchers attribute the incident to MuddyWater with moderate confidence, citing infrastructure overlap, the reused code-signing certificate, and alignment with the group’s known tradecraft. This follows a late 2025 attack where MuddyWater used Qilin ransomware for similar deception against an Israeli organization, suggesting a deliberate pivot to Chaos branding after prior attribution to Iranian MOIS operatives.

  2. 06.03.2026 17:15 2 articles · 2mo ago

    MuddyWater Targets US Companies with Dindoor and Fakeset Backdoors

    The MuddyWater threat actor has targeted US companies in a new campaign that started in early February 2026. The campaign involves a previously unknown backdoor dubbed 'Dindoor' that leverages Deno for execution and is signed with a certificate issued to 'Amy Cherne'. An attempt to exfiltrate data from a software company using Rclone to a Wasabi cloud storage bucket was observed. A different, Python backdoor called Fakeset was found on the networks of a US airport, signed by certificates issued to 'Amy Cherne' and 'Donald Gay'. The Donald Gay certificate has been used previously to sign malware linked to MuddyWater, including the Darkcomp backdoor. In early 2026, MuddyWater also conducted an intrusion masquerading as a Chaos ransomware attack, using social engineering via Microsoft Teams to establish screen-sharing sessions, steal credentials, and deploy remote management tools like AnyDesk and DWAgent. The operation included extortion emails and the deployment of the Darkcomp RAT, signed with a certificate linked to MuddyWater’s prior campaigns.

  3. 23.02.2026 09:25 1 article · 2mo ago

    MuddyWater Launches Operation Olalampo with New Malware Families

    The MuddyWater threat actor has launched a new campaign codenamed Operation Olalampo targeting organizations and individuals in the Middle East and North Africa (MENA) region. The campaign involves the deployment of new malware families including GhostFetch, HTTP_VIP, CHAR, and GhostBackDoor. GhostFetch is a first-stage downloader that profiles the system, validates mouse movements, checks screen resolution, and fetches and executes secondary payloads directly in memory. GhostBackDoor is a second-stage backdoor delivered by GhostFetch that supports an interactive shell, file read/write, and re-running GhostFetch. HTTP_VIP is a native downloader that conducts system reconnaissance and deploys AnyDesk from the C2 server. CHAR is a Rust backdoor controlled by a Telegram bot (username "stager_51_bot") that executes cmd.exe or PowerShell commands. The PowerShell command executed by CHAR is designed to execute a SOCKS5 reverse proxy or another backdoor named Kalim, upload data stolen from web browsers, and run unknown executables referred to as "sh.exe" and "gshdoc_release_X64_GUI.exe." The MuddyWater threat actor has been observed exploiting recently disclosed vulnerabilities on public-facing servers to obtain initial access.

  4. 10.01.2026 12:35 2 articles · 3mo ago

    MuddyWater Deploys RustyWater RAT in New Campaign

    The MuddyWater threat actor has launched a new campaign targeting diplomatic, maritime, financial, and telecom entities in the Middle East with a Rust-based implant codenamed RustyWater. The campaign uses icon spoofing and malicious Word documents to deliver Rust-based implants capable of asynchronous C2, anti-analysis, registry persistence, and modular post-compromise capability expansion. The RustyWater implant gathers victim machine information, detects installed security software, sets up persistence by means of a Windows Registry key, and establishes contact with a command-and-control (C2) server (nomercys.it[.]com) to facilitate file operations and command execution. The RustyWater implant is also referred to as Archer RAT and RUSTRIC. The use of RUSTRIC was previously flagged by Seqrite Labs as part of attacks targeting IT, MSPs, human resources, and software development companies in Israel. Historically, MuddyWater has relied on PowerShell and VBS loaders for initial access and post-compromise operations, but the introduction of Rust-based implants represents a notable tooling evolution toward more structured, modular, and low-noise RAT capabilities.

  5. 08.12.2025 08:46 2 articles · 5mo ago

    MuddyWater Deploys UDPGangster Backdoor in Targeted Campaign

    The MuddyWater threat actor has deployed a new backdoor called UDPGangster that uses the User Datagram Protocol (UDP) for command-and-control (C2) purposes. The attack chain involves using spear-phishing tactics to distribute booby-trapped Microsoft Word documents that trigger the execution of a malicious payload once macros are enabled. The phishing messages impersonate the Turkish Republic of Northern Cyprus Ministry of Foreign Affairs and purport to invite recipients to an online seminar titled "Presidential Elections and Results." The VBA script in the dropper file conceals any sign of malicious activity by displaying a Hebrew-language decoy image from Israeli telecommunications provider Bezeq about supposed disconnection periods in the first week of November 2025 across various cities in the country. UDPGangster establishes persistence through Windows Registry modifications and includes various anti-analysis checks to resist efforts by security researchers to take it apart. UDPGangster connects to an external server ("157.20.182[.]75") over UDP port 1269 to exfiltrate collected data, run commands using "cmd.exe," transmit files, update the C2 server, and drop and execute additional payloads.

  6. 02.12.2025 15:37 3 articles · 5mo ago

    MuddyWater Targets Israeli Entities with MuddyViper Backdoor

    The MuddyWater threat actor has targeted Israeli entities spanning the academia, engineering, local government, manufacturing, technology, transportation, and utilities sectors, delivering a previously undocumented backdoor called MuddyViper; the attacks also singled out one technology company based in Egypt. The attack chains involve spear-phishing and the exploitation of known vulnerabilities in VPN infrastructure to infiltrate networks and deploy legitimate remote management tools. A loader named Fooder decrypts and executes the C/C++-based MuddyViper backdoor, which enables the attackers to collect system information, execute files and shell commands, transfer files, and exfiltrate Windows login credentials and browser data; it supports 20 commands that facilitate covert access and control of infected systems. The campaign also uses go-socks5 reverse tunneling proxies and the open-source utility HackBrowserData to collect data from several browsers, together with a set of supporting tools: VAXOne, a backdoor that impersonates Veeam, AnyDesk, Xerox, and the OneDrive updater service; CE-Notes, a browser-data stealer that attempts to bypass Google Chrome's app-bound encryption by stealing the encryption key stored in the Local State file of Chromium-based browsers; Blub, a C/C++ browser-data stealer that gathers user login data from Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera; and LP-Notes, a C/C++ credential stealer that tricks users into entering their system username and password by displaying a fake Windows Security dialog.

  7. 22.10.2025 18:00 7 articles · 6mo ago

    MuddyWater Phishing Campaign Using Compromised Mailboxes

    The campaign started on August 19, 2025. The threat actor is also known as Static Kitten, Mercury, and Seedworm. The emails contained malicious Word documents with macro code that decoded and wrote the FakeUpdate malware loader to disk. The FakeUpdate loader decrypts the Phoenix backdoor, an embedded, AES-encrypted payload. Phoenix establishes persistence by modifying a Windows Registry entry; version 4 adds a COM-based persistence mechanism and several functional differences. The backdoor gathers information about the system to profile the victim, then connects to its command-and-control (C2) server via WinHTTP and starts to beacon and poll for commands. The supported commands in Phoenix v4 include Sleep, Upload file, Download file, Start shell, and Update sleep interval time. The custom infostealer attempts to exfiltrate the database from Chrome, Opera, Brave, and Edge browsers, extract credentials, and snatch the master key to decrypt them. The C2 infrastructure included the PDQ utility for software deployment and management, and the Action1 RMM tool. The server and server-side C2 component were taken down on August 24, 2025, likely indicating a new stage of the attack.

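The timeline entries above quote several defanged network indicators: the Stagecomp/Darkcomp C2 at 172.86.126[.]208, which the RAT polls every 60 seconds, the RustyWater C2 host nomercys.it[.]com, and the UDPGangster C2 at 157.20.182[.]75 on UDP port 1269. The Python below is an added example for this page, not code from CyberHappenings or from any of the cited reports: it refangs those indicators, matches them against firewall log lines, and flags internal hosts whose connections to an indicator recur at a fixed interval. The key=value log format and the sample log lines are constructed for illustration; the 60-second default period is the one the Darkcomp description gives.

```python
"""Match the defanged network indicators quoted in the timeline above
against firewall log lines and flag fixed-interval beaconing.

Added example for this page, not code from any cited report. The IoCs are
the ones quoted in the timeline; the key=value log format and the sample
lines are constructed for illustration.
"""
import re
from datetime import datetime, timezone

# Defanged indicators exactly as quoted in the timeline entries.
# Value: (malware family, required (proto, dport) or None for any port).
DEFANGED_IOCS = {
    "172.86.126[.]208": ("Stagecomp/Darkcomp", None),   # C2 polled every 60 s
    "157.20.182[.]75": ("UDPGangster", ("udp", 1269)),  # UDP C2 on port 1269
    "nomercys.it[.]com": ("RustyWater", None),          # C2 hostname
}


def refang(ioc: str) -> str:
    """Undo the '[.]' / 'hxxp' defanging used in published reports."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


# Constructed log format (not a real vendor format): space-separated key=value
# pairs; 'host=' is present only when a proxy saw the destination hostname.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)(?: host=(?P<host>\S+))?$"
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return rec


def match_iocs(lines):
    """Return (timestamp, src, family) for each line that touches a known IoC.

    An indicator with a transport/port constraint only matches when the
    line's proto and dport agree, so unrelated traffic to the same address
    is not attributed to that family.
    """
    iocs = {refang(k): v for k, v in DEFANGED_IOCS.items()}
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for field in ("dst", "host"):
            value = rec.get(field)
            if value not in iocs:
                continue
            family, constraint = iocs[value]
            if constraint and (rec["proto"], rec["dport"]) != constraint:
                continue
            hits.append((rec["ts"], rec["src"], family))
    return hits


def is_beaconing(timestamps, period_s=60, jitter_s=5, min_events=4):
    """True when connections recur at a fixed interval, within jitter."""
    ts = sorted(timestamps)
    if len(ts) < min_events:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return all(abs(g - period_s) <= jitter_s for g in gaps)


def beaconing_sources(hits, **kwargs):
    """Group IoC hits by (src, family) and keep the pairs that beacon."""
    by_key = {}
    for ts, src, family in hits:
        by_key.setdefault((src, family), []).append(ts)
    return sorted(k for k, v in by_key.items() if is_beaconing(v, **kwargs))


# Constructed sample traffic: one host polling the Darkcomp C2 roughly every
# minute, one UDPGangster check-in (plus a TCP/80 flow that must not match),
# one RustyWater hostname lookup, and benign TEST-NET traffic.
SAMPLE_LOGS = [
    "2026-05-06T16:00:00Z proto=tcp src=10.0.0.5 dst=172.86.126.208 dport=443",
    "2026-05-06T16:01:00Z proto=tcp src=10.0.0.5 dst=172.86.126.208 dport=443",
    "2026-05-06T16:02:01Z proto=tcp src=10.0.0.5 dst=172.86.126.208 dport=443",
    "2026-05-06T16:02:59Z proto=tcp src=10.0.0.5 dst=172.86.126.208 dport=443",
    "2026-05-06T16:03:00Z proto=tcp src=10.0.0.7 dst=198.51.100.20 dport=443",
    "2026-05-06T16:03:30Z proto=udp src=10.0.0.9 dst=157.20.182.75 dport=1269",
    "2026-05-06T16:03:31Z proto=tcp src=10.0.0.9 dst=157.20.182.75 dport=80",
    "2026-05-06T16:04:00Z proto=tcp src=10.0.0.11 dst=203.0.113.9 dport=443 host=nomercys.it.com",
]

if __name__ == "__main__":
    hits = match_iocs(SAMPLE_LOGS)
    for ts, src, family in hits:
        print(f"{ts.isoformat()} {src} -> {family}")
    for src, family in beaconing_sources(hits):
        print(f"beaconing: {src} to {family} C2 (~60 s period)")
```

On the constructed sample, the four Darkcomp polls from 10.0.0.5 arrive 58 to 61 seconds apart and are reported as beaconing, the single UDP/1269 check-in from 10.0.0.9 is attributed to UDPGangster while its TCP/80 flow to the same address is not, and the RustyWater match comes from the hostname field rather than the destination IP. The jitter tolerance matters in practice: a fixed-period poller still drifts by a second or two through scheduling and network delay, so an exact-interval check would miss it.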

Similar Happenings

ZionSiphon OT malware targeting Israeli water infrastructure; sabotage logic identified

A new operational technology (OT)-focused malware named ZionSiphon has been identified with capabilities to manipulate water treatment and desalination systems in Israel. The malware contains sabotage logic designed to increase chlorine levels to dangerous concentrations and adjust hydraulic pressures via a function named 'IncreaseChlorineLevel().' It also includes a flawed encryption-based validation mechanism that currently prevents execution, triggering a self-destruct routine instead. Targeting is confirmed by IP range checks and OT software detection, though an XOR-based logic error causes these checks to fail. The malware’s current iteration remains non-functional, but researchers warn that a minor fix could activate its destructive payload.

Compromise of CPUID distribution channels delivers trojanized system monitoring tools

A threat actor compromised CPUID’s distribution infrastructure to deliver trojanized versions of CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor between April 9–10, 2026, deploying the STX RAT alongside a multi-stage installer using DLL side-loading. The compromise lasted approximately 19 hours, affecting at least 150 victims across multiple sectors and geographies, with the attackers reusing infrastructure and tactics from a prior FileZilla campaign. CPUID confirmed the breach was limited to distribution links and has since restored clean versions, though the developer’s unavailability during the incident may have contributed to the prolonged exposure.

Hive0163 Deploys AI-Assisted Slopoly Malware for Persistent Access

Hive0163, a financially motivated threat actor, has been observed using a new AI-assisted malware called Slopoly to maintain persistent access in ransomware attacks. The malware, discovered in early 2026, is part of a command-and-control (C2) framework and was deployed during the post-exploitation phase of an attack. Slopoly is believed to have been developed with the help of a large language model (LLM), although it lacks advanced polymorphic capabilities. The malware functions as a backdoor, beaconing system information to a C2 server and executing commands. Hive0163 is also known for using other malicious tools like NodeSnake, Interlock RAT, and JunkFiction loader in their operations. The attack leveraged the ClickFix social engineering tactic to trick victims into running a PowerShell command. Hive0163 uses initial access brokers like TA569 and TAG-124 for establishing a foothold. The Interlock ransomware payload is a 64-bit Windows executable delivered via the JunkFiction loader, and Hive0163 may have associations with the developers behind Broomstick, SocksShell, PortStarter, SystemBC, and the Rhysida ransomware operators.

Iranian Hacktivist Group Claims Wiper Attack on Stryker

The Iranian hacktivist group Handala—linked to Iran’s Ministry of Intelligence and Security (MOIS)—conducted a destructive wiper attack against Stryker, a U.S. Fortune 500 medical technology company, on March 11, 2026. The attack affected over 200,000 systems across 79 countries, disrupted operations in Ireland, and sent over 5,000 workers home. Handala claimed responsibility, citing retaliation for a U.S. missile strike. The attack leveraged Microsoft Intune to issue remote wipe commands and defaced Stryker’s Entra login page. Stryker confirmed the incident in an SEC filing and reported no evidence of data exfiltration. Recovery efforts prioritized restoring supply-chain systems. In a separate but related development, Handala breached the personal email account of FBI Director Kash Patel on March 28, 2026, and leaked historical emails from 2010 and 2019. The FBI acknowledged the targeting and stated the leaked data was not government-related. Handala operates under multiple monikers, including Banished Kitten and Void Manticore, and has integrated criminal tools such as Rhadamanthys stealer to enhance its operations. The group’s activities align with broader Iranian cyber operations targeting Western entities amid heightened geopolitical tensions, including destructive attacks, hack-and-leak campaigns, and psychological influence operations. U.S. authorities have seized multiple domains linked to Handala and offered a $10 million reward for information on group members.

Multi-actor campaigns abuse Microsoft Teams for initial access and data theft

A phishing campaign targeting financial and healthcare organizations uses Microsoft Teams to impersonate IT staff and trick victims into granting remote access via Quick Assist, deploying the A0Backdoor malware. The campaign, linked to the BlackBasta ransomware group, uses sophisticated TTPs including digitally signed MSI installers, DNS MX-based C2 communication, and DLL sideloading with legitimate Microsoft binaries. A separate intrusion attributed to UNC6692 leverages Microsoft Teams social engineering to deploy the 'Snow' malware suite—comprising a browser extension, tunneler, and backdoor—for credential theft and domain takeover, with post-compromise activities including reconnaissance, lateral movement via pass-the-hash, and exfiltration of Active Directory assets. The A0Backdoor campaign involves multi-stage attack chains beginning with external Teams chats impersonating IT staff to initiate Quick Assist sessions, followed by reconnaissance, DLL sideloading with signed applications, lateral movement via WinRM, and targeted exfiltration using Rclone. The Snow intrusion contrasts this approach with a modular malware suite (SnowBelt, SnowBasin, SnowGlaze), WebSocket-based C2, SOCKS proxy capabilities, and exfiltration via LimeWire, indicating distinct actor goals and tooling.