MuddyWater RustyWater spear-phishing campaign against Middle East entities
Campaign
Summary
MuddyWater is conducting an active spear-phishing campaign against diplomatic, maritime, financial, and telecom entities in the Middle East, using RustyWater to gain access and control. The lure chain relies on malicious Word documents and an "Enable content" prompt to trigger a malicious VBA macro. The operation adds asynchronous C2, anti-analysis, and registry persistence, making the malware set harder to detect and remove.
Related Happenings
MuddyWater broad cyber-espionage campaign across sectors and countries
Campaign
First: 14.05.2026 00:59
Last: 14.05.2026 00:59
Sources 1
About this happening:
**MuddyWater** was tied to a **2026 espionage campaign** affecting **at least nine organizations** across **nine countries** on **four continents**, with victims in **industrial a...
DRILLAPP JavaScript backdoor through Microsoft Edge
Malware Activity
First: 16.03.2026 11:07
Last: 16.03.2026 11:07
Sources 1
About this happening:
Observed in **February 2026**, the **DRILLAPP** backdoor now runs through **Microsoft Edge**, giving it **file access** plus access to the **microphone**, **webcam**, and **screen...
Windows 11 Insider Preview adds secure batch-file execution controls
Security Tool/Service
First: 27.02.2026 22:00
Last: 27.02.2026 22:00
Sources 1
About this happening:
**Microsoft** is adding a more secure batch-file and CMD-script execution mode in **Windows 11 Insider Preview builds**, which matters for **enterprise scripted workflows** that n...
MuddyWater Operation Olalampo campaign targeting MENA organizations and individuals
Campaign
First: 23.02.2026 09:25
Last: 23.02.2026 09:25
Sources 1
About this happening:
The **MuddyWater** campaign **Operation Olalampo** is actively targeting organizations and individuals across **MENA**, creating ongoing risk of remote compromise and follow-on in...
MuddyWater GhostFetch, HTTP_VIP, CHAR, and GhostBackDoor malware activity
Malware Activity
First: 23.02.2026 09:25
Last: 23.02.2026 09:25
Sources 1
About this happening:
MuddyWater's **new malware toolkit** now includes **GhostFetch**, **HTTP_VIP**, **CHAR**, and **GhostBackDoor**, extending **multi-stage delivery** and **remote-control capability...
Timeline
- 10.01.2026 12:35 · 2 articles
CloudSEK details MuddyWater RustyWater spear-phishing campaign
Initial Disclosure
MuddyWater is described as running a spear-phishing campaign against diplomatic, maritime, financial, and telecom entities in the Middle East using a Rust-based implant called RustyWater. The payload is delivered through malicious Word documents and an "Enable content" lure that triggers a malicious VBA macro, while the implant gathers victim machine information, detects security software, sets Windows Registry persistence, and reaches the C2 server "nomercys.it[.]com". The group is also linked to the aliases Mango Sandstorm, Static Kitten, and TA450 and is assessed as affiliated with Iran's Ministry of Intelligence and Security (MOIS).
Sources:
- MuddyWater Launches RustyWater RAT via Spear-Phishing Across Middle East Sectors — thehackernews.com — 10.01.2026 12:35