From Shadows to Spotlight: Iran’s MuddyWater Group Strikes Again

less than 1 minute read

MuddyWater, an Iranian state-aligned advanced persistent threat (APT) group, has been actively spying on an unnamed Middle Eastern government for eight months. The group is also known by various other names, such as APT34, Crambus, Helix Kitten, and OilRig.

The campaign initiated on Feb. 1 with an unknown PowerShell script from a suspicious directory.

MuddyWater employed four custom malware tools in its campaign, three of which were unfamiliar to cybersecurity experts. These include:

Backdoor.Tokel: Downloads files and executes arbitrary PowerShell commands.
Trojan.Dirps: Used for PowerShell commands and enumerates files in a directory.
Infostealer.Clipog: Capable of keylogging, logging processes for keystrokes, and copying clipboard data.
Backdoor.PowerExchange: This PowerShell tool logs into Microsoft Exchange Servers using hardcoded credentials for command-and-control and monitors emails sent by attackers.

In addition to custom tools, MuddyWater also leveraged two popular open-source hacking tools: Mimikatz and Plink.

The group’s success in evading detection for months can be credited to its choice of tools. Introducing new tools and using legitimate ones does not raise immediate suspicions, making detection challenging.

Download Toolset

Share on

Twitter Facebook LinkedIn

Professor Galde

From Shadows to Spotlight: Iran’s MuddyWater Group Strikes Again

Share on

You may also enjoy

Cyber Siege: Long Beach’s Controversial Network Shutdown

Redefining Cyber Extortion: ALPHV’s SEC Complaint Strategy

USB Under Siege: Unraveling the International Reach of LittleDrifter

Evolving Threat of LummaC2 v4.0: A Step Ahead in Cybercrime