Home Cyber Security Iran’s MuddyWater Targets Israel in New Spear-Phishing Cyber Marketing campaign

Iran’s MuddyWater Targets Israel in New Spear-Phishing Cyber Marketing campaign

Iran’s MuddyWater Targets Israel in New Spear-Phishing Cyber Marketing campaign


Nov 02, 2023NewsroomCyber Assault / Malware

Spear-Phishing Cyber Campaign

The Iranian nation-state actor referred to as MuddyWater has been linked to a brand new spear-phishing marketing campaign focusing on two Israeli entities to in the end deploy a reliable distant administration software from N-able referred to as Superior Monitoring Agent.

Cybersecurity agency Deep Intuition, which disclosed particulars of the assaults, stated the marketing campaign “displays up to date TTPs to beforehand reported MuddyWater exercise,” which has, prior to now, used related assault chains to distribute different distant entry instruments like ScreenConnect, RemoteUtilities, Syncro, and SimpleHelp.

Whereas the newest improvement marks the primary time MuddyWater has been noticed utilizing N-able’s distant monitoring software program, it additionally underscores the truth that the largely unchanged modus operandi continues to yield some degree of success for the menace actor.


The findings have additionally been individually confirmed by cybersecurity firm Group-IB in a publish shared on X (previously Twitter).

The state-sponsored group is a cyber espionage crew that is stated to be a subordinate component inside Iran’s Ministry of Intelligence and Safety (MOIS), becoming a member of different MOIS-affiliated clusters like OilRig, Lyceum, Agrius, and Scarred Manticore. It has been lively since not less than 2017.

Prior assault sequences have entailed sending spear-phishing emails with direct hyperlinks in addition to HTML, PDF, and RTF attachments containing hyperlinks to archives hosted on numerous file-sharing platforms that in the end drop one of many aforementioned distant administration instruments.

The newest ways and instruments signify in some methods a continuation, and in different methods an evolution, for the group variously referred to as Mango Sandstorm and Static Kitten.

What’s completely different this time round is the usage of a brand new file-sharing service referred to as Storyblok to provoke a multi-stage an infection vector.

“It comprises hidden recordsdata, an LNK file that initiates the an infection, and an executable file designed to unhide a decoy doc whereas executing Superior Monitoring Agent, a distant administration software,” safety researcher Simon Kenin stated in a Wednesday evaluation.


“After the sufferer has been contaminated, the MuddyWater operator will connect with the contaminated host utilizing the reliable distant administration software and can begin doing reconnaissance on the goal.”

The lure doc exhibited to the sufferer is an official memo from the Israeli Civil Service Fee, which will be publicly downloaded from its official web site.

In an additional signal of Iran’s quick bettering malicious cyber capabilities, Deep Intuition stated it additionally noticed the MuddyWater actors leveraging a brand new command-and-control (C2) framework referred to as MuddyC2Go, a successor to MuddyC3 and PhonyC2.

Discovered this text fascinating? Observe us on Twitter and LinkedIn to learn extra unique content material we publish.



Please enter your comment!
Please enter your name here