
When Your Endpoint Says “New Remote Tool Installed” and You Didn’t Hire Anyone

  • Writer: FAIR INTEL

December 9, 2025


Synopsis

MuddyWater’s campaign reflects a sustained, espionage-driven threat in which targeted spearphishing delivers legitimate-looking RMM installers that subsequently deploy custom loaders, the MuddyViper backdoor, credential stealers, and covert reverse tunnels, enabling persistent access to Windows systems, credential theft, and encrypted data exfiltration across government and critical-infrastructure sectors. Strategically, this intelligence requires organizations to reassess their exposure to state-aligned actors, prioritize governance around RMM usage and credential protections, and plan for long-term defensive investment against multi-stage intrusion operations. Operationally, the findings compel improved monitoring of RMM deployments, email and endpoint behaviors, encrypted outbound traffic, and persistence mechanisms, along with tightening incident-response readiness for complex, multi-tool intrusions. Tactically, security teams must enhance phishing detection, endpoint logging, signature and behavior-based detections for loaders and backdoors, and rapid isolation of compromised systems. Overall risk posture increases due to high threat capability, moderate control strength, and user-driven exploitability, resulting in a meaningful likelihood of harmful compromise if contacted during an active campaign. Financial resilience is affected by potential incident-response costs, service disruption, credential resets, regulatory or contractual exposure, and reputational impact, with modeled loss ranges indicating that even contained events can be materially costly. At the same time, worst-case espionage-driven intrusions may impose multi-million-dollar consequences.


Evaluated Source, Context, and Claim

Artifact Title

MuddyWater: Snakes by the riverbank


Source Type

Vendor threat research blog (ESET WeLiveSecurity article)


Publication Date: December 2, 2025


Credibility Assessment

ESET is a long-standing, well-regarded security vendor with a track record of detailed APT reporting and transparent IOCs, which supports high credibility. The article is technically rich, internally consistent, and aligns with broader public reporting on MuddyWater.


General Claim

Iran-aligned MuddyWater is running a focused cyberespionage campaign against Israeli and Egyptian organizations, deploying new custom tools, including the Fooder loader, MuddyViper backdoor, credential stealers, and reverse tunnels to improve stealth, persistence, and credential theft against government and critical infrastructure networks.

 

Narrative Reconstruction

An Iran-aligned cyberespionage group commonly known as MuddyWater is conducting a targeted campaign against organizations in Israel and Egypt, especially in government, engineering, technology, manufacturing, utilities, transportation, and other critical infrastructure verticals. The operators use a killchain-like flow that starts with spearphishing emails linking to remote-monitoring-and-management installers hosted on third-party file-sharing services, then deploy a layered toolset, including the Fooder loader, the MuddyViper backdoor, credential stealers, browser-data stealers, and Go-based reverse tunnels to gain and maintain access. These tools enable system reconnaissance, remote command execution, credential harvesting from browsers and fake Windows Security dialogs, local staging of stolen data, and encrypted command-and-control over HTTP(S) using reflective loading and evasion techniques to avoid analysis and monitoring. The primary assets at risk are Windows workstations and servers in targeted organizations, their stored credentials and browser data, and the connected internal networks that can be reached via remote tunnels, with an operational goal of sustained espionage-focused access and data exfiltration rather than immediate destructive impact.


Risk Scenario


An Iran-aligned APT group (MuddyWater) uses spearphishing links to deploy remote monitoring tools and custom loaders that install the MuddyViper backdoor and associated credential stealers on Windows systems in a critical-infrastructure or government organization, enabling persistent remote access, credential theft, and exfiltration of sensitive data, which may lead to operational disruption and incident response, legal, and reputational losses.


Threat

Iran-aligned advanced persistent threat actors (MuddyWater and cooperating Iran-nexus groups such as Lyceum/OilRig) are seeking long-term access to government and critical infrastructure networks for espionage and strategic advantage.


Method

Targeted spearphishing with links to RMM installers hosted on file-sharing services, followed by deployment of the Fooder loader, MuddyViper backdoor, credential stealers (CE-Notes, LP-Notes, Blub), and Go-based socks5 reverse tunnels that use reflective loading, token impersonation, sandbox evasion, encrypted C2, and fake Windows Security dialogs to capture credentials and maintain covert access.


Asset

Windows endpoints and servers in government and critical infrastructure organizations (e.g., local government agencies, engineering and manufacturing firms, utilities, transportation, technology, and university environments), along with the credentials, browser data, and internal network access reachable from these systems.


Impact

If successful, the campaign can result in compromise of privileged accounts, theft of sensitive operational and business data, potential misuse of RMM tools for deeper lateral movement, and sustained unauthorized visibility into critical operations, causing losses from incident response and remediation, regulatory or contractual exposure, business interruption, and long-term reputational and geopolitical impacts.

 

Evidentiary Basis for Synopsis and Recommendations

Supporting observations from the analysis help clarify how the threat landscape, control environment, and organizational behaviors interact to shape overall risk exposure. These insights provide the foundation for identifying where controls perform well, where gaps or weaknesses create unnecessary vulnerability, and how attacker methods intersect with real-world operational conditions. Building on these findings, the recommendations that follow focus on strengthening resilience, improving decision-making, and guiding readers toward practical steps that enhance both security posture and risk-informed governance.


FAIR Breakdown

Threat Event Frequency (TEF)

Because the OSINT describes a multi-month, targeted APT campaign with a finite but diverse victim set, TEF for a single similarly profiled organization must be inferred from MuddyWater’s persistence, sector focus, and spearphishing delivery. TEF is likely low-to-moderate for any one organization, reflecting focused but not ubiquitous outreach within prioritized verticals (government, utilities, transportation, manufacturing, and technology).


Contact Frequency (CF)

The campaign relies on spearphishing emails containing links to RMM installers hosted on file-sharing platforms, indicating episodic but deliberate contact rather than continuous scanning or mass phishing. Given MuddyWater’s multi-country victim list and repeated focus on Israeli critical sectors, CF for a single targeted organization is plausibly on the order of a few tailored phishing approaches per year, with higher intensity during active campaigns.


Probability of Action (PoA)

MuddyWater is assessed as an Iran-aligned espionage actor with a history of sustained operations, suggesting high motivation to gain and maintain access to strategic targets. The use of custom loaders, new backdoors, credential stealers, and reverse tunnels, combined with observable cooperation with Lyceum/OilRig, indicates that once contact is made with a viable target, the actors are highly likely to execute their complete toolchain and pursue exploitation rather than abandoning opportunities.


Threat Capability (TCap)

TCap is high, given the breadth and sophistication of the toolset and tradecraft demonstrated in the campaign.


Exploit sophistication: The attack chain blends social engineering (spearphishing links), abuse of legitimate RMM software, reflective loading of AES-encrypted payloads, browser and credential theft, and fake Windows Security dialogs, indicating above-average technical and operational sophistication.


Bypass ability: MuddyViper and related tools use reflective code loading, sandbox and VM evasion via sleep/delay logic, token impersonation, embedded payloads, and encrypted C2, all designed to bypass endpoint protections and analysis tooling.


Tooling maturity: The presence of multiple purpose-built components (Fooder, MuddyViper, CE-Notes, LP-Notes, Blub, customized go socks5 variants) along with consistent cryptographic APIs (CNG, AES-CBC) and extensive status logging suggests a mature, evolving toolkit rather than ad hoc scripts.


Campaign success rate: Historical reporting on MuddyWater indicates repeated successful compromises of multiple organizations across regions and sectors, and the current OSINT lists a sizable victim set, suggesting a moderate-to-high success rate against contacted, sufficiently exposed targets.


Attack path sophistication: The path includes reconnaissance and targeting, spearphishing link delivery, user execution of RMM installers, weaponization of RMM or loaders to deploy MuddyViper and stealers, establishment of persistence via startup folders and scheduled tasks, credential harvesting, reverse-shell operation, and reverse tunnels for covert C2, reflecting a complex, multi-stage operation.


Cost to run the attack: Once the custom tooling and infrastructure are in place, the incremental operational cost is moderate, centered on phishing operations, infrastructure maintenance, and ongoing development; for a state-aligned group, these costs are easily sustainable, making the attack path feasible over extended periods.


Control Strength (CS)

Typical target environments (government, utilities, engineering/manufacturing, universities) have mixed maturity in phishing defenses, EDR deployment, RMM governance, and monitoring of encrypted outbound traffic. Controls may be strong in some segments but weaker in others, particularly regarding user behavior and RMM oversight, resulting in an overall moderate level of control strength.


Resistive Strength (RS)

Effectiveness of preventive/detective controls:

  • Mature email security and phishing filters may block some spearphishing emails or malicious links, but targeted messages with benign-looking RMM installers can bypass generic filters.

  • Endpoint protection and EDR can detect some MuddyWater binaries based on known signatures or behavior, but reflective loading, encrypted payloads, and time-based evasion complicate reliable detection.

  • Strong RMM governance (allowlisting tools, code signing, and monitoring RMM deployments) can significantly reduce the chance that unauthorized RMM-based access persists.

  • Network monitoring and IDS/IPS on egress paths can flag unusual HTTPS traffic to known C2 infrastructure or anomalous file transfers. Still, encrypted C2 and the use of cloud providers can blend into regular traffic.

  • Privileged access management and MFA can limit the impact of stolen credentials, particularly for administrative or remote-access accounts.


Control Failure Rate

  • Weak user training and awareness of spearphishing and RMM abuse can lead users to install unauthorized remote access tools or click links to untrusted file-sharing platforms.

  • Limited inspection of encrypted outbound traffic and insufficient threat-intel integration make it harder to detect AES-encrypted C2 traffic to MuddyWater infrastructure over HTTPS.

  • Inadequate visibility over RMM deployment (shadow or unmanaged tools) allows attackers to piggyback on legitimate remote-access pathways.

  • Gaps in EDR coverage, outdated signatures, or disabled security tooling on specific endpoints create blind spots for loader and backdoor activity.

  • Weak logging, retention, or correlation of Windows startup-folder changes, scheduled tasks, and registry modifications makes persistence harder to detect and remediate.


Susceptibility

Given high threat capability and only moderate control strength, overall susceptibility for a representative critical infrastructure or government organization targeted by MuddyWater is estimated at approximately 45–65 percent. This reflects the chance that, if the organization is contacted with a tailored spearphish during an active campaign, at least one endpoint will be successfully compromised and experience a harmful impact.

Probability the asset will be harmed is influenced by:


Exploitability: User-driven execution of RMM installers and loaders, combined with credential prompts and stealthy C2, means that exploitability is high once a user engages with the phishing link; an exploitability estimate in the 60–75 percent range is reasonable for exposed users lacking strong RMM and EDR governance.

Attack surface: The attack surface includes email users with access to file-sharing platforms, Windows endpoints that permit installation of RMM tools, and outward-facing network paths that allow HTTPS C2; across a typical organization in the cited sectors, 40–60 percent of endpoints may be in scope.

Exposure conditions: Exposure is most significant in organizations that rely on RMM, cloud services, and email attachments for daily operations and that have partner or cross-border ties; during periods of heightened geopolitical tension, staff may see more external communications, raising effective exposure to 55–70 percent of relevant users.

Patch status: Traditional operating-system patching somewhat mitigates commodity exploit risk but offers limited protection against this primarily social-engineering and tool-abuse-driven campaign; patch posture may reduce the success of some secondary tooling but has only a modest impact (perhaps 10–20 percent improvement) on overall susceptibility without complementary controls.


Numerical Frequencies and Magnitudes

All values relating to actual dollar amounts are for example/speculative purposes only. Organizations would need to take into account their own asset values, control strength, telemetry, etc., and adjust numbers accordingly.


Loss Event Frequency (LEF)

1/year (estimated)

  • Justification: TEF is approximated at two relevant campaign contacts per year, with an estimated vulnerability (probability of harm per contact) of 0.5, yielding LEF ≈ 2 × 0.5 = 1 successful harmful event per year on average.

Vulnerability (probability of harm per contact): 0.5

  • Justification: Although controls exist, the combination of targeted spearphishing, RMM abuse, stealthy loaders, and social-engineering credential capture suggests that roughly half of meaningful contacts could lead to at least one materially harmful compromise in a typical but moderately mature environment.


Secondary Loss Event Frequency

0.5/year (estimated)

  • Justification: Not all primary compromise events result in secondary losses such as regulatory scrutiny, partner impacts, or broader business interruption, but credential theft and persistent access make secondary misuse reasonably likely in about 50 percent of primary events.


Loss Magnitude

Estimated range:

  • Min: $100,000

  • Most Likely: $750,000

  • Maximum: $5,000,000

Justification:

  • Minimum reflects a contained endpoint-level compromise requiring forensic investigation, reimaging, limited credential rotation, and modest operational disruption.

  • Most likely reflects broader credential resets, extended IR, potential limited data exposure, temporary disruption of specific services, and increased security spend.

  • Maximum reflects scenarios in which attackers access sensitive operational or governmental data, require large-scale remediation, and cause significant downtime of critical services, but still fall short of catastrophic national-level impact.


Secondary Loss Magnitude (SLM)

Estimated range:

  • Min: $250,000

  • Most Likely: $1,500,000

  • Maximum: $10,000,000

Justification:

  • Secondary losses include regulatory or contractual penalties, reputational damage that impacts funding or customer trust, extended service disruptions, and costs related to public communication and external investigations.

  • Maximum bound accounts for severe cases where exposed data or sustained espionage activities lead to significant business or mission impact, large-scale service interruption, or significant compliance actions.
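As an added worked example (not code from the original post), the following Monte Carlo runs the scenario's own FAIR inputs above (TEF 2/year, vulnerability 0.5, secondary loss in half of primary events, and the two min/most-likely/max loss ranges) to produce an annual loss distribution rather than a single point estimate. The PERT shape for loss magnitude, the Poisson model for contacts, the seed and the iteration count are assumptions.

```python
"""Monte Carlo over the FAIR estimates stated in this analysis (added example; not code from
the original post). Inputs are the page's numbers; the PERT distribution for loss magnitude,
the Poisson model for contacts, the seed and the iteration count are assumptions."""
import math
import random

TEF_PER_YEAR = 2.0          # tailored campaign contacts per year
VULNERABILITY = 0.5         # probability that one contact becomes a harmful event
SECONDARY_PROB = 0.5        # share of primary events that also produce secondary loss
PRIMARY_LOSS = (100_000, 750_000, 5_000_000)        # min, most likely, max
SECONDARY_LOSS = (250_000, 1_500_000, 10_000_000)   # min, most likely, max


def pert_sample(rng, low, mode, high, lam=4.0):
    """Draw from a PERT distribution: a Beta shaped by (min, most likely, max), rescaled."""
    alpha = 1 + lam * (mode - low) / (high - low)
    beta = 1 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)


def poisson_sample(rng, lam):
    """Number of contacts in a year (Knuth's method; adequate for small lambda)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate_year(rng):
    """Return (loss_events, annual_loss) for one simulated year."""
    contacts = poisson_sample(rng, TEF_PER_YEAR)
    events, loss = 0, 0.0
    for _ in range(contacts):
        if rng.random() >= VULNERABILITY:
            continue  # controls held for this contact
        events += 1
        loss += pert_sample(rng, *PRIMARY_LOSS)
        if rng.random() < SECONDARY_PROB:
            loss += pert_sample(rng, *SECONDARY_LOSS)
    return events, loss


def simulate(iterations=20_000, seed=1):
    """Run many years and summarize LEF, probability of any loss, and loss percentiles."""
    rng = random.Random(seed)
    losses, total_events = [], 0
    for _ in range(iterations):
        events, loss = simulate_year(rng)
        total_events += events
        losses.append(loss)
    losses.sort()

    def pct(q):
        return losses[min(int(q * iterations), iterations - 1)]

    return {
        "mean_lef": total_events / iterations,
        "p_any_loss": sum(1 for l in losses if l > 0) / iterations,
        "mean_annual_loss": sum(losses) / iterations,
        "p50": pct(0.5),
        "p90": pct(0.9),
        "p95": pct(0.95),
        "max": losses[-1],
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name:>17}: {value:,.2f}")
```

With these inputs the simulated mean LEF lands near the page's 1/year and the mean annual loss near $2.7M, while the p90/p95 columns show how far the tail extends beyond the most-likely values.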


Mapping, Controls, and Modeling


MITRE ATT&CK Mapping

Reconnaissance

T1591 – Gather Victim Org Information

Reference: “MuddyWater primarily targeted organizations in Israel, but also one in Egypt… Table 1 lists the victims by country and vertical.”

Resource Development

T1583 – Acquire Infrastructure

Reference: “MuddyWater… uses acquired infrastructure to host malware download locations and C&C servers.”

T1608 – Stage Capabilities

Reference: “Initial access is typically achieved through spearphishing emails… hosted on free file-sharing platforms such as OneHub, Egnyte, or Mega.”

T1587.001 – Develop Capabilities: Malware

Reference: “MuddyWater develops backdoors like MuddyViper and tools such as the Fooder loader, LP-Notes credential stealer, and the Blub and CE-Notes browser-data stealers.”

T1588.002 – Obtain Capabilities: Tool

Reference: “Once launched thus, Fooder has been used to deliver not only MuddyViper but also HackBrowserData, an open-source utility…”

Initial Access

T1566.002 – Phishing: Spearphishing Link

Reference: “MuddyWater initiated access through a spearphishing email containing a link to an installer for the Syncro remote monitoring and management (RMM) software.”

Execution

T1059.001 – Command-Line Interface: PowerShell

Reference: “In March and April 2023, MuddyWater… deploying a batch script that downloaded a PowerShell-based backdoor…” and “MuddyViper has the capability to open and execute PowerShell scripts.”

T1059.003 – Command-Line Interface: Windows Command Shell

Reference: “MuddyViper… launches a reverse shell using… C:\windows\system32\cmd.exe (command ID 301).”

T1559.001 – Inter-Process Communication: Component Object Model

Reference: “MuddyViper uses the ITaskService COM object to create a scheduled task for persistence.”

T1106 – Native API

Reference: “Fooder then loads the payload directly into memory using reflective techniques… using the WinCrypt API and the AES key,” and “MuddyViper uses the CreateProcess API to execute additional files and commands.”

T1204.001 – User Execution: Malicious Link

Reference: “Initial access is typically achieved through spearphishing emails… These links lead to the download of RMM tools including Atera, Level, PDQ, and SimpleHelp.”

Persistence

T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Reference: “MuddyViper has two methods of establishing persistence… Its installation directory can be configured as a Windows Startup folder, by setting the following registry values…”

T1543.003 – Create or Modify System Process: Windows Service

Reference: “MuddyWater operators attempt to install RMM tools in %PROGRAMFILES%, which also includes creating a Windows service set to autostart.”

T1053 – Scheduled Task/Job

Reference: “A scheduled task named ManageOnDriveUpdater can launch MuddyViper from the path on each system start.”

Defense Evasion

T1134.001 – Access Token Manipulation: Token Impersonation/Theft

Reference: “Once executed, it attempts to duplicate the token of the specified process via the DuplicateTokenEx API, and then uses CreateProcessAsUserA to execute Fooder,” and “LP-Notes starts by searching for a process named taskhostw.exe… and then impersonating the security context of the process.”

T1140 – Deobfuscate/Decode Files or Information

Reference: “CE-Notes and LP-Notes both use a custom, addition-based routine for string decryption,” and “Fooder… decrypts the embedded payload… using the WinCrypt API and the AES key.”

T1620 – Reflective Code Loading

Reference: “Fooder… loads the payload directly into memory using reflective techniques, allowing it to execute without relying on standard system calls or writing to disk.”

T1497.003 – Virtualization/Sandbox Evasion: Time Based Evasion

Reference: “Another notable characteristic of Fooder is its frequent use of a custom delay function… combined with Sleep API calls… intended to delay execution in an attempt to hide malicious behavior from automated analysis systems.”

T1027.007 – Obfuscated Files or Information: Dynamic API Resolution

Reference: “Finally, to obscure the use of Windows API functions… LP-Notes dynamically resolves the API functions during the C runtime startup… hiding direct references to the API functions.”

T1134.002 – Access Token Manipulation: Create Process with Token

Reference: “Once executed, [the launcher] attempts to duplicate the token of the specified process via the DuplicateTokenEx API, and then uses CreateProcessAsUserA to execute Fooder.”

T1622 – Debugger Evasion

Reference: “MuddyViper searches for specific debugging tools, adjusting its behavior accordingly.”

T1070.009 – Indicator Removal: Clear Persistence

Reference: “Another command, with ID 900, aims to remove MuddyViper from the compromised machine and clear its persistence…”

T1070.004 – Indicator Removal: File Deletion

Reference: “MuddyViper can delete itself from the system, if instructed to uninstall itself.”

T1036 – Masquerading

Reference: “Note that several versions of Fooder masquerade as the Snake game – see the strings and mutexes highlighted…”

T1036.004 – Masquerading: Masquerade Task or Service

Reference: “MuddyViper can be persisted as a scheduled task named ManageOnDriveUpdater.”

T1112 – Modify Registry

Reference: “MuddyViper can modify the HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup and… Shell Folders\Startup registry keys…”

T1027.009 – Obfuscated Files or Information: Embedded Payloads

Reference: “Fooder then loads the payload directly into memory… hardcoded payload is decrypted… Fooder can extract an embedded, AES-encrypted payload.”

T1027.013 – Obfuscated Files or Information: Encrypted/Encoded File

Reference: “The hardcoded payload is decrypted using the WinCrypt API and the AES key,” and various components encrypt data with AES-CBC before storage or transmission.

Credential Access

T1555.003 – Credentials from Password Stores: Credentials from Web Browsers

Reference: “CE-Notes is a browser-data stealer… attempts to steal and decrypt the app-bound encryption key… of Chromium browsers,” and “Blub… steals user login data from Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera.”

T1056.002 – Input Capture: GUI Input Capture

Reference: “One of the commands listed in Table 2, with ID 805, displays a fake Windows Security dialog… prompting the user to fill in credentials,” and “The sole purpose of LP-Notes is to entice victims into submitting their credentials by displaying a fake Windows Security dialog.”

Discovery

T1082 – System Information Discovery

Reference: “MuddyViper enables the attackers to collect system information, execute files and shell commands…”

T1518.001 – Software Discovery: Security Software Discovery

Reference: “MuddyViper… keeps a lengthy list of 150+ process names… to be able to send detailed reports about the security tools detected in the compromised environment,” and “Blub checks for running processes associated with security solutions before executing its malicious payload.”

Collection

T1074.001 – Data Staged: Local Data Staging

Reference: “The encrypted data is stored on disk in C:\Users\Public\Downloads\ce-notes.txt for later retrieval,” and “LP-Notes then stores the encrypted credentials in a local file… lp-notes.txt.”

T1560.001 – Archive Collected Data: Archive via Utility

Reference: “MuddyViper then compresses the collected data (into a file named CacheDump.zip) and uploads it to the C&C server.”

Command and Control

T1573.001 – Encrypted Channel: Symmetric Cryptography

Reference: “Both directions of communication AES-CBC encrypt the data, using the CNG API with the key… and the IV 0.”

T1219 – Remote Access Software

Reference: “These links lead to the download of RMM tools including Atera, Level, PDQ, and SimpleHelp,” and “Following the initial compromise, the attackers installed an additional RMM tool, PDQ…”

T1071.001 – Application Layer Protocol: Web Protocols

Reference: “To communicate with its C&C server, MuddyViper uses HTTP GET requests… over port 443… configured to use SSL/TLS.”

T1105 – Ingress Tool Transfer

Reference: “MuddyViper has the capability to download additional payloads from its C&C server.”

T1001 – Data Obfuscation

Reference: “MuddyViper leverages HTTPS for C&C communications, using the Status header to hide a backdoor command ID in the server-to-client direction of the communication.”

T1090 – Proxy

Reference: “MuddyWater’s go socks5 reverse tunnels… relay communication between the compromised machine… and a hardcoded C&C server… allowing the attacker to route C&C traffic… through the compromised machine.”

Exfiltration

T1041 – Exfiltration Over C2 Channel

Reference: “MuddyViper then compresses the collected data… and uploads it to the C&C server,” and “Collected credentials… are exfiltrated to the C&C server.”

T1030 – Data Transfer Size Limits

Reference: “MuddyViper supports downloading/‌uploading files in chunks of limited size… using sleep time between each upload.”

Impact

(Explicit destructive impact is not emphasized in the OSINT; activity is primarily espionage-focused, so no additional non-speculative Impact techniques are added.)


NIST 800-53 Affected Controls

AT-2(3) – Literacy Training and Awareness | Social Engineering and Mining

User deception via spearphishing RMM links and fake Windows Security dialogs.

Reference: “Initial access is typically achieved through spearphishing emails… These links lead to the download of RMM tools including Atera, Level, PDQ, and SimpleHelp,” and “One of the commands… displays a fake Windows Security dialog… prompting the user to fill in credentials.” This activity directly attacks the objective of AT-2(3) by exploiting users’ inability to recognize malicious links and credential prompts despite awareness training.

SI-3 – Malicious Code Protection

Evasion and execution of custom loaders, backdoors, and stealers.

Reference: “Among these tools is a custom Fooder loader designed to execute MuddyViper, a C/C++ backdoor,” and “The campaign also leverages credential stealers (CE Notes and LP Notes) and reverse tunneling tools (go socks5).” These components test and bypass SI-3 controls by using reflective loading, encryption, and delayed execution to avoid traditional signature- and behavior-based detection.

SI-4 – System Monitoring

Stealthy, encrypted C2 and reverse tunnels that challenge monitoring.

Reference: “To communicate with its C&C server, MuddyViper uses HTTP GET requests… over port 443… Both directions of communication AES-CBC encrypt the data,” and “go socks5 reverse tunnels… enabling attackers to bypass firewalls and Network Address Translation (NAT) mechanisms.” Encrypted C2 over standard web ports and tunneling through compromised hosts reduce the effectiveness of SI-4 monitoring unless deep inspection and anomaly detection are in place.

SC-7 – Boundary Protection

Use of reverse tunnels and cloud-hosted infrastructure to bypass network boundaries.

Reference: “MuddyWater’s go socks5 proxy is to relay communication… enabling attackers to bypass firewalls and Network Address Translation (NAT) mechanisms,” and the use of cloud providers (Amazon, DigitalOcean) as staging and C&C servers. These behaviors undermine SC-7 by turning internal systems into outbound proxies, effectively punching holes through perimeter defenses.

IA-5 – Authenticator Management

Theft and offline storage of browser and Windows credentials.

Reference: “CE-Notes… attempts to steal and decrypt the app-bound encryption key stored in the Local State file of Chromium browsers,” and “LP-Notes… stores the encrypted credentials in a local file – in this case C:\Users\Public\Downloads\lp-notes.txt.” These activities exploit weaknesses in credential storage and protection, attacking IA-5 objectives to safeguard authenticators and associated secrets.

AC-6 – Least Privilege

Token impersonation and use of RMM to gain elevated access.

Reference: “Once executed, [OsUpdater.exe] attempts to duplicate the token of the specified process via the DuplicateTokenEx API, and then uses CreateProcessAsUserA to execute Fooder,” and “LP-Notes… impersonating the security context of the process (via the ImpersonateLoggedOnUser API).” By duplicating and impersonating tokens, MuddyWater undermines AC-6, effectively escalating privileges and operating with broader access than intended for the compromised identity.

CM-8 – System Component Inventory

Abuse and covert deployment of remote monitoring and management tools.

Reference: “MuddyWater initiated access through a spearphishing email containing a link to an installer for the Syncro remote monitoring and management (RMM) software… Following the initial compromise, the attackers installed an additional RMM tool, PDQ.” The covert introduction and use of unauthorized or unmanaged RMM tools highlight deficiencies in CM-8, where organizations fail to maintain a complete, authorized inventory of software, especially powerful remote-access components.

IR-4 – Incident Handling

Need for coordinated response to multi-tool, multi-stage espionage intrusions.

Reference: “This campaign indicates an evolution in the operational maturity of MuddyWater… being timely, effective, and increasingly challenging to defend against,” and the extensive list of tools and IOCs. The complexity and persistence of the campaign stress IR-4, requiring organizations to have robust incident handling capabilities to detect, analyze, contain, and eradicate MuddyWater’s presence across loaders, backdoors, stealers, and tunnels.


Threat Model

Threat model from the original artifact

Monitoring, Hunting, Response, and Reversing

Monitoring

Monitoring for this campaign should prioritize rich endpoint telemetry (EDR process trees, PowerShell and cmd-line logs, scheduled task and registry change auditing, RMM install/uninstall events), proxy and firewall logs for outbound HTTPS to known or suspicious C2 and file-sharing infrastructure, DNS for newly observed domains and atypical resolutions, identity logs for token impersonation and anomalous logons, cloud and RMM logs for new agents or policies, and secure email gateways for spearphishing links. Logging should be expanded to include detailed process command lines, script block logging, module loads, task creation, and startup-folder modifications on Windows servers and workstations, with sufficient retention to enable correlation across multi-month campaigns. Key indicators include installation or execution of RMM tools from non-standard sources, processes named like legitimate software (e.g., Snake/game, updater) executing reflective loaders, repeated fake Windows Security dialogs, creation of tasks named similarly to ManageOnDriveUpdater, local files such as ce-notes.txt or lp-notes.txt in public folders, and persistent HTTPS to a small set of external IPs/domains over port 443 with unusual user agents. Gaps often include a lack of centralized RMM logging, limited visibility into encrypted C2, insufficient monitoring of startup and task persistence, and weak linkage between phishing telemetry and endpoint behavior. Correlation logic should tie spearphishing delivery to subsequent RMM installs, loader execution, persistence events, credential-stealer file creation, and new outbound tunnels, with thresholds tuned to alert on small chains of related events rather than single low-signal indicators. Dashboards should surface RMM usage anomalies, new scheduled tasks and startup entries, high-risk outbound destinations by sector and geography, and counts of credential-stealer-like file creations, with trend views across months. Validation should use replay or simulation of RMM installs, Fooder/MuddyViper-style persistence patterns, and benign test tunnels to confirm that alerts fire as designed without overwhelming operators.


Hunting

Hunting should start from hypotheses such as "MuddyWater-style RMM abuse is present in our environment," "custom loaders and backdoors are persisting via startup folders or scheduled tasks," and "browser and Windows credentials are being staged locally and then exfiltrated over encrypted C2." Hunters should leverage endpoint telemetry (process creation, script execution, scheduled tasks, registry changes, file creation in public Downloads and AppData paths), network/proxy and DNS logs (HTTPS to rare IPs/domains, especially cloud hosts and suspected staging servers, plus anomalous user agents or small, periodic encrypted beacons), identity logs (logon anomalies associated with RMM use or token impersonation), and email logs (targeted spearphishing with file-sharing or RMM links). Detection logic can include chains such as email with external RMM link > new RMM process from the user profile or Downloads folder > execution of unusual binaries that spawn cmd/PowerShell > creation of suspicious scheduled tasks or startup entries > subsequent outbound HTTPS to atypical destinations with periodic timing, along with searches for known file names or patterns reminiscent of the CE-Notes/LP-Notes/Blub staging behavior. The signal-to-noise ratio must be managed by scoping hunts to high-value hosts and accounts, focusing on newly introduced RMM agents and tasks rather than all baseline activity, and allow-listing known-good administrative behavior, with hunts tuned to identify small clusters of related anomalies rather than single generic events such as every PowerShell invocation.
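The correlation logic the Monitoring section asks for and the event chain described in the paragraph above can be expressed as one small stateful rule. The following is an added example written for this page, not code from ESET or from FAIR INTEL; the event schema, the RMM binary names, the trusted-domain and trusted-destination lists, the 24-hour window, the three-stage threshold and the beacon jitter ratio are all assumptions to be replaced with your own telemetry fields and baselines. It walks each host's events in chain order, treats periodic HTTPS to an unknown destination as the C2 stage, and alerts only when at least three stages line up, so an administrator's RMM install from Program Files and an ordinary PowerShell launch stay silent.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Chain stages in the order the page describes them (labels are this example's own).
STAGES = ["phish_link", "rmm_install", "loader_exec", "persistence", "c2_beacon"]
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\downloads\\", "\\public\\", "\\temp\\")
# Assumed placeholders: replace with the RMM binaries and trusted domains of your own environment.
RMM_BINARIES = {"screenconnect.clientsetup.exe", "anydesk.exe", "atera-agent.exe"}
TRUSTED_DOMAINS = {"corp.example", "sharepoint.com"}
TRUSTED_NET = {"update.microsoft.com"}
WINDOW = timedelta(hours=24)   # all stages must fall inside this span to be chained
MIN_STAGES = 3                 # alert on a short chain, never on a single stage
MIN_BEACONS = 4                # connections needed before periodicity is judged
MAX_JITTER = 0.2               # pstdev/mean of inter-connection gaps that still counts as a beacon


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def external(host):
    return not any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def stage_of(ev):
    """Map one email/endpoint event to a chain stage, or None if it is baseline noise."""
    if ev["type"] == "url_click":
        return "phish_link" if external(ev["url"].split("/")[2]) else None
    if ev["type"] == "process":
        image, parent = ev["image"], ev.get("parent", "")
        if basename(image) in RMM_BINARIES and user_writable(image):
            return "rmm_install"   # RMM started from Downloads/profile, not an admin install
        if basename(image) in {"cmd.exe", "powershell.exe"} and user_writable(parent):
            return "loader_exec"   # shell spawned by a binary living in a user-writable path
        return None
    if ev["type"] in ("task_create", "startup_write"):
        return "persistence" if user_writable(ev["command"]) else None
    return None


def beacons(net_events):
    """Yield (host, dst, first_seen) for HTTPS flows that recur with near-constant gaps."""
    flows = defaultdict(list)
    for ev in net_events:
        if ev["port"] == 443 and ev["dst"] not in TRUSTED_NET:
            flows[(ev["host"], ev["dst"])].append(ev["ts"])
    for (host, dst), stamps in flows.items():
        stamps.sort()
        if len(stamps) < MIN_BEACONS:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) / mean(gaps) <= MAX_JITTER:
            yield host, dst, stamps[0]


def correlate(events):
    """Return one alert per host on which >= MIN_STAGES stages occur in chain order within WINDOW."""
    events = [dict(ev, ts=datetime.fromisoformat(ev["ts"])) for ev in events]
    per_host = defaultdict(lambda: defaultdict(list))
    for ev in events:
        if ev["type"] != "net" and (stage := stage_of(ev)):
            per_host[ev["host"]][stage].append(ev["ts"])
    for host, dst, first in beacons(ev for ev in events if ev["type"] == "net"):
        per_host[host]["c2_beacon"].append(first)
    alerts = []
    for host, stages in per_host.items():
        chain, cursor, start = [], None, None
        for stage in STAGES:   # greedy walk: earliest instance of each stage after the previous one
            times = sorted(t for t in stages.get(stage, [])
                           if (cursor is None or t >= cursor) and (start is None or t - start <= WINDOW))
            if times:
                cursor = times[0]
                start = start or cursor
                chain.append(stage)
        if len(chain) >= MIN_STAGES:
            alerts.append({"host": host, "stages": chain, "first": start, "last": cursor})
    return alerts


# Constructed sample telemetry (not real data): WS-042 shows the full chain,
# WS-107 shows an admin-driven RMM install plus ordinary PowerShell use that must not alert.
SAMPLE_EVENTS = [
    {"ts": "2025-12-01T09:00:00", "host": "WS-042", "type": "url_click",
     "url": "https://files-share.example.net/d/agenda.exe"},
    {"ts": "2025-12-01T09:02:00", "host": "WS-042", "type": "process",
     "image": "C:\\Users\\alice\\Downloads\\ScreenConnect.ClientSetup.exe", "parent": "C:\\Windows\\explorer.exe"},
    {"ts": "2025-12-01T09:10:00", "host": "WS-042", "type": "process",
     "image": "C:\\Windows\\System32\\cmd.exe", "parent": "C:\\Users\\Public\\Downloads\\Launcher.exe"},
    {"ts": "2025-12-01T09:11:00", "host": "WS-042", "type": "task_create",
     "command": "C:\\Users\\Public\\Downloads\\Launcher.exe"},
    *[{"ts": f"2025-12-01T09:{m}:00", "host": "WS-042", "type": "net", "dst": "203.0.113.7", "port": 443}
      for m in ("12", "17", "22", "27")],
    {"ts": "2025-12-01T10:00:00", "host": "WS-107", "type": "process",
     "image": "C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientSetup.exe",
     "parent": "C:\\Windows\\explorer.exe"},
    {"ts": "2025-12-01T10:05:00", "host": "WS-107", "type": "process",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent": "C:\\Windows\\explorer.exe"},
    {"ts": "2025-12-01T10:06:00", "host": "WS-107", "type": "net", "dst": "198.51.100.9", "port": 443},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The greedy walk deliberately tolerates a missing stage (email telemetry is the one most often absent), which is why the threshold is a count of stages rather than a requirement for the full chain; raise MIN_STAGES or shorten WINDOW if the rule proves noisy on hosts where users legitimately run installers from Downloads.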


Response

Response should prioritize collection and preservation of detailed EDR logs, Windows event logs (Security, Sysmon if present, Task Scheduler, Application), email gateway logs, proxy/DNS/firewall records, and any RMM and identity provider logs for affected accounts and hosts, focusing on the timeline around spearphishing delivery and suspected execution. Expected artifacts include suspicious RMM installers, Fooder-like loaders, and MuddyViper binaries in download or temporary paths, scheduled tasks and startup-folder entries linked to unusual executables, local staging files such as ce-notes.txt, lp-notes.txt, or similar, and traces of encrypted HTTPS C2 and reverse tunnels. Anti-forensic behavior may include self-deletion of binaries, removal or modification of persistence entries, and time-based delays that blur event sequences, so responders should rely on centrally collected logs where possible rather than on host-local state alone. Reconstruction of events should piece together phishing emails, RMM or loader execution, persistence setup, credential harvesting, and subsequent lateral movement or data exfiltration, feeding DFIR findings (number and type of accounts compromised, systems touched, data accessed) into FAIR loss estimates for primary and secondary impacts. Likely containment includes disabling and uninstalling unauthorized RMM agents, blocking outbound C2 endpoints, removing scheduled tasks and startup entries, resetting or revoking affected credentials, and isolating or reimaging high-risk endpoints. Priority artifacts are binaries associated with loaders/backdoors/stealers, scheduled-task XML exports, registry snapshots of startup locations, credential-staging files, and full packet captures or proxy logs around suspected C2 sessions. Telemetry requirements include high-fidelity endpoint and network logs with sufficient retention to cover the campaign window, while the IR gaps most often encountered are weak RMM governance, limited task/startup auditing, and incomplete credential-use tracking. 
DFIR validation should use controlled replays or lab reconstruction of the attack chain to confirm that eradication steps are practical and that no residual persistence or C2 remains.
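One way to turn the artifact list above into a repeatable triage-and-containment step, as an added example written for this page (not tooling from the original report): parse exported scheduled-task XML, resolved Startup-folder shortcuts and a file listing, flag entries that point into user-writable locations or run a script interpreter with arguments, and emit the collection command for every finding before any removal command, so nothing is destroyed before it is preserved. The Task Scheduler XML schema and the schtasks, Copy-Item, Get-FileHash and Remove-Item commands are real; the task names, paths, the user-writable path markers and the interpreter list are this example's assumptions, and the constructed inputs stand in for what you would export from a suspect host.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}   # Task Scheduler XML namespace
# Assumed heuristics: where unprivileged code can write, and which binaries are script interpreters.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\downloads\\", "\\public\\", "\\temp\\", "\\programdata\\")
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe"}
STAGING_NAMES = {"ce-notes.txt", "lp-notes.txt"}   # local staging file names the page cites


def basename(path):
    return PureWindowsPath(path.strip('"')).name.lower()


def user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def triage_task(name, xml_text):
    """Inspect one exported task (schtasks /Query /TN <name> /XML) and return a finding or None."""
    root = ET.fromstring(xml_text)
    trig = root.find("t:Triggers", NS)
    triggers = [] if trig is None else [child.tag.split("}")[-1] for child in trig]
    reasons = []
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = ex.findtext("t:Arguments", default="", namespaces=NS).strip()
        if user_writable(cmd):
            reasons.append(f"runs from user-writable path: {cmd}")
        if basename(cmd) in INTERPRETERS and args:
            reasons.append(f"interpreter with arguments: {basename(cmd)} {args}")
    if not reasons:
        return None
    return {"kind": "task", "name": name, "triggers": triggers, "reasons": reasons,
            "collect": f'schtasks /Query /TN "{name}" /XML > "{name}.xml"',
            "eradicate": f'schtasks /Delete /TN "{name}" /F'}


def triage_startup(entries):
    """entries: (shortcut_path, resolved_target) pairs from the per-user and all-users Startup folders."""
    findings = []
    for lnk, target in entries:
        if user_writable(target):
            findings.append({"kind": "startup", "name": lnk, "reasons": [f"shortcut targets {target}"],
                             "collect": f'Copy-Item -LiteralPath "{lnk}", "{target}" -Destination .\\evidence\\',
                             "eradicate": f'Remove-Item -LiteralPath "{lnk}"'})
    return findings


def triage_staging(paths):
    findings = []
    for p in paths:
        if basename(p) in STAGING_NAMES:
            findings.append({"kind": "staging", "name": p, "reasons": ["credential-staging file name"],
                             "collect": f'Get-FileHash -LiteralPath "{p}"; Copy-Item -LiteralPath "{p}" -Destination .\\evidence\\',
                             "eradicate": f'Remove-Item -LiteralPath "{p}"'})
    return findings


def run_triage(tasks, startup, files):
    findings = [f for name, xml in tasks.items() if (f := triage_task(name, xml))]
    return findings + triage_startup(startup) + triage_staging(files)


def containment_plan(findings):
    """Preserve every artifact before removing anything: all collection steps precede eradication."""
    return [f["collect"] for f in findings] + [f["eradicate"] for f in findings]


# Constructed inputs (not real exports): one suspicious task next to a benign vendor task,
# one Startup shortcut into Public\Downloads next to a legitimate Office shortcut, one staging file.
SAMPLE_TASKS = {
    "ManageOnDriveUpdater": """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>WS-042\\alice</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>"C:\\Users\\Public\\Downloads\\Launcher.exe"</Command></Exec></Actions>
</Task>""",
    "MicrosoftEdgeUpdateTaskMachineCore": """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe</Command>
  <Arguments>/c</Arguments></Exec></Actions>
</Task>""",
}
SAMPLE_STARTUP = [
    ("C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WinWin.lnk",
     "C:\\Users\\Public\\Downloads\\WinWin.exe"),
    ("C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\OneNote.lnk",
     "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONENOTEM.EXE"),
]
SAMPLE_FILES = ["C:\\Users\\Public\\ce-notes.txt", "C:\\Users\\alice\\Documents\\notes.txt"]

if __name__ == "__main__":
    for step in containment_plan(run_triage(SAMPLE_TASKS, SAMPLE_STARTUP, SAMPLE_FILES)):
        print(step)
```

Real task exports are UTF-16 with an XML declaration; read them with the utf-16 encoding before parsing. Resolving .lnk targets and hashing binaries are left to the collection commands the plan emits, and the emitted commands are meant to be reviewed and run by a responder, not executed blindly by the script.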


Reverse Engineering

Reverse engineering efforts should focus on characterizing loader behavior such as Fooder’s decryption routines, reflective loading of embedded AES-encrypted payloads, process-token manipulation, and potential masquerading as benign applications (e.g., games or updaters), capturing how it hands off to MuddyViper or other tools. Analysts should document evasion techniques, including custom delay loops, Sleep-based timing, sandbox/VM checks, and API resolution strategies that hinder static and dynamic analysis, as well as how persistence is delegated to MuddyViper or other components via startup folders and scheduled tasks. Indicators to extract include file names, PDB paths, mutexes, command-line artifacts, URLs and IPs, AES keys or key-derivation routines, user agents, and characteristic registry and filesystem behaviors that can be transformed into detection signatures. Dynamic and static hooks should include monitoring of key APIs (CreateProcess*, DuplicateTokenEx, CredUIPromptForWindowsCredentialsW, LogonUserW, WinHTTP, crypto APIs, task scheduler COM interfaces), as well as filesystem and registry activity tied to startup and task configuration. Expected artifacts are decrypted payloads, configuration blocks (C2 addresses, keys, timing parameters), logs or status messages sent to C2, and staged credential or browser data. Additional suggestions include building YARA rules around code and string patterns, comparing variants to previously documented MuddyWater tools to track evolution, and using sandbox automation to generate behavior-based IOCs suitable for SOC consumption.


CTI

CTI teams should use this campaign to refine PIRs around whether Iran-aligned actors are targeting their sectors, geographies, or key partners, how often spearphish-and-RMM campaigns recur, which TTPs (spearphishing links, RMM abuse, reflective loaders, browser/credential stealers, Go-based SOCKS5 reverse tunnels) remain stable, and which assets (Windows admin accounts, RMM consoles, high-value endpoints) are most consistently pursued. SIR work should close IOC gaps by enriching and normalizing the IPs, domains, URLs, and hashes already known from vendor reporting, identifying needs for additional malware samples and deeper infrastructure mapping, clarifying attribution overlaps with other Iran-nexus groups, and specifying which internal logs (email, RMM, EDR, DNS, proxy) are required to validate suspected activity. Collection plans should emphasize continuous OSINT monitoring of vendor blogs and sandboxes for new MuddyWater tooling, ingestion of internal telemetry into threat-intel platforms, collaboration with ISACs/ISAOs for sector-specific indicators, and use of malware repositories and network/endpoint data sources to track new variants. Mapping and analysis should cluster related infrastructure and tools into coherent campaigns, align behaviors to ATT&CK for consistent tagging, compare with historical MuddyWater and Lyceum activity, and assess confidence in clustering and attribution while flagging emerging capabilities such as new loaders or persistence patterns; these findings should be used to confirm or adjust existing hypotheses about the actor's focus, tradecraft, and likely future evolution.


GRC and Testing

Governance

Governance should reinforce policy adequacy around RMM control, email security, endpoint hardening, and credential management, ensuring policies explicitly prohibit unauthorized RMM installation, require verification of file-sharing links, and mandate privileged-account protections aligned to the threat. Oversight functions should require periodic review of RMM inventories, startup and scheduled-task governance, and executive reporting on spearphishing attempts, credential-harvesting detections, and outbound encrypted C2 trends. Governance documents under the NIST SP 800-53 RA (Risk Assessment), PM (Program Management), and PL (Planning) control families should be updated to incorporate explicit APT considerations, risk-scenario mapping, and role definitions for monitoring persistence mechanisms across Windows environments. The risk register should add or update entries for unauthorized RMM deployment, reflective-loader evasion, credential harvesting, and covert C2 tunnels, incorporating FAIR-informed loss ranges to support prioritization. Board and executive communication should summarize threat recurrence, targeted sectors, susceptibility factors, and expected financial exposure, while clarifying the required investment in detection tooling, RMM governance, and incident-response readiness.


Audit and Offensive Security Testing

Audit should assess whether current RMM governance, phishing controls, endpoint logging, credential-protection mechanisms, and startup/task auditing processes are implemented as documented, and identify evidence gaps such as missing RMM inventories, insufficient script-block logging, and incomplete tracking of outbound encrypted traffic. Controls should be validated for their ability to detect or block reflective loaders, fake Windows credential prompts, unauthorized scheduled tasks, and browser-credential harvesting. Compliance obligations tied to access control, logging, and malicious-code protection should be evaluated for adherence, particularly in sectors regulated as critical infrastructure. Red team exercises should replicate spearphishing links that deliver benign RMM installers, followed by loader-style persistence, to test user behavior and control response, while purple team sessions should validate detection of credential-stealer artifacts and C2 tunnels. Pen testing scope should include RMM abuse pathways, privilege escalation via token impersonation, and persistence mechanisms. Exploit reproduction should safely mimic Fooder-like reflective loading and MuddyViper persistence without deploying harmful malware, and control validation should confirm detection, alerting, and containment across the whole chain.


Awareness Training

Awareness training should emphasize social-engineering patterns central to this campaign, especially spearphishing with file-sharing links, deceptive RMM installers, and fake Windows Security dialogs requesting credentials. Training should address human failure modes such as conditioned clicking, trust in familiar tools, and misunderstanding of RMM usage, with adjustments for administrators (RMM scrutiny), finance and customer-facing staff (phishing vigilance), and executives (high-value credential risk). Employees should learn to recognize behavioral indicators such as unexpected credential prompts, unfamiliar RMM installations, and files appearing in public folders. Phishing simulations should mirror the attacker’s style, using realistic but safe RMM-link lures to test user susceptibility. Communication guidelines should reinforce slow-down/verify behaviors when interacting with external links, RMM-related messages, or credential prompts. Reinforcement cycles should use short, recurring modules and measure effectiveness by reducing click-through rates, improving reporting, and validating reductions in simulated-phish success across targeted roles.


Indicators of Compromise

From the original artifact:

3.95.7[.]142

35.175.224[.]64

51.16.209[.]105

62.106.66[.]112

157.20.182[.]45

161.35.172[.]55

167.99.224[.]13

194.11.246[.]78

194.11.246[.]101

206.71.149[.]51

212.232.22[.]136

OsUpdater.exe

Blub.exe

Blub.exe

Blub.exe

stealer.exe

7d1e9726b5YZPYc.dll

fe197add74IVcQn.exe

vmsvc.exe

3a70e4c8c2IVcQn.exe

3a70e4c8c2IVcQn.exe

Dsync-es.exe

App_chek.exe

steam.exe

antimage.exe

wtsapi32.dll

msi.dll

WinWin.exe

20241118_223247_Launcher.exe

Launcher.dll

Launcher.exe

vcruntime140_1.dll

Launcher.exe

ncrypt.dll

WinWin(persist).exe

0bff183a39ruQsY.dll

20d188afdcpfLFq.exe

dttcodexgigas.exe

7295be2b1fHxjyf.exe

fa54125dc8ZpaNJ.exe

20d188afdcWgOQB.exe

bd34a33f5bHOVby.exe

re.exe

bd34a33f5bHOVby.exe

20d188afdcpfLFq.exe

1110254b63WfTEa.exe

FMAPP.dll

bd34a33f5bJeJOf.exe

bd34a33f5bJeJOf.exe

7295be2b1fHxjyf.exe

re.exe

8525e604dfKuDNr.exe

bd34a33f5bJeJOf.exe

20d188afdcpfLFq.exe

main.exe

504f53ca8esoLmG.dll

20d188afdcpfLFq.exe

66f3e097e4tnyHR.exe

fa54125dc8ZpaNJ.exe

fa54125dc8ZpaNJ.exe

7295be2b1fAzMZI.exe

20d188afdcpfLFq.exe

ESETGO.exe

20d188afdcpfLFq.exe

bd34a33f5bHOVby.exe

66f3e097e4tnyHR.exe

Revoke.dll

66f3e097e4tnyHR.exe

main.exe

7295be2b1fAzMZI.exe

20d188afdcpfLFq.exe

AppVs.exe

76632910CF67697BF5D7285FAE38BFCF438EC082

1723D5EA7185D2E339FA9529D245DAA5D5C9A932

69B097D8A3205605506E6C1CC3C13B71091CB519

B7A8F09CB5FF8A33653988FFBA585118ACF24C13

B8997526E4781A6A1479690E30072F38E091899D

8E21DE54638A79D8489C59D958B23FE22E90944A

CD47420F5CE408D95C98306D78B977CDA0400C8F

C1299E8C9A8567A9C292157F3ED65B818AA78900

29CDA06701F9A9C0A6791775C3EB70F5B52BBEFF

8F3ED626E7B929450E36E97BA5539C8371DF0EF8

007B5CD6D6ACF972F7743F79E23CAB9BB2ECBEE3

CD36F93DBC4C718930593D8F029EFDCAA52B619B

47B70C47BEB33E88B4197D6AF1B768230E51B067

D46900D78AE036967E0B37F9EC6A8000131AE604

0657D0B0610618886DDD74C3D0A1D582CDD24863

2939FD218E0145D730BD94AA1C76386A5259EACE

3BC6502A55A4D5D29132DA4D9943E154A810CC83

7950296331802188EB99E232E2C383CB9FDD5D7D

8580824FE14DB158388102B16C1C79DFBBA36083

B48B93B4EB69D01588D371356EDE614C5E7378DE

EA8A1C2382FF765709D7F78EF60482598E4C0DEB

EAF4BAFC62170C9FCA1F6B591848883DBF97F93D

F5EFBA6CCBA5A6AD6C3AFA928C0E5EAA44597411

13DA612D75DC5268F5235F5BACE6D8F0DB0091FF

25361183DE63F296BA71B6FCF0725E022B3C989A

0E9A4892CFA1C9065B36D8F2E164E28609A8CF5D

2B09241CA025BDC4455E9F6BA6009E2F27C08EDF

2E9BE23CDD8152DB6CD1A54E001C4EA82FF6F1C6

45FA7DE711FEA1F8D1E348E87834246C455DD2ED

4E0EF2386980639FC5355FD68DAFF54EB2AD622E

4E9529BA4A6E42D6278D37E3FDEE9E1D991CEBE0

50C6D4A2AD16A231CF11C43F3BBC868D90E20D25

52009F36058337B6401DA0A0F4885A0C185F0520

535882B6EDAB29247E035236A84CA510FB1E0854

544CE18E4C1F1B288DEE6018DFCF4E4D4A315F7A

54EBC125039CC83E4682CA44DD592534562B25C3

5A08150C1DC17E9F691296F0A577C2EC9BA8028C

5D1E61DA8083C41FF1FC23A1222A4A88B43A4E9B

6532E0437C8913FA418F1EE258561B15BBEE9052

6CA41565844118385B345A39A9B79E0BBC0DD338

6FC50A99AAE1D6C40111632D4F49BD19F9794CF6

826CFF5D85713CE4B2F3C15AB53A84E6848D2E2C

87ADD79C7C8335447113EE0D413F52AE2B17F066

93055115559219BE8441880597C533381B99213B

97C3376AB551E899F347CC9DDF49EA01DB2D7903

99FAD0862E2E8D363F3E18952FD92E09493CC27D

A101CBCCD950AA36FC3B40C3C331FDE43ACDBBD2

A227C0A4425E24268B759A740231676A589CA4E6

A997A7AAE727D2C12CCE80FE3607317775A4DF3E

B0271CA76052EC340014D7BCCDBD69325A4E60F2

B0CD4F5DF192BFFE6500E44B80C28505DFD9CA66

B16E7D56A8DC0FF6B3AFD797E1EAB22B20DFFB39

D49979D0063B28BD73390481E6AE642C00CE0791

D518F5C648AB64B390A29AA2858219318CFC556A

DF223D653F761ED55F9C0774F1DBF545FD741F86

DF8FC5213AA11EE445EAD1AAE17A826E7D51A743

E02DD79A8CAED662969F6D5D0792F2CB283116E8

E8F4EA3857EF5FDFEC1A2063D707609251F207DB

F26CAE9E79871DF3A47FA61A755DC028C18451FC

FF09608790077E1BA52C03D9390E0805189ADAD7
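The indicators above are defanged (IP addresses are written with `[.]`) and mix three kinds of value: IPv4 addresses, SHA-1 hashes, and bare file names. Several of the file names (msi.dll, wtsapi32.dll, ncrypt.dll, vcruntime140_1.dll) are also the names of legitimate Windows or Visual C++ runtime DLLs, so matching on the name alone would flag every Windows host. The following added example, written for this page and not taken from the original report, refangs and classifies the list, then matches constructed network and file events against it, reporting hash and IP hits at high confidence and name hits at lower confidence, and ignoring name hits for the collision-prone DLLs when they load from system directories. The excerpt of the list, the confidence tiers, the low-fidelity name set, the pairing of one hash with an arbitrary file name, and the sample events are all assumptions.

```python
import re

# Excerpt of the defanged indicator list above (the page's list is the source of these values).
IOC_TEXT = """
3.95.7[.]142
35.175.224[.]64
OsUpdater.exe
Blub.exe
steam.exe
msi.dll
wtsapi32.dll
76632910CF67697BF5D7285FAE38BFCF438EC082
"""
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
# Assumed: names that collide with legitimate Windows/VC runtime DLLs or common software.
# A name-only hit on these is a side-loading candidate at best: count it only outside system
# directories and report it at low confidence.
LOW_FIDELITY = {"msi.dll", "wtsapi32.dll", "ncrypt.dll", "vcruntime140_1.dll",
                "steam.exe", "main.exe", "launcher.exe"}


def refang(value):
    return value.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def load_iocs(text):
    """Classify each non-empty line as an IPv4 address, a SHA-1 hash, or a file name."""
    iocs = {"ip": set(), "sha1": set(), "filename": set()}
    for line in text.splitlines():
        value = refang(line.strip())
        if not value:
            continue
        if re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", value):
            iocs["ip"].add(value)
        elif re.fullmatch(r"[0-9A-Fa-f]{40}", value):
            iocs["sha1"].add(value.lower())
        else:
            iocs["filename"].add(value.lower())
    return iocs


def match_events(events, iocs):
    """Return (host, ioc_type, value, confidence) for each event that matches an indicator."""
    hits = []
    for ev in events:
        if ev["type"] == "net":
            if ev["dst"] in iocs["ip"]:
                hits.append((ev["host"], "ip", ev["dst"], "high"))
            continue
        path = ev["path"]
        name = path.rsplit("\\", 1)[-1].lower()
        if ev.get("sha1", "").lower() in iocs["sha1"]:
            hits.append((ev["host"], "sha1", ev["sha1"].lower(), "high"))   # hash beats name
        elif name in iocs["filename"]:
            if name in LOW_FIDELITY and path.lower().startswith(SYSTEM_DIRS):
                continue   # the real DLL in its normal location
            hits.append((ev["host"], "filename", path, "low" if name in LOW_FIDELITY else "medium"))
    return hits


# Constructed telemetry (not real data); the SHA-1 is paired with an arbitrary file name for the demo.
SAMPLE_EVENTS = [
    {"host": "WS-042", "type": "net", "dst": "3.95.7.142", "port": 443},
    {"host": "WS-042", "type": "file", "path": "C:\\Users\\alice\\Downloads\\agenda.exe",
     "sha1": "76632910cf67697bf5d7285fae38bfcf438ec082"},
    {"host": "WS-042", "type": "image_load", "path": "C:\\Users\\Public\\Downloads\\msi.dll"},
    {"host": "WS-107", "type": "image_load", "path": "C:\\Windows\\System32\\msi.dll"},
    {"host": "WS-107", "type": "file", "path": "C:\\Users\\bob\\Desktop\\OsUpdater.exe"},
    {"host": "WS-107", "type": "net", "dst": "198.51.100.9", "port": 443},
]

if __name__ == "__main__":
    for hit in match_events(SAMPLE_EVENTS, load_iocs(IOC_TEXT)):
        print(hit)
```

Feed the full list from the page into IOC_TEXT unchanged; the refang step means the defanged form can be stored as published and the matcher still compares real addresses. A medium-confidence name hit such as OsUpdater.exe on a desktop is a lead to pivot on (hash it, pull its parent process), not a verdict.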

