Muddywater Targets Orgs with Fresh Malware
2026-02-23 20:35 | CRITICAL | LOW
Executive Summary (AI-generated)
Iran's MuddyWater cyber threat group is ramping up its attack campaign, delivering new strains of custom malware to organizations in the Middle East and Africa region. The group deviated from its typical entry tactic on January 26 by exploiting flaws in public-facing servers as part of the activity. With roots dating back to 2017, MuddyWater is one of Iran's most active and notorious APTs. The first malware delivery was a malicious Microsoft Excel document mimicking an energy and marine services company, likely targeting contractors or the organization itself. Recent tactics include stealthier stagecraft using memory-only loaders, custom backdoors, and defense evasion techniques. Defenders can strengthen their position against MuddyWater by monitoring for indicators of compromise, implementing email and phishing defenses, and enhancing network and infrastructure security measures to reduce the risk of compromise.
Technical Mitigations (AI-generated)
* Implement robust email security measures: Organizations should use advanced email security solutions, such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting and Conformance) to prevent spear-phishing attacks.
* Regularly update and patch operating systems and software: Keeping software up to date with the latest security patches can help protect against known vulnerabilities that attackers may exploit. This includes updating Microsoft Office applications, as well as other critical system components.
* Use secure communication protocols (e.g., HTTPS): Organizations should ensure their websites and online services use industry-standard encryption protocols like HTTPS to prevent eavesdropping and tampering with data in transit.
* Implement a robust incident response plan: Establishing an incident response plan can help organizations quickly respond to and contain cyber attacks. This includes procedures for identifying, containing, and eradicating malware, as well as communication strategies for affected stakeholders.
* Use AI-powered security tools to detect anomalies: Organizations should consider implementing AI-powered security tools that can analyze network traffic and identify potential threats in real-time. These tools can help automate the process of detecting suspicious activity and alerting IT teams to potential attacks.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns: Operation Sentinel; Operation Olalampo; MuddyWater
Target regions: NORTH_AMERICA; EUROPE; AFRICA; MIDDLE_EAST; LATAM
Target sectors: defense; government; logistics; energy; technology
Incident Timeline
2025-02-20
Threat actors used social engineering primarily to target organizations with fresh malware as tensions in the region escalated.
Entities: Intel 471 (general metric); Ransomware (tactic); 450 ransomware breach events (financial); 78% (general metric); Phishing (tactic); Operation Sentinel (campaign); Social Engineering (tactic); SMS (organisation)
Context: For example, Intel 471 reported more than 450 ransomware breach events in the region last year, marking a 78% increase over 2024. Broadly speaking, social engineering primarily enabled financial fraud in the region last year, with email and SMS phishing the most common mechanisms.
2025-02-23
Threat actors used memory-only loaders and custom backdoors to target organizations in Iran.
Entities: Defense (industry)
Context: Late last year, the group demonstrated stealthier stagecraft that included the use of memory-only loaders, custom backdoors, and techniques designed for defense evasion and persistence.
The first quarter of 2025
Threat actors used malware to infect Iranian targets with fresh versions of the MuddyWater cyberattack tool.
Entities: 108% (general metric)
Context: The first quarter of 2025 alone saw a 108% year-over-year increase.
December 2025
The Organization of American States released a report in December 2025 detailing the increasing security maturity of Iran, which cited an OAS assessment from that time.
Entities: the Organization of American States (organisation); OAS (organisation)
Context: Broadly speaking, the report references increasing security maturity for the region — citing a December 2025 report from the Organization of American States (OAS) attesting to this — while observing an increasingly hostile threat landscape.
Jan. 26
Threat actors used MuddyWater to target organizations in Iran.
Entities: MuddyWater (threat actor); Iran, Islamic Republic of (source region); Ministry of Intelligence and Security (attribution)
Context: There also is evidence that MuddyWater, which is tied to Iran's Ministry of Intelligence and Security (MOIS), deviated from its typical entry tactic and also tried to exploit flaws in public-facing servers as part of the activity, which the researchers first discovered on Jan. 26.
2026-02-23
Iran's MuddyWater targets organizations with fresh malware as tensions mount.
Entities: MuddyWater (threat actor); Operation Olalampo (campaign); Group-IB (organisation); YARA (organisation); EDR (organisation); Telegram (organisation); GhostFetch (organisation); Microsoft Excel (organisation); Microsoft (organisation); APT (organisation); Rust (organisation); RMM (organisation); ESET (organisation); Intel 471 (organisation); Cyber Maturity Lags Threat Landscape (organisation); An Uncertain Cyber Future (organisation); DragonForce (organisation); C&M (organisation); WhatsApp (organisation); 7 million records (data breach); $148 million in Brazilian reals (financial); $1 per citizen (financial)

Context excerpts from "Iran's MuddyWater Targets Orgs With Fresh Malware as Tensions Mount" (Dark Reading):
As the US prepares for a possible military strike against Iran, the nation-state threat group MuddyWater is wasting no time ramping up its cyber offensive against organizations in the Middle East and Africa region with an emerging attack campaign delivering several new strains of custom malware.
The campaign, dubbed Operation Olalampo, starts with the group's typical entry tactic — spear-phishing emails — and ends with the deployment of one of several strains of never-before-seen second-stage loader and backdoor malware, according to a report by Group-IB published Friday.
Moreover, as is the case with a number of recent threat campaigns, Olalampo showed signs of artificial intelligence (AI)-assisted development in the malware, demonstrating that this is likely to be the norm and not the exception going forward, according to Group-IB.

Delivery of AI-Developed Malware
Attacks in the campaign started typically for MuddyWater — with a targeted spear-phishing email, this time employing one of various Microsoft documents with malicious macros that decode the payload, drop it into a system, and execute it.
The advanced persistent threat (APT) group used three attack-sequence variations against different targets.
The first was a malicious Microsoft Excel document mimicking an energy and marine services company in the Middle East, likely targeting either contractors of the organization or the organization itself.
That attack sequence ultimately led to the deployment of the Char backdoor, a Rust-based backdoor controlled by a Telegram bot, according to Group-IB.
One of the new malware strains, the Char backdoor, used a Telegram bot as a command-and-control (C2) channel, which gave researchers "valuable insight into MuddyWater's post-exploitation activity," according to the report.
This insight showed that the infrastructure in the campaign was reused, one of the hallmarks of MuddyWater that contributed to the researchers identifying the perpetrator.
Ultimately, the malware dropped by the campaign gave MuddyWater control of the victim's system.
The use of Telegram in this way by the group signifies a tactical shift for MuddyWater, according to researchers.
"We observed four instances of this anomaly, suggesting that the adversary likely used an AI model to generate specific code segments and failed to sanitize the debug strings before compilation; this can also be seen in the command-and-control logs from the Telegram bot," according to Group-IB.

Other MuddyWater Attack Variants
Another attack variant of Olalampo used a similar document lure to the previous one, but instead of dropping Char, it deployed the GhostFetch downloader.
The third attack variant uses a Microsoft Word document employing multiple themes, such as flight tickets and reports, targeting "individuals of interest and system integrator companies in the Middle East," according to Group-IB.
This variant leads to the deployment of a new custom downloader called HTTP_VIP, which then deploys AnyDesk remote monitoring and management (RMM) to take over the targeted system.

MuddyWater Tightens Its Game
MuddyWater — also known as TA450, Helix Kitten, Seedworm, and other names — is one of Iran's most active and notorious APTs, with roots that stretch as far back as 2017.
Indeed, MuddyWater has been steadily evolving its activities since it first emerged.
At the time, researchers from ESET said the upgrades marked a significant evolution in the group's capabilities and a departure from its historically noisier operational style.
"The group's continued adoption of AI technology, combined with continued development of custom malware and tooling and diversified C2 infrastructures, underscores their dedication and intent to expand their operations," according to Group-IB.
Defenders can strengthen their position against MuddyWater by using the indicators of compromise (IoCs), YARA rules, and EDR rules set out in Group-IB's report to monitor for group activity.

Context excerpts from "Latin America's Cyber Maturity Lags Threat Landscape" (Dark Reading):
Intel 471 this week published a report detailing Latin America's cyber threat landscape, synthesizing data collected during 2025.
The OAS report cited increasingly complex digital threats in the region, as well as a wide variance in security posture that's echoed in Intel 471's findings.
Furthermore, researchers tracked more than 200 initial access brokers targeting Latin American entities, multiple APT clusters around the world, and at least 119 hacktivist groups in 15 countries across the region.
Exploitation of its systems resulted in the diversion of 800 million Brazilian reals (approximately $148 million) from eight financial institutions.
The DragonForce ransomware group claimed another attack against C&M later in the year.
Also in June, the Brigada Cyber PMC data extortion threat group "claimed to have stolen more than 7 million records containing personally identifiable information (PII) of Paraguayan citizens from three Paraguayan government systems."
Attackers demanded a ransom of approximately $7.4 million, which researchers observed was $1 for each of the country's citizens.
Instant messaging platforms like WhatsApp were also commonly used to impersonate financial institutions, logistics firms, and contacts.

An Uncertain Cyber Future for Latin American Member States
Intel 471 summarized its report by saying the territory's rapid digitalization outpaces its security maturity.
Tactical Metrics
* data breach: 7,000,000 records. Context: Also in June, the Brigada Cyber PMC data extortion threat group "claimed to have stolen more than 7 million records containing personally identifiable information (PII) of Paraguayan citizens from three Paraguayan government systems."
* financial: 450 ransomware breach events. Context: For example, Intel 471 reported more than 450 ransomware breach events in the region last year, marking a 78% increase over 2024.
* financial: 148,000,000 Brazilian reals. Context: Exploitation of its systems resulted in the diversion of 800 million Brazilian reals (approximately $148 million) from eight financial institutions.
* financial: 1 (researchers). Context: Attackers demanded a ransom of approximately $7.4 million, which researchers observed was $1 for each of the country's citizens.
Intelligence Sources
* Dark Reading, 2026-02-23
* Dark Reading, 2026-02-20: Latin America's Cyber Maturity Lags Threat Landscape
Incident Version History: current version, last updated 2026-04-27T07:12
Comprehensive Tactical Telemetry
Highly Correlated Entities
* 23x organisation, Identified Entity: Microsoft Excel (entity)
* 8x timeline, Temporal Reference: Jan. 26 (date)
* 6x target region, Target Region: MIDDLE_EAST (region)
* 6x tactic, Cyber Operation Type: Phishing (tactic)
* 6x general metric, %: 30 (%)
* 5x source region, Origin Country: Iran, Islamic Republic of (country)
* 5x industry, Targeted Sector: Energy (sector)
* 4x attribution, Attributing Entity: Ministry of Intelligence and Security (authority)
* 3x target region, Target Country: Iran, Islamic Republic of (country)
* 2x tactic, MITRE ATT&CK Technique: T1588.001 - Malware (technique)
* 2x campaign, Campaign: Operation Olalampo (operation)
Contextual Telemetry
Context Block (12 metrics)
* threat actor, APT Group: MuddyWater (actor)
* general metric, Intel: 471 (intel)
* source region, Origin Region: LATAM (region)
* data breach, Records: 7,000,000 (records)
* financial, Ransomware Breach Events: 450 (ransomware breach events)
* general metric, Initial Access Brokers: 200 (initial access brokers)
* general metric, Hacktivist Groups: 119 (hacktivist groups)
* general metric, Countries: 15 (countries)
* general metric, Brazilian Reals: 800,000,000 (Brazilian reals)
* financial, Brazilian Reals: 148,000,000 (Brazilian reals)
* general metric, Cyberattacks: 2,640 (cyberattacks)
* financial, Researchers: 1 (researchers)