A new campaign has been observed targeting Turkish governmental institutions (such as Tubitak) as well as private organizations. Researchers have associated the campaign with the Iranian MuddyWater APT, with high confidence.

About the attack campaign

According to Cisco Talos, Muddywater actors are using malicious PDFs and Microsoft Office documents as an initial infection vector.
  • The maldocs masquerade as genuine documents from the Turkish Health and Interior Ministries. 
  • This campaign uses malicious XLS files, Windows executables, and PDFs to deploy malicious PowerShell-based downloaders, allowing initial footholds into the targeted network.
  • It, subsequently, runs a series of scripts that serve as downloaders for additional payloads.
  • Moreover, the attackers used flags or canary tokens for signaling a successful infection by malicious artifacts. These tokens may be a tactic to evade sandbox detection.

Why is it a MuddyWater campaign?

Researchers connected these campaigns to MuddyWater based on technical indicators and the TTPs used in earlier campaigns by the group.
  • Code, along with metadata similarities in the scripts and maldocs used in the recent campaign, provide a high extent of resemblance to previously uncovered MuddyWater artifacts.
  • The infection chains have a close resemblance to those described in Secureworks’ report from 2020. Moreover, an IOC was observed as a key part of the infection chain that was used in previous MuddyWater campaigns.


Iran-related threat groups are operating malicious campaigns worldwide, which have only grown in intensity and volume. The MuddyWater group, particularly, has brought some twists to its tools and techniques of operation. Thus, organizations require in-depth and multi-layered security infrastructure to stay protected.
Cyware Publisher