MuddyWater, the Iranian state-sponsored threat actor, has been linked to a new wave of attacks aimed at Turkey and the Arabian Peninsula. The aim of this campaign is to deploy RATs on compromised systems.

Ongoing attacks

According to Cisco Talos, the highly motivated MuddyWater is working as an umbrella group to support multiple other groups.
  • The recent wave of attacks launched by the hacking crew distributed malware-laced documents through phishing messages to deploy SloughRAT.
  • The threat group is believed to have used unauthorized access to carry out espionage and theft of intellectual property by deploying ransomware and destructive malware on targeted networks.

Infection chain

While investigating attacks, researchers discovered the use of a simple yet tricky infection chain to carry out the attack.
  • An Excel file laden with a malicious macro triggers the infection chain to drop two Windows Script files on the endpoint, with the first one executing the next-stage payload.
  • Further, two additional script-based implants were discovered, one coded in JavaScript and the other written in Visual Basic. Both are developed to download and execute arbitrary code and malicious commands on the networks of the targeted host.
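
A detection sketch for the chain described above, added here as an example and not taken from Cisco Talos or the original article: it correlates an Excel process writing script files with a Windows script host running one of them shortly afterwards. The event records are constructed and use Sysmon-style fields (EventID 11 FileCreate, EventID 1 ProcessCreate); the host names, file names and 10-minute window are assumptions.

```python
from datetime import datetime, timedelta
import ntpath

SCRIPT_EXT = {".wsf", ".vbs", ".js"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed sample events (not from any real incident), using Sysmon-style
# fields: EventID 11 = FileCreate, EventID 1 = ProcessCreate.
EVENTS = [
    {"ts": "2022-03-01T09:00:05", "host": "ws01", "EventID": 11,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "TargetFilename": r"C:\ProgramData\sample_a.wsf"},
    {"ts": "2022-03-01T09:00:06", "host": "ws01", "EventID": 11,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "TargetFilename": r"C:\ProgramData\sample_b.wsf"},
    {"ts": "2022-03-01T09:01:10", "host": "ws01", "EventID": 1,
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\ProgramData\sample_a.wsf"'},
    {"ts": "2022-03-01T09:02:00", "host": "ws02", "EventID": 1,
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe C:\IT\logon_inventory.wsf'},  # benign: not dropped by Excel
]

def detect(events):
    """Return alerts where a script host runs a script Excel wrote shortly before."""
    dropped = {}   # (host, lowercased path) -> time Excel wrote it
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        proc = ntpath.basename(ev["Image"]).lower()
        if ev["EventID"] == 11 and proc == "excel.exe":
            path = ev["TargetFilename"].lower()
            if ntpath.splitext(path)[1] in SCRIPT_EXT:
                dropped[(ev["host"], path)] = ts
        elif ev["EventID"] == 1 and proc in SCRIPT_HOSTS:
            cmd = ev["CommandLine"].lower()
            for (host, path), written in dropped.items():
                if host == ev["host"] and path in cmd and ts - written <= WINDOW:
                    alerts.append({"host": host, "script": path,
                                   "dropped_by_excel": sum(h == host for h, _ in dropped),
                                   "delay_s": int((ts - written).total_seconds())})
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The routine script run on ws02 produces no alert because no Office process wrote that file, which is what keeps the rule usable on hosts where script hosts run legitimately.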

Additional insights

  • The recent intrusions appear to be a continuation of a November 2021 campaign targeting Turkish entities. In fact, the attacks overlap in TTPs and regional targeting with the MuddyWater campaigns from March 2021.
  • The similarities in tactics and techniques make it more likely that these attacks are distinct, yet have some connection with each other. Possibly they are sharing TTPs among different campaigns in the form of coordinated operational teams working separately.


MuddyWater has now become a conglomerate of multiple teams operating separately with different goals. The recent wave of malicious activities shows the group's interest in the region and geopolitics.
Cyware Publisher