This report provides a detailed overview of phishing campaigns associated with the Iranian APT group MuddyWater (also known as Static Kitten or Mercury). These campaigns, active between February 2025 and October 2025, demonstrate the group’s persistence, technical consistency, and evolving tactics, techniques, and procedures (TTPs). The operations targeted Israel, Hungary, the United Arab Emirates (UAE), Azerbaijan, Turkmenistan, and diplomatic missions worldwide, reflecting MuddyWater’s broad geopolitical interests and regional intelligence priorities.
In our previous publication, the campaign was tentatively attributed to an Iranian-linked cluster sharing overlapping tactics, techniques, and procedures with several known groups. However, subsequent discoveries prompted a re-evaluation of the entire infrastructure, tooling, and operational workflow. This report presents a comprehensive re-analysis of ten interconnected attacks, including the recent intrusion against several entities, with the objective of achieving a conclusive and evidence-based attribution.
Through a detailed examination of command-and-control infrastructure, malware families, and email delivery mechanisms, we identified a unified operational fingerprint that matches MuddyWater (also known as Seedworm or Mercury). The consistent use of identical C2 response patterns, VBS loaders, and encoded staging logic across multiple regions, including the Middle East, Europe, and South Asia, indicates a single orchestrating entity.
This report, therefore, not only revisits earlier assumptions but establishes a definitive link between previously isolated incidents and MuddyWater’s long-standing espionage apparatus. By dissecting the actor’s infrastructure reuse, malware development lifecycle, and cross-operation TTPs, we present a clear and technically substantiated attribution narrative.
Overall, the nine attacks described in this report demonstrate that MuddyWater consistently employs the same infrastructure patterns, reuses malware tools, and replicates phishing templates across its operations. Together, these findings expose a well-coordinated campaign that underscores the group’s persistence and strategic focus on defense, government, education, and diplomatic sectors.
A total of nine attacks were investigated for attribution. Attribution across these campaigns was established through multiple technical pivots, summarized below:

| Identifier | Registration Timestamp, Registrar, and App.msi Template | Phishing Document Templates | Raw Hex to Bytes Decoding | Recurring “#success!” HTTP Fingerprint and Shared Hosting Providers | Code Similarity |
|---|---|---|---|---|---|
| #1 | Yes | Yes | Yes | – | – |
| #2 | Yes | – | – | – | – |
| #3 | – | Yes | – | Yes | – |
| #4 | – | – | Yes | – | – |
| #5 | – | – | – | Yes | Yes |
| #6 | – | – | – | Yes | Yes |
| #7 | – | – | – | – | Yes |
| #8 | – | – | – | – | Yes |
| #9 | – | – | – | – | Yes |
The following table summarizes each attack and its general description:

| Attack Alias | Description | Date |
|---|---|---|
| Attack #1: NetivTech | Targeted an Israeli defense supplier with a spoofed IIOSH document, delivering the LIGHTPHOENIX malware, attributed to the MuddyWater APT, through a Word-to-VBS dropper chain. Three distinct TTPs support attribution: the App.MSI landing page template, a phishing document spoofing IIOSH, and the HH decoding function. | Jun 2025 |
| Attack #2: ProcessPlanet | Infrastructure-only setup with no confirmed victims. The domain was registered simultaneously with Attack #1 and reused the App.MSI template. | Feb 2025 |
| Attack #3: Photosjournalism | Two dropper chains using shifted-hex decoding and distinctive “#success!” server responses. Phishing documents visually matched Attack #1. | Jun 2025 |
| Attack #4: Hungary Gov | Likely targeted the Hungarian government with government-themed phishing documents. Reused the HH decoding function and raw hex-to-bytes logic from Attack #1. | Apr 2025 |
| Attack #5: Diplomatic Missions | Global phishing attacks against embassies and consulates, delivered from a compromised Oman MFA mailbox. The operation deployed the sysProcUpdate malware, and the C2 server returned the distinctive “#success!” server response linked to MuddyWater. | Aug 2025 |
| Attack #6: UAE Marine Sector | Marine infrastructure-themed phishing. Delivered the sysProcUpdate malware by decoding three-digit numbers to ASCII, and the C2 server returned the distinctive “#success!” server response. | Aug 2025 |
| Attack #7: Azerbaijan Diplomatic | MuddyWater impersonated the Azerbaijan Investment Company (AIC) using a convincing Azerbaijani-language Word document. | Sep 2025 |
| Attack #8: The Micsoft Lure | MuddyWater used a Spanish-language CV phishing lure impersonating a UAE-based company to trick victims into enabling macros that deployed Miaza V2. | Sep 2025 |
| Attack #9: Seminar Lure | MuddyWater conducted regionally tailored seminar-themed phishing attacks targeting at least Oman and Egypt. | Oct 2025 |
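The table above names two staging encodings (raw hex-to-bytes in Attacks #1 and #4, three-digit decimal ASCII codes in Attack #6) and the “#success!” C2 response fingerprint. The following triage helper is an added example written for this summary, not code from the report or from the actor’s samples; the VBS-like snippet and HTTP bodies it inspects are constructed placeholders, and the loader it decodes here resolves to a harmless URL so the logic can be checked by hand.

```python
import re
import string

# Constructed VBS-like snippet (made up for this example, not a MuddyWater
# sample) carrying the two encodings the report names: a raw hex string and
# a run of three-digit decimal ASCII codes, plus one ordinary literal.
SAMPLE_LOADER = r'''
Dim a: a = "68656c6c6f20776f726c64"
Dim b: b = "104116116112115058047047101120097109112108101046116101115116"
Dim c: c = "plain text, not encoded"
'''

QUOTED_RE = re.compile(r'"([^"]{16,})"')   # quoted literals of 16+ chars
PRINTABLE = set(string.printable)


def classify_literal(s):
    """Return ('dec', text), ('hex', bytes) or None for one quoted literal.

    Three-digit decimal runs are tested first: an all-digit string is also
    valid hex, so decoding it as hex would silently yield junk bytes.
    """
    if s.isdigit() and len(s) % 3 == 0:
        codes = [int(s[i:i + 3]) for i in range(0, len(s), 3)]
        if all(c < 128 and chr(c) in PRINTABLE for c in codes):
            return ('dec', bytes(codes).decode('ascii'))
    if len(s) % 2 == 0 and all(ch in string.hexdigits for ch in s):
        return ('hex', bytes.fromhex(s))
    return None


def extract_encoded_strings(text):
    """Decode every quoted literal that matches either staging encoding."""
    found = []
    for m in QUOTED_RE.finditer(text):
        result = classify_literal(m.group(1))
        if result is not None:
            found.append(result)
    return found


SUCCESS_MARK = b"#success!"


def has_success_fingerprint(body):
    """True when an HTTP response body carries the '#success!' marker the
    report associates with the group's C2 servers (useful over proxy captures)."""
    return SUCCESS_MARK in body


if __name__ == "__main__":
    for kind, value in extract_encoded_strings(SAMPLE_LOADER):
        print(kind, value)
```

Run against a captured VBS dropper, `extract_encoded_strings` surfaces the staged strings without executing the script, and `has_success_fingerprint` can be applied to response bodies from a web proxy log to flag the C2 pattern.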
The campaign exposes MuddyWater’s ongoing operations against Israel and regional governments, targeting defence, government, and educational institutions. These findings highlight MuddyWater’s continued activity and its use of multi-vector phishing chains.
All attacks documented in this report are linked to MuddyWater based on the supporting technical evidence shared and detailed in this report.
Dream recommends the following actions to prevent a similar attack from succeeding:
Enforce firewall rules to block outbound connections to known MuddyWater C2 domains (see IoC table below).
The CTI analysis includes the following IoCs: