#muddywater — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #muddywater, aggregated by home.social.
-
📰 Iranian APT MuddyWater Masquerades as Ransomware Group in Microsoft Teams-Based Espionage Campaign
⚠️ Iranian APT MuddyWater targets orgs via Microsoft Teams, posing as a ransomware group. The real goal: espionage & data theft. Attackers trick users in screen-shares to steal credentials, bypassing MFA. #MuddyWater #CyberEspionage #ThreatIntel
-
Iranian Hackers Target Electronics Maker in Global Espionage Push
Iran-linked hackers, known as MuddyWater, infiltrated a major South Korean electronics manufacturer's network for a week in February 2026, as part of a massive global cyber-espionage campaign targeting nine high-profile organizations across multiple sectors and countries.
#Muddywater #Seedworm #CyberEspionage #DllSideloading #Chromelevator
-
MuddyWater uses the Chaos ransomware as a false flag: Iran disguises state espionage as cybercrime
The Iranian APT group MuddyWater conducted a cyber-espionage operation disguised as a Chaos ransomware attack. Rapid7 reveals how Microsoft Teams was used to steal credentials and bypass MFA, with the real objective being data exfiltration and long-term persistence: not financial extortion.
-
Iran-Linked APT Exploits Ransomware Disguise for Espionage
MuddyWater, an Iran-linked APT group, has been caught exploiting a ransomware disguise to secretly infiltrate systems, using interactive tactics to harvest credentials and gain internal access. By masquerading as a Chaos ransomware affiliate, the group aimed to throw off detectives and cover its espionage tracks.
-
MuddyWater hackers exploit Chaos ransomware as cyber-espionage decoy
MuddyWater hackers have cleverly used Chaos ransomware as a decoy to mask their true intentions - and it's not about making a quick buck. Instead, their tactics suggest a more sinister goal, blurring the lines between state-sponsored espionage and cybercrime.
#Muddywater #Iran #Cyberespionage #Statesponsored #Ransomware
-
Iranian-Nexus Operation Against Oman's Government: 12 Ministries Hit and 26,000 Citizen Records Exposed
An exposed command and control server on RouterHosting infrastructure revealed an active Iranian-nexus intrusion campaign targeting twelve Omani government ministries. The operation primarily focused on the Ministry of Justice and Legal Affairs, deploying custom webshells that provided persistent access through April 2026. Over 26,000 user records containing judicial case data, committee decisions, and registry hives were exfiltrated. The attacker utilized ProxyShell exploits, DotNetNuke vulnerabilities, and custom Python scripts targeting Exchange servers, SQL databases, and Oracle systems. Infrastructure analysis revealed connections to spoofed Iranian diaspora media and censorship circumvention tools, with tactical overlaps indicating MOIS-linked groups such as APT34 and MuddyWater. The campaign specifically targeted judicial records, immigration systems, and citizen identity data across multiple government entities.
Pulse ID: 69fa3e5f84a20294f972fa64
Pulse Link: https://otx.alienvault.com/pulse/69fa3e5f84a20294f972fa64
Pulse Author: AlienVault
Created: 2026-05-05 19:00:47
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#APT34 #CyberSecurity #Government #InfoSec #Iran #MuddyWater #OTX #OpenThreatExchange #Proxy #Python #RAT #SQL #UK #bot #AlienVault
-
Iranian APT Seedworm Targets Global Organizations via Microsoft Teams
In late February 2026, following escalating Middle East tensions and coordinated military actions, Iranian APT group Seedworm launched sophisticated social engineering attacks via Microsoft Teams. Attackers impersonated IT support personnel using deceptive Microsoft 365 tenant domains to convince victims to execute malicious MSI installers. The campaign deployed a custom backdoor called Dindoor, which leveraged legitimate Deno runtime to execute obfuscated payloads in-memory, minimizing detection. The operation included multiple components for persistence, command-and-control communications, and data exfiltration. Infrastructure overlapped with previously reported MuddyWater operations. The attack demonstrates the group's evolution in using collaboration platforms as initial access vectors while combining dual-use tooling with living-off-the-land techniques to bypass traditional security controls.
Pulse ID: 69e2417dcac9587a626c98a2
Pulse Link: https://otx.alienvault.com/pulse/69e2417dcac9587a626c98a2
Pulse Author: AlienVault
Created: 2026-04-17 14:19:41
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BackDoor #CyberSecurity #InfoSec #Iran #Microsoft #MicrosoftTeams #MiddleEast #Military #MuddyWater #Nim #OTX #OpenThreatExchange #RAT #SeedWorm #SocialEngineering #Worm #bot #AlienVault
-
ChainShell: MuddyWater’s Russian MaaS Link
#MuddyWater #CastleRAT #TAG_150 #ChainShell #Dindoor
https://www.jumpsec.com/guides/chainshell-muddywater-russian-criminal-infrastructure/
-
Rapid7 Detection Coverage for Iran-Linked Cyber Activity
#MuddyWater #VoidManticore #HandalaHackTeam #CyberAv3ngers #Keymous+ #DieNet #NoName057(16) #CVE_2026_1281 #CVE_2024_4577 #CVE_2025_32433 #CVE_2025_52691 #CVE_2025_9316 #CVE_2026_21514
https://www.rapid7.com/blog/post/tr-detection-coverage-iran-linked-cyber-activity/
-
Iran's MuddyWater hackers breached US organizations and an Israeli department of a software firm using phishing and a new backdoor dubbed #Dindoor - All this, despite the ongoing conflict.
Read: https://hackread.com/iran-muddywater-hackers-us-dindoor-backdoor/
-
Iranian Use of Cybercriminal Tactics in Destructive Cyber Attacks: 2026 Updates
#MuddyWater #HandalaHackTeam #SicariiRansomware
https://www.halcyon.ai/ransomware-alerts/iranian-use-of-cybercriminal-tactics-in-destructive-cyber-attacks-2026-updates
-
Over 100 government organizations hit by a single, stealthy campaign. MuddyWater’s new Phoenix backdoor uses cutting-edge tactics to slip past top defenses. Could this signal a new era in cyber espionage?
#muddywater
#phoenixbackdoor
#statesponsored
#cyberespionage
#malwareanalysis
-
Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict
#MuddyWater #DCHSpy
https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware
-
Sophos MDR blocks and tracks activity from probable Iranian state actor “MuddyWater” – Source: news.sophos.com https://ciso2ciso.com/sophos-mdr-blocks-and-tracks-activity-from-probable-iranian-state-actor-muddywater-source-news-sophos-com/ #legitimateserviceabuse #SecurityOperations #ThreatResearch #nakedsecurity #0CISO2CISO #MuddyWater #phishing #STAC1171 #Atera #TA450 #MDR #RMM
-
Happy Tuesday everyone!
Proofpoint researchers observed activity from TA450 (AKA #MuddyWater) that involved social engineering and targeted Israeli employees. The researchers noticed a change in the adversary's #TTPs, moving from using a PDF with malicious attachments to putting the malicious link in the email body.
Taking this information into account, how can we hunt for this? Well, we can always look for Microsoft Office programs executing strange behavior such as spawning abnormal processes (especially the abuse of [LOLBINS]) or making network connections. Or, as a wise old man said back in 1986 "It's dangerous to go alone! Take this."
Potential Maldoc Execution Chain Observed
https://hunter.cyborgsecurity.io/research/hunt-package/b194088b-c846-4c72-a4b7-933627878db4
This hunt package has been designed to detect the aftermath of a successfully delivered and executed maldoc (Microsoft Office). Enjoy and Happy Hunting!
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #gethunting
-
#introduction
I’m Josh/Yoshi.
I work as a Senior Threat Researcher hunting for state-aligned cyber threat actors (aka APTs).
I focus on threats suspected of originating in the Middle East & North Africa region, primarily Iranian-aligned threats like #TA453 (#CharmingKitten), #TA450 (#Muddywater), and #TA456 (#Tortoiseshell). Before this, I did #threatIntel work in healthcare. Before that, I worked for the #FBI.
I live in Chicago(land) with 3 kids, 2 dogs and my beautiful wife.
I’m a huge fan of #StarWars and the #LAChargers
This seems like a pretty cool place, excited to see how it grows.