A recent cyber campaign, reminiscent of MuddyWater, has been observed targeting over 12,000 internet-facing systems globally, with a particular focus on high-value sectors in the Middle East. The campaign has primarily affected aviation, energy, and government industries, with data theft confirmed from an Egyptian aviation entity.
Initial Reconnaissance and Exploited Vulnerabilities
The campaign commenced in early February 2025, a time marked by increasing geopolitical tensions in the region. Attackers employed a systematic, multi-stage strategy, beginning with an extensive vulnerability scan. This phase targeted a range of systems, including web applications and IT management platforms, through five newly disclosed Common Vulnerabilities and Exposures (CVEs).
The specific vulnerabilities exploited were CVE-2025-54068 (Laravel Livewire RCE), CVE-2025-52691 (SmarterMail RCE), CVE-2025-68613 (n8n RCE), CVE-2025-9316 (Unauthenticated Session ID Generation in RMM systems), and CVE-2025-34291 (Langflow RCE).
Credential Harvesting and Data Exfiltration
Following the reconnaissance phase, the attackers shifted towards credential harvesting, utilizing Outlook Web Access (OWA) brute-force attacks. Tools like owa.py and Patator facilitated these attacks, which targeted organizations in Egypt, Israel, and the UAE. In a notable incident, an Egyptian firefighting company’s employee credentials were compromised, and administrative account lists were obtained from a UAE organization.
The operation progressed to confirmed data exfiltration from an Egyptian aviation company, with attackers staging roughly 200 files containing sensitive information such as passport and visa records, payroll data, and corporate documents. The campaign’s reach extended beyond the Middle East, affecting entities in Portugal and India.
Complex Command and Control Infrastructure
Central to this campaign was a sophisticated Command and Control (C2) framework, designed to maintain operational resilience. Oasis Security’s analysis revealed a multi-layered C2 architecture using various programming languages and communication protocols, making it challenging to disrupt.
The C2 system included Python-based controllers like tcp_serv.py and udp_3.0.py, alongside Go-based binaries. The tcp_serv.py controller managed inbound connections over TCP port 5009, using a custom packet header format that was consistent across the infrastructure.
This campaign highlights significant cybersecurity challenges, particularly given its timing amid geopolitical unrest. Organizations in critical sectors must bolster their defenses to mitigate such sophisticated threats.
