Since early 2025, cybersecurity groups have noticed a marked resurgence in operations attributed to MuddyWater, an Iranian state–sponsored superior persistent menace (APT) actor.
Rising initially via broad distant monitoring and administration (RMM) exploits, the group has pivoted to extremely focused campaigns using customized malware backdoors and multi-stage payloads designed to evade detection.
Slightly than relying solely on off-the-shelf instruments, the adversary has expanded its arsenal to incorporate bespoke implants equivalent to BugSleep, StealthCache, and the Phoenix backdoor.
These parts work in live performance to determine covert footholds, extract delicate information, and masks infrastructure utilizing industrial companies at scale.
Assault vectors proceed to middle on spear-phishing emails embedding malicious Microsoft Workplace paperwork.
Risk actor profile (Supply – Group-IB)
Victims obtain decoy paperwork laced with VBA macros that drop and execute secondary payloads from Cloudflare-protected domains.
Contaminated hosts then attain out to command-and-control (C2) servers hosted throughout mainstream and bulletproof suppliers—starting from AWS and DigitalOcean to Stark Industries—earlier than shifting communication behind Cloudflare proxies to obscure origin IPs.
Group-IB analysts famous that Cloudflare’s reverse-proxy service dramatically will increase the problem of monitoring energetic C2 endpoints, as all site visitors seems to originate from shared Cloudflare hosts.
Preliminary loader
Upon execution, the preliminary loader (generally named wtsapi32.dll) decrypts and injects the StealthCache backdoor into official processes.
An infection Chain (Supply – Group-IB)
StealthCache establishes a pseudo-TLV protocol over HTTPS, sending and receiving encrypted instructions at endpoint /aq36 and reporting errors at /q2qq32.
Group-IB analysts recognized customized XOR routines that dynamically derive decryption keys from the sufferer’s machine and username strings, thwarting sandbox evaluation when executed on mismatched hosts.
In its newest operational section, MuddyWater’s multi-stage strategy has delivered a trio of payloads: an preliminary VBA dropper, a loader equivalent to Fooder, and a feature-rich backdoor like StealthCache.
Upon receiving a command code, StealthCache executes actions starting from interactive shells to file exfiltration:
// Decrypt operate snippet
void decrypt_payload(uint8_t *buffer, size_t dimension, const char *key) {
for (size_t i = 0; i
Subsequently, the Phoenix backdoor is deployed from the loader’s reminiscence area. Phoenix registers with its C2 through /register, then periodically posts beacons to /imalive and polls /request for additional directions.
This modular design permits seamless command updates and payload swaps with out writing to disk, reinforcing persistence and minimizing forensic artifacts.
By leveraging Cloudflare to masks true server endpoints and integrating dynamic decryption keyed to host identifiers, MuddyWater has crafted a resilient, multi-stage an infection chain that is still elusive to community defenders.
Steady monitoring of Cloudflare-associated domains, alongside vigilant evaluation of distinctive mutex names and C2 URL patterns, is important for preempting new campaigns and safeguarding essential infrastructure.
Free dwell webinar on new malware ways from our analysts! Be taught superior detection strategies -> Register for Free
