Muddyc2go

Malware Profile Updated 3 months ago
MuddyC2Go is a new malware that has been linked to the Iranian state-backed threat operation MuddyWater. The first evidence of malicious activity was the execution of PowerShell code that connected to a command-and-control (C2) framework known as MuddyC2Go; this infrastructure is associated with Seedworm, an advanced persistent threat group. MuddyC2Go, a successor to MuddyC3 and PhonyC2, shows Iran's rapidly improving malicious cyber capabilities, and its deployment marks a significant shift in strategy following the exposure of the source code of its predecessor, PhonyC2. MuddyC2Go was first seen in attacks against Israel in November 2023, as part of a broader pattern of MuddyWater activity aimed at disrupting operations and stealing valuable information. Beyond Israel, the telecommunications sector in Egypt, Sudan, and Tanzania has also been targeted using this C2 framework. The malware is delivered via a PowerShell launcher; once inside a system, it establishes contact with an actor-controlled server, granting the attackers remote access. While the full extent of MuddyC2Go's capabilities remains unknown, several tools used alongside it have been identified: the SimpleHelp remote management software, used for continuous access to compromised devices and command execution, and the Venom Proxy software, used to manage intranet-connected devices. The use of MuddyC2Go underscores the evolving threat landscape and the need for constant vigilance and robust cybersecurity measures.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Phonyc2 | 1 | PhonyC2 is a malware, specifically a command-and-control framework, that has been used by the Iranian-based cyber-espionage group MuddyWater since at least 2021. This software was designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. O
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Proxy
Tool
Malware
PowerShell
Symantec
Simplehelp
Github
Associated Malware
ID | Type | Votes | Profile Description
Venom Proxy | Unspecified | 1 | Venom Proxy is a malicious software (malware) that has been associated with Seedworm, a cyber espionage group, since mid-2022. It is a multi-hop proxy tool developed for penetration testers and is written in Go. This malware, often used as Seedworm's "tool of choice," can infiltrate systems via susp
Venom | Unspecified | 1 | Venom is a malicious software (malware) that has been associated with Seedworm, a cyber-espionage group, since at least mid-2022. As per Microsoft's August 2022 blog post, Venom is Seedworm's "tool of choice". The malware uses several tools such as Venom RAT v6.0.3, SimpleHelp remote access tool, an
Associated Threat Actors
ID | Type | Votes | Profile Description
MuddyWater | Unspecified | 2 | MuddyWater is an advanced persistent threat (APT) group, also known as Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros. This threat actor has been linked to the Iranian Ministry of Intelligence and Security (MOIS) according to a joint advisory from cybersecurity firms. The group empl
Seedworm | Unspecified | 2 | Seedworm, also known as MuddyWater, TEMP.Zagros, Static Kitten, and several other monikers, is a threat actor believed to be linked with Iran's Ministry of Intelligence and Security (MOIS). This cyberespionage group has been active since 2017, targeting various sectors globally, including government
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Muddyc2go malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | 9 months ago | Ukraine's power grid targeted by Sandworm hackers last year
CERT-EU | 9 months ago | Israel subjected to Charming Kitten attacks
InfoSecurity-magazine | 9 months ago | Israeli Entities Under Attack By MuddyWater's Advanced Tactics
CERT-EU | 9 months ago | Iran's MuddyWater Targets Israel in New Spear-Phishing Cyber Campaign
CERT-EU | 7 months ago | Iranian Hackers Using MuddyC2Go in Telecom Espionage Attacks Across Africa | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU | 7 months ago | MuddyWater targets African telecommunications companies
DARKReading | 7 months ago | Iranian 'Seedworm' Cyber Spies Target African Telcos & ISPs
CERT-EU | 7 months ago | Seedworm: Iranian Hackers Target Telecoms Orgs in North and East Africa