PhonyC2

Malware Profile Updated 3 months ago
PhonyC2 is a command-and-control (C2) framework used by the Iran-based cyber-espionage group MuddyWater since at least 2021. Like any C2 framework, it gives operators remote access to hosts that have already been compromised so that they can run commands, stage follow-on payloads and collect data. The Deep Instinct Threat Lab published a technical deep dive into PhonyC2 after observing its use in an attack on the Israeli research institute Technion; it considers PhonyC2 the successor to MuddyC3 and POWERSTATS.

The source code of PhonyC2 was leaked in early 2023, and MuddyWater changed its tooling in response: the group developed a new C2 framework, MuddyC2Go, written in Go, which replaced the exposed PhonyC2 infrastructure. MuddyC2Go contains an embedded PowerShell script that connects to the group's C2 server on its own (Seedworm is Symantec's name for MuddyWater), so no operator has to execute anything by hand on the victim, and it gives the attackers remote access to victim machines.

In November 2023 MuddyWater used MuddyC2Go in attacks against Israel, the first known deployment of the framework. Its full capabilities are not yet known, but its deployment represents a significant step in Iran's offensive cyber capabilities, and continued monitoring of these evolving tools is needed to understand their impact and to develop effective countermeasures.
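The behaviour described above, a PowerShell stage that runs without operator interaction and immediately reaches out to a C2 server, is something defenders can look for in endpoint telemetry regardless of which framework is behind it. The Python below is an added example written for this page; it is not code from Deep Instinct, Symantec or any MuddyWater tooling, and it contains no indicators from the reported intrusions. It correlates constructed Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records by ProcessGuid and flags PowerShell that was launched with evasion-style switches and then opened a connection to a routable address within a short window of starting. All GUIDs, paths, times and the command-line blob are made up; 8.8.8.8 is used only as a placeholder routable address.

```python
import ipaddress
from datetime import datetime

# Constructed Sysmon-style records (Event ID 1 = process creation, Event ID 3 =
# network connection). GUIDs, times, paths, the encoded blob and the addresses
# are invented for this example; none is an indicator from a real intrusion.
SAMPLE_EVENTS = [
    # A: hidden PowerShell with an encoded command that beacons out within seconds
    {"EventID": 1, "UtcTime": "2024-01-10 09:00:00", "ProcessGuid": "{proc-a}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -nop -ep bypass -enc SQBFAFgAIAAoAA==",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"EventID": 3, "UtcTime": "2024-01-10 09:00:02", "ProcessGuid": "{proc-a}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationIp": "8.8.8.8", "DestinationPort": 443},  # placeholder routable address
    # B: a routine scheduled script talking to an internal file server
    {"EventID": 1, "UtcTime": "2024-01-10 09:05:00", "ProcessGuid": "{proc-b}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 3, "UtcTime": "2024-01-10 09:05:01", "ProcessGuid": "{proc-b}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 445},
    # C: hidden-window PowerShell whose first external connection comes much later
    {"EventID": 1, "UtcTime": "2024-01-10 09:10:00", "ProcessGuid": "{proc-c}",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": r"pwsh.exe -w hidden -File C:\tools\monitor.ps1",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "UtcTime": "2024-01-10 09:20:00", "ProcessGuid": "{proc-c}",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "DestinationIp": "8.8.8.8", "DestinationPort": 443},
    # D: a connection with no matching process-creation record (incomplete telemetry)
    {"EventID": 3, "UtcTime": "2024-01-10 09:30:00", "ProcessGuid": "{proc-d}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationIp": "8.8.8.8", "DestinationPort": 80},
]


def _parse_time(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def powershell_flags(command_line):
    """Return the evasion-style PowerShell switches present on a command line."""
    tokens = command_line.lower().split()
    reasons = []
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if tok in ("-e", "-ec", "-enc", "-encodedcommand"):
            reasons.append("encoded command")
        elif tok in ("-nop", "-noprofile"):
            reasons.append("no profile")
        elif tok in ("-w", "-windowstyle") and nxt == "hidden":
            reasons.append("hidden window")
        elif tok in ("-ep", "-executionpolicy") and nxt == "bypass":
            reasons.append("execution policy bypass")
    return reasons


def detect_auto_beaconing(events, window_seconds=60):
    """Flag PowerShell processes started with evasion switches that open an
    outbound connection to a globally routable address within window_seconds
    of launch. Events are matched on ProcessGuid, as Sysmon records them."""
    starts = {}
    for ev in events:
        if ev["EventID"] == 1 and ev["Image"].lower().endswith(("powershell.exe", "pwsh.exe")):
            starts[ev["ProcessGuid"]] = ev
    alerts = []
    for ev in events:
        if ev["EventID"] != 3:
            continue
        start = starts.get(ev["ProcessGuid"])
        if start is None:
            continue  # no process context, so how it was launched is unknown
        if not ipaddress.ip_address(ev["DestinationIp"]).is_global:
            continue  # internal, loopback or reserved destination
        elapsed = (_parse_time(ev["UtcTime"]) - _parse_time(start["UtcTime"])).total_seconds()
        if not 0 <= elapsed <= window_seconds:
            continue
        reasons = powershell_flags(start["CommandLine"])
        if not reasons:
            continue
        alerts.append({
            "ProcessGuid": ev["ProcessGuid"],
            "Parent": start["ParentImage"],
            "Destination": f'{ev["DestinationIp"]}:{ev["DestinationPort"]}',
            "SecondsAfterStart": elapsed,
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_auto_beaconing(SAMPLE_EVENTS):
        print(alert)
```

Only process A is flagged with the default window: B's destination is internal, C's external connection comes ten minutes after launch, and D has no process-creation record to judge. Widening the window to 900 seconds also catches C, which is the usual tuning trade-off between catching slow-starting stages and alerting on ordinary scripts.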
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
MuddyC2Go (1 vote): MuddyC2Go is a new malware that has been linked to the Iranian state-backed threat operation MuddyWater. The first evidence of malicious activity was identified through the execution of PowerShell code, which connected to a command-and-control (C2) framework known as MuddyC2Go. This infrastructure i
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Iran, State Sponso..., PowerShell, Domains
Associated Malware
MuddyC3 (type unspecified, 1 vote): no description.
POWERSTATS (type unspecified, 1 vote): PowerStats is a malicious software (malware) created by the MuddyWater cyberespionage group, which is linked to Iran. This malware, written in PowerShell, was designed to exploit and damage computer systems, often infiltrating them without the user's knowledge through suspicious downloads, emails, o
Associated Threat Actors
Seedworm (type unspecified, 1 vote): Seedworm, also known as MuddyWater, TEMP.Zagros, Static Kitten, and several other monikers, is a threat actor believed to be linked with Iran's Ministry of Intelligence and Security (MOIS). This cyberespionage group has been active since 2017, targeting various sectors globally, including government
MuddyWater (type unspecified, 1 vote): MuddyWater is an advanced persistent threat (APT) group, also known as Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros. This threat actor has been linked to the Iranian Ministry of Intelligence and Security (MOIS) according to a joint advisory from cybersecurity firms. The group empl
Associated Vulnerabilities
No associations to display
Source Document References
Information about the PhonyC2 malware was read from the documents in the corpus below. This display is limited to 20 results.
Source (created): Title
CERT-EU (a year ago): Cyber security week in review: June 30, 2023
CERT-EU (9 months ago): MuddyWater eN-Able spear-phishing with new TTPs | Deep Instinct Blog
CERT-EU (a year ago): Signs of MuddyWater Developments Found in the DNS
CERT-EU (7 months ago): Iranian Hackers Using MuddyC2Go in Telecom Espionage Attacks Across Africa | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU (7 months ago): Seedworm: Iranian Hackers Target Telecoms Orgs in North and East Africa
CERT-EU (9 months ago): Iran's MuddyWater Targets Israel in New Spear-Phishing Cyber Campaign
Checkpoint (a year ago): 3rd July – Threat Intelligence Report - Check Point Research
CERT-EU (9 months ago): Ransomware, state-sponsored attacks, AI-powered cyber threats surged in H1 2023
CERT-EU (8 months ago): Israel subjected to Charming Kitten attacks
CERT-EU (8 months ago): Ukraine's power grid targeted by Sandworm hackers last year
CERT-EU (a year ago): From MuddyC3 to PhonyC2: Iran's MuddyWater Evolves with a New Cyber Weapon – GIXtools