Since the beginning of 2025, cybersecurity teams have recognized a significant resurgence in activities linked to MuddyWater, an Iranian state-sponsored advanced persistent threat (APT) actor.
Having initially relied on widespread exploitation of remote monitoring and management (RMM) vulnerabilities, the group has shifted to sharply focused campaigns that use custom backdoors and multi-stage payloads engineered to evade detection.
Rather than depending solely on off-the-shelf tools, the adversary has broadened its toolset to include tailored implants such as BugSleep, StealthCache, and the Phoenix backdoor.
These components work together to establish covert footholds, exfiltrate sensitive data, and hide infrastructure behind commercial services at scale.
Attack strategies continue to revolve around spear-phishing emails that embed harmful Microsoft Office documents.
Targets receive deceptive documents embedded with VBA macros that drop and execute secondary payloads from Cloudflare-protected domains.
Compromised hosts then communicate with command-and-control (C2) servers hosted across both mainstream and bulletproof providers, from AWS and DigitalOcean to Stark Industries, before the operators move the communication behind Cloudflare proxies to hide the origin IPs.
Group-IB analysts observed that Cloudflare's reverse-proxy service makes tracing active C2 endpoints considerably harder, because all traffic appears to originate from shared Cloudflare hosts.
Initial loader
Upon execution, the initial loader (commonly named wtsapi32.dll) decrypts the StealthCache backdoor and injects it into legitimate processes.
StealthCache establishes a pseudo-TLV protocol over HTTPS, exchanging encrypted commands at the endpoint /aq36 and reporting errors at /q2qq32.
Group-IB analysts discovered custom XOR routines that derive the decryption key dynamically from the victim's device name and username strings, so the payload does not decrypt correctly in a sandbox whose hostname and username differ from the victim's, which hinders analysis.
In its latest operational phase, MuddyWater's multi-stage methodology has delivered three payloads: an initial VBA dropper, a loader such as Fooder, and a feature-rich backdoor such as StealthCache.
Upon receiving a command code, StealthCache performs actions ranging from interactive shells to file exfiltration:
```c
// Decrypt function snippet: repeating-key XOR over the payload buffer
#include <stdint.h>
#include <stddef.h>
#include <string.h>

void decrypt_payload(uint8_t *buffer, size_t size, const char *key) {
    size_t key_len = strlen(key);          // hoisted out of the loop
    for (size_t i = 0; i < size; ++i) {
        buffer[i] ^= key[i % key_len];     // cycle the key across the buffer
    }
}
```
The Phoenix backdoor is then deployed from the loader's memory space. Phoenix registers with its C2 via /register, then periodically sends beacons to /imalive and polls /request for further instructions.
This modular architecture facilitates effortless command updates and payload replacements without writing to disk, enhancing persistence and minimizing forensic traces.
By utilizing Cloudflare to obscure true server endpoints and integrating dynamic decryption keyed to host identifiers, MuddyWater has engineered a robust, multi-stage infection chain that remains elusive to network defenders.
Continuous monitoring of Cloudflare-fronted domains, together with analysis of unique mutex names and C2 URL patterns, is essential for detecting new campaigns and protecting critical infrastructure.
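As an added defensive example (not code from the Group-IB report), the following script scans proxy-log lines for the StealthCache and Phoenix C2 paths named above; the log format, host names and client addresses are constructed assumptions. It alerts on the distinctive StealthCache paths alone, but only flags Phoenix when one client completes the full register/beacon/poll cycle against a single host, since those three paths are common on benign web applications.

```python
"""Scan proxy access logs for the StealthCache and Phoenix C2 URL patterns.
Log format and sample lines are constructed for this example."""
import re
from collections import defaultdict

# Paths from the report. StealthCache paths are distinctive enough to alert on
# alone; Phoenix's are generic, so a client is flagged only when it touches
# all three against the same destination host.
STEALTHCACHE_PATHS = {"/aq36", "/q2qq32"}
PHOENIX_PATHS = {"/register", "/imalive", "/request"}

# Constructed format: "<timestamp> <client_ip> <METHOD> <absolute url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) https?://([^/\s]+)(/[^?#\s]*)\S* (\d{3})$")

def parse(line):
    """Return (client, host, path) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return (m.group(2), m.group(4), m.group(5)) if m else None

def scan(lines):
    """Return a sorted list of (client, host, implant) alerts."""
    alerts = set()
    phoenix_seen = defaultdict(set)  # (client, host) -> Phoenix paths seen so far
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        client, host, path = rec
        if path in STEALTHCACHE_PATHS:
            alerts.add((client, host, "StealthCache"))
        elif path in PHOENIX_PATHS:
            phoenix_seen[(client, host)].add(path)
            if phoenix_seen[(client, host)] == PHOENIX_PATHS:
                alerts.add((client, host, "Phoenix"))
    return sorted(alerts)

# Constructed sample: one StealthCache hit, one full Phoenix cycle, and a benign
# host that serves /register and /request but never /imalive (must not fire).
SAMPLE_LOG = [
    "2025-03-01T10:00:01Z 10.0.0.5 POST https://cdn-update.example/aq36 200",
    "2025-03-01T10:00:02Z 10.0.0.5 POST https://cdn-update.example/q2qq32?e=1 200",
    "2025-03-01T10:05:00Z 10.0.0.9 POST https://files-sync.example/register 200",
    "2025-03-01T10:06:00Z 10.0.0.9 GET https://files-sync.example/imalive 200",
    "2025-03-01T10:07:00Z 10.0.0.9 GET https://files-sync.example/request 200",
    "2025-03-01T10:08:00Z 10.0.0.7 POST https://intranet.example/register 302",
    "2025-03-01T10:09:00Z 10.0.0.7 GET https://intranet.example/request 200",
]

if __name__ == "__main__":
    for client, host, implant in scan(SAMPLE_LOG):
        print(f"{client} -> {host}: {implant} C2 pattern")
```

Because the C2 sits behind Cloudflare, the destination host alone is a weak pivot; correlating the path pattern with the originating client is what makes the hit actionable.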