Iranian Hackers New Malware Campaign Targeting Turkey and Arabian Peninsula

A new swarm of malicious attacks has been detected targeting Turkey and the Arabian Peninsula to deploy a remote access trojan. The success of these attacks have been attributed to the state-sponsored threat actor known as MuddyWater.

Muddywater, a hacking entity, is full of resources and they use them in many different ways. They use their tactics to target many different entities and they sub-divide themselves into smaller groups.

Iran is often accused of launching cyberattacks on the U.S., Israel, and other Western countries. In one case, the U.S. Cyber Command attributed an attack to the country’s Ministry of Intelligence and Security, which is also known as MOIS.

One cybersecurity firm noted that MuddyWater is not a single group of hackers but rather multiple teams operating independently. The umbrella of MuddyWater is akin to that of Winnti, a China-based advanced persistent threat.

SloughRAT, an advanced remote access trojan, is among the malware-laced documents delivered via phishing messages that hackers have recently deployed. SloughRAT can execute arbitrary code and commands that it receives from its command-and-control servers.


A malicious macro hidden in an Excel file is what triggers the infection chain. The first Windows Script File (.WSF) executes the next-stage payload, while the second one acts as a facilitator of the code.

In addition to the previously discovered Visual Basic and JavaScript-based script-implanted malicious code, there are two new finds, one written in Visual Basic and the other coded in JavaScript. Both of these scripts have the same goal: downloading and running a malicious command on its host.

In November 2021, a new campaign using PowerShell-based backdoors to gather information from Turkish organizations hit private institutions and governmental bodies. This new campaign is slightly different from the campaign in March 2021, but they do share some similarities.

The attackers are all using the same techniques. What does that mean? It’s possible that these attacks are related and maybe even coordinated. The attackers might be uniting to share more tactics, techniques, and procedures (TTPs). This is often seen in teams of people working together.


Image Source:


In an attack sequence observed by Cisco Talos, the adversary used a task scheduler to set up timed sessions with VBS-based malicious downloaders. They are used for executing payloads retrieved from remote servers, which then in turn report back to the C2.

Researchers found various similarities between the Muddywater attack on Epsilon and Muddywater’s attacks on RSA, Google and others.