MuddyWater Exposed: Inside an Iranian APT operation
ID: 85172ce3-3b59-50ec-904e-a1ad4f6e3b3a
STIX ID: report--85172ce3-3b59-50ec-904e-a1ad4f6e3b3a
Feed Name: Ctrl-Alt-Int3l
Ctrl-Alt-Intel exposed a MuddyWater (Iranian MOIS-linked) operation by dumping C2 tooling, scripts, logs, and victim data from an exposed VPS. The report documents reconnaissance with Shodan, Nuclei and subdomain-enumeration tools; exploitation of numerous CVEs in Fortinet, Ivanti and Exchange products, among others, as well as novel SQL injection; custom C2 frameworks (KeyC2, PersianC2, ArenaC2); a Node.js/Ethereum-based bot (Tsundere) that resolves its C2 address via smart contracts; multiple exfiltration channels (Wasabi S3, put.io, EC2, a Flask receiver); and victims across Israel, Jordan, Egypt, UAE, Portugal, and the US. It provides IOCs and MITRE ATT&CK mappings.
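Two of the behaviours summarised above are hunt-able from ordinary web-proxy telemetry without any of the report's IOCs: a bot that resolves its C2 via an Ethereum smart contract must issue JSON-RPC `eth_call` requests to some Ethereum node, and exfiltration to Wasabi S3 or put.io shows up as large uploads to those services. The following is an added example of such a hunt, not code from the report or from MuddyWater's tooling. The log format, the RPC hostname, the contract address, the allowlist of hosts permitted to talk to Ethereum nodes, the Wasabi/put.io hostname patterns and the 1 MB upload threshold are all assumptions for illustration; the log lines are constructed.

```python
"""Hunt constructed proxy records for smart-contract C2 lookups and cloud-storage exfil.

Added example, not from the Ctrl-Alt-Int3l report. Hostnames, thresholds and the
allowlist below are assumptions, not IOCs.
"""
import json
import re

# Assumption: hosts that are legitimately expected to talk to Ethereum RPC nodes.
ETH_RPC_ALLOWED_SOURCES = {"dev-blockchain-01"}

# Assumption: storage endpoints for the exfil channels the summary names
# (Wasabi S3 and put.io). Exact hostnames are assumed, not taken from the report.
EXFIL_HOST_PATTERNS = [
    re.compile(r"(^|\.)wasabisys\.com$"),
    re.compile(r"(^|\.)put\.io$"),
]
EXFIL_MIN_BYTES = 1_000_000  # assumed threshold: flag uploads of 1 MB or more

# Constructed JSON-RPC body: an eth_call against an assumed contract address.
_ETH_CALL_BODY = json.dumps({
    "jsonrpc": "2.0", "id": 1, "method": "eth_call",
    "params": [{"to": "0x" + "ab" * 20, "data": "0x20965255"}, "latest"],
})

# Constructed proxy log: tab-separated ts, src, method, host, path, bytes_out, body.
SAMPLE_LOG = [
    "2025-01-10T08:00:01Z\tws-finance-17\tPOST\tmainnet.example-rpc.net\t/\t412\t" + _ETH_CALL_BODY,
    "2025-01-10T08:00:05Z\tdev-blockchain-01\tPOST\tmainnet.example-rpc.net\t/\t412\t" + _ETH_CALL_BODY,
    "2025-01-10T08:01:30Z\tws-finance-17\tPUT\ts3.wasabisys.com\t/backup-4711/dump.7z\t52428800\t",
    "2025-01-10T08:02:00Z\tws-finance-17\tGET\tupdates.example.org\t/index.html\t0\t",
    "2025-01-10T08:03:00Z\tws-hr-03\tPOST\tapi.put.io\t/v2/files/upload\t2048\t",
]


def parse_line(line):
    """Split one proxy record into a dict; the body is the last, possibly empty, field."""
    ts, src, method, host, path, bytes_out, body = line.rstrip("\n").split("\t", 6)
    return {"ts": ts, "src": src, "method": method, "host": host,
            "path": path, "bytes_out": int(bytes_out), "body": body}


def eth_call_target(body):
    """Return the lowercased contract address if body is a JSON-RPC eth_call, else None.

    The contract address is the pivot: once known it can be queried on-chain
    to see what the bot would have resolved.
    """
    try:
        rpc = json.loads(body)
    except (ValueError, TypeError):
        return None
    if not isinstance(rpc, dict) or rpc.get("method") != "eth_call":
        return None
    params = rpc.get("params") or []
    if params and isinstance(params[0], dict):
        to = params[0].get("to")
        if isinstance(to, str) and re.fullmatch(r"0x[0-9a-fA-F]{40}", to):
            return to.lower()
    return None


def hunt(lines):
    """Run both rules over proxy records and return a list of findings."""
    findings = []
    for line in lines:
        rec = parse_line(line)

        # Rule 1: eth_call from a host with no business talking to Ethereum nodes.
        contract = eth_call_target(rec["body"])
        if contract and rec["src"] not in ETH_RPC_ALLOWED_SOURCES:
            findings.append({"rule": "eth-contract-c2-lookup", "src": rec["src"],
                             "host": rec["host"], "contract": contract})

        # Rule 2: large upload to a consumer/cloud storage endpoint.
        if (rec["method"] in {"PUT", "POST"}
                and rec["bytes_out"] >= EXFIL_MIN_BYTES
                and any(p.search(rec["host"]) for p in EXFIL_HOST_PATTERNS)):
            findings.append({"rule": "cloud-storage-exfil", "src": rec["src"],
                             "host": rec["host"], "bytes_out": rec["bytes_out"]})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f)
```

On the constructed log the hunt yields two findings, both from `ws-finance-17`: an `eth_call` lookup naming the contract address, and a 50 MB PUT to the Wasabi endpoint. The same `eth_call` from the allowlisted `dev-blockchain-01` and the 2 KB put.io upload are left alone, which is the trade-off to tune: a low byte threshold catches chunked exfil but also ordinary small API calls.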
