MuddyWater replaces Atera with custom MuddyRot implant in a recent campaign
ID: 92cd93eb-6e0b-56b6-8e55-8fda5a2e3458
STIX ID: report--92cd93eb-6e0b-56b6-8e55-8fda5a2e3458
Feed Name: Sekoia.io Blog
Sekoia TDR details a June 2024 MuddyWater campaign in which the actor replaced the RMM tooling it had previously abused with a custom x64 implant dubbed "MuddyRot", delivered via malicious PDFs linking to Egnyte-hosted ZIP archives. The report includes a technical breakdown of MuddyRot's string obfuscation, persistence via scheduled tasks, raw-TCP C2 on port 443 with obfuscated traffic, reverse-shell and file upload/download capabilities, and supported command IDs, as well as observed IOCs, infrastructure IPs and YARA rules.
