Unmasking an Attack Chain of MuddyWater
ID: 698a56ff-c76a-598c-a385-04fc0c230435
STIX ID: report--698a56ff-c76a-598c-a385-04fc0c230435
Feed Name: Huntress Blog
Huntress investigated a confirmed intrusion attributed to an Iranian-linked APT (MuddyWater) in which the attacker gained RDP access to a customer host, created an SSH reverse tunnel, and performed DLL side-loading of a malicious FMAPP.dll via the legitimate FMAPP.exe to establish C2. The report provides a timeline of commands, the attacker's verification attempts, and IOCs including IP addresses, a username, file paths, and SHA256 hashes.
