Tracking MuddyWater in Action: Infrastructure, Malware and Operations during 2025
ID: edc566ca-8f95-5c52-9f63-d59e6dab3dc9
STIX ID: report--edc566ca-8f95-5c52-9f63-d59e6dab3dc9
Feed Name: Group-IB Blog
Group-IB details that MuddyWater, an Iran-nexus APT, remains active and increasingly sophisticated—shifting from opportunistic RMM abuse to targeted spearphishing with malicious Office documents and custom backdoors (BugSleep, StealthCache, Phoenix) and loaders (Fooder). The report includes technical malware behavior, C2 communication patterns, hosting and certificate pivots (AWS, Cloudflare, bulletproof hosts), sample IOCs, hunting techniques, and mitigation recommendations for defenders.
