Threats

MuddyWater APT Scans 12,000+ Systems to Target Middle East Critical Sectors

David Kimber
April 15, 2026, 4 min read

Key Takeaways

  • A threat group whose tooling and infrastructure closely match MuddyWater's scanned over 12,000 systems in critical Middle Eastern sectors.
  • The campaign exploited five recently disclosed vulnerabilities (CVE-2025-54068, CVE-2025-52691, CVE-2025-68613, CVE-2025-9316, CVE-2025-34291).
  • Confirmed data theft occurred from an Egyptian aviation organization, including sensitive personal and corporate data.
  • Attackers leveraged a sophisticated, modular Command and Control (C2) infrastructure using Python and Go, with custom communication protocols.
  • The campaign also targeted entities in Portugal and India, indicating a broader scope beyond the Middle East.

Sophisticated Cyber Campaign Targets Middle East Critical Infrastructure, Linked to MuddyWater APT

A new, highly organized cyber campaign, bearing significant hallmarks of the notorious MuddyWater threat group, has been observed conducting extensive reconnaissance against over 12,000 systems. The operation primarily focused on critical sectors in the Middle East, including aviation, energy, and government, with confirmed data exfiltration from at least one Egyptian aviation entity.

The campaign, which began in early February 2025, coincided with a period of escalating geopolitical tensions in the region, raising concerns about its strategic motivations. Researchers at Oasis Security identified and analyzed this activity, tracing the attacker’s infrastructure to a server located in the Netherlands with the IP address 157.20.182.49.

Multi-Stage Attack Leverages Fresh Vulnerabilities

Unlike opportunistic attacks, this operation unfolded through a meticulously planned, multi-stage process. Initial reconnaissance involved wide-scale vulnerability scanning, followed by targeted credential harvesting, and culminating in data exfiltration.

To drive the initial scanning phase, the threat actors weaponized at least five recently disclosed Common Vulnerabilities and Exposures (CVEs). The affected products span a broad range of internet-facing software: a web application framework, a mail server, an IT management platform, and two workflow automation tools. The exploited CVEs are:

  • CVE-2025-54068 (Laravel Livewire RCE)
  • CVE-2025-52691 (SmarterMail RCE)
  • CVE-2025-68613 (n8n RCE)
  • CVE-2025-9316 (Unauthenticated Session ID Generation in RMM systems)
  • CVE-2025-34291 (Langflow RCE)

Oasis Security analysts recovered a substantial volume of server-side files from the attacker’s infrastructure, revealing modular Command and Control (C2) components, operational scripts, and clear evidence of coordinated scanning activities.

Credential Theft and Data Exfiltration Confirmed

Following reconnaissance, the threat actors moved to credential-based intrusion, running brute-force and username-enumeration attacks against Outlook Web Access (OWA) with a custom Python script, owa.py, and the open-source multi-threaded brute-forcer Patator. The attempts concentrated on specific organizations, particularly in Egypt, Israel, and the United Arab Emirates.

Successful credential theft was confirmed, with employee credentials from an Egyptian firefighting enterprise compromised. Additionally, administrator account lists were recovered from a targeted organization in the UAE.
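The signal that separates the spraying described above from a user mistyping a password is many different usernames failing from one source in a short window, followed by a login that is accepted. The script below is an added example, not code from the report or the attacker's owa.py: it parses constructed IIS W3C log lines (the field order is an assumption, taken from the FIELDS list; check your own #Fields header) and flags source IPs that match that pattern. Real IIS logs often record "-" as cs-username on failed requests, in which case the attempted account has to be recovered from Windows Security event 4625 on the Exchange server instead.

```python
"""Flag OWA password-spray / user-enumeration bursts in IIS W3C log lines.

Added example, not code from the report or from the attacker's owa.py.
LOG_LINES are constructed; the field order is the FIELDS list below (an
assumption: check the #Fields header of your own logs). Real IIS logs often
record '-' as cs-username on failed requests, in which case the attempted
account must be recovered from Windows Security event 4625 instead.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem",
          "cs-username", "sc-status", "cs(User-Agent)"]

# Constructed sample: one source sprays five accounts in four seconds and then
# gets a non-401 for a sixth; a second source is an ordinary user mistyping once.
LOG_LINES = """\
2026-03-02 09:14:01 203.0.113.7 POST /owa/auth.owa j.smith 401 python-requests/2.31
2026-03-02 09:14:02 203.0.113.7 POST /owa/auth.owa a.hassan 401 python-requests/2.31
2026-03-02 09:14:02 203.0.113.7 POST /owa/auth.owa m.ali 401 python-requests/2.31
2026-03-02 09:14:03 203.0.113.7 POST /owa/auth.owa s.ibrahim 401 python-requests/2.31
2026-03-02 09:14:04 203.0.113.7 POST /owa/auth.owa f.omar 401 python-requests/2.31
2026-03-02 09:14:05 203.0.113.7 POST /owa/auth.owa r.nasser 302 python-requests/2.31
2026-03-02 09:20:10 198.51.100.4 POST /owa/auth.owa k.lee 401 Mozilla/5.0
2026-03-02 09:20:40 198.51.100.4 POST /owa/auth.owa k.lee 302 Mozilla/5.0
"""


def parse_line(line):
    """Return a dict for one log record, or None for header/blank/malformed lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["ts"] = datetime.fromisoformat(f"{rec['date']} {rec['time']}")
    return rec


def detect_spray(log_text, fail_threshold=5, user_threshold=3,
                 window=timedelta(minutes=5)):
    """Per source IP, find the densest burst of 401s to /owa/ inside `window`.

    Flags the IP when the burst has >= fail_threshold failures spread over
    >= user_threshold distinct accounts (spraying/enumeration rather than one
    user fumbling a password), and lists every account that got a non-401
    response from the same IP, i.e. a possible successful guess.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["cs-uri-stem"].lower().startswith("/owa/"):
            by_ip[rec["c-ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        failures = [r for r in recs if r["sc-status"] == "401"]
        best_count, best_users, start = 0, set(), 0
        for end, rec in enumerate(failures):
            # slide the window start forward until the burst fits in `window`
            while rec["ts"] - failures[start]["ts"] > window:
                start += 1
            burst = failures[start:end + 1]
            if len(burst) > best_count:
                best_count = len(burst)
                best_users = {r["cs-username"] for r in burst}
        if best_count >= fail_threshold and len(best_users) >= user_threshold:
            accepted = sorted({r["cs-username"] for r in recs
                               if r["sc-status"] != "401"})
            findings[ip] = {"failures": best_count,
                            "distinct_users": len(best_users),
                            "accepted": accepted}
    return findings


if __name__ == "__main__":
    for ip, f in detect_spray(LOG_LINES).items():
        print(f"{ip}: {f['failures']} failures across {f['distinct_users']} accounts;"
              f" non-401 responses for {f['accepted'] or 'none'}")
```

On the sample, 203.0.113.7 is reported with five failures across five accounts and a non-401 for r.nasser, which is the account to lock and investigate first; 198.51.100.4 is left alone. Tune the thresholds to your own baseline of legitimate failures before wiring this into alerting.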

The campaign progressed to confirmed data exfiltration from an Egyptian aviation organization. Approximately 200 staged files were discovered in attacker-controlled directories. These files contained highly sensitive information, including passport and visa records, payroll and salary data, credit card details, and internal corporate documents. Further targeting was also identified in Portugal and India, indicating the campaign’s global reach.

Modular C2 Infrastructure Designed for Resilience

A significant discovery in this campaign was the Command and Control (C2) architecture the attackers deployed. Oasis Security's analysis describes a multi-layered infrastructure built in more than one programming language and speaking more than one protocol, a design that gives the operators fallback channels and makes the infrastructure harder for defenders to detect and take down.

The C2 setup featured Python-based controllers, specifically tcp_serv.py and udp_3.0.py, alongside Go-based binaries named server and client.exe. The tcp_serv.py controller accepted inbound connections on TCP port 5009, and the UDP controller followed the same structure. Both Python controllers used the same custom packet header, described by the Python struct format string <BIIH: little-endian, one unsigned byte, two unsigned 32-bit integers and one unsigned 16-bit integer, 11 bytes in total. The same header format appeared in every controller variant recovered from the attacker's infrastructure, which makes it a usable fingerprint for this tooling.
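To show what that header fingerprint looks like in practice, here is an added example (not the attacker's code or the researchers' tooling) that re-frames a captured TCP byte stream on the <BIIH layout. The report does not say what the four fields mean, so the field names and the rule that the trailing H field carries the payload length are assumptions made so the decoder has something to frame on; replace them once you have a real sample to compare against.

```python
"""Re-frame a TCP byte stream on the '<BIIH' header layout the report attributes
to the tcp_serv.py / udp_3.0.py controllers.

Added example, not the attacker's code or the researchers' tooling. '<BIIH' is
a Python struct format string: '<' little-endian with no padding, 'B' one
unsigned byte, 'I' 'I' two unsigned 32-bit integers, 'H' one unsigned 16-bit
integer, 11 bytes in all. The field names below (msg_type, session_id,
sequence) and the rule that the trailing H field is the payload length are
assumptions, not facts from the report.
"""
import struct
from dataclasses import dataclass

HEADER_FMT = "<BIIH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 11 bytes


@dataclass
class Frame:
    msg_type: int
    session_id: int
    sequence: int
    payload: bytes


def pack_frame(msg_type, session_id, sequence, payload):
    """Build one frame the way a struct-based controller would (assumed layout)."""
    return struct.pack(HEADER_FMT, msg_type, session_id, sequence, len(payload)) + payload


def split_frames(stream):
    """Split a reassembled stream into complete Frames plus any unconsumed tail.

    TCP gives no message boundaries, so a sensor has to carry the tail over to
    the next read; a frame whose declared length overruns the buffer is left
    intact rather than guessed at.
    """
    frames, off = [], 0
    while len(stream) - off >= HEADER_LEN:
        msg_type, sid, seq, plen = struct.unpack_from(HEADER_FMT, stream, off)
        end = off + HEADER_LEN + plen
        if end > len(stream):
            break  # partial frame: wait for more data
        frames.append(Frame(msg_type, sid, seq, stream[off + HEADER_LEN:end]))
        off = end
    return frames, stream[off:]


def looks_like_biih_stream(stream, min_frames=2):
    """Cheap triage for traffic on an unfamiliar port (5009 in the report): the
    buffer re-frames into at least `min_frames` back-to-back messages with
    nothing left over. Random bytes or text protocols almost never satisfy this."""
    frames, rest = split_frames(stream)
    return len(frames) >= min_frames and rest == b""


# Constructed sample: two frames of one session followed by a truncated third.
SAMPLE = (pack_frame(1, 0xDEADBEEF, 1, b"whoami")
          + pack_frame(2, 0xDEADBEEF, 2, b"corp\\svc-backup")
          + b"\x01\x02")

if __name__ == "__main__":
    frames, rest = split_frames(SAMPLE)
    for fr in frames:
        print(f"type={fr.msg_type} session={fr.session_id:#x} "
              f"seq={fr.sequence} payload={fr.payload!r}")
    print(f"leftover={rest!r} looks_like={looks_like_biih_stream(SAMPLE[:-2])}")
```

The triage heuristic is deliberately conservative: a truncated capture fails it because of the leftover bytes, and an HTTP request fails it because the bytes that land in the H field decode to a length far beyond the buffer. Pair it with the port and destination indicators from the report rather than using it alone.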

More sophisticated HTTP-based controllers were also identified, managing encrypted client sessions through API-style endpoints such as /command, /result, /signup, and /feed. The Go-based ex-server binary handled AES (CTR mode)-encrypted data exchanges via the /signup and /feed endpoints, using cookie-based cid values to track individual compromised hosts. These communication patterns bear a strong resemblance to MuddyWater’s ArenaC2 framework, reinforcing the attribution made by Oasis Security.

What You Should Do

  • Patch Immediately: Apply the vendor fixes for CVE-2025-54068 (Laravel Livewire), CVE-2025-52691 (SmarterMail), CVE-2025-68613 (n8n), CVE-2025-9316 and CVE-2025-34291 (Langflow). Where a fix cannot go in at once, take the affected service off the internet rather than leave it exposed to the scanning described above.
  • Review OWA Logs: Look for bursts of failed logons from a single source spread across many different usernames (enumeration and spraying), not only repeated failures against one account, and treat any successful logon that follows such a burst as a suspected compromise. Windows Security event 4625 on the Exchange server records the attempted account where the IIS logs do not.
  • Block and Alert on the C2 Infrastructure: Deny outbound connections to 157.20.182.49 and alert on outbound TCP 5009. Port blocking on its own is weak, since the operators can rebind the listener, so treat 5009 as a detection hint rather than a control.
  • Monitor HTTP Connections to API-Style Endpoints: Where TLS is terminated (proxy, WAF or host agent), alert on clients that register at /signup and then poll /feed, /command or /result with a cid cookie against hosts outside your allow-list. With plain TLS egress only the destination and timing are visible, so look for regular beaconing to unfamiliar hosts instead.
  • Audit File Directories: Regularly audit internal file shares and servers for unusual bulk staging (hundreds of documents gathered into one directory in a short time), which precedes exfiltration.
  • Implement Multi-Factor Authentication (MFA): Enforce MFA across all critical systems and accounts, especially OWA and administrative access, since MFA blunts the credential spraying seen here even when a password is guessed.
  • Strengthen Password Policies: Require strong, unique passwords, and force a reset when compromise is suspected rather than on a fixed calendar; routine periodic rotation on its own does not stop spraying.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags: Attack, Breach, CVE, Exploit, Hacker, Patch, Security, Threat, Vulnerability

David Kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.

All Rights Reserved by HackersRadar ©2026