MuddyWater APT Scans 12,000+ Systems to Target Middle East Critical Sectors
Key Takeaways
- A threat group, highly similar to MuddyWater, scanned over 12,000 systems in critical Middle Eastern sectors.
- The campaign exploited five recently disclosed vulnerabilities (CVE-2025-54068, CVE-2025-52691, CVE-2025-68613, CVE-2025-9316, CVE-2025-34291).
- Confirmed data theft occurred from an Egyptian aviation organization, including sensitive personal and corporate data.
- Attackers leveraged a sophisticated, modular Command and Control (C2) infrastructure using Python and Go, with custom communication protocols.
- The campaign also targeted entities in Portugal and India, indicating a broader scope beyond the Middle East.
Sophisticated Cyber Campaign Targets Middle East Critical Infrastructure, Linked to MuddyWater APT
A new, highly organized cyber campaign, bearing significant hallmarks of the notorious MuddyWater threat group, has been observed conducting extensive reconnaissance against over 12,000 systems. The operation primarily focused on critical sectors in the Middle East, including aviation, energy, and government, with confirmed data exfiltration from at least one Egyptian aviation entity.
The campaign, which began in early February 2025, coincided with a period of escalating geopolitical tensions in the region, raising concerns about its strategic motivations. Researchers at Oasis Security identified and analyzed this activity, tracing the attacker’s infrastructure to a server located in the Netherlands with the IP address 157.20.182.49.
Multi-Stage Attack Leverages Fresh Vulnerabilities
Unlike opportunistic attacks, this operation unfolded through a meticulously planned, multi-stage process. Initial reconnaissance involved wide-scale vulnerability scanning, followed by targeted credential harvesting, and culminating in data exfiltration.
To facilitate the initial scanning phase, the threat actors weaponized at least five recently disclosed Common Vulnerabilities and Exposures (CVEs). These vulnerabilities targeted a diverse range of systems, including web applications, email servers, IT management platforms, and workflow automation tools. The exploited CVEs include:
- CVE-2025-54068 (Laravel Livewire RCE)
- CVE-2025-52691 (SmarterMail RCE)
- CVE-2025-68613 (n8n RCE)
- CVE-2025-9316 (Unauthenticated Session ID Generation in RMM systems)
- CVE-2025-34291 (Langflow RCE)
Oasis Security analysts recovered a substantial volume of server-side files from the attacker’s infrastructure, revealing modular Command and Control (C2) components, operational scripts, and clear evidence of coordinated scanning activities.
Credential Theft and Data Exfiltration Confirmed
Following reconnaissance, the threat actors shifted to credential-based intrusion. They launched brute-force attacks against Outlook Web Access (OWA) using custom tools, including a Python script named owa.py and the multi-threaded attack software Patator. These attacks focused on username enumeration against specific organizations, particularly in Egypt, Israel, and the United Arab Emirates.
Successful credential theft was confirmed, with employee credentials from an Egyptian firefighting enterprise compromised. Additionally, administrator account lists were recovered from a targeted organization in the UAE.
The campaign progressed to confirmed data exfiltration from an Egyptian aviation organization. Approximately 200 staged files were discovered in attacker-controlled directories. These files contained highly sensitive information, including passport and visa records, payroll and salary data, credit card details, and internal corporate documents. Further targeting was also identified in Portugal and India, indicating the campaign’s global reach.
Modular C2 Infrastructure Designed for Resilience
A significant discovery in this campaign was the advanced Command and Control (C2) architecture deployed by the attackers. Oasis Security’s analysis highlighted a multi-layered infrastructure built using different programming languages and communication protocols. This design was clearly intended to ensure functionality, adaptability, and resilience against detection and disruption by defenders.
The C2 setup featured Python-based controllers, specifically tcp_serv.py and udp_3.0.py, alongside Go-based binaries like server and client.exe. The tcp_serv.py controller was configured to accept inbound connections over TCP port 5009, with the UDP controller exhibiting similar structural patterns. Both Python-based controllers utilized a unique custom packet header format, <BIIH, which was consistently observed across all controller variants on the attacker’s infrastructure.
More sophisticated HTTP-based controllers were also identified, managing encrypted client sessions through API-style endpoints such as /command, /result, /signup, and /feed. The Go-based ex-server binary handled AES (CTR mode)-encrypted data exchanges via the /signup and /feed endpoints, using cookie-based cid values to track individual compromised hosts. These communication patterns bear a strong resemblance to MuddyWater’s ArenaC2 framework, reinforcing the attribution made by Oasis Security.
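The two protocol fingerprints described above, the 11-byte <BIIH header on TCP 5009 and the API-style endpoints tracked through a cid cookie, can be turned into a simple triage check for network or proxy telemetry. The Python below is an added example written for this article; it is not code from the Oasis Security report or from the attacker's controllers. The field names u8, u32_a, u32_b and u16 are placeholders because the report does not say what the header fields mean, and the sample flows and requests are constructed.

```python
import struct
from http.cookies import SimpleCookie

# Packet header named in the report: struct format "<BIIH" = little-endian,
# one unsigned byte, two unsigned 32-bit integers, one unsigned 16-bit integer.
HEADER_FMT = "<BIIH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 11 bytes
C2_TCP_PORT = 5009
# API-style endpoints listed in the report; ex-server tracked hosts via a "cid" cookie.
C2_PATHS = {"/command", "/result", "/signup", "/feed"}


def decode_header(payload: bytes):
    """Decode the first 11 bytes of a payload as the <BIIH header.

    Returns None when the payload is too short. The keys are placeholders:
    the report does not document the meaning of the individual fields."""
    if len(payload) < HEADER_LEN:
        return None
    u8, u32_a, u32_b, u16 = struct.unpack_from(HEADER_FMT, payload, 0)
    return {"u8": u8, "u32_a": u32_a, "u32_b": u32_b, "u16": u16}


def flag_tcp_flow(dst_port: int, payload: bytes) -> bool:
    """Heuristic: a flow to TCP 5009 whose first bytes fit the header layout."""
    return dst_port == C2_TCP_PORT and decode_header(payload) is not None


def flag_http_request(path: str, headers: dict):
    """Heuristic severity for one HTTP request.

    'high' -> C2 endpoint path together with a cid cookie (ex-server pattern)
    'low'  -> C2 endpoint path only (paths such as /feed are common elsewhere)
    None   -> nothing matched"""
    if path.split("?", 1)[0] not in C2_PATHS:
        return None
    jar = SimpleCookie()
    jar.load(headers.get("Cookie", ""))
    return "high" if "cid" in jar else "low"


def triage(flows, requests):
    """Run both heuristics over (name, port, payload) and (name, path, headers)
    tuples and return the hits in input order."""
    hits = []
    for name, port, payload in flows:
        if flag_tcp_flow(port, payload):
            hits.append((name, "tcp-5009-header", decode_header(payload)))
    for name, path, headers in requests:
        sev = flag_http_request(path, headers)
        if sev:
            hits.append((name, f"http-endpoint-{sev}", path))
    return hits


# Constructed samples (not captured traffic).
SAMPLE_FLOWS = [
    ("flow-a", 5009, struct.pack(HEADER_FMT, 1, 0x1234, 16, 0) + b"A" * 16),
    ("flow-b", 443, b"\x16\x03\x01\x02\x00" + b"\x00" * 20),  # looks like a TLS record
    ("flow-c", 5009, b"\x01\x02"),                             # too short for a header
]
SAMPLE_REQUESTS = [
    ("req-1", "/signup", {"Cookie": "cid=7f3a9c; theme=dark"}),
    ("req-2", "/feed?page=2", {}),
    ("req-3", "/index.html", {"Cookie": "cid=7f3a9c"}),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_FLOWS, SAMPLE_REQUESTS):
        print(hit)
```

The header check only confirms that a payload is long enough to be unpacked with the published layout, so on its own it is a weak signal; pairing it with the destination port, and pairing the endpoint paths with the cid cookie, is what raises confidence. In production the same logic would be expressed as a Zeek script or IDS rule rather than a standalone script.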
What You Should Do
- Patch Immediately: Apply available patches for CVE-2025-54068, CVE-2025-52691, CVE-2025-68613, CVE-2025-9316, and CVE-2025-34291 without delay.
- Review OWA Logs: Scrutinize Outlook Web Access (OWA) logs for any signs of brute-force activity or unauthorized access attempts.
- Block Outbound Traffic: Configure firewalls to block outbound traffic on TCP port 5009, which is used by the C2 infrastructure.
- Monitor Encrypted HTTP Connections: Implement monitoring for encrypted HTTP connections to unrecognized or suspicious API-style endpoints (e.g., /command, /result, /signup, /feed).
- Audit File Directories: Regularly audit internal file directories for unusual bulk staging behaviors, which could indicate data collection prior to exfiltration.
- Implement Multi-Factor Authentication (MFA): Enforce MFA across all critical systems and accounts, especially for OWA and administrative access.
- Strengthen Password Policies: Mandate strong, unique passwords and regularly rotate them.
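The "Review OWA Logs" recommendation, together with the brute-force and username-enumeration activity described earlier, can be checked with a small log analysis. The Python below is an added example for this article, not code from the report or from any vendor tool. It uses a constructed, simplified six-column log (date, time, client IP, username, URI, status) rather than a real IIS capture, and assumes for the sample that a 401 on /owa/auth.owa is a failed logon and a 200 is a success; real OWA logs need their own field mapping before the same logic applies.

```python
from collections import defaultdict
from datetime import datetime, timedelta

AUTH_URI = "/owa/auth.owa"


def build_sample_log():
    """Constructed sample, simplified W3C-style columns:
    date time c-ip cs-username cs-uri-stem sc-status
    Assumption for this sample only: 401 = failed logon, 200 = success."""
    rows = []
    # 203.0.113.5: 12 failures across 8 usernames in 3 minutes, then a success
    users = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi",
             "alice", "bob", "carol", "dave"]
    for i, u in enumerate(users):
        rows.append(f"2025-02-10 08:{i // 4:02d}:{(i % 4) * 15:02d} 203.0.113.5 {u} {AUTH_URI} 401")
    rows.append(f"2025-02-10 08:03:30 203.0.113.5 carol {AUTH_URI} 200")
    # 198.51.100.7: one mistyped password followed by a success (ordinary user)
    rows.append(f"2025-02-10 09:10:00 198.51.100.7 bob {AUTH_URI} 401")
    rows.append(f"2025-02-10 09:10:20 198.51.100.7 bob {AUTH_URI} 200")
    # 192.0.2.9: six different usernames, one failure each, no success
    for i, u in enumerate(["ivan", "judy", "mallory", "oscar", "peggy", "trent"]):
        rows.append(f"2025-02-10 10:00:{i * 10:02d} 192.0.2.9 {u} {AUTH_URI} 401")
    # unrelated request; the parser ignores it
    rows.append("2025-02-10 10:00:05 192.0.2.9 - /owa/ 200")
    return rows


def parse(lines):
    """Group auth.owa events per client IP as (timestamp, username, success)."""
    events = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 6 or parts[4] != AUTH_URI:
            continue
        ts = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
        events[parts[2]].append((ts, parts[3], parts[5] == "200"))
    return events


def analyze(lines, window=timedelta(minutes=5), fail_threshold=10, enum_threshold=5):
    """Return {ip: finding} for sources whose failures look like brute force
    (peak failures inside any sliding window) or username enumeration
    (many distinct usernames failing), noting a later success if present."""
    findings = {}
    for ip, evs in parse(lines).items():
        evs.sort()
        fails = [(ts, u) for ts, u, ok in evs if not ok]
        peak, start = 0, 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        distinct = {u for _, u in fails}
        last_fail = fails[-1][0] if fails else None
        success_after = last_fail is not None and any(
            ok and ts > last_fail for ts, _, ok in evs)
        verdicts = []
        if peak >= fail_threshold:
            verdicts.append("brute-force")
        if len(distinct) >= enum_threshold:
            verdicts.append("username-enumeration")
        if verdicts and success_after:
            verdicts.append("success-after-attack")
        if verdicts:
            findings[ip] = {"peak_failures": peak,
                            "distinct_users": len(distinct),
                            "verdicts": verdicts}
    return findings


if __name__ == "__main__":
    for ip, finding in analyze(build_sample_log()).items():
        print(ip, finding)
```

The ordinary user with a single typo produces no finding, while the host that fails across many usernames is flagged even though it never reaches the brute-force threshold; a success that follows a flagged burst is the case worth escalating first, since it suggests a working credential was obtained. Thresholds and the window are parameters so they can be tuned to a tenant's normal failure rate.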
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.