MuddyWater has been launching politically motivated targeted attacks since 2012. Despite its age, though, the threat actors aren’t showing any sign of retiring anytime soon.

Reports say MuddyWater recently updated its C&C framework with PhonyC2’s launch¹ in an attempt to better control their hold on target networks. That’s not all, they also partnered with DEV-1084² in hopes of keeping their APT involvement a secret from intended victims.

Deep Instinct named 39 PhonyC2 IoCs in their analysis. Microsoft, meanwhile, published 14 IoCs related to the MuddyWater-DEV-1084 partnership.

To uncover yet-unidentified connected artifacts, WhoisXML API researchers dove deeper into the threats aided by our comprehensive DNS intelligence and found:

• Three unique IP addresses to which some of the PhonyC2 domains identified as IoCs resolved
• Three domains that shared the dedicated IP hosts of the PhonyC2 domains identified as IoCs
• 152 domains that contained strings found among the PhonyC2 domains identified as IoCs
• 22 domains that contained the same strings as the PhonyC2 IP-connected domains, two of which were classified as malicious by a bulk malware check
• Three unique IP addresses to which some of the MuddyWater-DEV-1084 domains identified as IoCs resolved
• 294 domains that shared the dedicated hosts of the MuddyWater-DEV-1084 domains identified as IoCs, one of which turned out to be malicious based on a bulk malware check

Download a sample of the threat research materials now or contact us to access the complete set of research materials.

—

• [1] https://www.deepinstinct.com/blog/phonyc2-revealing-a-new-malicious-command-control-framework-by-muddywater
• [2] https://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/