{
  "Event": {
    "analysis": "1",
    "date": "2026-03-06",
    "extends_uuid": "",
    "info": "[Threat Intel] Unmasking an Attack Chain of MuddyWater",
    "protected": false,
    "publish_timestamp": "1773997256",
    "published": true,
    "threat_level_id": "1",
    "timestamp": "1773997256",
    "uuid": "1283800d-7556-4c20-ba35-f5e5c1dcf2ba",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#8f20d0",
        "local": false,
        "name": "misp-galaxy:producer=\"Huntress\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#e7d48a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Owner/User Discovery - T1033\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#a320c3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Unsecured Credentials - T1552\"",
        "relationship_type": ""
      },
      {
        "colour": "#9f6bd9",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Network Configuration Discovery - T1016\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#59699c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"",
        "relationship_type": ""
      },
      {
        "colour": "#f07d7c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Non-Standard Port - T1571\"",
        "relationship_type": ""
      },
      {
        "colour": "#3970d7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote System Discovery - T1018\"",
        "relationship_type": ""
      },
      {
        "colour": "#e1e63b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1574.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#370063",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#fae37b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Service Execution - T1569.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#26fab6",
        "local": false,
        "name": "misp-galaxy:target-information=\"Israel\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"MuddyWater\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:country=\"iran\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#120044",
        "local": false,
        "name": "rectifyq:sub-category=\"intrusion-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#1c006d",
        "local": false,
        "name": "rectifyq:topic=\"geopolitical\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"APT\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773054009",
        "to_ids": false,
        "type": "link",
        "uuid": "db36795b-7956-4aaf-9e0b-34c816aa493b",
        "value": "https://www.huntress.com/blog/muddywater-attack-chain"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773054009",
        "to_ids": false,
        "type": "text",
        "uuid": "1e1ed7a0-cf37-405b-bf5c-44401b852852",
        "value": "An intrusion attributed to MuddyWater, an Iranian-linked APT, was identified in a customer environment. The attack involved initial access through RDP, establishing an SSH tunnel, and deploying malware via DLL side-loading. The threat actor used FMAPP.exe, a legitimate Fortemedia Inc. application, to load a malicious FMAPP.dll for C2 communications. The timeline of activities revealed typos in commands, suggesting manual typing by the attacker. The intrusion included reconnaissance efforts, attempts to verify tunnel functionality, and issues with initial C2 communication. The attack targeted an Israeli company, aligning with known MuddyWater tactics."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773054009",
        "to_ids": false,
        "type": "text",
        "uuid": "172ebd59-06ed-4872-9756-02ca88e1b795",
        "value": "Name: Unmasking an Attack Chain of MuddyWater\nAuthor: AlienVault\nAdversary: MuddyWater\nTags: [\"dll side-loading\", \"iranian\", \"rdp\", \"fmapp.dll\", \"apt\", \"ssh tunnel\"]\nTgtd countries: [\"Israel\"]\nMlwr families: [\"FMAPP.dll\"]\nAttack_ids: [\"T1033\", \"T1082\", \"T1552\", \"T1016\", \"T1059.001\", \"T1078\", \"T1571\", \"T1018\", \"T1574.002\", \"T1105\", \"T1021.001\", \"T1569.002\"]\nIndustries: []"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773054009",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "53cbbc15-402f-4830-afeb-fa0bd856300a",
        "value": "MuddyWater"
      },
      {
        "category": "Network activity",
        "comment": "IP address used as the remote endpoint of the attacker's SSH tunnel",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773276166",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "80a72add-098f-4203-9502-d391af4e98b0",
        "value": "162.0.230.185",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Malicious FMAPP.dll side-loaded by the legitimate FMAPP.exe and used for C2. No sample available in VT, so the hash could not be independently verified.\nLast check: 2026-03-12",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773276048",
        "to_ids": true,
        "type": "sha256",
        "uuid": "277b0a07-364f-41f2-ad74-bc4991ebe534",
        "value": "589ecb0bb31adc6101b9e545a4e5e07ae2e97d464b0a62242a498e613a7740b6",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "C2 IP address contacted by the malicious FMAPP.dll",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773276187",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "b9cb6580-ba1a-4623-9a1d-8cd518cded33",
        "value": "157.20.182.49",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Attacker IP address from which the initial RDP connection originated (note: recorded as ip-dst although it is the connection source; match it against inbound RDP logs)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773276209",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "cab4c6dd-6e67-4959-a3fb-160474630915",
        "value": "173.16.10.1",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1773276231",
        "uuid": "e2e2888f-3ec9-4303-8d9c-a22b3d66b3ff",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Legitimate Fortemedia Inc. executable (FMAPP.exe) abused as the DLL side-loading host; the hash matches the benign vendor binary, so treat it as a hunting pivot rather than a blocking indicator - it will also appear on hosts where the vendor software is legitimately installed",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1773276231",
            "to_ids": true,
            "type": "md5",
            "uuid": "5ad6669c-8583-4a5d-8504-2a45861ac505",
            "value": "2533307ec1ef8b0611c8896e1460b076",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Legitimate Fortemedia Inc. executable (FMAPP.exe) abused as the DLL side-loading host; the hash matches the benign vendor binary, so treat it as a hunting pivot rather than a blocking indicator - it will also appear on hosts where the vendor software is legitimately installed",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1773276047",
            "to_ids": true,
            "type": "sha1",
            "uuid": "b2104e62-62a2-4adc-be4b-009837ce0fed",
            "value": "324918c73b985875d5f974da3471f2a0a4874687",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Legitimate Fortemedia Inc. executable (FMAPP.exe) abused as the DLL side-loading host; the hash matches the benign vendor binary, so treat it as a hunting pivot rather than a blocking indicator - it will also appear on hosts where the vendor software is legitimately installed",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1773276047",
            "to_ids": true,
            "type": "sha256",
            "uuid": "4285c565-87e4-403e-8fc7-37607a9e9ac6",
            "value": "e25892603c42e34bd7ba0d8ea73be600d898cadc290e3417a82c04d6281b743b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1773274915",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "9fc97383-de41-486e-94a5-d9a1ce77dffb",
            "value": "3072:DvxBhQz1y9Tiy4HzMLPdHZq0L2yKhrADqGVU6:Dbhy+TEILPdHZf2NUU6"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1773274915",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "e7d5dbd8-f589-43b5-ab8e-d2f8dc4da5fe",
            "value": "150080"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1773274915",
            "to_ids": true,
            "type": "vhash",
            "uuid": "fdc872a5-2806-488a-9d03-a649ecf99083",
            "value": "015066651d1555151038z527z4cz12fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1773274915",
            "to_ids": true,
            "type": "filename",
            "uuid": "6eee0e42-5029-4473-bcc8-101ab93116f1",
            "value": "FMAPP.EXE"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-03-12\nLast scan: 2026-03-12",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1773274915",
            "to_ids": false,
            "type": "text",
            "uuid": "92216723-389d-4a1c-b9a8-4b1fdda53a1c",
            "value": "Legitimate Fortemedia Inc. executable abused as the DLL side-loading host for the malicious FMAPP.dll\nType Description: Win32 EXE\nMicrosoft: None\nVT Total Detection: 1/72 (low detection is expected for a benign vendor binary; the detection value is in the side-loaded DLL, not this file)\nFirst Submission: 2016-06-08T09:50:10.000000+00:00\nLast Submission: 2026-03-06T15:16:58.000000+00:00"
          }
        ]
      }
    ]
  }
}