MuddyWater is changing its tactics to evade modern security defenses by abandoning familiar tools for new programming languages.
Since the start of 2026, we have seen three campaigns, three runtimes, and one strategic shift from MuddyWater. The Iranian Advanced Persistent Threat (APT) group launched three separate attacks using three distinct programming environments. This points to a single strategy to bypass modern security.
MuddyWater’s 2026 retooling shows how a nation-state actor adapts to disruption once its traditional methods stop working.
Quick Facts: How has MuddyWater pivoted in 2026?
How Did MuddyWater Evolve Its Tactics in 2026?
MuddyWater evolved its tactics in early 2026 by abandoning easily detected tools for a polyglot approach using multiple new programming languages to compromise global targets.
The Iranian APT MuddyWater (MITRE ATT&CK ID G0069) first surfaced in 2017. The group is also known as Seedworm, Mango Sandstorm, TA450, and Static Kitten.
The group historically relied on PowerShell scripts and Python downloaders. The tradecraft was never sophisticated; instead, the group relied on operational tempo and sheer volume of attacks. By late 2025, security tools easily detected these legacy attacks. Telemetry sources such as Windows System Monitor (Sysmon) and Event Tracing for Windows (ETW) could identify MuddyWater’s old loaders on first execution.
Rather than abandon the operation, the group chose to keep attacking by relocating its tooling to execution environments where defenders are not looking.
In the first ninety days of 2026, the Ministry of Intelligence and Security (MOIS) launched three distinct campaigns. These are Operation Olalampo, the RustyWater spear-phishing wave, and the Dindoor plus Fakeset intrusion. None of them share a runtime environment. They were all built using different tools, making them more difficult to detect.
This is what we see in these new attacks:
- Rust binaries
Rust binaries are compiled, self-contained executables. Attackers use them because they slip past older security filters and let malicious activity blend into normal network traffic. MuddyWater is compiling the RustyWater and CHAR backdoors as Rust binaries. They embed asynchronous networking via crates such as reqwest and tokio, making their traffic look legitimate.
- Deno runtime abuse
Deno is a modern JavaScript/TypeScript runtime. Attackers use it because most Endpoint Detection and Response (EDR) tools trust it by default and fail to inspect its network activity. The Dindoor campaign lets the operator deliver malicious code inside a sandboxed JavaScript runtime.
- Telegram-bot Command and Control (C2)
The Olalampo CHAR backdoor hides command traffic inside standard Telegram HTTPS traffic. Enterprise networks generally allow this domain for routine notifications.
Each of these choices punishes the same defender weakness. Security visibility is often tied to a specific programming language rather than the behavior of active network traffic.
What Are the Current 2026 MuddyWater Campaigns?
MuddyWater is executing three major campaigns across the globe targeting different regions with distinct techniques. Let’s dissect them.
Campaign 1: Operation Olalampo (Middle East and North Africa)
Group-IB detected Operation Olalampo on 26 January 2026. Telemetry (data tracking) attribution ties this back to prior MuddyWater samples and four new payloads.
- GhostFetch: a first-stage downloader
- HTTP_VIP: a secondary HTTP-based downloader
- GhostBackDoor: a full-featured backdoor
- CHAR: a Rust backdoor that uses a Telegram bot for Command and Control (C2)
The CHAR Telegram bot (username stager_51_bot, display name Olalampo) shows how prepared the attacker was. Attackers staged the bot in October 2025 and waited until January 2026 to launch.
Group-IB published seven network Indicators of Compromise (IoCs). Attackers masked their infrastructure using Iceland privacy proxies and U.S. IP addresses. The campaign targets diplomatic, financial, and defense organizations.
A reverse SOCKS5 proxy module (FMAPP.dll) creates a hidden, two-way tunnel into the victim network. Firewalls usually block outside threats from breaking in, so to bypass this defense, the malware reaches out from the inside to the attacker. The attacker then uses this tunnel to step inside the network while appearing to be a legitimate employee. This hidden access enables attackers to steal passwords and move deeper into the company’s critical systems.
Campaign 2: RustyWater (Middle East)
RustyWater is a parallel spear-phishing campaign (email phishing aimed at specific victims) hitting Middle Eastern diplomatic, financial, and telecom entities, with a primary focus on Israeli government and infrastructure organizations.
The infection chain follows a structured path:
- Initial Access: The attack begins with a deceptive Word document named Cybersecurity.doc. This document launches an automated script.
- Execution: This automated script acts as a dropper file. It launches CertificationKit.ini, which then executes a Rust-compiled implant named reddit.exe.
- Persistence: The malware ensures continuous access. It sets a Registry Run key (an automatic Windows startup setting).
- Defense Evasion: The implant uses process injection to hide malicious code inside legitimate programs. It specifically targets explorer.exe.
- Anti-Analysis: The malware actively resists security researchers. It uses a Vectored Exception Handler (VEH) to intercept system errors and evade standard security tracing.
- Command and Control: The implant communicates through obfuscated HTTP/JSON traffic. It connects to a primary server at nomercys.it.com, resolving to 159.198.66.153.
Six SHA-256 hashes exist for these samples (see the IoCs section). The presence of reqwest/tokio in the binary is a key fingerprint. The binary uses the asynchronous Rust HTTP stack to mimic legitimate cloud software traffic and evade detection.
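The reqwest/tokio fingerprint can be checked before a full reverse-engineering pass. The following triage helper is an added example and is not code from the article, Group-IB or any sample: it pulls crate names and versions out of the Cargo registry paths that Rust binaries usually keep in their panic strings, and flags the reqwest + tokio pair. The exact registry path layout, the extra marker crates (hyper, rustls) and the sample bytes are assumptions made for this demo.

```python
import re
from typing import Dict, List

# Crate names the article identifies as the RustyWater fingerprint (reqwest,
# tokio) plus two common dependencies of that stack (hyper, rustls); the
# latter two are an assumption added here to broaden triage.
RUST_HTTP_STACK_MARKERS = ("reqwest", "tokio", "hyper", "rustls")
MARKER_RE = re.compile(
    rb"(?<![A-Za-z0-9_])("
    + b"|".join(m.encode() for m in RUST_HTTP_STACK_MARKERS)
    + rb")(?![A-Za-z0-9_])"
)

# Rust binaries usually retain panic-location paths from the Cargo registry,
# e.g. ".cargo/registry/src/<index>/tokio-1.40.0/src/...". The layout is an
# assumption; only the "<crate>-<semver>" segment is extracted.
CARGO_PATH_RE = re.compile(
    rb"\.cargo[\\/]registry[\\/]src[\\/][^\\/]+[\\/]([A-Za-z0-9_-]+)-(\d+\.\d+\.\d+)"
)


def extract_strings(data: bytes, min_len: int = 6) -> List[bytes]:
    """Printable ASCII runs of at least min_len bytes, like the `strings` utility."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def fingerprint_rust_http_stack(data: bytes) -> Dict[str, object]:
    """Triage a PE image for the async Rust HTTP stack.

    Returns the crate versions recovered from Cargo paths, the marker names
    seen, and whether the reqwest+tokio pair (the article's fingerprint) is
    present. This is a triage heuristic, not attribution on its own.
    """
    crates: Dict[str, str] = {}
    for m in CARGO_PATH_RE.finditer(data):
        crates.setdefault(m.group(1).decode(), m.group(2).decode())
    markers = sorted({m.group(1).decode() for m in MARKER_RE.finditer(data)})
    return {
        "is_pe": data[:2] == b"MZ",
        "crates": crates,
        "markers": markers,
        "async_http_stack": "reqwest" in markers and "tokio" in markers,
        "string_count": len(extract_strings(data)),
    }


# Constructed sample bytes standing in for a Rust PE; not a real sample.
SAMPLE_PE_BYTES = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"C:\\Users\\build\\.cargo\\registry\\src\\index.crates.io-6f17d22bba15001f"
    b"\\tokio-1.40.0\\src\\runtime\\task\\core.rs"
    + b"\x00" * 4
    + b"/home/build/.cargo/registry/src/index.crates.io-6f17d22bba15001f"
    b"/reqwest-0.12.5/src/async_impl/client.rs"
    + b"\x00user-agent: reqwest/0.12.5\x00"
)

if __name__ == "__main__":
    print(fingerprint_rust_http_stack(SAMPLE_PE_BYTES))
```

Point `fingerprint_rust_http_stack` at the bytes of a suspect file; a hit on the reqwest + tokio pair is a reason to prioritise the sample for sandboxing and to compare its hash against the IoC list below, not proof of RustyWater, since plenty of legitimate Rust tools ship the same crates.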
Campaign 3: Dindoor + Fakeset (USA and Canada)
The Dindoor plus Fakeset wave began in February 2026. It targets North American critical infrastructure:
- a U.S. bank
- a U.S. airport
- U.S. defense contractors
- a Canadian non-profit
- an Israeli subsidiary of a U.S. software company that supplies the defense and aerospace sector
The intrusion set (group of related attacks) drops two new backdoors plus legacy MuddyWater loaders:
- Dindoor: A Deno-runtime backdoor delivered via a signed Microsoft Installer (MSI). The ‘Amy Cherne’ signature ties back to previous MuddyWater operations.
- Fakeset: A Python backdoor signed by ‘Donald Gay’.
- Stagecomp and Darkcomp: Legacy loaders repurposed for hands-on access.
Dindoor generates a unique 16-character victim ID from system data to route traffic efficiently. This lets the operator route traffic for hundreds of victims through a single Command and Control (C2) path without having to track sessions individually. Hunt.io found twenty active C2 servers using Caddy reverse proxies to hide the backend infrastructure.
The C2 URL embeds a JSON Web Token (JWT). This secure communication method ties the activity to the shared infrastructure domain serialmenot.com. Once installed, operators map the network to find high-level administrator accounts and steal passwords.
Detection requires monitoring behavioral signals like anomalous cloud storage traffic or unusual network connections from deno.exe and python.exe.
How Do MuddyWater Tactics Map to the MITRE ATT&CK Framework?
MuddyWater uses a variety of MITRE ATT&CK techniques to develop resources, gain access, and evade defenses.
| Tactic | Technique | ID | Description |
|---|---|---|---|
| Resource Development | Acquire Infrastructure: Domains | T1583.001 | MuddyWater registered C2 domains via Namecheap with privacy proxy in Iceland (Olalampo) and serialmenot.com, nomercys.it.com (Dindoor and RustyWater). |
| Resource Development | Develop Capabilities: Malware | T1587.001 | New custom implants in Rust (RustyWater, CHAR), Deno/JavaScript (Dindoor), and Python (Fakeset). |
| Resource Development | Obtain Capabilities: Code Signing Certificates | T1588.003 | Dindoor MSI signed by ‘Amy Cherne’. Fakeset Python binaries signed by ‘Donald Gay’. |
| Initial Access | Phishing: Spearphishing Attachment | T1566.001 | Cybersecurity.doc weaponized Word file delivers RustyWater. Signed MSI installers delivered via collaboration-platform lures for Dindoor. |
| Execution | Command and Scripting Interpreter: PowerShell | T1059.001 | Legacy MuddyWater Stagecomp/Darkcomp loaders staged after Dindoor beachhead. |
| Execution | Command and Scripting Interpreter: JavaScript | T1059.007 | Dindoor abuses the Deno runtime to execute TypeScript/JavaScript outside the browser. |
| Execution | Command and Scripting Interpreter: Visual Basic | T1059.005 | RustyWater VBA macro inside Cybersecurity.doc writes and launches CertificationKit.ini. |
| Execution | Windows Management Instrumentation | T1047 | MSI execution via msiexec.exe for Dindoor delivery. |
| Persistence | Boot or Logon Autostart: Registry Run Keys | T1547.001 | RustyWater establishes persistence via HKCU Run key pointing to CertificationKit.ini. |
| Defense Evasion | Obfuscated Files or Information | T1027 | RustyWater uses Base64 plus an XOR layer over JSON traffic. Dindoor URL path embeds an obfuscated JWT segment. |
| Defense Evasion | Process Injection | T1055 | RustyWater’s reddit.exe injects into explorer.exe. |
| Defense Evasion | Subvert Trust Controls: Code Signing | T1553.002 | Use of legitimate-looking signing names (Amy Cherne and Donald Gay) to bypass SmartScreen and basic Antivirus (AV) reputation gates. |
| Credential Access | OS Credential Dumping | T1003 | Post-Dindoor activity targets local and domain credentials. |
| Discovery | Account Discovery: Domain Account | T1087.002 | Active Directory reconnaissance after Dindoor establishment. |
| Discovery | Cloud Service Discovery | T1526 | Cloud admin enumeration and PIM inventory mapping occur during Dindoor post-exploitation. |
| Command and Control | Application Layer Protocol: Web Protocols | T1071.001 | HTTP/JSON C2 (RustyWater); HTTPS via Caddy reverse proxy used in Dindoor. |
| Command and Control | Web Service: One-Way Communication | T1102.003 | CHAR backdoor uses Telegram bot (stager_51_bot) over api.telegram.org. |
| Command and Control | Proxy: Multi-hop Proxy | T1090.003 | Dindoor C2 stack uses at least two Caddy reverse-proxy hops; the Via: 1.1 Caddy headers are visible. |
| Command and Control | Ingress Tool Transfer | T1105 | Stagecomp/Darkcomp legacy loaders pulled in after the initial Deno/Python beachhead. |
| Exfiltration | Exfiltration Over Web Service | T1567.002 | Anomalous outbound Rclone traffic observed during Dindoor post-exploitation. |
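
The T1027 row notes that RustyWater wraps its JSON beacons in Base64 plus an XOR layer. The decoder below is an added example, not code from the article or from any vendor report: it strips the Base64 layer and then tries every single-byte XOR key, keeping the first plaintext that parses as a JSON object. The single-byte key length is an assumption (the article does not state the key size), and the beacon, key and blob are constructed here purely as a test vector.

```python
import base64
import json
from typing import Optional, Tuple


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (the assumed form of the XOR layer)."""
    return bytes(b ^ key for b in data)


def recover_json_beacon(blob: str) -> Optional[Tuple[int, dict]]:
    """Strip the Base64 layer, then brute-force a single-byte XOR key.

    Returns (key, decoded_object) for the first key whose plaintext is a JSON
    object, or None if the blob is not Base64 or no key yields JSON.
    """
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    for key in range(256):
        plain = xor_bytes(raw, key)
        if not plain.startswith(b"{"):  # cheap pre-filter before a full parse
            continue
        try:
            obj = json.loads(plain.decode("utf-8"))
        except ValueError:  # UnicodeDecodeError and JSONDecodeError both qualify
            continue
        if isinstance(obj, dict):
            return key, obj
    return None


# Constructed test vector: a made-up beacon body, XORed with 0x5A and Base64
# encoded the same way the decoder expects. Not a real capture.
CONSTRUCTED_BEACON = {
    "id": "0123456789abcdef",
    "cmd": "ping",
    "note": "constructed sample, not a real capture",
}
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = base64.b64encode(
    xor_bytes(json.dumps(CONSTRUCTED_BEACON).encode(), SAMPLE_KEY)
).decode()

if __name__ == "__main__":
    print(recover_json_beacon(SAMPLE_BLOB))
```

Feed `recover_json_beacon` the body of a suspected beacon pulled from a proxy log or PCAP; if the implant uses a longer key the brute force will simply return None, which is itself a useful signal to escalate the sample for manual analysis.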
What Are the Indicators of Compromise (IoCs) for MuddyWater?
The Indicators of Compromise (IoCs) below detail the known infrastructure and files used in these MuddyWater campaigns. All IoCs are linkable to the live database in Maltiverse. Each link runs an interactive query. This allows analysts to pivot into related infrastructure, sample relations, and fresh enrichment data.
Domains
- nomercys.it.com (RustyWater C2) → Investigate in Maltiverse
- serialmenot.com (Dindoor shared C2 infrastructure) → Investigate in Maltiverse
- codefusiontech.org (Operation Olalampo C2) → Investigate in Maltiverse
- screenai.online (Operation Olalampo C2) → Investigate in Maltiverse
IP Addresses
- 159.198.66.153 (RustyWater primary C2) → Investigate in Maltiverse
File Hashes for RustyWater Rust implant (SHA-256)
- 76aad2a7fa265778520398411324522c57bfd7d2ff30a5cfe6460960491bc552 → Investigate in Maltiverse
- f38a56b8dc0e8a581999621eef65ef497f0ac0d35e953bd94335926f00e9464f → Investigate in Maltiverse
- 7523e53c979692f9eecff6ec760ac3df5b47f172114286e570b6bba3b2133f58 → Investigate in Maltiverse
- e61b2ed360052a256b3c8761f09d185dad15c67595599da3e587c2c553e83108 → Investigate in Maltiverse
- a2001892410e9f34ff0d02c8bc9e7c53b0bd10da58461e1e9eab26bdbf410c79 → Investigate in Maltiverse
- c23bac59d70661bb9a99573cf098d668e9395a636dc6f6c20f92c41013c30be8 → Investigate in Maltiverse
File Hashes for Operation Olalampo (SHA-1)
- 62ED16701A14CE26314F2436D9532FE606C15407 — FMAPP.dll reverse SOCKS5 module
Filesystem Artifacts
- Cybersecurity.doc — RustyWater initial lure document
- CertificationKit.ini — RustyWater dropper file
- reddit.exe — RustyWater Rust PE implant
- MSI installers signed by ‘Amy Cherne’ (Dindoor) and ‘Donald Gay’ (Fakeset)
Telegram C2 (Olalampo)
- Bot username: stager_51_bot
- Bot display name: Olalampo
Network Fingerprints (Dindoor)
- HTTP response header pattern: Via: 1.1 Caddy + X-Request-Id
- C2 URL path includes a hard-coded JWT segment encoding campaign metadata
- 16-character hexadecimal victim ID derived from username + hostname + RAM + OS release
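The Dindoor network fingerprints above (and the JWT-in-URL and victim-ID routing described in the campaign section) can be turned into a proxy-log check. The code below is an added example, not Hunt.io's or the article's own tooling: it scans a request path for a 16-character hexadecimal segment and a JWT-shaped segment whose header decodes to JSON with an "alg" field, and scores the response for the Via: 1.1 Caddy plus X-Request-Id pair. The sample path, JWT, victim ID and headers are constructed for this demo, and the "three or more findings" threshold is a tuning choice made here.

```python
import base64
import json
import re
from typing import Dict, List, Optional

HEX16_RE = re.compile(r"^[0-9a-f]{16}$")  # 16-char hexadecimal victim ID
JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")  # header.payload.sig


def _b64url_json(segment: str) -> Optional[dict]:
    """Decode one base64url segment as a JSON object; None if it is not one."""
    try:
        padded = segment + "=" * (-len(segment) % 4)
        obj = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all subclass ValueError
        return None
    return obj if isinstance(obj, dict) else None


def inspect_path(path: str) -> Dict[str, object]:
    """Find 16-hex victim-ID segments and a JWT segment in a request path."""
    victim_ids: List[str] = []
    jwt_claims: Optional[dict] = None
    for seg in [s for s in path.split("?")[0].split("/") if s]:
        if HEX16_RE.match(seg):
            victim_ids.append(seg)
        elif jwt_claims is None and JWT_RE.match(seg):
            header, payload = (_b64url_json(p) for p in seg.split(".")[:2])
            if header and "alg" in header and payload is not None:
                jwt_claims = payload
    return {"victim_ids": victim_ids, "jwt_claims": jwt_claims}


def score_http_exchange(path: str, response_headers: Dict[str, str]) -> Dict[str, object]:
    """Combine path findings with the Caddy reverse-proxy response fingerprint."""
    h = {k.lower(): v for k, v in response_headers.items()}
    hops = h.get("via", "").lower().count("1.1 caddy")  # one entry per proxy hop
    p = inspect_path(path)
    findings: List[str] = []
    if hops:
        findings.append(f"caddy_reverse_proxy_hops={hops}")
    if "x-request-id" in h:
        findings.append("x-request-id_header")
    if p["victim_ids"]:
        findings.append("hex16_victim_id_in_path")
    if p["jwt_claims"] is not None:
        findings.append("jwt_in_path")
    # Threshold is a tuning choice made here, not something the article states.
    return {"findings": findings, "suspicious": len(findings) >= 3, **p}


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed samples: the JWT, victim ID, request ID and paths are made up.
SAMPLE_JWT = (
    _b64url({"alg": "HS256", "typ": "JWT"}) + "."
    + _b64url({"campaign": "constructed-sample", "v": 1}) + "."
    + "signature-placeholder"
)
SAMPLE_PATH = f"/api/{SAMPLE_JWT}/0123456789abcdef/beacon"
SAMPLE_C2_HEADERS = {
    "Via": "1.1 Caddy, 1.1 Caddy",
    "X-Request-Id": "constructed-req-0001",
    "Content-Type": "application/json",
}
SAMPLE_BENIGN_HEADERS = {"Server": "nginx", "Content-Type": "text/html"}

if __name__ == "__main__":
    print(score_http_exchange(SAMPLE_PATH, SAMPLE_C2_HEADERS))
    print(score_http_exchange("/static/app.js", SAMPLE_BENIGN_HEADERS))
```

Run `score_http_exchange` over each request/response pair in a web-proxy export; the decoded JWT claims and the victim-ID segment give an analyst something to pivot on (for instance, the same claims recurring across hosts), while the Caddy headers alone are far too common to alert on by themselves.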
As an investigation starting point, a Maltiverse search across MuddyWater-tagged indicators provides a ‘pivot starter’ for threat hunting. This query reveals the broader infrastructure cluster as it evolves day-to-day.
What Does This 2026 Shift Mean for Defenders?
The 2026 MuddyWater pivot is part of a broader pattern. State actors are diversifying into runtimes like Rust and Deno to outflank standard security. We see the same approach in the Lazarus Group’s Go and Rust experimentation and in APT36’s AI-generated implants. This means defenders must move from asking what runtime a binary uses to prioritizing tracking active network behavior, catching the attackers even when they disguise their malware as normal developer tools.
For Security Operations Center (SOC) teams, the message is direct. MuddyWater is evolving its attacks in weeks. Defenses must adapt just as fast:
- Hunt for unexpected runtimes and rapid network connections
Flag newly installed developer tools like deno.exe, python.exe, or rustc.exe that open outbound TLS connections within sixty seconds of first execution. A Deno binary on a non-developer corporate laptop is a major red flag.
- Monitor advanced execution chains and error handling
Block unapproved Microsoft Installers (MSIs). Specifically, flag the combination of a WiX-built MSI, an uncommon signer, and a child process invoking deno.exe or python.exe. Additionally, monitor for Vectored Exception Handler (VEH) installations in newly launched binaries to catch evasion attempts.
- Track behavioral network signals and data exfiltration
Bring threat intelligence to the network edge. Monitor outbound DNS queries, TLS SNI (the server name sent in the TLS handshake), and JA3 hashes (TLS client fingerprints). Investigate unusual HTTPS traffic to api.telegram.org. Furthermore, look for anomalous Rclone traffic. Repeated long-lived TLS sessions to S3-compatible cloud storage endpoints from non-developer hosts are a strong post-infection signal.
- Hunt against active Indicators of Compromise (IoCs)
Use the IoCs above and the Maltiverse relations graph to uncover hidden attacker infrastructure. Do not wait for quarterly vendor reports to update defenses.
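The first two hunts above (a runtime opening outbound TLS within sixty seconds of its first execution, and an MSI spawning deno.exe or python.exe) are easy to express as a correlation over endpoint telemetry. The correlator below is an added example, not a Maltiverse or article artifact: it replays Sysmon-style process-create and network-connect events in time order and emits both alert types. The event schema, the port-443-means-TLS shortcut, the developer-host allowlist and the sample events are all assumptions made for this demo.

```python
from typing import Dict, List

RUNTIME_IMAGES = {"deno.exe", "python.exe", "rustc.exe"}  # the article's hunt list
MSI_SPAWN_WATCH = {"deno.exe", "python.exe"}              # children of msiexec.exe to flag
WINDOW_S = 60.0                                            # "within sixty seconds of first execution"
TLS_PORTS = {443}                                          # assumption: treat 443 as TLS
# Assumption: hosts where these runtimes are expected; the first-execution
# rule is suppressed there, the MSI-spawn rule is not.
DEVELOPER_HOSTS = {"DEV-02"}


def correlate(events: List[Dict]) -> List[Dict]:
    """Replay process_create / network_connect events in time order.

    Emits (1) runtime_outbound_tls_within_60s when a watched runtime connects to a
    TLS port within WINDOW_S of that image's first execution on the host, and
    (2) msi_spawned_runtime when msiexec.exe is the parent of a watched runtime.
    """
    alerts: List[Dict] = []
    first_seen: Dict[tuple, float] = {}  # (host, image) -> ts of first process_create
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, image = ev["host"], ev["image"].lower()
        if ev["event"] == "process_create":
            first_seen.setdefault((host, image), ev["ts"])
            if ev.get("parent", "").lower() == "msiexec.exe" and image in MSI_SPAWN_WATCH:
                alerts.append({"rule": "msi_spawned_runtime", "host": host,
                               "image": image, "pid": ev["pid"], "ts": ev["ts"]})
        elif ev["event"] == "network_connect":
            if image not in RUNTIME_IMAGES or ev["dst_port"] not in TLS_PORTS:
                continue
            if host in DEVELOPER_HOSTS:
                continue
            first = first_seen.get((host, image))
            if first is None:  # no start event seen: the delay cannot be measured
                continue
            delta = ev["ts"] - first
            if delta <= WINDOW_S:
                alerts.append({"rule": "runtime_outbound_tls_within_60s", "host": host,
                               "image": image, "pid": ev["pid"], "dst": ev["dst"],
                               "delta_s": delta, "ts": ev["ts"]})
    return alerts


# Constructed Sysmon-style events (EID 1 = process create, EID 3 = network
# connect) reduced to the fields the rules need. 203.0.113.x addresses are
# documentation space, not real C2.
SAMPLE_EVENTS = [
    {"ts": 1000.0, "event": "process_create", "host": "WS-01", "image": "msiexec.exe",
     "parent": "explorer.exe", "pid": 400},
    {"ts": 1002.0, "event": "process_create", "host": "WS-01", "image": "deno.exe",
     "parent": "msiexec.exe", "pid": 412},
    {"ts": 1031.5, "event": "network_connect", "host": "WS-01", "image": "deno.exe",
     "pid": 412, "dst": "203.0.113.10", "dst_port": 443},
    # Developer box: first python.exe run connects quickly, but the host is allowlisted.
    {"ts": 5000.0, "event": "process_create", "host": "DEV-02", "image": "python.exe",
     "parent": "code.exe", "pid": 900},
    {"ts": 5005.0, "event": "network_connect", "host": "DEV-02", "image": "python.exe",
     "pid": 900, "dst": "203.0.113.20", "dst_port": 443},
    # Ordinary workstation: connection comes 400 s after first execution, outside the window.
    {"ts": 7000.0, "event": "process_create", "host": "WS-03", "image": "python.exe",
     "parent": "explorer.exe", "pid": 1300},
    {"ts": 7400.0, "event": "network_connect", "host": "WS-03", "image": "python.exe",
     "pid": 1300, "dst": "203.0.113.30", "dst_port": 443},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The same two rules translate directly into a SIEM correlation search (Sysmon EID 1 joined to EID 3 on ProcessGuid, grouped by host and image); the allowlist is the tuning knob that keeps a Deno install on an actual developer laptop from paging the on-call analyst.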
Ready to Upgrade Your Threat Intelligence? Stay ahead of emerging threats like MuddyWater. Maltiverse provides real-time visibility and actionable indicators to secure your enterprise. Open a free Maltiverse account today.