BugSleep
BugSleep is a custom backdoor associated with the Iranian MOIS-linked threat actor MuddyWater, also tracked as Boggy Serpens, Seedworm, Static Kitten, Mango Sandstorm, and TA450. Public reporting places its deployment beginning in May 2024, with campaigns primarily targeting Israeli organizations, though related MuddyWater activity also affected entities in Saudi Arabia, Turkey, Azerbaijan, India, Portugal, Egypt, and broader MENA diplomatic, maritime, financial, telecommunications, government, aviation, and energy sectors. BugSleep has also been reported under the alias MuddyRot.
BugSleep is described as a backdoor used to execute commands and facilitate file transfers between compromised hosts and command-and-control servers. Reporting characterizes it as under active development, with multiple versions and rapid iteration. Some reporting describes it as Python-based, while Check Point’s detailed July 2024 analysis identified it as a custom C/C++ backdoor; reporting also notes a Phoenix delivery lineage that deployed BugSleep via malicious macro-enabled Office documents and a Phoenix injector.
Observed infection chains rely heavily on spear-phishing. MuddyWater used compromised organizational email accounts and trusted internal mailboxes to bypass filtering, then delivered malicious Office documents that instructed users to enable macros. When enabled, VBA macros silently dropped payloads and displayed decoy content. Related campaigns also abused Egnyte subdomains and other file-sharing services for payload delivery. In some campaigns, the same lure themes were reused across regions, with Saudi Arabia receiving Atera RMM payloads while Israeli targets received BugSleep.
Documented BugSleep functionality includes command execution, file exfiltration, writing file contents, interactive cmd execution via pipes until a terminate command, updating sleep/timeout values, stopping communications, and creating or removing persistence. It sends an initial victim identifier composed of computer name and username. Communications and configuration are encrypted with a byte-shift scheme, and C2 traffic uses a [size_of_data][data] format. BugSleep decrypts embedded configuration containing the C2 IP address and port.
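The [size_of_data][data] framing and byte-shift encoding described above, as an added analysis example that is not code from the original page or from Check Point's report: it splits a captured stream into complete frames, holds back a truncated trailing frame for the next read, and reverses the byte shift. The 4-byte little-endian size prefix, the shift value of 3 used for the constructed sample, and the COMPUTERNAME\username identifier layout are assumptions, not values the page states.

```python
"""Decoder for the BugSleep C2 framing and byte-shift encoding described above.

Added analysis example; not code from the original page or from Check Point's
report. Assumptions (the page does not state them): the size prefix is a 4-byte
little-endian uint32, the byte shift is a fixed offset applied to every byte
modulo 256, and the victim identifier is laid out as "COMPUTERNAME\\username".
SAMPLE_STREAM is constructed here, not a real capture.
"""
import struct
from typing import List, Tuple

HEADER_LEN = 4        # assumption: [size_of_data] is a 4-byte little-endian uint32
ASSUMED_SHIFT = 3     # placeholder shift for the constructed sample; recover the
                      # real value from a sample during analysis


def shift_bytes(data: bytes, shift: int) -> bytes:
    """Add `shift` to every byte modulo 256. Decoding uses the negative of the
    shift that produced the data."""
    return bytes((b + shift) & 0xFF for b in data)


def parse_frames(stream: bytes) -> Tuple[List[bytes], bytes]:
    """Split a stream into complete [size][data] frames.

    Returns (frames, remainder). `remainder` is a trailing partial frame whose
    header or body has not fully arrived; a caller reading from a socket keeps
    it and prepends the next read, so a message split across TCP segments is
    neither dropped nor misparsed.
    """
    frames: List[bytes] = []
    pos = 0
    while len(stream) - pos >= HEADER_LEN:
        (size,) = struct.unpack_from("<I", stream, pos)
        body_start = pos + HEADER_LEN
        if len(stream) - body_start < size:
            break                      # body incomplete: stop, keep the remainder
        frames.append(stream[body_start:body_start + size])
        pos = body_start + size
    return frames, stream[pos:]


def decode_frames(stream: bytes, shift: int) -> Tuple[List[str], bytes]:
    """Frame the stream and undo the byte shift on each complete frame."""
    frames, rest = parse_frames(stream)
    decoded = [shift_bytes(f, -shift).decode("ascii", errors="replace") for f in frames]
    return decoded, rest


def build_frame(payload: bytes) -> bytes:
    """Length-prefix a payload; used only to construct the sample below."""
    return struct.pack("<I", len(payload)) + payload


# Constructed sample: an encoded victim identifier, a short encoded reply, and
# a third frame whose header announces 10 bytes but only 3 have arrived.
SAMPLE_STREAM = (
    build_frame(shift_bytes(b"WS01\\analyst", ASSUMED_SHIFT))
    + build_frame(shift_bytes(b"ok", ASSUMED_SHIFT))
    + struct.pack("<I", 10) + b"abc"
)

if __name__ == "__main__":
    messages, remainder = decode_frames(SAMPLE_STREAM, ASSUMED_SHIFT)
    print(messages)                                              # ['WS01\\analyst', 'ok']
    print(len(remainder), "bytes held back for the next read")   # 7
```

Because the shift is a parameter, the same decoder can be pointed at a new sample once the constant has been recovered from its string-decoding routine; the truncated third frame shows why a hunter replaying a PCAP must buffer across reads instead of treating each TCP segment as a message.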
Anti-analysis and persistence features are also documented. BugSleep uses repeated Sleep API calls to delay execution, creates mutexes including "PackageManager" and "DocumentUpdater," and commonly establishes persistence through a scheduled task named after the mutex with the comment "sample comment," configured to run every 30 minutes daily. One version enabled the ProcessSignaturePolicy (MicrosoftSignedOnly) and ProcessDynamicCodePolicy (ProhibitDynamicCode) process mitigations to hinder DLL injection, dynamic code execution, and user-mode hooking by EDR products.
A related loader was observed decrypting shellcode and injecting BugSleep in memory using WriteProcessMemory and CreateRemoteThread into processes including msedge.exe, opera.exe, chrome.exe, anydesk.exe, "Ondedrive.exe," and powershell.exe. Reporting also ties BugSleep to the Phoenix malware lineage, with forensic analysis showing shared development artifacts between Phoenix-delivered BugSleep and other MuddyWater implants. Additional reported indicators and characteristics include TCP port 443, the mutex "DocumentUpdater," identical string obfuscation logic across samples, and the novaservice.exe path shared with related malware tracks.
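Hunting logic for the persistence and injection artifacts described in the two paragraphs above, as an added example that is not from the original page or from any vendor rule set. It runs over constructed events modelled on Windows Security event 4698 (scheduled task created) and Sysmon event 8 (CreateRemoteThread); the JSON field names are simplified keys chosen for this example rather than the exact EVTX/Sysmon schema, while the task names, description, 30-minute interval and target process list come from the reporting summarized on the page.

```python
"""Hunting logic for the BugSleep persistence and injection artifacts above.

Added example; not from the original page or from any vendor rule set. It runs
over constructed events modelled on Windows Security event 4698 (scheduled task
created) and Sysmon event 8 (CreateRemoteThread). The JSON field names are
simplified keys chosen for this example, not the exact EVTX/Sysmon schema; the
task names, description, interval and target process list come from the
reporting summarized on the page.
"""
import json
import xml.etree.ElementTree as ET
from typing import Dict, List

TASK_NAMES = {"PackageManager", "DocumentUpdater"}   # reported mutex/task names
TASK_COMMENT = "sample comment"                       # reported task description
TASK_INTERVAL = "PT30M"                               # every 30 minutes (ISO 8601)
INJECTION_TARGETS = {"msedge.exe", "opera.exe", "chrome.exe", "anydesk.exe",
                     "ondedrive.exe", "powershell.exe"}  # as spelled in the reporting


def check_task_event(ev: Dict) -> List[str]:
    """Security 4698: scheduled task created. Returns the reasons to flag it."""
    reasons: List[str] = []
    name = ev.get("task_name", "").rsplit("\\", 1)[-1]
    if name in TASK_NAMES:
        reasons.append(f"task name matches reported BugSleep task/mutex name: {name}")
    root = ET.fromstring(ev.get("task_content", "<Task/>"))
    # '{*}' matches any XML namespace; the real TaskContent uses the
    # schemas.microsoft.com/windows/2004/02/mit/task namespace.
    desc = root.findtext(".//{*}RegistrationInfo/{*}Description")
    if desc is not None and desc.strip().lower() == TASK_COMMENT:
        reasons.append("task description is the reported placeholder 'sample comment'")
    interval = root.findtext(".//{*}Repetition/{*}Interval")
    # A 30-minute repetition is common on its own, so it only corroborates
    # a name or description match rather than firing by itself.
    if interval == TASK_INTERVAL and reasons:
        reasons.append("30-minute repetition interval matches the reported schedule")
    return reasons


def check_remote_thread(ev: Dict) -> List[str]:
    """Sysmon 8: CreateRemoteThread into one of the reported target processes."""
    target = ev.get("target_image", "").rsplit("\\", 1)[-1].lower()
    if target in INJECTION_TARGETS:
        return [f"remote thread from {ev.get('source_image')} into reported target {target}"]
    return []


def hunt(lines: List[str]) -> List[Dict]:
    """Evaluate JSON event lines; return one finding per flagged event."""
    findings: List[Dict] = []
    for i, line in enumerate(lines):
        ev = json.loads(line)
        if ev.get("provider") == "Security" and ev.get("event_id") == 4698:
            reasons = check_task_event(ev)
        elif ev.get("provider") == "Sysmon" and ev.get("event_id") == 8:
            reasons = check_remote_thread(ev)
        else:
            reasons = []
        if reasons:
            findings.append({"index": i, "host": ev.get("host"), "reasons": reasons})
    return findings


TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
SUSPECT_TASK = (
    f'<Task xmlns="{TASK_NS}"><RegistrationInfo><Description>sample comment'
    '</Description></RegistrationInfo><Triggers><CalendarTrigger><Repetition>'
    '<Interval>PT30M</Interval></Repetition></CalendarTrigger></Triggers></Task>'
)
BENIGN_TASK = (
    f'<Task xmlns="{TASK_NS}"><RegistrationInfo><Description>Defragments volumes'
    '</Description></RegistrationInfo><Triggers><CalendarTrigger/></Triggers></Task>'
)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"host": "WS01", "provider": "Security", "event_id": 4698,
     "task_name": "\\DocumentUpdater", "task_content": SUSPECT_TASK},
    {"host": "WS01", "provider": "Security", "event_id": 4698,
     "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "task_content": BENIGN_TASK},
    {"host": "WS01", "provider": "Sysmon", "event_id": 8,
     "source_image": "C:\\Users\\analyst\\AppData\\Local\\Temp\\update.exe",
     "target_image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"},
    {"host": "WS01", "provider": "Sysmon", "event_id": 8,
     "source_image": "C:\\Windows\\System32\\csrss.exe",
     "target_image": "C:\\Windows\\System32\\notepad.exe"},
]]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["host"], f["index"], "; ".join(f["reasons"]))
```

The task check is deliberately layered: the name and the "sample comment" description are each strong on their own, while the 30-minute interval only adds weight, since many legitimate tasks repeat on that cadence. The Sysmon check matches only the process names the reporting lists; in a real deployment the source image path (user-writable directories such as Temp) is the more durable signal than the target list, which a later version may change.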
Groups observed using it: 1 distinct threat actor attributed by public researchers.
Recent attacks have also involved a variety of more sophisticated malware, including the BugSleep backdoor to facilitate file transfers between infected endpoints and C2 servers, a Phoenix injector for deploying BugSleep, the Fooder malware loader and an advanced backdoor tracked as Stealth Cache.
Techniques & procedures
15 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 3 techniques
Execution: 4 techniques
"the malware then creates a scheduled task... The scheduled task, which ensures persistence for BugSleep, runs the malware and is triggered every 30 minutes"
“use of command and scripting interpreters (T1059) like PowerShell (T1059.001)” and repeated PowerShell-based backdoors (e.g., TameCat) and command lines across groups.
Persistence: 1 technique
Privilege Escalation: 2 techniques
Stealth: 3 techniques
"All the configurations and strings are encrypted... Every message exchanged between BugSleep and its C&C domain follows this format"
Discovery: 1 technique
Command and Control: 4 techniques
Sekoia TDR (July 2024) independently documented the same implant under the name MuddyRot, with matching characteristics: mutex “DocumentUpdater,” TCP port 443, and identical string obfuscation logic.
Word lure (airline tickets, reports) -> HTTP_VIP -> AnyDesk (return to RMM abuse pattern).
"MuddyWater has frequently used Egnyte subdomains... Upon opening the shared link, recipients can see the name of the purported sender"
IOCs tracked for this family: 44 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering IPs, domains, and DNS infrastructure; file hashes (MD5, SHA-1, SHA-256) from samples and reports; and other indicator types observed in public reporting.
Recent activity: 12 sources tracked across advisories, community write-ups, and news.
A full backdoor delivered via the Phoenix Lineage VBA builder track and used in Boggy Serpens/MuddyWater campaigns for persistent access.
A malware remediation prompt constructed as “How should we address this computer with BugSleep malware? Give 5 discrete steps to remediate and prevent recurrence” applies chain-of-thought logic — breaking a complex problem into analyst-ready steps.
A custom C/C++ backdoor used in phishing campaigns across more than 10 sectors, with Sekoia tracking the same implant as MuddyRot.
Backdoor used in phishing campaigns to maintain access and enable remote control of compromised systems.