MuddyWater
MuddyWater appears in the source material in two different roles. It is best known, and is described by this page's own recent-activity sources, as an Iran-nexus APT group; the Microsoft-linked reporting summarised below nevertheless lists it among "malware families", so its entries here should be read with that ambiguity in mind.

Microsoft-linked reporting states that malware-signing-as-a-service infrastructure operated by the financially motivated actor Fox Tempest was directly linked to dozens of malware families, including MuddyWater. In that context, signed malware was used in follow-on attacks such as ransomware, phishing, SEO poisoning, and malicious advertising, and affected sectors including healthcare, education, government, and financial services, with heavy targeting reported in the United States, France, India, and China.

Separately, Group-IB reporting cited in the content says the MuddyWater APT launched a campaign dubbed Operation Olalampo, using Telegram bots for command-and-control and deploying new malware variants including the Rust backdoor CHAR, the downloaders GhostFetch and HTTP_VIP, and GhostBackDoor, primarily impacting organizations in the Middle East and North Africa (MENA).

The content also notes a CISA report stating that MuddyWater leveraged a specific command, but the command itself is not provided in the supplied material. No high-confidence infection vector or standalone indicators of compromise for MuddyWater are included in the provided content.
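The Telegram-bot C2 described above is worth hunting for directly, because the Bot API has a fixed shape: every call goes to api.telegram.org with the bot token embedded in the URL path as /bot<bot_id>:<secret>/<method>, and an implant that polls for tasking calls getUpdates repeatedly. The script below is an added example, not code from the page, Group-IB, or any MuddyWater tooling. It assumes a constructed, space-separated proxy log export (timestamp, source IP, HTTP method, URL, quoted User-Agent, status); the bot token in the sample is made up.

```python
"""Hunt Telegram Bot API command-and-control traffic in web-proxy logs.

Added example, not code from the page or from any cited vendor. Log format is a
constructed, space-separated proxy export:
    <iso8601 ts> <src_ip> <http_method> <url> "<user-agent>" <status>
"""
import hashlib
import re
import shlex
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

TELEGRAM_API_HOST = "api.telegram.org"
# Bot API calls carry the bot token in the path: /bot<bot_id>:<secret>/<method>.
BOT_PATH_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]{30,})/([A-Za-z]+)")
# Methods a bot-based implant needs: poll for tasking, return output, move files.
C2_METHODS = {"getUpdates", "sendMessage", "sendDocument", "getFile"}
BROWSER_UA_PREFIX = "Mozilla/"  # browsers use web.telegram.org, not the Bot API


def parse_line(line):
    """Split one constructed proxy record into a dict; shlex keeps the quoted UA intact."""
    ts, src, method, url, ua, status = shlex.split(line)
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "src": src, "method": method, "url": url, "ua": ua, "status": int(status),
    }


def bot_call(url):
    """Return (bot_id, token_fingerprint, api_method) for a Bot API URL, else None."""
    parts = urlsplit(url)
    if parts.hostname != TELEGRAM_API_HOST:
        return None
    m = BOT_PATH_RE.match(parts.path)
    if not m:
        return None
    bot_id, secret, api_method = m.groups()
    # Never copy the raw token into a ticket or SIEM field: keep the numeric bot id
    # (enough to cluster activity) plus a short hash of the secret part.
    fingerprint = hashlib.sha256(secret.encode()).hexdigest()[:12]
    return bot_id, fingerprint, api_method


def hunt(lines, poll_window_s=120, min_polls=3):
    """Group Bot API calls per (source host, bot) and score them."""
    sessions = defaultdict(lambda: {"methods": set(), "uas": set(), "polls": []})
    for line in lines:
        rec = parse_line(line)
        hit = bot_call(rec["url"])
        if hit is None:
            continue
        bot_id, fp, api_method = hit
        s = sessions[(rec["src"], bot_id, fp)]
        s["methods"].add(api_method)
        s["uas"].add(rec["ua"])
        if api_method == "getUpdates":
            s["polls"].append(rec["ts"])

    findings = []
    for (src, bot_id, fp), s in sessions.items():
        reasons = ["bot-api-token-in-url"]  # any Bot API use from a workstation is notable
        if not any(ua.startswith(BROWSER_UA_PREFIX) for ua in s["uas"]):
            reasons.append("non-browser-user-agent")
        if s["methods"] & C2_METHODS:
            reasons.append("c2-style-methods")
        polls = sorted(s["polls"])
        # Long polling for tasking shows up as repeated getUpdates in a tight window.
        if len(polls) >= min_polls and (polls[-1] - polls[0]).total_seconds() <= poll_window_s:
            reasons.append("long-polling")
        findings.append({
            "src": src, "bot_id": bot_id, "token_fingerprint": fp,
            "methods": sorted(s["methods"]), "reasons": reasons, "score": len(reasons),
        })
    return sorted(findings, key=lambda f: -f["score"])


# Constructed sample log; the token below is made up, not a real bot credential.
TOKEN = "123456789:AAHdqTcvCH1vGWJxfSeofSAs0K5PALDsaw4"
SAMPLE_LOG = [
    f'2024-05-01T10:00:00Z 10.0.0.5 GET https://api.telegram.org/bot{TOKEN}/getUpdates "python-requests/2.31.0" 200',
    f'2024-05-01T10:00:30Z 10.0.0.5 GET https://api.telegram.org/bot{TOKEN}/getUpdates "python-requests/2.31.0" 200',
    f'2024-05-01T10:01:00Z 10.0.0.5 GET https://api.telegram.org/bot{TOKEN}/getUpdates "python-requests/2.31.0" 200',
    f'2024-05-01T10:01:05Z 10.0.0.5 POST https://api.telegram.org/bot{TOKEN}/sendDocument "python-requests/2.31.0" 200',
    '2024-05-01T10:02:00Z 10.0.0.9 GET https://web.telegram.org/a/ "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0" 200',
    '2024-05-01T10:03:00Z 10.0.0.12 GET https://api.telegram.org/ "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0" 404',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f["score"], f["src"], f["bot_id"], f["token_fingerprint"], f["reasons"])
```

Two design choices matter in practice. The token is fingerprinted rather than stored, because a Bot API token is a live credential for the attacker's channel and should not end up in ticket systems. And the score is built from independent signals (token in URL, non-browser User-Agent, C2-style methods, tight polling), so a single legitimate automation host that only calls sendMessage scores lower than a polling implant; tune poll_window_s and min_polls to the implant's observed sleep interval.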
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Fox Tempest’s operation — which included an authenticated portal and a drag-and-drop feature for rapid code signing — was directly linked to dozens of malware families, including Oyster, Lumma Stealer, MuddyWater, and Vidar.
Techniques & procedures
1 distinct technique documented for this family, organized by ATT&CK tactic.
Defense Evasion
1 technique (ATT&CK: Subvert Trust Controls: Code Signing, T1553.002). Fox Tempest operated as an enabler "upstream in the malware and ransomware supply chain": not conducting attacks directly, but selling a malware-signing-as-a-service (MSaaS) offering that let cybercriminals disguise malware as legitimate, trusted software. The certificates allowed attackers to pass malicious software off as legitimate applications, helping it bypass security filters that treat a valid signature as a trust signal.
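The defensive lesson from signing-as-a-service is that a valid Authenticode signature only tells you who signed a file, not whether the file is safe, so "signed" must not short-circuit triage. The script below is an added example, not code from the page or from any vendor. It assumes signature verification has already been done by a tool such as sigcheck or Get-AuthenticodeSignature and exported to a CSV with the (assumed) columns shown; the rows, publisher names, thumbprints and the fresh-certificate threshold are constructed for illustration.

```python
"""Triage signed binaries: a valid signature identifies the signer, not a safe file.

Added example, not code from the page or from any vendor. Input is a constructed CSV
export of signature-verification results with these assumed columns:
    path,sha256,verified,publisher,cert_thumbprint,cert_not_before,first_seen
"""
import csv
import io
from datetime import date, timedelta

# Publishers the organisation has explicitly decided to trust (hypothetical list).
PUBLISHER_ALLOWLIST = {"Microsoft Corporation", "Contoso IT Tooling"}
# Certificate thumbprints reported as fraudulent or revoked (constructed values).
BLOCKED_THUMBPRINTS = {"a1" * 20}
# Heuristic, not a rule from the page: a signing certificate issued only days before
# the binary first appeared is worth a look, since rapid issuance is cheap for a
# signing service and unusual for an established vendor.
FRESH_CERT_DAYS = 14


def triage(row):
    """Return a verdict ('allow', 'review' or 'block') with reasons for one record."""
    path = row["path"]
    verified = row["verified"].strip().lower()
    if verified == "unsigned":
        # Unsigned is outside the signing-abuse question; it still gets a human look.
        return {"path": path, "verdict": "review", "reasons": ["unsigned"]}
    if verified != "signed":
        # Broken or tampered signature: treat as hostile until explained.
        return {"path": path, "verdict": "block", "reasons": [f"signature-{verified}"]}

    thumb = row["cert_thumbprint"].strip().lower()
    if thumb in BLOCKED_THUMBPRINTS:
        # A known-fraudulent certificate overrides everything else, including the publisher.
        return {"path": path, "verdict": "block", "reasons": ["cert-blocklisted"]}

    reasons = []
    if row["publisher"] not in PUBLISHER_ALLOWLIST:
        reasons.append("publisher-not-allowlisted")
    issued = date.fromisoformat(row["cert_not_before"])
    first_seen = date.fromisoformat(row["first_seen"])
    if first_seen - issued <= timedelta(days=FRESH_CERT_DAYS):
        reasons.append("cert-freshly-issued")
    return {"path": path, "verdict": "review" if reasons else "allow", "reasons": reasons}


def triage_csv(text):
    """Triage every row of a verification export; returns one verdict dict per row."""
    return [triage(row) for row in csv.DictReader(io.StringIO(text))]


# Constructed sample export: hashes and thumbprints are filler, not real samples.
SAMPLE_CSV = "\n".join([
    "path,sha256,verified,publisher,cert_thumbprint,cert_not_before,first_seen",
    "C:\\Program Files\\Contoso\\agent.exe," + "11" * 32 + ",Signed,Contoso IT Tooling," + "b2" * 20 + ",2023-01-10,2024-03-01",
    "C:\\Users\\jdoe\\Downloads\\update.exe," + "22" * 32 + ",Signed,Kwik Dev LLC," + "c3" * 20 + ",2024-02-25,2024-03-01",
    "C:\\Windows\\Temp\\loader.exe," + "33" * 32 + ",Signed,Kwik Dev LLC," + "a1" * 20 + ",2023-11-02,2024-03-01",
    "C:\\Tools\\helper.exe," + "44" * 32 + ",Unsigned,,,,2024-03-01",
]) + "\n"

if __name__ == "__main__":
    for v in triage_csv(SAMPLE_CSV):
        print(v["verdict"], v["path"], v["reasons"])
```

The ordering is deliberate: a blocklisted certificate wins over an allowlisted publisher name, because a fraudulently obtained certificate can carry any subject string the issuer was persuaded to put on it. Keep the publisher allowlist small and tie it to the exact subject name; matching on substrings reintroduces the problem the signing service exploits.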
IOCs tracked for this family
21 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A named malware/tool family listed as deployed through Fox Tempest’s malware-signing service using fraudulent certificates.
A named malware/tooling family cited as linked to Fox Tempest’s fraudulent code-signing infrastructure.
Iran-nexus APT activity described as deploying multiple new malware components and using Telegram bots for C2 in a MENA-focused campaign.
Referenced in multiple contexts as using Windows command-line for discovery (e.g., domain user enumeration) and as associated with use of the Small Sieve Python backdoor; also referenced as performing PE injection for defense evasion.