Iran-linked MuddyWater APT deployed new BugSleep backdoor in recent campaigns

The Iranian state-backed hacking group MuddyWater has begun using a new custom malware implant named BugSleep to execute commands and steal files from compromised systems. The campaign was uncovered by analysts at Check Point Research, who identified the malware being distributed through phishing lures.

MuddyWater, also known as Earth Vetala, Mercury, Static Kitten, and Seedworm, has a history of targeting Middle Eastern entities, particularly in Israel. First spotted in 2017, the group has expanded its operations to include cyber-espionage campaigns against government and defense entities across Central and Southwest Asia, North America, and Europe.

The latest campaign, active since February 2024, involves sending large volumes of phishing emails from compromised accounts to a wide range of targets. These emails, often disguised as invitations to webinars or online courses, direct recipients to archives containing malicious payloads hosted on the Egnyte secure file-sharing platform. Some variants also include a custom loader designed to inject BugSleep into running processes of applications such as Microsoft Edge, Google Chrome, AnyDesk, Microsoft OneDrive, PowerShell, and Opera.

In its previous campaigns, MuddyWater relied on legitimate remote monitoring and management (RMM) tools such as Atera Agent and ScreenConnect to maintain access to victim networks, Check Point notes. The group has now shifted to the new BugSleep backdoor, which is still under active development.

The phishing campaigns have targeted an array of sectors, including government organizations, municipalities, airlines, travel agencies, and media outlets. Notably, there have been concerted efforts aimed at Israeli municipalities and various industries in Turkey, Saudi Arabia, India, and Portugal. Since February, over 50 spear-phishing emails targeting more than 10 sectors have been sent to hundreds of recipients, Check Point said.
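The two behaviours described above, a loader injecting into the named browser, RMM and shell processes, and the earlier reliance on Atera Agent and ScreenConnect, are both visible in endpoint telemetry. The script below is an added hunting example written for this page, not code from Check Point or from the malware itself. It runs three rules over Sysmon-style process-access (Event ID 10), CreateRemoteThread (Event ID 8) and process-creation (Event ID 1) records: injection-capable access to one of the target processes named in the report, an executable launched from a temporary archive-extraction directory, and the first appearance of an RMM agent on a host. The sample events are constructed for the example; the RMM binary names and the temp-directory patterns are assumptions to verify against your own inventory.

```python
"""Hunting rules for the BugSleep delivery chain over Sysmon-style events.

Added example, not Check Point's or MuddyWater's code. All events below are
constructed; RMM binary names and extraction-directory patterns are assumed.
"""
import re

# Processes named in the Check Point report as BugSleep injection targets.
INJECTION_TARGETS = {
    "msedge.exe", "chrome.exe", "anydesk.exe",
    "onedrive.exe", "powershell.exe", "opera.exe",
}
# Assumed binary names for the RMM agents named in the report.
RMM_AGENTS = {"ateraagent.exe", "screenconnect.clientservice.exe"}
# Archive handlers whose children we inspect (assumed list).
ARCHIVE_HANDLERS = {"winrar.exe", "7zfm.exe", "7zg.exe", "explorer.exe"}
# Assumed temp-extraction directory patterns: WinRAR (Rar$...), 7-Zip, Explorer (Temp1_...).
TEMP_EXTRACT_RE = re.compile(r"\\temp\\(rar\$|7z|temp\d+_)", re.IGNORECASE)

# Access rights a process needs to write code into and start a thread in another process.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_WRITE = 0x0020


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def injection_capable(granted_access: str) -> bool:
    """True when a Sysmon GrantedAccess mask allows classic thread injection."""
    mask = int(granted_access, 16)
    return (mask & PROCESS_CREATE_THREAD) != 0 and (mask & PROCESS_VM_WRITE) != 0


def analyze(events):
    """Return (rule, host, detail) tuples for every event that trips a rule."""
    alerts = []
    seen_rmm = set()  # (host, agent) pairs already reported, to avoid repeats
    for ev in events:
        eid, host = ev["EventID"], ev["Host"]
        if eid in (8, 10):
            source, target = basename(ev["SourceImage"]), basename(ev["TargetImage"])
            if target not in INJECTION_TARGETS:
                continue
            # Event 8 already implies a remote thread; event 10 needs a capable mask.
            if eid == 10 and not injection_capable(ev["GrantedAccess"]):
                continue
            alerts.append(("injection", host, f"{source} -> {target} (EventID {eid})"))
        elif eid == 1:
            image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
            if image in RMM_AGENTS and (host, image) not in seen_rmm:
                seen_rmm.add((host, image))
                alerts.append(("rmm_agent", host, f"{image} started by {parent}"))
            if parent in ARCHIVE_HANDLERS and TEMP_EXTRACT_RE.search(ev["Image"]):
                alerts.append(("archive_payload", host, ev["Image"]))
    return alerts


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 10, "Host": "WS01", "GrantedAccess": "0x1FFFFF",
     "SourceImage": r"C:\Users\a\AppData\Local\Temp\Rar$EXa1234.567\loader.exe",
     "TargetImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"},
    {"EventID": 10, "Host": "WS01", "GrantedAccess": "0x1000",  # query-only, benign
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"EventID": 8, "Host": "WS01",
     "SourceImage": r"C:\Users\a\AppData\Local\Temp\Rar$EXa1234.567\loader.exe",
     "TargetImage": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"},
    {"EventID": 1, "Host": "WS01",
     "Image": r"C:\Users\a\AppData\Local\Temp\Rar$EXa1234.567\webinar_invite.exe",
     "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe"},
    {"EventID": 1, "Host": "WS02",
     "Image": r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 1, "Host": "WS02",  # repeat start on same host, suppressed
     "Image": r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 10, "Host": "WS02", "GrantedAccess": "0x1FFFFF",  # not a target process
     "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for rule, host, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] {host}: {detail}")
```

The access-mask check matters in practice: security products and the OS itself open handles to browsers constantly, so alerting on every Event ID 10 against the target list would drown the signal. Requiring both PROCESS_VM_WRITE and PROCESS_CREATE_THREAD keeps the rule focused on handles that can actually be used to plant and run code, which is the behaviour the loader needs.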
