16 July 2024

Iran-linked MuddyWater APT deployed new BugSleep backdoor in recent campaigns

The Iranian-backed hacking group MuddyWater has begun utilizing a new custom malware implant named BugSleep to execute commands and steal files from compromised systems. The new campaign was uncovered by analysts at Check Point Research who identified the malware being distributed through sophisticated phishing lures.

MuddyWater, also known as Earth Vetala, Mercury, Static Kitten, and Seedworm, has a history of targeting Middle Eastern entities, particularly in Israel. First spotted in 2017, the group has expanded its operations to include cyber-espionage campaigns against government and defense entities across Central and Southwest Asia, North America, Europe, and Asia.

The latest campaign, active since February 2024, involves sending large volumes of phishing emails from compromised accounts to a wide range of targets. These emails, often disguised as invitations to webinars or online courses, direct recipients to archives containing malicious payloads hosted on the Egnyte secure file-sharing platform. Some variants also include a custom malware loader designed to inject BugSleep into active processes of applications such as Microsoft Edge, Google Chrome, AnyDesk, Microsoft OneDrive, PowerShell, and Opera.

In its previous campaigns, MuddyWater relied on legitimate remote monitoring and management (RMM) tools such as Atera Agent and ScreenConnect to maintain access to victim networks, Check Point notes. The group has now shifted to the new BugSleep backdoor, which is still under active development.

The phishing campaigns have targeted an array of sectors, including government organizations, municipalities, airlines, travel agencies, and media outlets. Notably, there have been concerted efforts aimed at Israeli municipalities and various industries in Turkey, Saudi Arabia, India, and Portugal. Since February, over 50 spear-phishing emails targeting more than 10 sectors have been sent to hundreds of recipients, Check Point said.
