Update: MuddyWater Refines Tooling and Tradecraft in Targeted Espionage Operations
Recent analysis shows that MuddyWater, an Iran-aligned APT also tracked as Mango Sandstorm and TA450, has significantly upgraded its technical capability during a campaign targeting critical infrastructure, government, academic, and technology organizations in Israel and Egypt. Researchers observed the group shifting away from its historically noisy, operator-driven activity toward a more deliberate, controlled toolset, including the newly identified Fooder loader and the MuddyViper backdoor. Fooder relies on reflective loading, custom delay loops inspired by the Snake game, and staged decryption meant to degrade automated analysis. MuddyViper provides full operator control, enabling system reconnaissance, credential theft, browser-data extraction, file operations, reverse shells, and persistence establishment. These tools were deployed alongside credential stealers and customized reverse-tunneling components, indicating the group’s continued reliance on modular implants tailored for long-term access. This campaign also highlighted operational overlap with Lyceum, suggesting potential cooperation or initial-access brokering within the broader Iran-aligned ecosystem. Consistent spearphishing leading to RMM tool installation remained the primary entry vector, reinforcing MuddyWater’s predictable targeting pattern across government and infrastructure environments. However, the adoption of Windows CNG-based cryptography, reflective loaders, and multi-stage data theft workflows demonstrates a clear effort to harden implants and reduce detection. The group’s evolving sophistication, combined with its focus on Israeli and regional critical sectors, positions MuddyWater as a persistent and maturing espionage threat. Mitigation requires strict attachment controls, behavioral EDR tuned for reflective loaders and tunneling tools, and network monitoring for abnormal process-to-network activity that aligns with MuddyWater’s toolset and execution flow.
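One way to operationalize the process-to-network monitoring recommended above, as an added example rather than code from the report: a small scorer over Sysmon-style network-connect events that flags the stages of the spearphish, RMM-install and reverse-tunnel chain and only surfaces images that hit more than one stage. The event field names, the RMM/tunnel watchlist and the sample telemetry are assumptions constructed for this example.

```python
import ipaddress

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
RMM_OR_TUNNEL = ("anydesk", "screenconnect", "atera", "ngrok", "plink", "chisel")  # assumed watchlist
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_external(ip):
    """Routable, non-RFC1918 destination; malformed or empty input counts as not external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL)

def score_event(ev):
    """Reasons a Sysmon-style network-connect (event_id 3) event matches the flow above."""
    reasons = []
    if ev.get("event_id") != 3:  # process-create and other events are not scored here
        return reasons
    image = ev.get("image", "").lower()
    parent = ev.get("parent_image", "").rsplit("\\", 1)[-1].lower()
    if parent in OFFICE_APPS:
        reasons.append("office-spawned-process-network")  # attachment/macro stage
    if any(seg in image for seg in USER_WRITABLE) and is_external(ev.get("dest_ip", "")):
        reasons.append("user-writable-path-outbound")  # dropped loader or RMM installer
    if any(tag in image for tag in RMM_OR_TUNNEL):
        reasons.append("rmm-or-tunnel-binary")  # remote access / reverse tunnel stage
    return reasons

def triage(events, threshold=2):
    """Group hits by (host, image); keep images with at least `threshold` distinct reasons."""
    hits = {}
    for ev in events:
        for reason in score_event(ev):
            hits.setdefault((ev["host"], ev["image"].lower()), set()).add(reason)
    return {key: sorted(val) for key, val in hits.items() if len(val) >= threshold}

# Constructed sample telemetry for the example (not indicators from the report).
SAMPLE = [
    {"host": "ws01", "event_id": 3, "dest_ip": "203.0.113.5", "dest_port": 443,
     "image": "C:\\Users\\a\\AppData\\Local\\Temp\\update.exe",
     "parent_image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE"},
    {"host": "ws01", "event_id": 3, "dest_ip": "203.0.113.9", "dest_port": 443,
     "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"host": "ws02", "event_id": 3, "dest_ip": "203.0.113.7", "dest_port": 443,
     "image": "C:\\Users\\b\\Downloads\\AnyDesk.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
]
```

Raise `threshold` or extend the watchlist to fit the estate's baseline; a browser making outbound connections from Program Files scores nothing, while a dropped binary under a user profile that was spawned by Office, or an RMM agent launched from Downloads, does.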
Calendly-Themed Phishing Campaign Targets Google Workspace and Facebook Business Ad Accounts
Researchers uncovered a long-running, multi-variant phishing campaign that uses highly tailored Calendly-themed lures to compromise Google Workspace and Facebook Business accounts associated with digital ad management. The actor uses a multi-stage social engineering flow to bypass email scanners, beginning with recruiter-themed outreach that only later delivers a phishing link disguised as a Calendly meeting request. The campaign employs multiple evasion methods, including Attacker-in-the-Middle (AiTM) toolkits, domain-restricted login challenges, Browser-in-the-Browser (BITB) overlays, anti-VPN/anti-proxy blocking, and dynamic page rendering that reveals malicious elements only to pre-selected victims. These techniques allow the attacker to capture session tokens and credentials for downstream business systems tied to Google SSO. Additional variants show the same operator recycling infrastructure to target Facebook Business Manager accounts, layering BITB pop-ups and anti-analysis logic to frustrate analyst inspection. The campaign's objective appears to be the takeover of business advertising accounts, which can be repurposed for malvertising, identity-based initial access, and monetized resale of compromised account infrastructure. With malvertising activity rapidly increasing across Google Search and major social platforms, the expansion of this campaign highlights a broader criminal ecosystem interest in hijacking ad-management access to deliver malicious content at scale. Organizations should enforce phishing-resistant authentication (FIDO2) and domain allowlisting, deploy AI/ML detection tuned for AiTM and BITB patterns, and continuously monitor Google Ads and Business Manager account changes, especially new admin additions and MCC linkages.
Matanbuchus v3.0: Continued Evolution of a Lightweight Downloader in Ransomware-Adjacent Campaigns
Zscaler analysts have identified version 3.0 of Matanbuchus, a C++ downloader offered as a Malware-as-a-Service platform since 2020, now updated with Protocol Buffers and expanded anti-analysis features. The malware's deployment flow continues to rely on a dedicated loader that fetches and executes a main module capable of tasking, payload delivery, and hands-on-keyboard functionality. Recent intrusions show actors abusing remote assistance tools to manually stage Matanbuchus, followed by DLL sideloading to initiate the downloader module. Once active, the malware decrypts a shellcode loader, retrieves the main module, and launches it, using extensive obfuscation, junk code, and dynamic API hashing to evade static analysis. As observed in multiple campaigns, Matanbuchus is increasingly paired with commodity stealers and remote access tools, aligning its operational footprint with ransomware affiliates who favor lightweight modular loaders. The main module provides persistence via scheduled tasks, per-host mutexes, and randomized storage paths derived from system identifiers, enabling stable, long-term access. Network communication is fully serialized through Protobuf structures encrypted with ChaCha20, supporting a flexible command set that includes payload execution, process enumeration, system reconnaissance, shell command execution, and targeted injection techniques. Registration with the command server includes security product discovery, privilege checks, domain information, and system metadata, enabling operators to tailor workloads to the environment. The addition of an expiration date in the configuration provides operational control, preventing uncontrolled spread and signaling more careful tradecraft than in earlier releases. Combined with tasking that supports executable, DLL, MSI, and shellcode delivery across multiple injection pathways, Matanbuchus continues to function as a reliable, low-complexity loader ideal for ransomware staging and post-compromise actions.