Sunday, May 25, 2025
HomeCyber AttackHackers Exploiting Legitimate RMM Tools With BugSleep Malware

Hackers Exploiting Legitimate RMM Tools With BugSleep Malware

Published on

SIEM as a Service

Follow Us on Google News

Since October 2023, MuddyWater, which is an Iranian threat group linked to MOIS, has escalated its phishing campaigns in Middle East countries, specifically Israel.

In their approach, they use already compromised email accounts to spread malicious content across various sectors.

Predawn churning of curd formed overnight using fresh cow milk. Made freshly in small batches.

- Advertisement - Google News

Recent attacks have featured generic, English-language lures such as webinar invitations, which promote reuse on a wider scale.

Cybersecurity researchers at CheckPoint recently identified that MuddyWater hackers have been deploying legitimate RMM with BugSleep malware.

Hackers Exploiting RMM Tools

The BugSleep is a custom backdoor that uses legitimate Remote Management Tools (RMMs).

Their strategies are becoming more sophisticated with customized lures for certain industries and Malicious files hosted on legitimate file-sharing services like Egnyte that show how adaptable they can be while keeping their MuddyWater signatures intact.

MuddyWater new infection chain (Source – CheckPoint)

MuddyWater, a hacker group, is said to have been using Egnyte subdomains for cyber attacks involving phishing and aimed at various industries in different countries.

They have also introduced new BugSleep malware to replace certain legal uses of remote monitoring and management (RMM) tools.

Notable phishing campaigns (Source – CheckPoint)

BugSleep applies evasion techniques, encrypts communications, and can carry out multiple commands from its C&C server.

The malware has signs of ongoing development including different versions and some coding inconsistencies while using process injection for persistence, scheduled tasks, and attempts to evade EDR solutions.

Due to these implementation lapses, BugSleep poses a significant threat, especially for organizations based in Israel, Turkey, Saudi Arabia, India, and Portugal, which may have connections to operations conducted in Azerbaijan and Jordan.

Map of targeted countries (Source – CheckPoint)

The group’s enhanced phishing campaigns have been encouraged by the introduction of BugSleep.

Besides this, MuddyWater’s increased activity in the Middle East, especially in Israel, demonstrates their persistence and evolving tactics, researchers said.

Targeting diverse sectors like municipalities, airlines, and media, the group has simplified its lures, shifting from highly customized to generic themes in English. 

This alteration will enable broader regional impact rather than specific targeting with more attacks in volume, indicating their strategy adjustment.

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to...

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code...

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager...

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to...

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code...

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager...