Cyber Espionage Campaign Possibly “MuddyWater” Targets Middle East and Central Asia

A new campaign with the similarities of MuddyWater spotted targetting organizations in Pakistan, Turkey, and Tajikistan. Attackers use various social engineering methods to trick the victims into enabling macros and activate payloads.

Security researchers from TrendMicro spotted the campaign says that “we can assume that there is a connection between these new attacks and the MuddyWater campaign”.

With this campaign, the attacker tries to impersonate government organizations of Tajikistan and the campaign uses similar obfuscation method as like MuddyWater.

In some lure documents payloads were directly embedded inside and some documents contain links that download the malicious payload.

Also Read Active Business Phishing Campaign Targeting Fortune 500 Companies to Steal Financial Assets

MuddyWaterMuddyWater

One the payload executes it creates two malicious scripts in the ProgramData directory, obfuscated Visual Basic script(VBS_VALYRIA.DOCT) that executes the obfuscated PowerShell script(TROJ_VALYRIA.PS).

The Obfusticated PowerShell divided into three parts

1. Contains encryption keys and few websites that serve as proxies.
2. Second part the standard RSA encryption.
3. Contains the backdoor function. It communicates with the C&C server and can perform following actions such as clean, reboot, shutdown, screenshot, and upload.

The backdoor collects the infected machine information such as the Operating System name, architecture, domain, network adapter configuration, and username. Communication with C&C server done via XML messages.

Researchers said the attackers “are actively monitoring the incoming connections to the C&C. In one of our attempts, we sent an improper request to the C&C server, which replied with the following message: “Stop!!! I Kill You, Researcher.”

How to stay safe – Business Phishing Campaign

1. Have a unique Email address.
2. Do not open any attachments without proper validation.
3. Don’t open emails voluntary emails.
4. Use Spam filters & Antispam gateways.
5. Never respond to any spam emails.
6. verify the vendor.
7. Implement Two-factor Authentication

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…

2 days ago

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code execution…

2 days ago

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…

2 days ago

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…

2 days ago

EU Targets Stark Industries in Cyberattack Sanctions Crackdown

The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…

2 days ago

Venice.ai’s Unrestricted Access Sparks Concerns Over AI-Driven Cyber Threats

Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…

2 days ago