Hackers affiliated with MuddyWater are deploying custom malware in multi-stage chains and hiding their command-and-control infrastructure behind Cloudflare.

In 2025 MuddyWater re-emerged with tailor-made backdoors such as BugSleep, StealthCache, and Phoenix. The group relies on spear-phishing for initial access and has previously abused legitimate remote monitoring and management (RMM) tools in its operations.

MuddyWater, an Iranian state-sponsored advanced persistent threat (APT) actor, has resurged since early 2025. The group is known for custom-developed backdoors and multi-stage payloads and is tracked alongside other Iranian groups such as OilRig (APT34).

The group's recent operations mark a shift from broad campaigns that abused legitimate remote monitoring and management (RMM) tools to highly targeted intrusions built around custom backdoors and multi-stage payloads, among them the feature-rich StealthCache backdoor.

The Stealthy StealthCache Backdoor

StealthCache, one of MuddyWater's bespoke implants, is a modular backdoor whose command-and-control (C2) servers are hosted with mainstream cloud providers such as AWS and DigitalOcean as well as with Stark Industries, a provider frequently associated with bulletproof hosting. Each command code received from the C2 maps to an action, ranging from spawning an interactive shell to exfiltrating files.

The initial loader, a malicious DLL carrying the name of the legitimate Windows library wtsapi32.dll, decrypts the StealthCache backdoor and injects it into a legitimate process. The decryption uses custom XOR routines whose keys are derived at run time from the victim's device name and username, so a sample detonated in a sandbox with a different hostname or user derives the wrong key and never yields the payload. Because follow-on modules and payloads are loaded straight into memory rather than written to disk, the implant can be updated or swapped without leaving file artefacts for responders to recover.

StealthCache frames its commands and results in a pseudo-TLV (type-length-value) structure and carries them over HTTPS. The C2 domains sit behind Cloudflare's reverse proxy, so the IP addresses a defender observes belong to Cloudflare rather than to the origin server.
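To make the two mechanisms just described concrete, here is an added illustrative model, written for this article and not StealthCache's own code (which the article does not reproduce), of an environment-keyed XOR layer wrapped around a pseudo-TLV command message. The key derivation (SHA-256 over hostname and username), the tag numbers, the CRC integrity record and the sample hostname and username are all assumptions chosen for the demonstration. The point it shows is that the same bytes that decode cleanly on the intended host fail to decode in a sandbox with a different hostname or user, so an analyst has to replay the victim's environment strings, not the sandbox's, to recover the payload or traffic.

```python
import binascii
import hashlib
import struct
from itertools import cycle

# Constructed sample environment strings standing in for the victim host.
VICTIM_HOST = "FIN-WS-0421"
VICTIM_USER = "j.doe"

# Assumed tag numbers for the pseudo-TLV records (not taken from the implant).
TAG_CMD = 0x01   # one-byte command code
TAG_ARG = 0x02   # command argument (UTF-8)
TAG_CRC = 0xFF   # CRC32 over the preceding records, used to detect a wrong key


def derive_key(hostname: str, username: str) -> bytes:
    """Environment-keyed key material: only reproducible on the intended host.

    A sandbox with a different hostname or user derives a different key and
    so cannot decrypt anything keyed this way. SHA-256 is an assumed stand-in
    for whatever derivation the real implant uses.
    """
    return hashlib.sha256(f"{hostname}\\{username}".encode()).digest()


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so it both encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def tlv_encode(records) -> bytes:
    """Serialise (tag, value) pairs as 1-byte tag, 2-byte LE length, value."""
    out = bytearray()
    for tag, value in records:
        out += struct.pack("<BH", tag, len(value)) + value
    return bytes(out)


def tlv_decode(blob: bytes):
    """Parse TLV records, refusing truncated headers or over-long lengths."""
    records, off = [], 0
    while off < len(blob):
        if off + 3 > len(blob):
            raise ValueError("truncated TLV header")
        tag, length = struct.unpack_from("<BH", blob, off)
        off += 3
        if off + length > len(blob):
            raise ValueError("TLV length runs past end of buffer")
        records.append((tag, blob[off:off + length]))
        off += length
    return records


def build_task(cmd_code: int, arg: str, hostname: str, username: str) -> bytes:
    """Operator side: frame a command as TLV, append a CRC record, XOR-wrap it."""
    body = tlv_encode([(TAG_CMD, bytes([cmd_code])), (TAG_ARG, arg.encode())])
    trailer = tlv_encode([(TAG_CRC, struct.pack("<I", binascii.crc32(body)))])
    return xor_bytes(body + trailer, derive_key(hostname, username))


def parse_task(blob: bytes, hostname: str, username: str) -> dict:
    """Implant side: unwrap with the local environment key and validate.

    Raises ValueError when the plaintext is not a well-formed, CRC-consistent
    TLV message, which is what happens under a wrong hostname or username.
    """
    plain = xor_bytes(blob, derive_key(hostname, username))
    records = tlv_decode(plain)
    if not records or records[-1][0] != TAG_CRC or len(records[-1][1]) != 4:
        raise ValueError("missing integrity record (wrong environment key?)")
    body = plain[:len(plain) - 7]          # strip the 3-byte header + 4-byte CRC
    (expected,) = struct.unpack("<I", records[-1][1])
    if binascii.crc32(body) != expected:
        raise ValueError("CRC mismatch (wrong environment key?)")
    fields = dict(records[:-1])
    return {"cmd": fields[TAG_CMD][0], "arg": fields[TAG_ARG].decode()}


def decrypts_in(blob: bytes, hostname: str, username: str) -> bool:
    """True if the message decodes cleanly in the given environment."""
    try:
        parse_task(blob, hostname, username)
        return True
    except (ValueError, KeyError, IndexError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    task = build_task(0x10, "cmd.exe /c whoami", VICTIM_HOST, VICTIM_USER)
    print("victim host :", parse_task(task, VICTIM_HOST, VICTIM_USER))
    print("sandbox host:", decrypts_in(task, "SANDBOX-PC", "analyst"))
```

The practical consequence for analysts is that a static decryptor is not enough: to unpack a captured StealthCache sample or replay its C2 traffic you need the hostname and username of the machine it was meant for, taken from the incident rather than from the analysis VM.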

MuddyWater's Multi-Stage Approach

MuddyWater's multi-stage approach now uses a three-stage chain: a VBA dropper embedded in a decoy Office document, a loader such as Fooder, and the StealthCache backdoor. When the victim enables the macro, it retrieves and executes the next stage from Cloudflare-fronted domains.

The adversary has expanded its arsenal with other bespoke implants, including BugSleep and the Phoenix backdoor. Phoenix is unpacked inside the loader's memory space, registers with its C2 server, then beacons periodically and polls for further tasking.

Group-IB analysts noted that Cloudflare's reverse proxy makes active C2 endpoints much harder to track: because the proxy hides the origin server, IP-based tracking and blocking lose most of their value. Defenders instead need to monitor the Cloudflare-fronted domains themselves, and to watch host-based indicators such as the implants' mutex names and the URL patterns of their C2 requests, to catch new MuddyWater operations early and protect critical infrastructure.

Initial access comes through spear-phishing emails carrying malicious Microsoft Office documents.
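As an added illustration of the monitoring advice above (written for this article, not taken from Group-IB or the report it describes), the following Python flags outbound HTTPS connections from Office applications and script hosts to Cloudflare's published IPv4 ranges, run over a handful of constructed Sysmon-style network events. The range list is a snapshot of https://www.cloudflare.com/ips-v4 and should be refreshed from that URL; the process list and the sample events are assumptions. The browser event carries the caveat a practitioner needs: a Cloudflare destination on its own is not an indicator, since a large share of legitimate web traffic terminates there, so the rule fires only when the source process is one that has no business initiating Internet connections.

```python
import ipaddress
import ntpath

# Snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4).
# Refresh from that URL in production; this static copy exists so the demo runs offline.
CLOUDFLARE_V4 = [ipaddress.ip_network(cidr) for cidr in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Assumed set of processes that should not initiate HTTPS on their own: Office
# applications (the macro dropper stage) and the script hosts macros typically spawn.
SUSPECT_IMAGES = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe",
}

# Constructed Sysmon Event ID 3 (network connection)-style records for the demo.
SAMPLE_EVENTS = [
    {"host": "FIN-WS-0421", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "dest_ip": "104.21.33.7", "dest_port": 443, "dest_host": "cdn-update.example"},
    {"host": "FIN-WS-0421", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_ip": "104.16.132.229", "dest_port": 443, "dest_host": "www.example.com"},
    {"host": "HR-WS-0017", "image": r"C:\Windows\System32\wscript.exe",
     "dest_ip": "172.67.140.12", "dest_port": 443, "dest_host": "files-sync.example"},
    {"host": "HR-WS-0017", "image": r"C:\Windows\System32\svchost.exe",
     "dest_ip": "20.50.2.1", "dest_port": 443, "dest_host": "telemetry.example"},
]


def is_cloudflare_ip(ip: str) -> bool:
    """True if the address falls inside one of the Cloudflare IPv4 ranges above."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in CLOUDFLARE_V4)


def flag_suspect_cloudflare_egress(events):
    """Return alerts for suspect processes connecting to Cloudflare-fronted hosts.

    Cloudflare membership alone is deliberately not enough to alert: browsers
    and updaters reach Cloudflare constantly. The process context is the signal.
    """
    alerts = []
    for ev in events:
        image = ntpath.basename(ev["image"]).lower()
        if image in SUSPECT_IMAGES and ev["dest_port"] == 443 and is_cloudflare_ip(ev["dest_ip"]):
            alerts.append({
                "host": ev["host"],
                "process": image,
                "domain": ev["dest_host"],
                "note": "origin IP hidden by Cloudflare; pivot on the domain, not the IP",
            })
    return alerts


if __name__ == "__main__":
    for alert in flag_suspect_cloudflare_egress(SAMPLE_EVENTS):
        print(alert)
```

Once the rule fires, the useful pivot is the domain (and the TLS SNI or HTTP Host header that carried it), since the IP will only ever lead back to Cloudflare; the mutex names and URL patterns the article mentions belong in the same host-side rule set but are not reproduced on this page.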

Protecting Against MuddyWater

Given the stealthy nature of MuddyWater's operations, organisations need to stay vigilant and apply layered controls. That means monitoring Cloudflare-fronted domains contacted from endpoints, hunting for the implants' unique mutex names and C2 URL patterns, blocking or restricting VBA macros in Office documents received from the Internet (the delivery vector for the dropper stage), and keeping endpoint protection signatures current.

Understanding MuddyWater's tactics, techniques, and procedures (TTPs) lets organisations defend against this persistent actor more effectively. Because the group keeps rotating implants and infrastructure, detection logic and monitoring scope have to be revisited continuously rather than set once.