MuddyWater Exploits MuddyC2Go Framework in Targeted Telecom Sector Attacks

Iran’s state-sponsored threat actor, MuddyWater, has deployed a newly identified command-and-control (C2) framework called MuddyC2Go in recent cyber attacks on the telecommunications sector in Egypt, Sudan, and Tanzania. Symantec’s Threat Hunter Team, part of Broadcom, has been monitoring the activity, referring to the actor as Seedworm, also known as Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, Mango Sandstorm (formerly Mercury), Static Kitten, TEMP.Zagros, and Yellow Nix.

Active since at least 2017, MuddyWater is believed to be linked to Iran’s Ministry of Intelligence and Security (MOIS), with a focus on entities in the Middle East. MuddyC2Go, a Golang-based replacement for PhonyC2, is used to establish remote access to victim systems automatically, facilitated by a PowerShell script connecting to Seedworm’s C2 server.

While the complete capabilities of MuddyC2Go are not fully known, recent intrusions in November 2023 have indicated its use alongside tools like SimpleHelp and Venom Proxy, as well as a custom keylogger and other publicly available tools. The attack chain typically involves phishing emails and exploiting vulnerabilities in unpatched applications for initial access, followed by reconnaissance, lateral movement, and data collection.

In one case targeting a telecommunications organization, the MuddyC2Go launcher was executed and established contact with an actor-controlled server. Legitimate remote access software such as AnyDesk and SimpleHelp was also deployed. The threat actor combines custom tools, living-off-the-land techniques, and publicly available tools to delay detection and achieve its strategic goals.

Symantec highlighted the group’s ongoing innovation and toolset development aimed at remaining covert, noting in particular its persistent reliance on PowerShell and related scripts. Organizations are advised to stay vigilant for suspicious PowerShell activity on their networks.

Meanwhile, a group called Gonjeshke Darande, linked to the Israeli Military Intelligence Directorate, claimed responsibility for disrupting gas pumps in Iran as a response to perceived aggression. The cybersecurity landscape continues to witness geopolitical tensions manifesting in cyber operations, underscoring the importance of robust defense measures.