Iranian Threat Actor MuddyWater Deploys New DarkBeatC2 Command-and-Control (C2) Infrastructure for Attacks

Iranian threat actor MuddyWater has recently been linked to a new command-and-control infrastructure dubbed DarkBeatC2, adding to its growing arsenal of tools for cyber attacks. This group, also known as Boggy Serpens, Mango Sandstorm, and TA450, is believed to be associated with Iran’s Ministry of Intelligence and Security (MOIS), with a history of spear-phishing attacks since 2017.

The latest attack campaign involves spear-phishing emails containing links or attachments hosted on services like Egnyte, leading to the deployment of Atera Agent software on compromised systems. It has been revealed that compromised email accounts from educational institutions in Israel, like Rashim, have been used to distribute these malicious links.

Furthermore, there are suspicions of collaboration between different Iranian threat activity clusters, such as MuddyWater and Storm-1084 (DarkBit), to execute destructive wiper attacks against Israeli entities. The connections between these groups have raised concerns about potential collaborations between MOIS and IRGC to maximize harm on Israeli organizations.

In another development, Iranian threat actor Peach Sandstorm has been using a backdoor called FalseFont to target the aerospace and defense sectors. This highly targeted backdoor tricks victims into installing malware by mimicking legitimate human resources software, capturing credentials and sensitive information.

Overall, these revelations highlight the sophisticated and persistent nature of Iranian cyber threat actors in pursuing malicious activities, emphasizing the importance of robust cybersecurity measures to defend against such attacks.