Iran's MuddyWater group, affiliated with the Iranian Ministry of Intelligence, is using a new command and control system called MuddyC2Go to launch cyber attacks against Israel. The Go programming language was used to create the MuddyC2Go web component, which was replaced by their other development, PhonyC2, which was not released as open source until June 2023.
MuddyWater is known for sending phishing emails containing malicious links and attachments, and has shifted its strategies to use password-protected archives to evade email scanners and spread malware using a PowerShell script to connect to MuddyC2Go. The system generates malicious PowerShell scripts for post-hack actions, though its exact function is still unknown.
MuddyWater has been targeting Israeli businesses in the energy, logistics, and telecommunications industries for years, and its attacks are currently aimed at Israeli institutions. The group uses N-able's Advanced Monitoring Agent tool and Storyblok's hosting service to implement a multi-stage infection.
The ongoing cyber conflict between Iran and Israel has led to accusations of attacking vital infrastructure. Other well-known Iranian hacking groups include APT33, APT34, APT35, the Lazarus Group, and the Moses Staff. MuddyWater's adoption of the MuddyC2Go command and control system demonstrates a shift in strategy and an intense focus on penetrating defenses.