Extensive MuddyWater-Like Attack Campaign Against Middle Eastern Critical Infrastructure Detailed
By Threat Intelligence Unit

Incident Overview
SC Media reports on Oasis Security's analysis of an extensive operation employing tactics consistent with the Iran-linked MuddyWater group. The campaign began in early February 2025 with broad reconnaissance against more than 12,000 internet-exposed systems before narrowing to selective intrusions against critical infrastructure across Egypt, Israel, the UAE, Portugal, and India.
Attack Techniques
Operators weaponized five recently disclosed CVEs — affecting Laravel Livewire (CVE-2025-54068), SmarterMail (CVE-2025-52691), n8n (CVE-2025-68613), an RMM platform's session ID generation flaw (CVE-2025-9316), and Langflow (CVE-2025-34291) — and followed up with brute-force attacks against Outlook Web Access. Command-and-control infrastructure hosted in the Netherlands relied on Python and Go controllers, AES-CTR encrypted channels, and a custom packet header format consistent with MuddyWater's ArenaC2 framework.
Impact
Roughly 200 staged files recovered from attacker infrastructure contained passport and visa records, payroll and salary data, credit card details, and internal corporate documents — including credentials stolen from an Egyptian firefighting organization and data taken from an Egyptian aviation entity.
Recommendations
- Patch the five exploited CVEs across affected products and verify that every internet-exposed instance is actually updated, since the campaign began with mass reconnaissance of exposed systems
- Review OWA logs for brute-force activity (bursts of failed logons from one source, especially when followed by a success) and for unusual encrypted HTTP egress
- Block outbound traffic on TCP port 5009 and audit internal directories for bulk file staging
- Build detections around the tradecraft described here (Netherlands-hosted Python and Go controllers, AES-CTR channels with an ArenaC2-style packet header, TCP/5009 egress) rather than waiting for indicator lists
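The two log-review items above can be turned into concrete detection logic. The following is an added example, not code from Oasis Security, SC Media, or the MuddyWater reporting, and it assumes an IIS W3C-style layout for OWA authentication lines (date, time, client IP, method, URI, username, status; 401 for a failed logon, 302 for a successful one) and a simple CSV flow record format for egress. All log lines and flow records are constructed sample data.

```python
import csv
import io
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed IIS W3C-style log lines for an Exchange OWA front end (sample
# data, not from the report). Assumed field order:
#   date time c-ip cs-method cs-uri-stem cs-username sc-status
# 401 = failed logon attempt, 302 = successful logon redirect.
OWA_LOG = """\
2025-02-10 08:00:01 203.0.113.7 POST /owa/auth.owa - 401
2025-02-10 08:00:02 203.0.113.7 POST /owa/auth.owa - 401
2025-02-10 08:00:03 203.0.113.7 POST /owa/auth.owa - 401
2025-02-10 08:00:04 203.0.113.7 POST /owa/auth.owa - 401
2025-02-10 08:00:05 203.0.113.7 POST /owa/auth.owa - 401
2025-02-10 08:00:06 203.0.113.7 POST /owa/auth.owa - 401
2025-02-10 08:00:07 203.0.113.7 POST /owa/auth.owa - 401
2025-02-10 08:00:08 203.0.113.7 POST /owa/auth.owa - 401
2025-02-10 08:00:09 203.0.113.7 POST /owa/auth.owa - 401
2025-02-10 08:00:10 203.0.113.7 POST /owa/auth.owa - 401
2025-02-10 08:00:11 203.0.113.7 POST /owa/auth.owa CORP\\j.doe 302
2025-02-10 08:05:00 198.51.100.22 POST /owa/auth.owa - 401
2025-02-10 09:30:00 198.51.100.22 POST /owa/auth.owa CORP\\a.smith 302
2025-02-10 09:31:00 192.0.2.9 GET /owa/ - 200
"""

# Constructed firewall/NetFlow-style records (sample data). Columns:
#   ts,src_ip,dst_ip,dst_port,proto,bytes
FLOW_CSV = """\
ts,src_ip,dst_ip,dst_port,proto,bytes
2025-02-10 08:02:00,10.0.5.21,192.0.2.50,443,tcp,18340
2025-02-10 08:02:30,10.0.5.21,192.0.2.51,5009,tcp,2210
2025-02-10 08:03:00,10.0.5.21,192.0.2.51,5009,tcp,91422
2025-02-10 08:04:00,10.0.7.3,192.0.2.60,5009,udp,120
"""


def parse_owa_line(line):
    """Return (ts, ip, method, uri, user, status), or None if the line does
    not match the assumed seven-field layout."""
    parts = line.split()
    if len(parts) != 7:
        return None
    date, time_, ip, method, uri, user, status = parts
    ts = datetime.strptime(f"{date} {time_}", "%Y-%m-%d %H:%M:%S")
    return ts, ip, method, uri, user, int(status)


def detect_owa_bruteforce(log_text, threshold=10, window=timedelta(minutes=5)):
    """Sliding-window detector: alert on any source IP with >= threshold
    failed OWA logons inside `window`, and record whether the same IP then
    logged on successfully (a guessed credential, the case to escalate)."""
    recent = defaultdict(deque)   # ip -> timestamps of 401s inside the window
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_owa_line(line)
        if rec is None:
            continue
        ts, ip, method, uri, user, status = rec
        if method != "POST" or uri != "/owa/auth.owa":
            continue
        if status == 401:
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:     # drop failures older than the window
                q.popleft()
            if ip in alerts:
                alerts[ip]["failures"] += 1
                alerts[ip]["last"] = ts
            elif len(q) >= threshold:
                alerts[ip] = {"first": q[0], "last": ts,
                              "failures": len(q), "success_after": None}
        elif status == 302 and ip in alerts and alerts[ip]["success_after"] is None:
            alerts[ip]["success_after"] = (ts, user)
    return alerts


# Assumed internal ranges; use your own address plan in practice.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_egress_on_port(flow_csv, port=5009, proto="tcp"):
    """Return {src_ip: total_bytes} for internal hosts sending to external
    hosts on the given port/protocol (here TCP/5009, the C2 port the
    recommendations say to block)."""
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["proto"] != proto or int(row["dst_port"]) != port:
            continue
        if is_internal(row["src_ip"]) and not is_internal(row["dst_ip"]):
            totals[row["src_ip"]] += int(row["bytes"])
    return dict(totals)


if __name__ == "__main__":
    for ip, a in detect_owa_bruteforce(OWA_LOG).items():
        print(f"OWA brute force from {ip}: {a['failures']} failures "
              f"{a['first']}..{a['last']}, success_after={a['success_after']}")
    for ip, nbytes in find_egress_on_port(FLOW_CSV).items():
        print(f"TCP/5009 egress from {ip}: {nbytes} bytes")
```

The threshold and window are tuning knobs; the point of tracking `success_after` is that a burst of 401s followed by a 302 from the same source is the event worth paging on, because it means the brute force worked and the account should be reset before the operators move to the selective-intrusion phase described above. Note that Python's `ipaddress.is_private` treats documentation ranges such as 192.0.2.0/24 as private, which is why the example keeps an explicit list of internal networks instead.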