April 15, 2026 | 2 min read | incident

MuddyWater-Style Hackers Scan 12,000 Systems Before Hitting Middle East Critical Sectors

By Threat Intelligence Unit

Incident Overview

A threat actor employing tactics similar to the MuddyWater group conducted wide-scale scanning of more than 12,000 internet-exposed systems before executing focused attacks on critical infrastructure across the Middle East. Confirmed victims span aviation, energy, and government sectors in Egypt, Israel, and the UAE, with additional exposure observed in Portugal and India.

Attack Techniques

The campaign weaponized five recently disclosed CVEs for opportunistic scanning and initial access:

  • CVE-2025-54068 — Laravel Livewire RCE
  • CVE-2025-52691 — SmarterMail RCE
  • CVE-2025-68613 — n8n RCE
  • CVE-2025-9316 — Unauthenticated Session ID Generation in RMM systems
  • CVE-2025-34291 — Langflow RCE

Operators followed up with brute-force attacks against Outlook Web Access using custom tooling (owa.py) and multi-threaded utilities such as Patator. Command-and-control infrastructure hosted in the Netherlands relied on a modular stack of Python and Go controllers, AES-CTR encrypted channels, and a custom packet header format consistent with MuddyWater's ArenaC2 framework.

Impact

Approximately 200 staged files recovered from attacker infrastructure contained passport and visa records, payroll and salary data, credit card details, and internal corporate documents — including credentials successfully stolen from an Egyptian firefighting organization and data taken from an Egyptian aviation entity.

Recommendations

  • Apply patches immediately for all five exploited CVEs
  • Review OWA access logs for brute-force activity indicators
  • Block outbound traffic on TCP port 5009 and monitor for encrypted HTTP connections to unrecognized endpoints
  • Audit internal directories for bulk file staging behaviors
  • Adopt a preemptive response model built around attacker infrastructure and operational patterns
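The second recommendation, reviewing OWA access logs for brute-force indicators, can be turned into a simple rate-based detector. The script below is an added example and is not code from the article or from any of the tooling it names. It assumes IIS W3C-format logs with the default field order given in the `#Fields` header, treats every `POST /owa/auth.owa` as one form-based login attempt, and flags a client IP that makes more than `THRESHOLD` attempts inside a `WINDOW`-long sliding window. The log lines, the server address and the client addresses (TEST-NET ranges) are constructed for the demo.

```python
"""Flag brute-force activity against Outlook Web Access in IIS W3C logs.

Added example, not from the article. Assumptions:
  * logs use the default IIS W3C field order in FIELDS_LINE below
  * one OWA form-based login attempt == one "POST /owa/auth.owa"
  * more than THRESHOLD attempts from a single c-ip within WINDOW is
    reported as a brute-force candidate (a hypothetical tuning)
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # sliding window per client IP (assumed)
THRESHOLD = 20                  # attempts inside WINDOW that trigger an alert (assumed)

# Default IIS W3C header; IIS replaces spaces inside field values with '+',
# so a plain whitespace split yields exactly one token per field.
FIELDS_LINE = ("#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
               "cs-username c-ip cs(User-Agent) cs-Referer sc-status sc-substatus "
               "sc-win32-status time-taken")


def build_sample_log():
    """Construct a small IIS log: one noisy client, one benign client."""
    lines = [FIELDS_LINE]
    base = datetime(2026, 4, 14, 3, 0, 0)
    # 25 login POSTs from one source, 4 seconds apart (constructed, TEST-NET-3)
    for i in range(25):
        ts = base + timedelta(seconds=4 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} 10.0.0.5 POST /owa/auth.owa - 443 - "
                     f"203.0.113.10 python-requests/2.31 - 302 0 0 15")
    # 3 login POSTs from another source, 10 minutes apart (constructed, TEST-NET-2)
    for i in range(3):
        ts = base + timedelta(minutes=10 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} 10.0.0.5 POST /owa/auth.owa - 443 - "
                     f"198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) - 302 0 0 20")
    # Unrelated GET that must be ignored by the detector
    lines.append(f"{base:%Y-%m-%d %H:%M:%S} 10.0.0.5 GET /owa/ - 443 - "
                 f"198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 10")
    return lines


def detect_owa_bruteforce(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {client_ip: peak_attempts_in_window} for IPs exceeding threshold."""
    fields = None
    attempts = defaultdict(deque)   # c-ip -> timestamps of recent login POSTs
    alerts = {}
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # learn the column layout from the header
            continue
        if line.startswith("#") or fields is None:
            continue                    # other directives, or no header seen yet
        parts = line.split()
        if len(parts) != len(fields):
            continue                    # malformed or truncated record
        rec = dict(zip(fields, parts))
        if rec["cs-method"] != "POST" or rec["cs-uri-stem"].lower() != "/owa/auth.owa":
            continue                    # only OWA form-based login submissions
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        ip = rec["c-ip"]
        recent = attempts[ip]
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()            # drop attempts that fell out of the window
        if len(recent) >= threshold:
            alerts[ip] = max(alerts.get(ip, 0), len(recent))
    return alerts


if __name__ == "__main__":
    for ip, count in detect_owa_bruteforce(build_sample_log()).items():
        print(f"possible OWA brute force from {ip}: {count} attempts within {WINDOW}")
```

The detector keys only on request method and URI stem, so it works even though IIS records `cs-username` as `-` for form-based logins; a status-code filter on the redirect back to `logon.aspx` can be added where the environment's failed-login behaviour is known. Tune `WINDOW` and `THRESHOLD` against a baseline of legitimate logins before alerting on them.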

Reference

Cyber Security News coverage

Tags: iran, muddywater, apt, c2, agatha