The Water Is So Muddy That You Can’t See Clearly The Big Picture
Overview:
This post is long overdue and, unlike most of my posts, this is not a technical post,
but rather a high-level, strategic post, although it does contain references to a
plethora of technical resources.
On March 2nd I dropped a bomb on Twitter, saying a specific certificate is used to sign
binaries by an Iranian APT:
This caused some confusion in the community and started a chain reaction of numerous reports about
related activity from multiple vendors:
However, because each vendor has its own unique telemetry, the complete picture
could not be seen in full due to the lack of connecting evidence.
This can be seen in krypt3ia’s analysis of the reports that followed my Twitter post:
While I was thinking about how to approach this and publicly share findings, a private
report was made available to SentinelOne’s Wayfinder customers on March 27:
During the month of April there was only one report, not directly linked to
MuddyWater, but recently, during May, two reports were publicly shared that
summarize at a high level what was privately reported to SentinelOne’s Wayfinder
customers.
Which brings me to another issue: under-reporting. MuddyWater is the most active
Iranian threat actor, yet before my Twitter bomb, for a couple of years actually,
MuddyWater activity had not been publicly shared except for a few outliers by Group-IB
and ESET. I still have some hot intel accumulated over the last couple of years that
has not been reported publicly or privately yet. However, private reporting constantly
happens, at least by GTI, which tracks MuddyWater as UNC3313 and UNC5667, and PwC,
which tracks them as Yellow Nix.
With all that said and done, this post will focus on MuddyWater activities in 2026 and
their shift in targeting, with the main focus being what was known before my March
tweet and what publicly surfaced after it.
What was known before March:
For years, MuddyWater’s main infection vector was social engineering in the form of
phishing emails that would lead to the installation of a variety of RMM tools.
This kind of infection can be considered “targeted”, although in most cases the
potential victims of those social engineering attacks are not the direct targets, but
rather companies and organizations working with the real target.
Once an attack is successful, MuddyWater would try to hijack a legitimate email
address and send additional phishing emails from that compromised account. They
would do so to leverage the existing trust between their real target and the
organization whose email was compromised.
With that in mind, I will try to keep a timeline of events in ascending order, all of which
lead to a somewhat interesting conclusion at the end of the post.
20 Nov 2025:
Kaspersky report about the Tsundere botnet, linked to a Russian-speaking cyber-crime
actor known as “koneko”.
However, “koneko” had a post selling the source code of this botnet on the XSS forum:
Which means anyone could buy and use it, including MuddyWater.
02 Dec 2025:
ESET report directly about MuddyWater activity; however, this report describes
activity only up until March 2025. ESET’s report also highlights the group’s use of
spearphishing emails leading to RMM tools.
Despite the activity being old, the report describes in detail some of the post-infection
tools used by MuddyWater, most notably the go‑socks5 proxy reverse tunnel, often
named FMAPP.dll, which is sideloaded by a benign executable. In addition to the
tunneling tool, ESET describes the LP-Notes and CE-Notes stealers.
All those tools are still in use by MuddyWater in 2026 with some slight variations and
adjustments.
15 Jan 2026:
First report about a Deno RAT, no attribution.
Somewhere between 16-18 Jan 2026:
Second report about the Deno RAT, this time named “Smokest Stealer”.
20 Jan 2026:
Enki report about a Windows “variant” of EtherRAT.
EtherRAT is the name given by Sysdig to a Linux malware implant observed in
React2Shell exploitation.
Sysdig attributed this to DPRK; this attribution is wrong. Throwing a bunch of
techniques and seeing whatever sticks and maps to something is not how you do
attribution.
Having said that, the Windows “variant” is actually the “Tsundere” payload that Kaspersky reported on.
20 Feb 2026:
Group-IB report about MuddyWater’s Operation Olalampo. This report highlights
activity up until the month of February 2026. The report describes newer variants of
the tools highlighted in the ESET report: the Go tunnel named FMAPP.dll and the
LP-Notes credential stealer.
However, the main difference is the infection vector: instead of RMM tools, the report
describes various malicious Office documents containing macros which drop a
variety of backdoors.
02 Mar 2026 - The “Oh!” Moment:
Thanks to internal victim telemetry and internal threat intelligence, combined with
public reporting, I realized that there is a two-way connection between MuddyWater
and what appears to be a cyber-crime cluster of activity. Since this is significant, but I
can’t share internal data, I tweeted about a public sample available on VirusTotal.
This was followed by a chain reaction from various sources about the same activity I could
not publicly share.
The cyber-crime activity included the use of “Tsundere”, a Deno-based RAT and a
Python-based RAT, all of which have been wrapped with MSI and/or PowerShell
loaders, which in some cases have been signed with valid certificates.
04 Mar 2026:
Thanks to OpSec mistakes, Ctrl-Alt-Intel was able to gather data about MuddyWater
activities, most notably directly linking the use of “Tsundere” to MuddyWater.
In SentinelOne telemetry we saw the same thing in a bi-directional way.
In some instances, “Tsundere” infections led to hands-on activity from known
MuddyWater C2s and known MuddyWater tools.
In other cases, we saw malicious Office documents with macros dropping the
same or slightly different backdoors as described in Operation Olalampo by
Group-IB. The hands-on activity that followed those infections from the Office documents
included manual installation of “Tsundere” payloads.
05 Mar 2026:
Symantec report about recent MuddyWater activity involving “previously unknown”
backdoors - “fakeset” and “dindoor”, signed by certificates such as “Amy Cherne”
and “Donald Gay”.
10 Mar 2026:
MalwareBytes report about a Deno RAT infection with hands-on activity leading to a
Python RAT. While it might look similar to the Symantec report, this report brings some
actual technical details and shows a direct connection between “dindoor” (Deno) and
“fakeset” (Python RAT, aka CastleRAT). It also sheds some light on how this malware
is being spread: a ClickFix social engineering lure.
I previously speculated that MuddyWater had already used ClickFix in 2024.
However, only a year later was it publicly reported that MuddyWater did indeed use this
technique.
Also on 10 Mar 2026:
CheckPoint report about the same connections as above, together with more general
connections between Iranian threat actors and cyber-crime.
12 Mar 2026:
Another vendor, eSentire, reports what they have seen in their telemetry about
“Tsundere” and its links to MuddyWater.
16 Mar 2026:
Palo-Alto’s Unit42 describes various recent Office documents with malicious macros
used by MuddyWater. While there is no apparent connection to the cyber-crime
cluster, the reported network infrastructure has been observed in the cyber-crime
cluster as well.
17 Mar 2026:
This is most likely the most underrated report related to MuddyWater, simply
because it was not linked directly to MuddyWater.
ReliaQuest report about a ransomware operator “LeakNet” and how they added
“ClickFix” to their arsenal… Cool beans bruh.
Thanks to the unique telemetry observed by ReliaQuest, it is now possible
to link the “LeakNet” ransomware operator to the “Deno” RAT (dindoor).
But who the fuck is LeakNet ransomware? Is this RaaS being used by multiple threat
actors or is it being used exclusively by a single threat actor?
Apparently, there is not much information about this ransomware apart from
ReliaQuest’s report, which raises the question of whether this is even a real ransomware group.
Faketivism is a staple of Iranian cyber doctrine, using numerous fake hacktivist
groups as fronts for ransomware and data destruction operations.
In addition, the LeakNet DLS site is used to mock and make fun of the victims,
something that has also been seen done by other Iranian fake ransomware groups:
20 Mar 2026:
Krypt3ia’s high-level analysis of Symantec’s short report from March 5th.
25 Mar 2026:
Despite all the reported activity in March, what caught my eye in Krypt3ia’s report
is:
The reason for that is described at the beginning of this post, and this whole post exists
because of the need to connect the dots in order to see the big picture.
27 Mar 2026:
Private report for SentinelOne’s Wayfinder customers about observed MuddyWater
activity in S1 telemetry.
14 Apr 2026:
A report about the SEO poisoning that led to Tsundere.
07 May 2026:
Rapid7 observed in their telemetry an intrusion with a payload signed with the “Donald
Gay” certificate, which eventually led to the deployment of Chaos ransomware. This
payload was attributed by multiple vendors, both privately and publicly, as related
to MuddyWater.
Chaos is a known RaaS; its use might indicate that the LeakNet experiment has
failed.
11 May 2026:
The DFIR Report reports on the same SEO poisoning campaign that was
reported in April, only this time it leads to the deployment of the Gentleman ransomware.
12 May 2026:
Symantec finally put the last nail in the coffin of attribution, showcasing a
MuddyWater intrusion from a PowerShell script to a Node.JS script.
The reported credential harvester is a variant of the LP-Notes stealer; additionally,
the FMAPP.dll Go tunneling tool is once again reported.
Most notably, the domain timetrakr[.]cloud is part of the IOC list. This domain
contained PowerShell scripts to load Tsundere or DinDoor JS payloads as part of the
cyber-crime activity cluster.
Conclusion:
The conclusion below, which is derived from all the above, is my own opinion and you
should take it with a grain of salt. There are plenty of technical details from a variety
of vendors in the links throughout this post, which you can use to examine the
publicly available atomic indicators and artifacts.
Without any disrespect, based on the above, my conclusion is completely the opposite of Krypt3ia’s, and if I use his format, it would be:
The MuddyWater Dindoor/Fakeset campaign represents an opportunistic cyber
espionage operation conducted during a period of geopolitical tension. It
demonstrates a regression toward TTPs from 2017 where they used cyber-crime
tools to “Muddy” attribution efforts.
Most significantly, the campaign illustrates a transition in social engineering skills,
from spearphishing emails with RMM tools toward more modern SE attacks such
as Ads/SEO poisoning, “ClickFix” and Microsoft Teams Vishing. The absence of
traditional indicators is a limitation of analysis and under reporting as well as a
defining characteristic of the adversary’s operational design.
In this context, MuddyWater should be assessed as an opportunistic threat actor;
however, once initial access is opportunistically obtained, it can act either as
a disciplined intelligence service operator executing a coordinated access strategy
with latent escalation potential or as a fake ransomware operator with destructive
intentions.
The main takeaway is that ClickFix and SEO poisoning are completely opportunistic:
a threat actor can’t control who may fall victim to lures that are spread across
compromised websites or Bing search results.
If we combine it with the multiple reports that link MuddyWater to ransomware
deployment, the big picture is rather grim.
MuddyWater has been aggressively targeting North America and other geo-locations
under the guise of cyber-crime operations for at least several months. The
Maltego graph shown several lines above is probably just a small blip in the muddied water.
Defenders should revisit their reports about contained intrusions; “that” insignificant
“ClickFix” case that nobody bothered to properly investigate might actually have been
conducted by MuddyWater.
I am not saying that the cyber-crime cluster == MuddyWater, but there is definitely a strong connection; perhaps "koneko" or some other Russian-speaking cyber criminals are working directly with MuddyWater.
LeakNet ransomware is a big red flag; it feels the same as Pay2Key, which also mocked its victims.
After all, I was one of the people who linked Pay2Key to Fox Kitten.
Pay2Key was opportunistic and targeted mostly Israeli targets; LeakNet is the same, but mostly targets the U.S.A.
With all that said, the only other conclusion is that “sharing is caring”: without
information sharing, even if it is not always accurate, such connections and links are
not possible, as each vendor holds unique telemetry, which is only a small piece
of the puzzle.