The cyberespionage group referred to as MuddyWater has hit over 130 victims in 30 organizations from late September to mid-November, Symantec security researchers said in a report published Monday.
Highly active over the past several months, MuddyWater was first detailed in 2017, when it was mainly focused on targets in Iraq and Saudi Arabia. Numerous attacks were linked to the group this year, when security researchers also noticed that the actor expanded its target list.
In late November, Trend Micro found a new PowerShell-based backdoor strikingly similar to malware employed by MuddyWater. Symantec has also observed the new backdoor and named it Powemuddy.
The threat actor, which Symantec refers to as Seedworm, has been focused on gathering intelligence on targets in the Middle East, as well as in Europe and North America.
Over the past year, the cyber-spies have constantly updated the Powermud (Powerstats) backdoor and other tools to avoid detection. The security researchers also discovered a GitHub repository that the actor used to store its scripts and the post-compromise tools it uses to exploit victim machines.