Threat Group Disrupts Middle East Critical Sectors in Cyber Reconnaissance Operation
Cybersecurity researchers have identified a persistent threat group operating with high fidelity to the tradecraft of MuddyWater. This actor recently executed a massive operational campaign focused on critical infrastructure within the Middle East, specifically targeting sectors such as aviation, energy, and government agencies.
According to data obtained by Oasis Security, the perpetrators conducted an extensive network sweep, scanning over 12,000 internet-facing endpoints before transitioning to targeted exploitation phases. This initial reconnaissance phase culminated in the successful extraction of sensitive information from multiple organizations.
Tactical Workflow and Weaponized Vulnerabilities
The cybercriminals employed a disciplined, multi-phased methodology. The operation commenced with mass vulnerability assessments and progressed through to confirmed data exfiltration. A key component of their arsenal involved weaponizing five distinct Common Vulnerabilities and Exposures (CVEs) that had been recently disclosed.
Oasis Security researchers noted that these exploits were deployed against web applications, email infrastructure, and workflow automation tools. Following the initial broad mapping of the digital footprint, the group utilized brute-force techniques to compromise user credentials. Specifically, they utilized custom Python scripts, such as owa.py, alongside multi-threaded utilities like Patator to attack Outlook Web Access (OWA).
These credential harvesting efforts were pivotal to the campaign’s second stage, allowing the attackers to establish persistent footholds within the victim networks. To maintain control, the group deployed custom controllers, including tcp_serv.py listening on port 5009 and udp_3.0.py, both utilizing specific binary header structures for command and control.
Image: TCP-based C2 controller (tcp_serv.py) using a custom header structure (Source: Oasis).Advanced C2 Infrastructure Revealed
Deep forensic analysis of the adversary’s digital footprint uncovered a complex Command and Control (C2) architecture. The primary infrastructure was identified at IP address 157.20.182.49, registered in the Netherlands. This server hosted a suite of modular controllers developed in both Python and Go.
The C2 framework demonstrated significant sophistication in handling traffic across multiple protocols, including TCP, HTTP, and UDP. Evidence pointed to encrypted communication channels designed to evade detection. Notable technical characteristics observed included:
- AES Encryption: Secure communication via CTR-mode encryption over HTTP endpoints like
/commandand/feed. - Session Management: Utilization of cookie-based identifiers to track and manage active client sessions.
- Custom Headers: Observation of proprietary binary header formats, such as , integrated across various controller modules.
While Python-based servers accepted inbound connections from compromised machines, Go-based binaries like ex-server were tasked with managing operational directives and encrypted payload distribution. These patterns closely align with previous operations attributed to the MuddyWater collective, particularly the ArenaC2 framework.
Image: Logic associated with the /feed endpoint of ex-server (Source: Oasis).Exploited Vulnerabilities and Targets
The threat actor demonstrated a preference for leveraging zero-day and recently patched vulnerabilities. The campaign utilized five primary CVEs to penetrate diverse platforms:
- CVE-2025-54068: Remote Code Execution (RCE) in Laravel Livewire, targeting web applications.
- CVE-2025-52691: RCE in SmarterMail, specifically compromising email server infrastructure.
- CVE-2025-68613: RCE in n8n, affecting workflow automation tools.
- CVE-2025-9316: Session ID flaw impacting remote management systems.
- CVE-2025-34291: RCE in Langflow, threatening AI workflow frameworks.
Although the initial scanning phase was region-agnostic, the exploitation phase showed a clear geographic bias, prioritizing aviation and energy entities in the Middle East. The impact was severe; researchers confirmed the theft of approximately 200 files from an Egyptian aviation provider. This data dump included high-value assets such as passport records, visa information, payroll data, and sensitive credit card details.
Image: Evidence of successful credential harvesting via OWA brute-force attacks against an Egyptian firefighting enterprise(Source: Oasis).Strategic Implications
Oasis Security emphasizes that this operation underscores a shifting threat landscape. Modern threat actors are increasingly integrating automated reconnaissance, credential theft, lateral movement, and data exfiltration into seamless, strategic pipelines. The campaign timeline suggests activity began in early February, coinciding with rising geopolitical tensions in the region.
The structured nature of the attack, combined with shared technical indicators with known MuddyWater-linked activity, strongly suggests state-sponsored interests, likely Iranian. The group’s reliance on resource-efficient tools and modular C2 infrastructure highlights a refined evolution of cyber tactics specifically designed to target critical regional infrastructure without triggering immediate, overwhelming digital signatures.