The cyberespionage group Boggy Serpens (aka MuddyWater), linked to Iran’s Ministry of Intelligence and Security (MOIS), continues to target critical sectors such as energy, maritime, finance, and diplomacy across the Middle East and other regions.
In earlier campaigns the group relied on large-scale spear phishing that prioritised speed over stealth, together with “living-off-the-land” (LOTL) techniques that abuse legitimate remote-management tools such as Atera, ScreenConnect, and SimpleHelp. It also used well-known utilities such as LaZagne and CrackMapExec to harvest credentials and move laterally inside networks.
Recent activity shows that Boggy Serpens is becoming more capable. The group now uses AI-assisted malware with anti-analysis features, which helps it remain undetected on compromised systems for longer.
By taking over trusted accounts (often belonging to diplomats or IT providers) the attackers can send phishing emails that appear legitimate and bypass security filters. Victims are then tricked into opening malicious attachments.
One of the group’s recent campaigns targeted a national marine and energy company in the UAE. Researchers at Palo Alto Networks’ Unit 42 observed four waves of attacks between August 2025 and February 2026. In this operation, Boggy Serpens deployed tools such as the Rust-based BlackBeard backdoor and a remote access trojan called LampoRAT (also known as Olalampo). Analysis of the malware code indicates that the threat actor used generative AI to speed up development.
For command-and-control (C&C), the group uses a mix of channels, including HTTP status codes, custom UDP traffic, and the Telegram API. Because a status code carries no body and a Telegram bot call looks like ordinary traffic to a popular service, this mix helps to disguise communication between infected systems and attacker-controlled servers.
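A C&C channel that signals through HTTP status codes leaves a recognisable footprint in proxy logs: a client polling one host on a near-fixed interval, receiving almost no body, and seeing an unusual spread of status codes. The following is an added illustration of that hunting heuristic (my own code, not Unit 42’s detection content and not derived from the malware); the log lines, host names, and thresholds are constructed for the example.

```python
"""Beacon-style HTTP C&C triage over proxy logs (constructed sample data).

Heuristic: group requests by (source, host); for each pair measure how
regular the polling interval is, how often the response carries no body,
and how often the status code is outside the common set.  A pair that is
regular, bodiless and rich in odd status codes looks like a poll loop in
which the status code itself is the command channel.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <src_ip> <host> <status> <bytes>"
SAMPLE_LOG = """\
2025-09-01T10:00:00 10.0.0.5 cdn.example.net 200 51234
2025-09-01T10:00:03 10.0.0.5 cdn.example.net 200 20480
2025-09-01T10:00:41 10.0.0.5 cdn.example.net 304 0
2025-09-01T10:02:10 10.0.0.5 cdn.example.net 200 9876
2025-09-01T10:00:00 10.0.0.7 update.example.org 204 0
2025-09-01T10:01:00 10.0.0.7 update.example.org 418 0
2025-09-01T10:02:00 10.0.0.7 update.example.org 204 0
2025-09-01T10:03:00 10.0.0.7 update.example.org 429 0
2025-09-01T10:04:00 10.0.0.7 update.example.org 204 0
2025-09-01T10:05:00 10.0.0.7 update.example.org 451 0
2025-09-01T10:00:00 10.0.0.9 monitor.example.com 200 512
2025-09-01T10:01:00 10.0.0.9 monitor.example.com 200 512
2025-09-01T10:02:00 10.0.0.9 monitor.example.com 200 512
2025-09-01T10:03:00 10.0.0.9 monitor.example.com 200 512
2025-09-01T10:04:00 10.0.0.9 monitor.example.com 200 512
"""

# Status codes a normal client sees all day; anything else counts as "odd".
COMMON_STATUS = {200, 204, 301, 302, 304}


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, host, status, bytes)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, status, size = line.split()
        records.append((datetime.fromisoformat(ts), src, host, int(status), int(size)))
    return records


def score_pairs(records, min_requests=5):
    """Return {(src, host): metrics} for pairs with at least min_requests hits."""
    by_pair = defaultdict(list)
    for ts, src, host, status, size in records:
        by_pair[(src, host)].append((ts, status, size))
    metrics = {}
    for pair, rows in by_pair.items():
        if len(rows) < min_requests:
            continue  # too few samples to judge regularity
        rows.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:])]
        avg = mean(gaps)
        # Coefficient of variation of inter-arrival times: 0 means perfectly periodic.
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        odd = sum(1 for _, st, _ in rows if st not in COMMON_STATUS) / len(rows)
        empty = sum(1 for _, _, sz in rows if sz == 0) / len(rows)
        metrics[pair] = {"requests": len(rows), "interval_cv": cv,
                         "odd_status_ratio": odd, "empty_body_ratio": empty}
    return metrics


def flag_beacons(metrics, max_cv=0.2, min_odd=0.5, min_empty=0.9):
    """Pairs that are periodic, mostly bodiless and heavy on unusual status codes."""
    return sorted(pair for pair, m in metrics.items()
                  if m["interval_cv"] <= max_cv
                  and m["odd_status_ratio"] >= min_odd
                  and m["empty_body_ratio"] >= min_empty)


if __name__ == "__main__":
    m = score_pairs(parse_log(SAMPLE_LOG))
    for pair, vals in m.items():
        print(pair, vals)
    print("suspects:", flag_beacons(m))
```

Only the 10.0.0.7 to update.example.org pair is flagged: it polls every 60 seconds, every reply is bodiless, and half the replies use codes (418, 429, 451) that a normal client rarely sees. The monitoring agent on 10.0.0.9 is equally periodic but gets 200s with content, and the CDN traffic from 10.0.0.5 is too sparse and irregular to score. Thresholds are a starting point for hunting, not a signature; the same structure extends to the Telegram channel by grouping on the api.telegram.org host and looking for bot-API polling from hosts that have no business running a bot.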
The group also uses a “trusted relationship compromise” approach. Instead of attacking from outside, it abuses real internal accounts to send malware.
The group’s phishing lures are often Microsoft Word or Excel documents whose content appears blurred. The file claims it was created in an older version of the software and asks the user to click “Enable Content.” Once macros are enabled, a VBA macro removes the blur to reveal a normal-looking document while running malicious code in the background.
Analysis shows the group uses a VBA-based tool to generate these payloads. The threat actor split its operations into separate tracks for different types of targets: Phoenix Lineage, which delivers fully-fledged backdoors, and UDPGangster Operations, which delivers a lighter-weight, less advanced backdoor.
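The blurred-document lure only works if the attachment carries a VBA project and an auto-execute entry point such as Document_Open or Workbook_Open. A first-line triage check for that is cheap, because OOXML files are zip archives that declare their VBA part in [Content_Types].xml. The following is an added example of such a check (my own code, not the actor’s generator and not a vendor tool); the sample document it builds is a minimal stand-in for a real .docm, and the auto-exec name search is best-effort because genuine VBA module streams are stored compressed, so a proper decompressor such as olevba should be used for a verdict.

```python
"""Static triage of an Office OOXML attachment for an embedded VBA project.

Checks three things: whether the file is a zip at all, whether a
vbaProject.bin part is present, whether [Content_Types].xml declares the
VBA content type, and (best-effort) whether an auto-execute procedure
name is visible in the project stream.
"""
import io
import re
import zipfile

VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
# Procedures Office runs without further user interaction once macros are enabled.
AUTOEXEC = re.compile(rb"(Auto_?Open|Document_Open|Workbook_Open|AutoExec)", re.I)


def triage_ooxml(data: bytes) -> dict:
    """Inspect raw file bytes and return what was found."""
    result = {"is_zip": False, "vba_parts": [], "declared_vba": False,
              "autoexec_names": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result  # legacy .doc/.xls (OLE2) or not an Office file at all
    result["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        result["vba_parts"] = [p for p in VBA_PARTS if p in names]
        if "[Content_Types].xml" in names:
            result["declared_vba"] = VBA_CONTENT_TYPE in z.read("[Content_Types].xml")
        for part in result["vba_parts"]:
            # Real module streams are MS-OVBA compressed; a miss here proves nothing.
            found = {m.group(1).decode() for m in AUTOEXEC.finditer(z.read(part))}
            result["autoexec_names"].extend(sorted(found))
    return result


def verdict(result: dict) -> str:
    """One-line summary suitable for a mail-gateway or SOC triage note."""
    if result["vba_parts"] or result["declared_vba"]:
        suffix = " with auto-exec trigger" if result["autoexec_names"] else ""
        return "macro-bearing" + suffix
    return "no VBA project found"


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal docx-like zip for the demo; NOT a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        ct = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/'
              'content-types"><Override PartName="/word/document.xml" '
              'ContentType="application/vnd.openxmlformats-officedocument.'
              'wordprocessingml.document.main+xml"/>')
        if with_macro:
            ct += ('<Override PartName="/word/vbaProject.bin" '
                   'ContentType="application/vnd.ms-office.vbaProject"/>')
        ct += "</Types>"
        z.writestr("[Content_Types].xml", ct)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Plain-text stand-in for a VBA project stream (constructed).
            z.writestr("word/vbaProject.bin",
                       b'Attribute VB_Name = "ThisDocument"\n'
                       b"Sub Document_Open()\nEnd Sub\n")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        r = triage_ooxml(build_sample(flag))
        print(verdict(r), r)
```

Run at a mail gateway, a “macro-bearing” result on an inbound attachment from a partner or supplier account is exactly the case the trusted-relationship lure relies on, so it deserves a hold rather than a warning banner. On the endpoint side, the same lure is neutralised by leaving Office’s default block on macros in files that carry the Mark of the Web and not granting users a way to clear it.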
Although mainly focused on espionage, Boggy Serpens has also carried out disruptive attacks. In 2023, it targeted the Technion Israel Institute of Technology while pretending to be a ransomware group.
The group has expanded its targets to include aviation, maritime, and financial organizations in countries such as Israel, Turkey, Saudi Arabia, the UAE, Egypt, and others. It also uses a custom web platform to manage and automate large phishing campaigns.