---
title: "The Latest Iran-aligned Hacker Phishing Campaign Targeting Middle Eastern Countries | Phish Protection"
description: "Iran-aligned hacker group, MuddyWater’s latest phishing campaign deploying the new Syncro remote administration tool is causing all kinds of trouble."
image: "https://phishprotection.com/og/blog/latest-iran-aligned-hacker-phishing-campaign-targeting-middle-eastern-countries.png"
canonical: "https://phishprotection.com/blog/latest-iran-aligned-hacker-phishing-campaign-targeting-middle-eastern-countries/"
---



![Phish Protection blog post image](https://media.mailhop.org/phishprotection/images/2023/01/email-phishing-protection-2378.jpg) 

Iran-aligned hacker group MuddyWater’s latest phishing campaign, which deploys the new **Syncro remote administration tool**, is causing all kinds of trouble. This text shares details about the phishing campaign, who [MuddyWater](https://thehackernews.com/2022/02/irans-muddywater-hacker-group-using-new.html) is, the hacker group’s previous attacks, the latest changes, Syncro’s capabilities, how the attack campaign works, and how to protect against it.

There is a novel phishing campaign utilizing legitimate corporate accounts for [phishing emails](/content/protection-from-phishing/how-to-stop-phishing-emails/). MuddyWater, a hacking group associated with Iran’s MOIS (Ministry of Intelligence and Security), has been using compromised email accounts from genuine organizations for a large-scale phishing campaign that is paired with a **remote administration tool**.

The group has used similar tools in the past but has changed its tactics multiple times, arriving at its most severe one yet. Here is everything you need to know about the **MuddyWater phishing campaign** and its RAT, Syncro.

### Who is MuddyWater?

Also known as **Boggy Serpens**, Earth Vetala, Seedworm, and Cobalt Ulster, MuddyWater is a hacker group that primarily targets the Middle East and surrounding nations such as India. The hacker group has been causing trouble since 2017, and its [threat actors](/blog/threat-actors-using-phishing-as-a-service-phaas/) are known for a slowly evolving **PowerShell-based backdoor** whose capabilities are extended from time to time. The hacker group has also targeted the USA in the past, along with Central and West Asian countries.


### MuddyWater’s Previous Attacks

_MuddyWater has been conducting significant [spear-phishing campaigns](https://www.bbc.com/news/technology-53607374) in the United Arab Emirates, Saudi Arabia, Israel, and Azerbaijan_. These included:

- **_Phishing Emails:_** As Earth Vetala, the hacking group sent spear-phishing emails and lure documents. These documents and phishing emails contained URLs (Uniform Resource Locators) that led the victims to file-sharing services.
- **_Malicious URLs:_** These malicious URLs pointed to legitimate **file-sharing services** from which the threat actors distributed their [RAT (Remote Administration Tool)](https://www.mcafee.com/learn/what-is-rat/), ScreenConnect.
- **_MuddyWater RAT:_** MuddyWater’s previous RAT, ScreenConnect, posed as a legitimate application for system administrators to manage enterprise systems remotely. ScreenConnect encompassed data encoding, [email parsing](https://sigparser.com/posts/what-is-email-parsing/#:~:text=is%20email%20parsing%3F-,Email%20parsing%20is%20the%20process%20of%20using%20software%20to%20look,for%20humans%2C%20not%20for%20machines.), file and registry copy, HTTP/S (Hypertext Transfer Protocol Secure) connection support, native command line, and process and file execution capabilities.

However, researchers at Trend Micro [identified](https://www.trendmicro.com/en%5Fus/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html) multiple threat indicators and discovered that the threat actors were using **post-exploitation tools** for password dumping. These passwords were tunneled to a threat actor-controlled C2 (Command and Control) server using open-source tools, and additional infrastructure was established on targeted systems for a persistent presence. The threat actors could extract credentials from the following:

- Chrome
- Chromium
- Firefox
- Opera
- Internet Explorer
- Outlook

Furthermore, the PowerShell backdoor could:

- Analyze Skype connectivity
- Download and install Skype
- Communicate with its C2 server using encoded traffic
- Execute commands sent from the C2 server
- Gather [MFA (Multi-Factor Authentication)](https://support.microsoft.com/en-us/topic/what-is-multifactor-authentication-e5e39437-121c-be60-d123-eda06bddf661) settings
- Gather the currently logged-on user and OS version

### MuddyWater’s Latest Phishing Campaign

The threat research team at Deep Instinct has been closely [analyzing](https://www.deepinstinct.com/blog/new-muddywater-threat-old-kitten-new-tricks) the cybercriminal group’s latest phishing campaign, which has been targeting _Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and the United Arab Emirates._

#### Phishing

The latest phishing activity was observed in October and is notable for the threat actors’ use of a new RAT named **Syncro**. Just like the previous one, the latest MuddyWater phishing campaign utilizes compromised legitimate corporate accounts.

However, these phishing emails carry a new lure in the form of an **HTML (HyperText Markup Language) attachment**. The threat actors have been posing as Egyptian hosting service providers and organizations, Israeli healthcare providers, and more.

Since the HTML attachment is neither an archive nor an executable, it does not raise the victim’s suspicion; HTML is commonly overlooked when preparing phishing education and [phishing awareness training](https://www.rapid7.com/solutions/phishing-awareness-training/#:~:text=Phishing%20awareness%20training%20educate) for the workforce.

#### Syncro

Syncro is a highly sophisticated RAT that allows MuddyWater’s threat actors to take control of the **victim’s devices remotely**. However, MuddyWater is not the only threat actor utilizing this tool. Syncro has been observed in Luna Moth and BatLoader campaigns as well.

Syncro is a platform packed with features aimed at helping [MSPs (Managed Service Providers)](https://www.gartner.com/en/information-technology/glossary/msp-management-service-provider) run their businesses. Syncro provides MSPs with a device-management agent that is installed through a customized MSI file tied to a customer ID, and it offers a 21-day trial that lets the user choose a subdomain.

The trial version comes with a **GUI (Graphical User Interface)** that gives the operator complete control over any enrolled device via the RAT: a terminal with SYSTEM privileges, remote desktop access, task and service managers, and more. With Syncro, threat actors can deploy multiple backdoors, [exfiltrate data](https://digitalguardian.com/blog/what-data-exfiltration), and hand off access to other threat actors, making it a significant threat.

### How Does MuddyWater’s Phishing Campaign Work?

The phishing campaign works in three key steps, which are:

- **_Targeted Emails:_** MuddyWater’s latest phishing campaign follows in the footsteps of its previous one, with threat actors practicing [social engineering](https://www.cmu.edu/iso/aware/dont-take-the-bait/social-engineering.html) and sending malicious phishing emails to targeted individuals.
- **_Malicious Attachments:_** Once the victim is approached, the threat actors send a **phishing link** to a legitimate dropbox, an HTML file connected to the cloud server, or malicious attachments leading the victim to OneHub.
- **_ZIP Downloads:_** All these cloud servers or document dropboxes contain a malicious ZIP file that extracts an **MSI Windows Installer**, which deploys Syncro on the victim’s machine.

### How to Protect Against the MuddyWater Phishing Campaign?

Along with the analysis, Deep Instinct’s researchers advised security teams, organizations, and individuals to monitor their machines for **remote desktop solutions** that are uncommon in the enterprise, since such tools are abused more often than their widely deployed counterparts.

Additionally, provide thorough phishing training to the workforce and executives alike. Here are a few ways to ensure that your clients and your organization are safe from phishing emails and social engineering:
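The monitoring advice above, and the ZIP-to-MSI step of the attack chain, both come down to noticing when a remote administration tool lands on a host where nobody sanctioned it. The script below is an added example, not code from this post or from Deep Instinct: it runs a watchlist/allowlist policy over constructed MsiInstaller-style "Installation completed successfully" (event ID 11707) records; the log line format, the `APPROVED_RMM` policy, and the host and user names are placeholders an organization would replace with its own.

```python
import re
from collections import namedtuple

# Added example, not from the post or Deep Instinct: hunt MsiInstaller success
# events for RMM tools that are not sanctioned for the host they landed on.
# The watchlist names the tools the post says MuddyWater abused (Syncro now,
# ScreenConnect previously); APPROVED_RMM is a placeholder policy to adapt.
RMM_WATCHLIST = ("syncro", "screenconnect")
APPROVED_RMM = {"screenconnect": {"it-admin-01"}}  # tool -> hosts allowed to run it

# Constructed line format (not a real collector's output); 11707 is the
# MsiInstaller "Installation completed successfully" event id.
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)'
    r'\s+event_id=(?P<eid>\d+)\s+msg="(?P<msg>.*)"$'
)
PRODUCT_RE = re.compile(
    r"Product:\s*(?P<product>.+?)\s*--\s*Installation completed successfully", re.I
)
Finding = namedtuple("Finding", "ts host user product reason")


def check_install(rec):
    """Apply the policy to one parsed record; return a Finding or None."""
    if rec["eid"] != "11707":
        return None  # failed installs and other MSI events are not inventory here
    pm = PRODUCT_RE.search(rec["msg"])
    if not pm:
        return None
    product = pm.group("product")
    for tool in RMM_WATCHLIST:
        if tool not in product.lower():
            continue
        allowed = APPROVED_RMM.get(tool, set())
        if rec["host"].lower() in allowed:
            return None  # sanctioned tool on a sanctioned host
        reason = ("RMM tool not approved anywhere" if not allowed
                  else "approved RMM tool on a host outside its approved set")
        return Finding(rec["ts"], rec["host"], rec["user"], product, reason)
    return None


def hunt(lines):
    """Run check_install over raw log lines, skipping lines that do not parse."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            f = check_install(m.groupdict())
            if f:
                findings.append(f)
    return findings


# Constructed sample telemetry (not real events).
SAMPLE_LOG = [
    '2023-01-04T10:11:12Z host=WS-042 user=CORP\\jdoe event_id=11707 msg="Product: Syncro Live Agent -- Installation completed successfully."',
    '2023-01-04T10:20:00Z host=IT-ADMIN-01 user=CORP\\helpdesk event_id=11707 msg="Product: ScreenConnect Client (a1b2c3) -- Installation completed successfully."',
    '2023-01-04T11:02:45Z host=WS-017 user=CORP\\asmith event_id=11707 msg="Product: ScreenConnect Client (a1b2c3) -- Installation completed successfully."',
    '2023-01-04T11:05:00Z host=WS-017 user=CORP\\asmith event_id=11707 msg="Product: 7-Zip 22.01 (x64) -- Installation completed successfully."',
    '2023-01-04T11:30:00Z host=WS-042 user=CORP\\jdoe event_id=11708 msg="Product: Syncro Live Agent -- Installation failed."',
]
```

Running `hunt(SAMPLE_LOG)` flags the Syncro install on WS-042 (no host is approved for it) and the ScreenConnect install on WS-017 (approved only for IT-ADMIN-01), while the sanctioned ScreenConnect install, the 7-Zip install, and the failed install produce nothing.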

![Phishing email prevention](https://media.mailhop.org/phishprotection/images/2023/01/phishing-email-prevention-4507.jpg)

- **_SSL Certificates:_** Using an [SSL (Secure Sockets Layer) certificate](https://www.geeksforgeeks.org/secure-socket-layer-ssl/) can allow organizations to secure all incoming and outgoing traffic, which means all information is protected from eavesdropping and cannot be used for social engineering.
- **_Securely Hosted Payments:_** One of the best practices for 2023 and beyond is reducing risks to customer financial information by using payment gateways with the latest **PCI DSS and ISO 27001 certifications**. So even if your customers receive phishing emails aimed at stealing their financial information, they are protected.
- **_Adequate Staff Education:_** Educating employees is critical since they make or break any organization. Proper staff training, phishing awareness, practice simulations, and **regular seminars** sharing the latest revelations and phishing tactics reinforce the idea in the workforce, making them better at identifying and steering clear of phishing emails.

### Final Words

The latest MuddyWater phishing campaign is novel, and the targeted organizations need to learn about [phishing protection](/), not just from the ongoing threat but from future ones. With various social engineering methods and **malicious payload deployment**, the latest MuddyWater phishing campaign will surely harm many more.

However, the first step in stopping any threat is knowing how it works and how it can damage you. With that covered, follow the above guidelines to strengthen the organization against phishing attacks, and invest in **automated tools and technologies** and cyber insurance to be prepared for the worst-case scenario, since any organization stands a significant chance of facing a [cyberattack](https://www.cisco.com/c/en%5Fin/products/security/common-cyberattacks.html), especially phishing.


![Brad Slavin](https://media.mailhop.org/phishprotection/images/authors/brad-slavin.jpg) 

[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead across DuoCircle's 2,000+ customer base.

[LinkedIn Profile →](https://www.linkedin.com/in/bradslavin) 



Published January 4, 2023; last updated April 17, 2026.

