{"id":11428,"date":"2026-03-18T10:03:41","date_gmt":"2026-03-18T10:03:41","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/03\/18\/boggy-serpens-targets-diplomats-and-critical-infrastructure-in-multi-wave-espionage-campaign\/"},"modified":"2026-03-18T10:03:41","modified_gmt":"2026-03-18T10:03:41","slug":"boggy-serpens-targets-diplomats-and-critical-infrastructure-in-multi-wave-espionage-campaign","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/03\/18\/boggy-serpens-targets-diplomats-and-critical-infrastructure-in-multi-wave-espionage-campaign\/","title":{"rendered":"Boggy Serpens Targets Diplomats and Critical Infrastructure in Multi-Wave Espionage Campaign"},"content":{"rendered":"<div>\n<p>A well-resourced Iranian nation-state group known as Boggy Serpens \u2014 also tracked as MuddyWater \u2014 has sharply escalated its cyberespionage operations, running sustained and targeted campaigns against diplomatic missions, energy companies, maritime operators, and financial institutions. <\/p>\n<p>Attributed to Iran\u2019s Ministry of Intelligence and Security (MOIS), the group has been active since at least 2017, but its recent campaigns reflect a clear evolution in both strategy and technical capability.\u200b<\/p>\n<p>For much of its history, Boggy Serpens favored noisy, high-volume spear phishing operations that prioritized speed over stealth. <\/p>\n<p>The group relied on living-off-the-land tactics, abusing <a href=\"https:\/\/cybersecuritynews.com\/new-spam-campaign-abuses-remote-monitoring-tools\/\" id=\"104997\" target=\"_blank\" rel=\"noreferrer noopener\">remote monitoring<\/a> and management tools such as Atera, ScreenConnect, and SimpleHelp, alongside public utilities like LaZagne and CrackMapExec. 
<\/p>\n<p>Those early campaigns were broad and unsophisticated \u2014 but that operational style has since given way to something far more calculated.\u200b<\/p>\n<p><a href=\"https:\/\/unit42.paloaltonetworks.com\/boggy-serpens-threat-assessment\/\" id=\"https:\/\/unit42.paloaltonetworks.com\/boggy-serpens-threat-assessment\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Unit 42 analysts identified a decisive shift<\/a> in the group\u2019s behavior, noting that Boggy Serpens has moved toward a model centered on long-term persistence and trusted relationship compromise. <\/p>\n<p>The group now builds custom implants using Rust \u2014 a memory-safe language that complicates reverse engineering \u2014 and has integrated generative AI into its development pipeline to produce new malware families faster. <\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj9sumaxf7DnH1SSNH0iLhTbN5KFhbbErfBWhlHLejOLuH_ZUkmjD1J4cNFiSb3HNkIyY7NqdHNmatG06csuELLkn160KVlq3xA-fLeh0E_hTOJJ0BQrMyjb7dDWFSO68lF_zBPXTCCOd9jZ2x_qBLjsixcDnlk2FoNSQiFxe4y_Ivw1-62SJPuxUitV9Y\/s16000\/The%2520infection%2520chain%2520%28Source%2520-%2520Unit%252042%29.webp?ssl=1\" alt=\"The infection chain (Source - Unit 42)\"><figcaption class=\"wp-element-caption\">The infection chain (Source \u2013 Unit 42)<\/figcaption><\/figure>\n<\/div>\n<p>Early 2025 operations also revealed coordination with Evasive Serpens, known as Lyceum, pointing to shared resources within the Iranian threat ecosystem.\u200b<\/p>\n<p>The campaign\u2019s reach has been wide. 
Boggy Serpens has struck organizations in Israel, Hungary, Turkey, Saudi Arabia, the UAE, Turkmenistan, Egypt, and South America, across government, aviation, maritime, and <a href=\"https:\/\/cybersecuritynews.com\/ddos-attack-crippling-financial-sectors\/\" id=\"112109\" target=\"_blank\" rel=\"noreferrer noopener\">financial sectors<\/a>. <\/p>\n<p>A four-wave attack against a UAE-based marine and energy company linked to Saudi Aramco \u2014 spanning August 2025 through February 2026 \u2014 is the starkest example of the group\u2019s persistence. <\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjE4rVKPOqpiMWhMWH6jdJcNqlwi7OUoyrOAeZHf5wLkdAL3cTx39T9URh9UTuqKkL7B3Hyhv1nWsXV3yFcfoeyDdyypMlDHaIbjQ99BD2hfijC58d6onKN9DXgA2LGJV0lrNqzE1G3Z58kJc4A0L8_CLq8-jiudBrcgK3vDDk5AeVC8of7yntZ0_aQAps\/s16000\/An%2520email%2520sent%2520from%2520a%2520compromised%2520email%2520account%2520to%2520foreign%2520embassies%2C%2520government%2520ministries%2520and%2520international%2520organizations%2520%28Source%2520-%2520Unit%252042%29.webp?ssl=1\" alt=\"An email sent from a compromised email account to foreign embassies, government ministries and international organizations (Source - Unit 42)\"><figcaption class=\"wp-element-caption\">An email sent from a compromised email account to foreign embassies, government ministries and international organizations (Source \u2013 Unit 42)<\/figcaption><\/figure>\n<\/div>\n<p>In August 2025, the group also exploited a compromised mailbox at the Omani Ministry of Foreign Affairs to send fabricated diplomatic invitations posing as a \u201cSustainable Peace\u201d seminar to embassies and international organizations worldwide.\u200b<\/p>\n<p>What makes these campaigns especially difficult to stop is an infection chain built on a two-stage deception model that exploits both automated filters and 
human trust at the same time.\u200b<\/p>\n<h2 class=\"wp-block-heading\" id=\"two-tiered-social-engineering-and-macro-delivery\"><strong>Two-Tiered Social Engineering and Macro Delivery<\/strong><\/h2>\n<p>The first stage relies on hijacked legitimate email accounts at government agencies or corporations. <\/p>\n<p>Messages sent from these accounts receive a negative spam confidence level (SCL -1) because they originate from authenticated internal senders, allowing them to bypass spam filters. <\/p>\n<p>This tactic was used against a telecommunications provider in Turkmenistan and Israeli organizations, where the group sent \u201cCybersecurity Guidelines\u201d and HR-themed attachments directly from within the victim\u2019s own email environment\u00a0<em>(Figure 9)<\/em>.\u200b<\/p>\n<p>The second stage activates when a target opens the attached document \u2014 typically a blurred Word file, a forged Excel financial report, or a fake Air Arabia airline ticket. <\/p>\n<p>The file displays a message claiming it was created in an older version of Microsoft Office and asks the user to click \u201cEnable Content.\u201d <\/p>\n<p>When that happens, a VBA macro executes silently in the background, drops a payload, and then clears the blur to reveal a convincing, legitimate-looking document underneath \u2014 making the interaction feel completely normal to the victim.\u200b<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjcZf2ickaT7EYmyCP23ALmtMMaZ9iPcKjluwbc0w4FLhn37tOYXd-gBogkzgbZZZvZlQu5TiOPq2_AojaANlBeU34eOrpRcTvBQaT-6szAXioy-G-9S7X_SzKPGx6QWp41EZh4kb44yHUsxLXyb5qVX2UZBYKM3n5rJrxrdF46rLTgF-P-695YJjAZEf4\/s16000\/Correlation%2520and%2520shared%2520artifacts%2520among%2520campaigns%2520%28Source%2520-%2520Unit%252042%29.webp?ssl=1\" alt=\"Correlation and shared artifacts among campaigns (Source - Unit 
42)\"><figcaption class=\"wp-element-caption\">Correlation and shared artifacts among campaigns (Source \u2013 Unit 42)<\/figcaption><\/figure>\n<\/div>\n<p>Forensic analysis uncovered two parallel VBA builder tracks tied to a single development team: the Phoenix Lineage, delivering full backdoors including BugSleep and the newly identified Nuso HTTP backdoor, and the UDPGangster Operations, deploying a lighter backdoor over UDP. <\/p>\n<p>Both share an identical decryption key and the\u00a0<code>novaservice.exe<\/code>\u00a0file path, confirming they originate from the same pipeline.\u200b<\/p>\n<p>Organizations should enforce strict macro execution policies across all Microsoft Office environments and deploy behavioral endpoint monitoring capable of detecting drop-and-execute activity. <\/p>\n<p><a href=\"https:\/\/cybersecuritynews.com\/why-multi-factor-authentication-is-no-longer-optional-in-2024\/\" id=\"83847\" target=\"_blank\" rel=\"noreferrer noopener\">Multi-factor authentication<\/a> must be applied to all email accounts to reduce account hijacking exposure. Email controls that assess behavioral and thematic anomalies \u2014 beyond sender reputation alone \u2014 are critical for catching internal phishing campaigns. 
<\/p>\n<p>Regular threat hunting for UDP-based beaconing, process injection events, and non-standard registry key modifications can help identify active infections before persistent access becomes fully established.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/boggy-serpens-targets-diplomats\/\">Boggy Serpens Targets Diplomats and Critical Infrastructure in Multi-Wave Espionage Campaign<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Tushar Subhra Dutta<br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/boggy-serpens-targets-diplomats\/\">Go to cyber-security-news<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Boggy Serpens Targets Diplomats and Critical Infrastructure in Multi-Wave Espionage Campaign A well-resourced Iranian nation-state group known as Boggy Serpens \u2014 also tracked as MuddyWater \u2014 has sharply escalated its cyberespionage operations, 
running sustained and targeted campaigns against diplomatic missions, energy companies, maritime operators, and financial institutions. Attributed to Iran\u2019s Ministry of Intelligence and Security [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-11428","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11428"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=11428"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11428\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=11428"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=11428"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=11428"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}