MuddyC2Go: The new C2 framework is being used by Iranian hackers against Israel

Iranian nation-state actors have been observed using a previously unknown command-and-control (C2) framework, known as MuddyC2Go, as part of attacks targeting Israel.

“The web component of the framework is written in the Go programming language,” Deep Instinct security researcher Simon Kenin said in a technical report published Wednesday.

The tool has been attributed to the Iranian state-sponsored hacking group MuddyWater, which is affiliated with the country’s Ministry of Intelligence and Security (MOIS).

The cybersecurity firm said the C2 framework may have been put to use by the threat actor since early 2020, with recent attacks leveraging it in place of PhonyC2, another custom C2 platform from MuddyWater that came to light in June 2023 and has had its source code leaked.

Typical attack sequences seen over the past few years include sending spear-phishing emails that contain malware-laden archives or fake links that lead to the deployment of legitimate remote administration tools.

Installation of the remote administration software paves the way for the delivery of additional payloads, including PhonyC2.

MuddyWater’s methodology has since changed: the group now uses password-protected archives to bypass email security solutions and distributes executables instead of remote administration tools.

“This executable includes an embedded PowerShell script that automatically connects to MuddyWater’s C2, eliminating the need for manual execution by the operator,” Kenin explained.

In turn, the MuddyC2Go server sends a PowerShell script, which runs every 10 seconds and waits for further commands from the operator.

Although the full extent of MuddyC2Go’s features is unknown, it is suspected to be a framework that is responsible for generating PowerShell payloads to conduct post-exploitation activities.

“We recommend disabling PowerShell if it’s not needed,” Kenin said. “If it is enabled, we recommend close monitoring of PowerShell activity.”
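As an added example (not from the Deep Instinct report or this article): a fixed-interval polling loop like the 10-second one described above produces outbound connections with almost no timing jitter, and that is something a defender can look for in proxy or firewall logs. The script below groups constructed log lines by source host and destination and flags pairs whose request gaps are nearly constant; the log format, host names and addresses are assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines (not from the article): timestamp, source host, destination.
SAMPLE_LOG = """\
2023-11-08T10:00:00 ws-17 203.0.113.10:443
2023-11-08T10:00:10 ws-17 203.0.113.10:443
2023-11-08T10:00:20 ws-17 203.0.113.10:443
2023-11-08T10:00:30 ws-17 203.0.113.10:443
2023-11-08T10:00:40 ws-17 203.0.113.10:443
2023-11-08T10:00:03 ws-22 198.51.100.5:443
2023-11-08T10:00:41 ws-22 198.51.100.5:443
2023-11-08T10:01:02 ws-22 198.51.100.5:443
2023-11-08T10:03:55 ws-22 198.51.100.5:443
2023-11-08T10:04:10 ws-22 198.51.100.5:443
"""

def parse_log(text):
    """Group request timestamps per (source host, destination) pair."""
    series = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines
        ts, src, dst = fields
        series[(src, dst)].append(datetime.fromisoformat(ts))
    return series

def find_beacons(series, min_hits=5, max_jitter=0.2):
    """Return (src, dst, mean_gap_s, jitter) for pairs with nearly constant request gaps.
    Jitter = pstdev/mean of the gaps; a fixed-interval polling loop scores near zero."""
    hits = []
    for (src, dst), times in series.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # only duplicate timestamps; nothing to measure
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            hits.append((src, dst, round(mean, 1), round(jitter, 3)))
    return hits

if __name__ == "__main__":
    for src, dst, period, jitter in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {dst}: period {period}s, jitter {jitter}")
```

Legitimate software also polls on fixed timers, so a hit is a lead for correlating with PowerShell process and script-block logs on the flagged host, not a verdict on its own.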
