MuddyWater Follow-Up: April 2026 — Audio
Where We Left Off
Our deep dive published March 6th documented MuddyWater as an Iranian state APT under MOIS, primarily using phishing for initial access, PowerShell loaders, and the KeyC2 framework for command and control. At the time, they were targeting Israeli organizations and Middle Eastern governments.
A lot has changed in four weeks.
The Rust Pivot
The biggest development: MuddyWater has fundamentally retooled. They’ve moved away from PowerShell and VBS loaders, their signature for years, and rebuilt their toolkit in Rust.
The new flagship implant is called RustyWater, also tracked as Archer RAT and RUSTRIC. It’s a Rust-based remote access trojan with asynchronous command and control, anti-analysis checks for VMs and sandboxes, and registry persistence. It’s modular, low-noise, and cross-platform. This is not an incremental upgrade; it’s a generational shift in capability. CloudSEK first identified RustyWater in a January 2026 spear-phishing campaign, and Palo Alto Networks’ Unit 42 confirmed further deployment in March (CloudSEK, 2026; Unit 42, 2026).
Alongside RustyWater, they’ve deployed CHAR, another Rust-based backdoor, first disclosed by Group-IB in February 2026 as part of Operation Olalampo (Group-IB, 2026). And CHAR is where things get interesting, because researchers found emoji debug strings in the compiled code. That’s extremely rare in human-authored code. The strong assessment is that AI models generated parts of CHAR’s codebase, and the operators didn’t fully clean the output before shipping it (Dark Reading, 2026).
This is one of the first confirmed cases of a state-level APT using AI to write malware.
Operation Olalampo
Their main campaign this year is called Operation Olalampo, first observed January 26th and disclosed by Group-IB in February 2026 (Group-IB, 2026). It targets diplomatic, maritime, financial, and telecom organizations across the Middle East and North Africa. The attack chain starts with spear-phishing using Office documents with macros, which drop either RustyWater or the GhostFetch downloader. GhostFetch then pulls GhostBackDoor for persistent access.
Command and control runs through Telegram bots. That is not new for MuddyWater, but combined with the Rust implants it’s a much harder detection problem than their old PowerShell chains.
Hitting US Infrastructure
Since early February, MuddyWater has compromised networks belonging to a US bank, a US airport, a US software company with Israeli operations serving the defense and aerospace industries, and multiple NGOs in the US and Canada (Symantec, 2026; SC World, 2026; The Register, 2026).
They deployed two new backdoors in these attacks. Dindoor, written in JavaScript and executed via Deno, a legitimate JavaScript and TypeScript runtime, was found on the networks of the US bank, a Canadian non-profit, and the Israeli arm of the US software company. Fakeset, a Python-based backdoor, was found at the US airport and a US non-profit. Both were signed with digital certificates: Dindoor with one issued to “Amy Cherne,” Fakeset with certificates issued to “Amy Cherne” and “Donald Gay,” the latter previously linked to MuddyWater malware families Stagecomp and Darkcomp (Symantec, 2026).
At the software company, they attempted data exfiltration using Rclone to a Wasabi S3 bucket. Security experts have warned that persistent access in airport networks could disrupt passenger processing, baggage handling, or cargo logistics.
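The indicators in this section (backdoors signed under the “Amy Cherne” and “Donald Gay” certificate names, Deno and Python used as script hosts, Rclone pushing data to Wasabi S3) lend themselves to simple triage over endpoint telemetry. The following is an added example, not code from the article or from Symantec; the process records are constructed, the field names are an assumed flat schema rather than any product’s format, and the Wasabi endpoint domain (wasabisys.com) and the “trusted install root” heuristic are assumptions the article does not state.

```python
"""Triage rules for the Dindoor/Fakeset/Rclone indicators described above.

Added example, not code from the article or any vendor report. All records
below are constructed; the ProcessEvent schema is an assumption.
"""
from dataclasses import dataclass

# Certificate subject names the article ties to MuddyWater-signed backdoors.
SUSPECT_SIGNERS = {"amy cherne", "donald gay"}

# Interpreters the article names as hosts for Dindoor (Deno) and Fakeset (Python).
SCRIPT_HOSTS = {"deno.exe", "python.exe"}

# Assumption: wasabisys.com is Wasabi's S3 API domain (article names only "Wasabi S3").
WASABI_ENDPOINT = "wasabisys.com"

# Assumption: legitimately installed software lives under these roots; a script
# runtime executing from elsewhere (user profile, ProgramData) is worth a look.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


@dataclass
class ProcessEvent:
    host: str
    image: str      # full path of the executable
    cmdline: str
    parent: str
    signer: str     # Authenticode subject name, "" if unsigned


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def suspect_signer(ev: ProcessEvent) -> bool:
    """Binary signed by a certificate subject previously linked to MuddyWater."""
    return ev.signer.strip().lower() in SUSPECT_SIGNERS


def script_host_in_user_path(ev: ProcessEvent) -> bool:
    """Deno or Python running from outside normal install locations."""
    return _base(ev.image) in SCRIPT_HOSTS and not ev.image.lower().startswith(TRUSTED_ROOTS)


def rclone_to_wasabi(ev: ProcessEvent) -> bool:
    """Rclone invoked with a Wasabi endpoint anywhere on its command line."""
    return _base(ev.image) == "rclone.exe" and WASABI_ENDPOINT in ev.cmdline.lower()


RULES = {
    "suspect_signer": suspect_signer,
    "script_host_in_user_path": script_host_in_user_path,
    "rclone_to_wasabi": rclone_to_wasabi,
}


def triage(events):
    """Return (host, rule, image basename) for every rule each event trips."""
    return [(ev.host, name, _base(ev.image))
            for ev in events
            for name, rule in RULES.items() if rule(ev)]


# Constructed sample telemetry: three suspicious records and one benign one.
SAMPLE_EVENTS = [
    ProcessEvent("bank-ws01", r"C:\Users\Public\Libraries\deno.exe",
                 "deno.exe run -A sync.js", r"C:\Windows\explorer.exe", "Amy Cherne"),
    ProcessEvent("airport-ops3", r"C:\ProgramData\pyrt\python.exe",
                 "python.exe svc.py", r"C:\Windows\System32\services.exe", "Donald Gay"),
    ProcessEvent("swdev-07", r"C:\Tools\rclone.exe",
                 r"rclone.exe copy D:\repos remote:backup --s3-endpoint s3.wasabisys.com",
                 r"C:\Windows\System32\cmd.exe", ""),
    ProcessEvent("bank-ws01", r"C:\Windows\System32\svchost.exe",
                 "svchost.exe -k netsvcs", r"C:\Windows\System32\services.exe", "Microsoft Windows"),
]

if __name__ == "__main__":
    for host, rule, image in triage(SAMPLE_EVENTS):
        print(f"{host:14} {rule:26} {image}")
```

The signer rule is the high-confidence one; the script-host and Rclone rules are hunting leads that need allow-listing for environments where Deno, Python or Rclone are legitimately deployed.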
This activity escalated directly after US and Israeli strikes on Iran. The correlation is not subtle.
New Attack Vectors
Our March 6th article documented phishing as the primary entry vector. Since then, Huntress documented MuddyWater using RDP for initial access, a completely different approach (Huntress, 2026). After access, the chain moves from RDP to an SSH tunnel for C2, then to DLL side-loading using the legitimate Fortemedia application FMAPP.exe with a malicious FMAPP.dll. Operators opened fresh PowerShell windows from Explorer to disguise their sessions as legitimate interactive use.
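The chain above has two observable seams for defenders: FMAPP.exe loading an FMAPP.dll that is unsigned or sits outside a normal install directory, and PowerShell spawned from Explorer shortly after a remote-interactive (RDP) logon on the same host. The following is an added example, not code from the article or from Huntress. The event records are constructed; the flat-dict schema is an assumption (real telemetry would come from Windows Security event 4624 with LogonType 10 for RDP logons and Sysmon event IDs 1 and 7 for process creation and image loads, and would need a mapping layer); the trusted install roots, the 30-minute correlation window and the Fortemedia install path are assumptions the article does not state.

```python
"""Detections for the RDP-to-DLL-side-loading chain described above.

Added example, not code from the article or from Huntress. Events are
constructed; the schema and thresholds are assumptions.
"""
from datetime import datetime, timedelta

# Assumption: a legitimately installed FMAPP.exe lives under one of these roots.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Assumption: how long after an RDP logon a PowerShell launch is still "the same session".
RDP_WINDOW = timedelta(minutes=30)

RDP_LOGON_TYPE = 10  # Windows LogonType 10 = RemoteInteractive (RDP)


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def fmapp_sideload(ev: dict) -> bool:
    """Image-load event: FMAPP.exe loading FMAPP.dll from outside a trusted
    install root, or loading an unsigned FMAPP.dll. Heuristic, not a proof."""
    if ev["type"] != "image_load":
        return False
    if _base(ev["image"]) != "fmapp.exe" or _base(ev["loaded"]) != "fmapp.dll":
        return False
    outside_install = not ev["image"].lower().startswith(TRUSTED_ROOTS)
    return outside_install or not ev.get("loaded_signed", False)


def rdp_then_powershell(events) -> list:
    """PowerShell launched by Explorer within RDP_WINDOW after an RDP logon on
    the same host. Explorer -> PowerShell is normal interactive use, so this is
    a hunting lead that gains weight only through the RDP correlation."""
    rdp_logons = [(e["host"], _t(e["time"])) for e in events
                  if e["type"] == "logon" and e.get("logon_type") == RDP_LOGON_TYPE]
    hits = []
    for e in events:
        if e["type"] != "process" or _base(e["image"]) != "powershell.exe":
            continue
        if _base(e["parent"]) != "explorer.exe":
            continue
        when = _t(e["time"])
        if any(h == e["host"] and timedelta(0) <= when - t <= RDP_WINDOW
               for h, t in rdp_logons):
            hits.append((e["host"], e["time"]))
    return hits


def run_detections(events) -> list:
    """Return (host, rule, detail) tuples for every finding."""
    findings = [(e["host"], "fmapp_sideload", e["loaded"])
                for e in events if fmapp_sideload(e)]
    findings += [(h, "rdp_then_powershell", t) for h, t in rdp_then_powershell(events)]
    return findings


# Constructed sample telemetry. srv-fin2 shows the full chain; ws-eng5 shows a
# benign FMAPP.exe in its install directory and an ordinary PowerShell launch.
SAMPLE_EVENTS = [
    {"type": "logon", "host": "srv-fin2", "time": "2026-03-02T08:14:00",
     "user": "svc_backup", "logon_type": 10},
    {"type": "process", "host": "srv-fin2", "time": "2026-03-02T08:19:30",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "image_load", "host": "srv-fin2", "time": "2026-03-02T08:25:10",
     "image": r"C:\Users\Public\Libraries\FMAPP.exe",
     "loaded": r"C:\Users\Public\Libraries\FMAPP.dll", "loaded_signed": False},
    {"type": "image_load", "host": "ws-eng5", "time": "2026-03-02T08:40:00",
     "image": r"C:\Program Files\Fortemedia\FMAPP.exe",       # constructed benign path
     "loaded": r"C:\Program Files\Fortemedia\FMAPP.dll", "loaded_signed": True},
    {"type": "process", "host": "ws-eng5", "time": "2026-03-02T09:00:00",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for host, rule, detail in run_detections(SAMPLE_EVENTS):
        print(f"{host:10} {rule:20} {detail}")
```

Both rules fire on srv-fin2 and neither on ws-eng5; in practice the side-loading rule should also compare the DLL's hash or signer against the vendor's shipped FMAPP.dll, which the article does not provide.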
Expanded Infrastructure
In March 2026, eSentire’s Threat Response Unit published a major advisory after discovering MuddyWater’s operational infrastructure through exposed open directories (eSentire, 2026). These revealed their full tradecraft: tools, exploits, scan results, C2 details, and targeting information.
New C2 frameworks include ArenaC2, a Python-based HTTPS framework, and PersianC2, which is HTTP-based. These join KeyC2, which we documented in March. The group is also incorporating the Russian-origin Tsundere botnet, which uses “EtherHiding” to retrieve C2 servers from the Ethereum blockchain.
Newly exploited CVEs affect Citrix NetScaler, SmarterTools SmarterMail, N-Central, BeyondTrust, Langflow, and n8n, along with the React2Shell vulnerability. New tunneling tools include Neo-reGeorg and Resocks. Their preferred hosting infrastructure runs through AS152485, Hosterdaddy Private Limited, with domains registered through NameCheap.
The Bottom Line
MuddyWater in April 2026 is a fundamentally different animal than MuddyWater in January. They’ve rebuilt their toolkit in a memory-safe language whose binaries are harder to detect and analyze. They’re using AI to write malware. They’ve moved from targeting Middle Eastern governments to embedding backdoors in US banks and airports. And all of this is happening in the context of an active shooting war between the US and Iran.
The old MuddyWater was a mid-tier espionage group with decent tradecraft. The new MuddyWater is an offensive cyber unit operating in wartime conditions with modern tools and apparent AI augmentation. Act accordingly.
FTRCRP Investigation Follow-Up, April 4, 2026
Previous coverage: MuddyWater: Inside Iran’s Cyber War Machine
References
CloudSEK (2026) ‘Reborn in Rust: MuddyWater evolves tooling with RustyWater implant’. Available at: https://www.cloudsek.com/blog/reborn-in-rust-muddywater-evolves-tooling-with-rustywater-implant
Dark Reading (2026) ‘Iran MuddyWater new malware as tensions mount’. Available at: https://www.darkreading.com/threat-intelligence/iran-muddywater-new-malware-tensions-mount
eSentire (2026) ‘Iranian APT MuddyWater exposed’. Available at: https://www.esentire.com/security-advisories/iranian-apt-muddywater-exposed
Group-IB (2026) ‘MuddyWater: Operation Olalampo’, 23 February. Available at: https://www.group-ib.com/blog/muddywater-operation-olalampo/
Huntress (2026) ‘MuddyWater attack chain’. Available at: https://www.huntress.com/blog/muddywater-attack-chain
SC World (2026) ‘Iranian APT group MuddyWater targets multiple US companies’. Available at: https://www.scworld.com/news/iranian-apt-group-muddywater-targets-multiple-us-companies
Symantec (2026) ‘Seedworm APT group activity following U.S. and Israeli military strikes on Iran’, Broadcom Security. Available at: https://www.broadcom.com/support/security-center/protection-bulletin/seedworm-apt-group-activity-following-u-s-and-israeli-military-strikes-on-iran
The Hacker News (2026a) ‘MuddyWater launches RustyWater RAT’. Available at: https://thehackernews.com/2026/01/muddywater-launches-rustywater-rat-via.html
The Hacker News (2026b) ‘MuddyWater targets MENA organizations’. Available at: https://thehackernews.com/2026/02/muddywater-targets-mena-organizations.html
The Register (2026) ‘Iran intelligence backdoored US bank, airport networks’, 5 March. Available at: https://www.theregister.com/2026/03/05/mudywater_backdoor_us_networks/
Unit 42 (2026) ‘Threat brief: March 2026 escalation’, Palo Alto Networks. Available at: https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/
Report compiled from open-source intelligence. All claims verified against primary sources where available.
FTRCRP Threat Intelligence