Boggy Serpens Targets Diplomats and Critical Infrastructure in Multi-Wave Espionage Campaign

Original news source: cybersecuritynews.com (Cybersecurity News), by Blog Writer

A well-resourced Iranian nation-state group known as Boggy Serpens — also tracked as MuddyWater — has sharply escalated its cyberespionage operations, running sustained and targeted campaigns against diplomatic missions, energy companies, maritime operators, and financial institutions.

Attributed to Iran’s Ministry of Intelligence and Security (MOIS), the group has been active since at least 2017, but its recent campaigns reflect a clear evolution in both strategy and technical capability.

For much of its history, Boggy Serpens favored noisy, high-volume spear phishing operations that prioritized speed over stealth.

The group relied on living-off-the-land tactics, abusing remote monitoring and management tools such as Atera, ScreenConnect, and SimpleHelp, alongside public utilities like LaZagne and CrackMapExec.

Those early campaigns were broad and unsophisticated — but that operational style has since given way to something far more calculated.

Unit 42 analysts identified a decisive shift in the group’s behavior, noting that Boggy Serpens has moved toward a model centered on long-term persistence and trusted relationship compromise.

The group now builds custom implants using Rust — a memory-safe language that complicates reverse engineering — and has integrated generative AI into its development pipeline to produce new malware families faster.

The infection chain (Source – Unit 42)

Early 2025 operations also revealed coordination with Evasive Serpens, known as Lyceum, pointing to shared resources within the Iranian threat ecosystem.

The campaign’s reach has been wide. Boggy Serpens has struck organizations in Israel, Hungary, Turkey, Saudi Arabia, the UAE, Turkmenistan, Egypt, and South America, across government, aviation, maritime, and financial sectors.

A four-wave attack against a UAE-based marine and energy company linked to Saudi Aramco — spanning August 2025 through February 2026 — is the starkest example of the group’s persistence.

An email sent from a compromised email account to foreign embassies, government ministries and international organizations (Source – Unit 42)

In August 2025, the group also exploited a compromised mailbox at the Omani Ministry of Foreign Affairs to send fabricated diplomatic invitations posing as a “Sustainable Peace” seminar to embassies and international organizations worldwide.

What makes these campaigns especially difficult to stop is an infection chain built on a two-stage deception model that exploits both automated filters and human trust at the same time.

The first stage relies on hijacked legitimate email accounts at government agencies or corporations.

Messages sent from these accounts receive a negative spam confidence level (SCL -1) because they originate from authenticated internal senders, allowing them to bypass spam filters.

This tactic was used against a telecommunications provider in Turkmenistan and Israeli organizations, where the group sent “Cybersecurity Guidelines” and HR-themed attachments directly from within the victim’s own email environment (Figure 9).

The second stage activates when a target opens the attached document — typically a blurred Word file, a forged Excel financial report, or a fake Air Arabia airline ticket.

The file displays a message claiming it was created in an older version of Microsoft Office and asks the user to click “Enable Content.”

When that happens, a VBA macro executes silently in the background, drops a payload, and then clears the blur to reveal a convincing, legitimate-looking document underneath — making the interaction feel completely normal to the victim.
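The first-stage trick above works because a negative spam confidence level (SCL -1) tells the mail platform to skip content filtering for authenticated internal senders. The following is an added example, not code from the article or from Unit 42, of a triage rule that treats SCL -1 as a routing fact rather than a trust decision and looks instead at what the internal account is doing: whether it attaches macro-capable Office files and how many outside organisations it mails at once. The tenant domain `ministry.example`, the `Message` shape, the `fanout_baseline` value and both sample messages are constructed for the example.

```python
"""Mail-flow triage that does not let SCL -1 stand in for trust.

Added example; domains, message shape and baseline are assumptions."""
from dataclasses import dataclass

# Legacy .doc/.xls can carry VBA just like the explicit macro-enabled formats.
MACRO_CAPABLE = (".docm", ".xlsm", ".pptm", ".doc", ".xls")
# Assumed tenant domains; an internal sender is one whose domain is listed here.
INTERNAL_DOMAINS = {"ministry.example"}


@dataclass
class Message:
    sender: str
    recipients: list
    scl: int            # spam confidence level as stamped by the mail platform
    attachments: list
    subject: str


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def external_domains(msg: Message) -> set:
    """Distinct recipient domains outside the tenant."""
    return {domain_of(r) for r in msg.recipients} - INTERNAL_DOMAINS


def triage(msg: Message, fanout_baseline: int = 5) -> dict:
    """Return an action ('hold' or 'deliver') plus the reasons behind it.

    fanout_baseline is the assumed normal number of distinct external domains
    one internal message reaches; a real deployment would derive it per
    sender from history rather than use a constant.
    """
    reasons = []
    internal = domain_of(msg.sender) in INTERNAL_DOMAINS
    macro = [a for a in msg.attachments if a.lower().endswith(MACRO_CAPABLE)]
    fanout = len(external_domains(msg))

    if internal and msg.scl == -1:
        # Expected for authenticated internal mail; it is exactly why content
        # filters were skipped, so it contributes nothing toward trust here.
        reasons.append("scl=-1 from internal sender (content filters bypassed)")
    if macro:
        reasons.append("macro-capable attachment: " + ", ".join(macro))
    if fanout > fanout_baseline:
        reasons.append(f"external fan-out {fanout} > baseline {fanout_baseline}")

    # Hold when an internal account sends macro-capable content to an unusual
    # spread of outside organisations: the shape of a hijacked mailbox being
    # used for mass lure delivery.
    action = "hold" if (internal and macro and fanout > fanout_baseline) else "deliver"
    return {"action": action, "reasons": reasons}


# Constructed sample: a hijacked internal mailbox mass-mailing an invitation.
LURE = Message(
    sender="protocol@ministry.example",
    recipients=[f"info@embassy{i}.example" for i in range(12)],
    scl=-1,
    attachments=["Seminar_Invitation.docm"],
    subject="Invitation: Sustainable Peace seminar",
)
# Constructed sample: ordinary internal mail with a plain document.
ROUTINE = Message(
    sender="protocol@ministry.example",
    recipients=["colleague@ministry.example"],
    scl=-1,
    attachments=["agenda.docx"],
    subject="Tomorrow's agenda",
)

if __name__ == "__main__":
    for m in (LURE, ROUTINE):
        print(m.subject, "->", triage(m))
```

The point of the rule is the last condition: SCL -1 is recorded as a reason but never counted toward delivery, so a compromised account gains nothing from being internal once it starts mailing macro-capable lures broadly.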

Correlation and shared artifacts among campaigns (Source – Unit 42)

Forensic analysis uncovered two parallel VBA builder tracks tied to a single development team: the Phoenix Lineage, delivering full backdoors including BugSleep and the newly identified Nuso HTTP backdoor, and the UDPGangster Operations, deploying a lighter backdoor over UDP.

Both share an identical decryption key and the novaservice.exe file path, confirming they originate from the same pipeline.

Organizations should enforce strict macro execution policies across all Microsoft Office environments and deploy behavioral endpoint monitoring capable of detecting drop-and-execute activity.

Multi-factor authentication must be applied to all email accounts to reduce account hijacking exposure. Email controls that assess behavioral and thematic anomalies — beyond sender reputation alone — are critical for catching internal phishing campaigns.

Regular threat hunting for UDP-based beaconing, process injection events, and non-standard registry key modifications can help identify active infections before persistent access becomes fully established.
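The three hunting targets named above, an Office process launching something it just dropped, UDP beaconing at a steady cadence, and writes to autostart registry keys, can be checked against endpoint telemetry with a few lines of logic. The block below is an added example, not code from the article or from Unit 42; the event record shape, the user-writable directory list, the jitter threshold, the PIDs and the documentation-range addresses are all constructed. The `novaservice.exe` file name is the one the article reports; the directory it sits in here is assumed.

```python
"""Endpoint hunt over constructed telemetry for drop-and-execute,
UDP beaconing and Run-key persistence. Added example; event shapes,
paths, thresholds and addresses are assumptions."""
import statistics
from collections import defaultdict

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
RUN_KEYS = ("\\currentversion\\run",)   # also matches RunOnce


def office_drop_launches(events):
    """PIDs started by an Office parent from a user-writable directory."""
    hits = set()
    for e in events:
        if e["type"] != "process":
            continue
        if e["parent"].lower() in OFFICE_PARENTS and any(
            d in e["image"].lower() for d in USER_WRITABLE
        ):
            hits.add(e["pid"])
    return hits


def udp_beacons(events, min_packets=4, max_jitter=0.2):
    """PIDs sending >= min_packets UDP datagrams to one destination whose
    inter-packet gaps vary by at most max_jitter (population stdev / mean)."""
    times = defaultdict(list)
    for e in events:
        if e["type"] == "net" and e["proto"] == "udp":
            times[(e["pid"], e["dst"])].append(e["t"])
    hits = set()
    for (pid, _dst), ts in times.items():
        ts.sort()
        if len(ts) < min_packets:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            hits.add(pid)
    return hits


def run_key_writes(events):
    """PIDs writing under the Run/RunOnce autostart keys."""
    return {
        e["pid"] for e in events
        if e["type"] == "registry"
        and any(k in e["key"].lower() for k in RUN_KEYS)
    }


def hunt(events):
    """Map each PID to the indicators it triggered. A PID with two or more
    matches the drop, beacon, persist chain and should be triaged first."""
    findings = defaultdict(list)
    for name, fn in (("office-drop-launch", office_drop_launches),
                     ("udp-beacon", udp_beacons),
                     ("run-key-write", run_key_writes)):
        for pid in fn(events):
            findings[pid].append(name)
    return dict(findings)


# Constructed telemetry: timestamps in seconds, addresses from documentation ranges.
EVENTS = [
    {"type": "process", "t": 0, "pid": 4120, "parent": "WINWORD.EXE",
     "image": r"C:\Users\alice\AppData\Roaming\novaservice.exe"},
    {"type": "registry", "t": 2, "pid": 4120,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    *[{"type": "net", "t": t, "pid": 4120, "proto": "udp", "dst": "203.0.113.10:4444"}
      for t in (10, 70, 130, 190, 250)],
    # Benign noise: a browser launched from Program Files with irregular UDP traffic.
    {"type": "process", "t": 1, "pid": 900, "parent": "explorer.exe",
     "image": r"C:\Program Files\Browser\browser.exe"},
    *[{"type": "net", "t": t, "pid": 900, "proto": "udp", "dst": "198.51.100.5:443"}
      for t in (1, 6, 46, 48)],
]

if __name__ == "__main__":
    for pid, indicators in sorted(hunt(EVENTS).items()):
        print(pid, indicators)
```

Each detector on its own will produce noise (installers launch from `%TEMP%`, DNS and QUIC are UDP), which is why `hunt` reports per-PID combinations: a process that was spawned by Word from a profile directory, beacons on a fixed interval and registers itself in a Run key is worth an analyst's time regardless of what any one signal says.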
