MuddyWater Hackers Using Custom Malware With Multi-Stage Payloads and Cloudflare to Mask Fingerprints

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Since early 2025, cybersecurity teams have observed a marked resurgence in operations attributed to MuddyWater, an Iranian state–sponsored advanced persistent threat (APT) actor.

Emerging initially through broad remote monitoring and management (RMM) exploits, the group has pivoted to highly targeted campaigns employing custom malware backdoors and multi-stage payloads designed to evade detection.

Rather than relying solely on off-the-shelf tools, the adversary has expanded its arsenal to include bespoke implants such as BugSleep, StealthCache, and the Phoenix backdoor.

These components work in concert to establish covert footholds, extract sensitive data, and mask infrastructure using commercial services at scale.

Attack vectors continue to center on spear-phishing emails embedding malicious Microsoft Office documents.

Threat actor profile (Source – Group-IB)

Victims receive decoy documents laced with VBA macros that drop and execute secondary payloads from Cloudflare-protected domains.

Infected hosts then reach out to command-and-control (C2) servers hosted across mainstream and bulletproof providers—ranging from AWS and DigitalOcean to Stark Industries—before shifting communication behind Cloudflare proxies to obscure origin IPs.

Group-IB analysts noted that Cloudflare’s reverse-proxy service dramatically increases the difficulty of tracking active C2 endpoints, as all traffic appears to originate from shared Cloudflare hosts.

Initial loader

Upon execution, the initial loader (commonly named wtsapi32.dll) decrypts and injects the StealthCache backdoor into legitimate processes.

Infection Chain (Source – Group-IB)

StealthCache establishes a pseudo-TLV protocol over HTTPS, sending and receiving encrypted commands at endpoint /aq36 and reporting errors at /q2qq32.

Group-IB analysts identified custom XOR routines that dynamically derive decryption keys from the victim’s device and username strings, thwarting sandbox analysis when executed on mismatched hosts.

In its latest operational phase, MuddyWater’s multi-stage approach has delivered a trio of payloads: an initial VBA dropper, a loader such as Fooder, and a feature-rich backdoor like StealthCache.

Upon receiving a command code, StealthCache executes actions ranging from interactive shells to file exfiltration:

// Decrypt function snippet (repeating-key XOR; the same routine also encrypts)
#include <stdint.h>
#include <string.h>

void decrypt_payload(uint8_t *buffer, size_t size, const char *key) {
    size_t key_len = strlen(key);
    if (key_len == 0) return;             // avoid modulo by zero on an empty key
    for (size_t i = 0; i < size; ++i) {
        buffer[i] ^= key[i % key_len];    // XOR each byte with the cycling key
    }
}

Subsequently, the Phoenix backdoor is deployed from the loader’s memory space. Phoenix registers with its C2 via /register, then periodically posts beacons to /imalive and polls /request for further instructions.

This modular design enables seamless command updates and payload swaps without writing to disk, reinforcing persistence and minimizing forensic artifacts.

By leveraging Cloudflare to mask true server endpoints and integrating dynamic decryption keyed to host identifiers, MuddyWater has crafted a resilient, multi-stage infection chain that remains elusive to network defenders.

Continuous monitoring of Cloudflare-associated domains, alongside vigilant analysis of unique mutex names and C2 URL patterns, is essential for preempting new campaigns and safeguarding critical infrastructure.
