A sophisticated Iranian nation-state threat actor, identified as Boggy Serpens (also known as MuddyWater), has significantly intensified its cyberespionage activities. The group, believed to be linked to Iran’s Ministry of Intelligence and Security (MOIS), is conducting sustained and targeted attacks against diplomatic missions, critical infrastructure including energy companies and maritime operators, and financial institutions. This escalation marks a notable evolution in the group’s strategy and technical capabilities since its emergence around 2017.
Boggy Serpens: Evolving Tactics in Cyber Espionage
Previously, Boggy Serpens was characterized by aggressive, high-volume spear-phishing campaigns that prioritized speed over stealth. These operations often leveraged “living-off-the-land” tactics, misusing legitimate remote monitoring and management tools such as Atera, ScreenConnect, and SimpleHelp, in conjunction with public utilities like LaZagne and CrackMapExec. While these earlier methods were broad and less refined, recent analyses by Unit 42 reveal a decisive shift toward a more calculated approach centered on long-term persistence and the compromise of trusted relationships.
The group is now developing custom implants using Rust, a memory-safe programming language that poses challenges for reverse engineering. Furthermore, Boggy Serpens has integrated generative AI into its development processes, enabling the faster creation of new malware families. Intelligence from early 2025 indicates potential coordination with another Iranian threat group, Evasive Serpens (also known as Lyceum), suggesting shared resources within the Iranian cyber threat ecosystem.
The operational reach of these campaigns is extensive, with targets identified in Israel, Hungary, Turkey, Saudi Arabia, the UAE, Turkmenistan, Egypt, and across South America. Sectors affected include government, aviation, maritime, and finance. A particularly striking example of the group’s persistence was observed in a four-wave attack against a UAE-based marine and energy company with ties to Saudi Aramco, spanning from August 2025 to February 2026.
In August 2025, Boggy Serpens exploited a compromised email account at the Omani Ministry of Foreign Affairs. From this compromised account, they disseminated fabricated diplomatic invitations for a purported “Sustainable Peace” seminar to embassies and international organizations globally. This strategy highlights the group’s adeptness at exploiting legitimate channels for malicious intent.
Two-Tiered Social Engineering and Macro Delivery
A key factor making these campaigns difficult to thwart is an infection chain built on a two-stage deception model that exploits automated email filters and human trust at the same time. The first stage uses hijacked legitimate email accounts belonging to government agencies or corporations. Mail sent from these authenticated internal sources typically receives a spam confidence level of -1 (SCL -1), which lets it bypass standard spam filtering. This tactic was observed in attacks against a telecommunications provider in Turkmenistan and various Israeli organizations, where messages detailing “Cybersecurity Guidelines” or HR-related information were sent directly from within the victim organization’s email infrastructure.
The second stage is initiated when a recipient opens an attached document. These attachments often appear as blurred Word files, forged Excel financial reports, or fake airline tickets. The files present a deceptive message, claiming to have been created in an older version of Microsoft Office and prompting the user to click “Enable Content.” Upon user interaction, a Visual Basic for Applications (VBA) macro silently executes in the background. This macro drops a malicious payload and then clears the initial blur, revealing a seemingly legitimate document underneath, thereby creating a sense of normalcy for the victim.
Forensic analysis has uncovered two parallel VBA builder tracks associated with a single development team. The Phoenix Lineage delivers full backdoors, including BugSleep and the recently identified Nuso HTTP backdoor. The UDPGangster track, conversely, deploys a lighter backdoor that communicates over UDP. Crucially, both tracks share an identical decryption key and the file path novaservice.exe, confirming their common origin within the same development pipeline.
Organizations are strongly advised to implement stringent macro execution policies across all Microsoft Office environments. Deploying behavioral endpoint monitoring solutions capable of detecting drop-and-execute activities is also recommended. To mitigate the risk of account hijacking, multi-factor authentication should be enforced for all email accounts. Email security controls that assess behavioral and thematic anomalies, rather than relying solely on sender reputation, are vital for identifying internal phishing campaigns.
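As an added illustration of the behavioral and thematic mail controls recommended here, and of the SCL -1 bypass described in the two-tiered social engineering section, the following Python triage script (written for this article, not code from Unit 42 or any vendor) scores constructed message-trace records; the tenant domain, lure keywords, fan-out threshold and record layout are assumptions.

```python
"""Triage mail-trace records for the hijacked-account pattern described above:
an authenticated internal sender (SCL -1, so filtering was skipped), a
macro-capable Office attachment, a lure theme, or fan-out to many external
domains. Domains, records and thresholds are constructed assumptions."""
import re

INTERNAL_DOMAINS = {"example-ministry.gov"}  # constructed tenant domain
# Formats that can carry VBA; legacy .doc/.xls are included because they may.
MACRO_EXTS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".doc", ".xls")
LURE_THEMES = re.compile(r"cybersecurity guidelines|\bhr\b|seminar|invitation|"
                         r"financial report|ticket", re.IGNORECASE)
FANOUT_THRESHOLD = 10  # distinct external recipient domains (assumed value)


def domain(address):
    return address.rsplit("@", 1)[-1].lower()


def score(msg):
    """Return (indicator count, reasons) for one message-trace record (dict)."""
    reasons = []
    if domain(msg["sender"]) in INTERNAL_DOMAINS and msg["scl"] == -1:
        reasons.append("internal sender, filtering bypassed (SCL -1)")
    if any(a.lower().endswith(MACRO_EXTS) for a in msg.get("attachments", [])):
        reasons.append("macro-capable Office attachment")
    if LURE_THEMES.search(msg["subject"]):
        reasons.append("lure theme in subject")
    fanout = len({domain(r) for r in msg["recipients"]} - INTERNAL_DOMAINS)
    if fanout >= FANOUT_THRESHOLD:
        reasons.append(f"fan-out to {fanout} external domains")
    return len(reasons), reasons


def triage(messages, threshold=3):
    """Messages with at least `threshold` indicators, for analyst review."""
    return [m for m in messages if score(m)[0] >= threshold]


SAMPLE_MESSAGES = [  # constructed examples, not real telemetry
    {"sender": "facilities@example-ministry.gov", "scl": -1,
     "recipients": ["all@example-ministry.gov"],
     "subject": "Parking closure on Friday"},
    {"sender": "itdesk@example-ministry.gov", "scl": -1,
     "recipients": ["all@example-ministry.gov"],
     "subject": "Updated Cybersecurity Guidelines",
     "attachments": ["Guidelines.docm"]},
    {"sender": "protocol@example-ministry.gov", "scl": -1,
     "recipients": [f"info@embassy{i}.example.org" for i in range(12)],
     "subject": "Invitation: Sustainable Peace seminar",
     "attachments": ["Invitation.docm"]},
]
```

A routine internal notice scores one indicator and is left alone, while the guideline lure and the wide-fan-out invitation clear the review threshold even though all three came from the same trusted tenant with SCL -1.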
Furthermore, regular threat hunting activities focused on detecting UDP-based beaconing, process injection events, and non-standard registry key modifications can aid in identifying active infections before persistent access is fully established. Continuous vigilance and adaptation of defensive measures are crucial in countering the evolving threat posed by Boggy Serpens and similar state-sponsored cyberespionage groups.
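The UDP beaconing hunt mentioned above, as an added Python example that is not from the original report: it groups constructed flow records by peer and flags destinations contacted at near-constant intervals; the flow tuple format, the thresholds and the NTP allowlist are assumptions.

```python
"""Hunt for UDP beaconing in flow records: a beacon contacts the same
destination at near-constant intervals, so the spread of its inter-arrival
times is small relative to their mean (low coefficient of variation).
Flow records, thresholds and the service allowlist are constructed assumptions."""
from collections import defaultdict
from statistics import mean, pstdev

# Ports whose traffic is legitimately periodic (e.g. NTP); assumed allowlist to
# keep known clock-sync chatter out of the results.
KNOWN_PERIODIC_PORTS = {123}


def beacon_candidates(flows, min_events=6, max_cv=0.15):
    """Group UDP flows by (src, dst, dst_port) and return regular-interval peers.
    Each flow is (timestamp_seconds, src_ip, dst_ip, dst_port, protocol)."""
    by_peer = defaultdict(list)
    for ts, src, dst, port, proto in flows:
        if proto == "udp" and port not in KNOWN_PERIODIC_PORTS:
            by_peer[(src, dst, port)].append(ts)
    hits = []
    for (src, dst, port), stamps in by_peer.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "port": port,
                         "events": len(stamps), "interval": avg, "cv": cv})
    return hits


def _series(src, dst, port, stamps, proto="udp"):
    return [(t, src, dst, port, proto) for t in stamps]


# Constructed flow records, not real telemetry.
FLOWS = (
    # steady ~60 s beacon with small jitter to an external host
    _series("10.0.0.5", "203.0.113.10", 8443, [0, 61, 119, 180, 241, 300, 359, 420])
    # bursty, irregular DNS lookups to the internal resolver
    + _series("10.0.0.7", "10.0.0.53", 53, [5, 9, 30, 31, 90, 200, 205, 400])
    # periodic NTP sync: regular, but on an allowlisted port
    + _series("10.0.0.5", "192.0.2.1", 123, [0, 64, 128, 192, 256, 320, 384])
    # regular TCP keepalive: not UDP, so out of scope for this hunt
    + _series("10.0.0.9", "198.51.100.4", 443, [0, 30, 60, 90, 120, 150, 180], "tcp")
)
```

Only the jittered 60-second UDP talker survives: the DNS traffic is too irregular, the NTP sync is allowlisted, and the TCP keepalive is outside the protocol filter.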