A sophisticated cyber campaign, exhibiting strong operational similarities to the notorious MuddyWater threat group, has been identified conducting extensive scans on over 12,000 internet-exposed systems across various regions. This widespread reconnaissance was followed by highly targeted attacks against critical sectors in the Middle East, including aviation, energy, and government entities. Confirmed data theft has been reported from at least one Egyptian aviation organization, raising significant concerns about regional cybersecurity resilience.
The operation, which appears to have commenced in early February 2025, coincided with a noticeable escalation in geopolitical tensions across the Middle East. Researchers at Oasis Security meticulously detailed the attack’s multi-stage progression, which involved initial vulnerability reconnaissance, followed by selective credential harvesting, and ultimately culminating in full data exfiltration. This structured approach underscores the advanced planning and execution characteristic of sophisticated state-sponsored or highly organized cybercriminal groups.
The initial scanning phase leveraged at least five newly disclosed zero-day vulnerabilities (CVEs) affecting a broad spectrum of systems. These included critical infrastructure components such as web applications, email servers, IT management platforms, and workflow automation tools. The specific vulnerabilities exploited were CVE-2025-54068 (Laravel Livewire RCE), CVE-2025-52691 (SmarterMail RCE), CVE-2025-68613 (n8n RCE), CVE-2025-9316 (Unauthenticated Session ID Generation in RMM systems), and CVE-2025-34291 (Langflow RCE). The exploitation of these recent vulnerabilities highlights the attackers’ access to timely exploit information.
Oasis Security researchers traced the attacker-controlled infrastructure back to a server located in the Netherlands, identified by the IP address 157.20.182.49. A significant volume of server-side files was collected from this infrastructure, revealing modular Command and Control (C2) components, operational scripts, and clear evidence of coordinated scanning activities. The timing of this large-scale scanning operation, launching just weeks before heightened regional tensions, strongly suggests a strategic intent to gather intelligence and prepare for potential disruptive actions.
Modular C2 Infrastructure for Resilient Operations
A key technical aspect of this campaign was the attackers’ deployment of a modular C2 infrastructure, meticulously designed for resilience and adaptability. Oasis Security’s analysis revealed a multi-layered architecture built with various programming languages and communication protocols. This design aimed to keep the operation running and make takedown difficult, even if parts of the C2 network were discovered by defenders.
The C2 setup featured Python-based controllers, namely `tcp_serv.py` and `udp_3.0.py`, alongside Go-based binaries such as `server` and `client.exe`. The `tcp_serv.py` controller was configured to listen for inbound connections on TCP port 5009, while its UDP counterpart utilized similar structural patterns. Both controllers consistently employed a distinct custom packet header format identified as `
More sophisticated HTTP-based controllers were also part of the infrastructure, managing encrypted client sessions through API-like endpoints. These endpoints included `/command`, `/result`, `/signup`, and `/feed`. The Go-based `ex-server` binary was responsible for AES (CTR mode)-encrypted data exchanges via the `/signup` and `/feed` endpoints. Individual infected hosts were tracked using cookie-based `cid` values.
These communication patterns bear a strong resemblance to MuddyWater’s ArenaC2 framework, significantly reinforcing the attribution assessment made by Oasis Security. This technical alignment points to a shared lineage of tools and techniques, common among advanced persistent threat (APT) groups.
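The indicators described above (the TCP/5009 listener, the Netherlands-hosted address, the `/command`, `/result`, `/signup` and `/feed` endpoints and the `cid` tracking cookie) can be turned into a hunting query over proxy and firewall records. The following is an added example written for this page, not Oasis Security's tooling; the record layout and the sample lines are constructed assumptions, only the indicators themselves come from the report.

```python
"""Hunt for the C2 traffic patterns described above in proxy/firewall records.
Added example, not Oasis Security's tooling; the log layout is a constructed
assumption, only the indicators (port, address, paths, cookie) come from the report."""
import re
from dataclasses import dataclass

# Indicators from the report: TCP listener port and attacker infrastructure IP.
C2_TCP_PORT = 5009
C2_SERVER_IP = "157.20.182.49"
# HTTP controller endpoints and the per-victim tracking cookie name.
C2_PATHS = frozenset({"/command", "/result", "/signup", "/feed"})
C2_COOKIE = "cid"

# Constructed record layout (assumption):
#   src_ip dst_ip dst_port method path "Cookie header"
LINE_RE = re.compile(
    r'^(?P<src>\S+) (?P<dst>\S+) (?P<port>\d+) (?P<method>\S+) (?P<path>\S+) "(?P<cookie>[^"]*)"$'
)


@dataclass
class Finding:
    src: str
    dst: str
    reason: str


def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def cookie_names(header):
    """Extract cookie names from 'a=1; cid=abc' -> {'a', 'cid'}."""
    return {kv.split("=", 1)[0].strip() for kv in header.split(";") if "=" in kv}


def hunt(lines, known_hosts=frozenset()):
    """Flag records matching the report's indicators.

    The endpoint rule needs all three of: a C2 path, the `cid` cookie and a
    destination outside `known_hosts`; paths like /feed are common on
    legitimate sites, so the path alone would be far too noisy.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dst"] == C2_SERVER_IP:
            findings.append(Finding(rec["src"], rec["dst"], "known C2 address"))
        elif rec["port"] == C2_TCP_PORT:
            findings.append(Finding(rec["src"], rec["dst"], "outbound TCP/5009"))
        elif (rec["path"] in C2_PATHS
              and C2_COOKIE in cookie_names(rec["cookie"])
              and rec["dst"] not in known_hosts):
            findings.append(Finding(rec["src"], rec["dst"],
                                    f"C2-style endpoint {rec['path']} with cid cookie"))
    return findings


# Constructed sample records (RFC 5737 documentation addresses, plus the report's C2 IP).
SAMPLE_LOG = [
    '10.0.0.5 157.20.182.49 443 POST /feed "cid=abc123"',
    '10.0.0.6 203.0.113.7 5009 - - ""',
    '10.0.0.7 203.0.113.9 80 GET /feed "cid=77; lang=en"',
    '10.0.0.8 203.0.113.10 443 GET /feed "session=x"',
    '10.0.0.9 198.51.100.1 443 POST /signup "cid=1"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG, known_hosts={"198.51.100.1"}):
        print(f"{f.src} -> {f.dst}: {f.reason}")
```

The `known_hosts` allow-list is the important tuning knob: `/feed` and `/signup` are ordinary paths on many legitimate services, so the endpoint rule only fires when the path, the `cid` cookie and an unrecognized destination coincide, which is what the report's "unrecognized endpoints" recommendation amounts to in practice.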
Following the extensive reconnaissance, the threat actors shifted their focus to credential-based intrusion methods. Attackers initiated Outlook Web Access (OWA) brute-force attacks, utilizing custom tools such as `owa.py` and multi-threaded attack software like Patator. These tools were employed for targeted username enumeration against specific organizations, further narrowing their efforts within the already identified network perimeters.
These credential harvesting efforts were primarily concentrated on entities located in Egypt, Israel, and the United Arab Emirates. In a confirmed instance, an Egyptian firefighting enterprise experienced successful theft of employee credentials. Additionally, administrator account lists were recovered from a targeted organization within the UAE. This indicates a successful breach of initial access controls and a move towards gaining elevated privileges within targeted networks.
The operation progressed beyond mere access attempts into confirmed data exfiltration, specifically targeting an aviation organization based in Egypt. Approximately 200 staged files were discovered within attacker-controlled directories. These files contained sensitive information, including passport and visa records, payroll and salary data, credit card details, and confidential internal corporate documents. The breadth of data exfiltrated suggests a motive of espionage or financial gain.
While the primary focus was on the Middle East, additional targeting was identified across entities in Portugal and India. This suggests that the campaign’s reach and objectives extended beyond its immediate regional focus, underscoring a broader strategic interest or a wider net cast for potential future exploitation. The inclusion of these geographically disparate targets indicates a complex and far-reaching cyber operation.
Organizations exposed to any of the five exploited CVEs are strongly advised to apply available security patches without delay. Furthermore, a thorough review of OWA access logs for any signs of brute-force activity is a critical immediate step. Security teams should also consider blocking outbound traffic on port 5009, monitoring for encrypted HTTP connections to unrecognized endpoints, and auditing internal file directories for bulk staging behaviors that might indicate ongoing data collection efforts in preparation for exfiltration. Continuous monitoring and proactive threat hunting remain paramount in defending against such sophisticated threats.
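The OWA log review recommended above can be made concrete. The following added example (written for this page, not a tool from the report) scans authentication records for the two patterns the campaign exhibited: bursts of failed logins from one source and many distinct usernames tried from one source (enumeration), and then notes when such a source went on to log in successfully. The record layout and all sample lines are constructed assumptions.

```python
"""Review OWA authentication records for brute-force and username-enumeration
patterns.  Added example, not a tool from the report; the record layout is a
constructed assumption."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed layout (assumption): "<ISO-8601 timestamp> <src_ip> <username> <FAIL|OK>"
SAMPLE_OWA_LOG = """\
2025-02-03T08:00:01 203.0.113.5 alice FAIL
2025-02-03T08:00:02 203.0.113.5 bob FAIL
2025-02-03T08:00:03 203.0.113.5 carol FAIL
2025-02-03T08:00:04 203.0.113.5 dave FAIL
2025-02-03T08:00:05 203.0.113.5 erin FAIL
2025-02-03T08:00:06 203.0.113.5 frank FAIL
2025-02-03T08:00:10 203.0.113.5 frank OK
2025-02-03T09:00:00 198.51.100.7 jsmith FAIL
2025-02-03T09:00:20 198.51.100.7 jsmith OK
2025-02-03T10:00:00 192.0.2.9 admin FAIL
2025-02-03T10:03:00 192.0.2.9 admin FAIL
2025-02-03T10:06:00 192.0.2.9 admin FAIL
2025-02-03T10:09:00 192.0.2.9 admin FAIL
2025-02-03T10:30:00 192.0.2.9 admin FAIL
2025-02-03T11:00:00 192.0.2.20 admin FAIL
2025-02-03T11:00:10 192.0.2.20 admin FAIL
2025-02-03T11:00:20 192.0.2.20 admin FAIL
2025-02-03T11:00:30 192.0.2.20 admin FAIL
2025-02-03T11:00:40 192.0.2.20 admin FAIL
"""


def parse(lines):
    """Yield one event dict per well-formed record; malformed lines are skipped."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, user, result = parts
        yield {"ts": datetime.fromisoformat(ts), "src": src, "user": user, "result": result}


def peak_failures(fails, window):
    """Largest number of failures (sorted by time) inside any span of length `window`."""
    peak = start = 0
    for end in range(len(fails)):
        while fails[end]["ts"] - fails[start]["ts"] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def analyze(lines, fail_threshold=5, user_threshold=4, window=timedelta(minutes=10)):
    """Return {source_ip: alert} for sources showing brute-force or enumeration."""
    by_src = defaultdict(list)
    for ev in parse(lines):
        by_src[ev["src"]].append(ev)

    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        fails = [e for e in events if e["result"] == "FAIL"]
        peak = peak_failures(fails, window)
        users = {e["user"] for e in fails}

        # Did a successful login follow earlier failures from this source?
        seen_fail = success_after_fail = False
        for e in events:
            if e["result"] == "FAIL":
                seen_fail = True
            elif seen_fail:
                success_after_fail = True
                break

        reasons = []
        if peak >= fail_threshold:
            reasons.append(f"{peak} failed logins within {window}")
        if len(users) >= user_threshold:
            reasons.append(f"{len(users)} distinct usernames tried (enumeration)")
        # Only report the success when brute-force activity already triggered;
        # a single typo followed by a correct password is normal user behaviour.
        if reasons and success_after_fail:
            reasons.append("successful login after the failures (credential may have been guessed)")
        if reasons:
            alerts[src] = {"peak_failures": peak, "distinct_users": len(users),
                           "success_after_fail": success_after_fail, "reasons": reasons}
    return alerts


if __name__ == "__main__":
    for src, alert in analyze(SAMPLE_OWA_LOG.splitlines()).items():
        print(src, "; ".join(alert["reasons"]))
```

In the constructed sample, `203.0.113.5` trips both rules and then logs in as `frank`, which is the pattern that would correspond to the confirmed credential theft; `192.0.2.20` is a plain password-guessing burst; `192.0.2.9` makes five failed attempts in total but never five inside one ten-minute window, so it stays below the threshold; and `198.51.100.7` is an ordinary user mistyping a password once. The thresholds and window are starting points to tune against the organization's own baseline.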