Iranian hacker group MuddyWater has expanded its operations to countries such as Azerbaijan, Portugal, Turkey, Saudi Arabia, and India, using newly developed malware.

According to a detailed report by cybersecurity firm Check Point, MuddyWater has employed BugSleep malware to allow hackers to execute remote commands and transfer files between infected systems and their servers with targets including government organizations, media outlets, and travel agencies.

International organizations, including the US Cybersecurity and Infrastructure Security Agency, have attributed MuddyWater to Iran's ministry of intelligence. MuddyWater, also known as APT34 and OilRig, has been active for several years, focusing on cyber-espionage against private and governmental organizations in the Middle East and Western countries.

Their activities are characterized by a mix of strategic intelligence gathering and disruptive cyberattacks, aiming to further Iran's geopolitical interests.

The primary and most successful method of the new malware so far, also targeting countries such as Israel and Saudi Arabia, has been through phishing emails.

Since February 2024, over 50 such emails have been distributed to hundreds of recipients, crafted to deceive recipients into clicking malicious links or downloading infected attachments.

Cybersecurity company Sekoia has also highlighted a surge in MuddyWater's activities. One of the significant findings from Sequoia's investigation is a shift in the hackers' tactics.

Instead of embedding infected links directly in the text of phishing emails, MuddyWater now places these malicious links in PDF files attached to the emails, an attempt to bypass security filters that scrutinize email contents for suspicious links.

Iran has a long history of using cyberattacks, not least on its archenemy, Israel, targeting entities like the Israel Electric Corporation.

These attacks have stepped up since the outbreak of the Gaza war. In November, just weeks after the war began, a group going by the name of “Cyber Toufan” targeted Israeli companies and organizations and dumped huge troves of data online that it claims to have stolen.

Israel's National Institute for Security Studies says Iran was one of the first countries to develop a national cyber strategy. It has developed the institutions and infrastructure to ensure its proxy war could disrupt, sabotage and even destroy civil and commercial targets, critical national infrastructure and military capabilities.