A cyber campaign bearing the hallmarks of the Iran-linked group widely known as MuddyWater has probed more than 12,000 internet-facing systems before moving against selected targets in the Middle East, with aviation, energy and government organisations among the sectors drawn into the operation. Investigators say the activity progressed from broad reconnaissance to confirmed data theft, underscoring how quickly opportunistic scanning can turn into focused espionage when exposed digital assets are left unpatched or weakly protected.
The operation, disclosed by Oasis Security and amplified across cyber threat reporting on 15 April, is notable for both its scale and discipline. Researchers said the attackers weaponised at least five newly disclosed vulnerabilities to map vulnerable systems across web applications, mail servers, remote management platforms and workflow tools. Rather than attempting to compromise every exposed machine they found, the operators appear to have narrowed their effort to higher-value organisations after the initial scan, a pattern that threat analysts increasingly associate with state-aligned campaigns seeking intelligence value rather than indiscriminate disruption.
According to the technical findings, the campaign combined vulnerability exploitation with brute-force attacks on Outlook Web Access, using custom scripts and widely known offensive tools to test usernames and passwords against enterprise email systems. That mix matters because it broadens the attackers’ chances of entry. Even where a target may have patched one exposed service, weak credentials or insufficient login controls can still open a second door. Oasis said credential harvesting was observed against organisations in Egypt, Israel and the United Arab Emirates, with account lists and credential pairs recovered from attacker-controlled infrastructure.
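The credential attacks described above leave a recognisable footprint in mail-portal authentication logs: one source address trying many different accounts (password spraying), or hammering a single account until it succeeds. The following is an added detection example written for this article, not code from Oasis Security or from the campaign reporting; it runs over a constructed, simplified authentication log (the `src=`/`user=`/`result=` format, the sample IP addresses and the account names are all assumptions for illustration) and flags both patterns plus the case a defender most wants to see first, a success that follows a run of failures.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for this example (not from the reported campaign).
# Simplified authentication-log format: timestamp, source IP, account tried, outcome.
SAMPLE_LOG = """\
2026-02-12T08:00:01Z src=203.0.113.5 user=alice result=FAIL
2026-02-12T08:00:03Z src=203.0.113.5 user=bob result=FAIL
2026-02-12T08:00:05Z src=203.0.113.5 user=carol result=FAIL
2026-02-12T08:00:07Z src=203.0.113.5 user=dave result=FAIL
2026-02-12T08:00:09Z src=203.0.113.5 user=erin result=FAIL
2026-02-12T08:00:11Z src=203.0.113.5 user=frank result=FAIL
2026-02-12T08:01:00Z src=198.51.100.9 user=alice result=FAIL
2026-02-12T08:01:02Z src=198.51.100.9 user=alice result=FAIL
2026-02-12T08:01:04Z src=198.51.100.9 user=alice result=FAIL
2026-02-12T08:01:06Z src=198.51.100.9 user=alice result=FAIL
2026-02-12T08:01:08Z src=198.51.100.9 user=alice result=FAIL
2026-02-12T08:01:10Z src=198.51.100.9 user=alice result=OK
2026-02-12T09:30:00Z src=192.0.2.77 user=grace result=FAIL
2026-02-12T09:30:30Z src=192.0.2.77 user=grace result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse the simplified log into (timestamp, src, user, result) tuples.

    Lines that do not match the expected format are skipped rather than
    raising, so a partially corrupted log still yields what it can.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def detect_credential_attacks(events, window=timedelta(minutes=10),
                              spray_users=5, brute_fails=5):
    """Sliding-window detection of credential attacks per source address.

    spray:                  one source fails against >= spray_users distinct accounts
                            inside the window.
    brute_force:            one source fails >= brute_fails times against one account.
    success_after_failures: a successful login for an account that the same source
                            had already failed against >= brute_fails times.
    Thresholds are assumed values; tune them to the portal's normal traffic.
    """
    findings = {"spray": set(), "brute_force": set(), "success_after_failures": set()}
    by_src = defaultdict(list)
    for ev in sorted(events):          # chronological order is required for the window
        by_src[ev[1]].append(ev)

    for src, evs in by_src.items():
        for i, (ts, _, user, result) in enumerate(evs):
            # All events from this source in the window ending at the current event.
            recent = [e for e in evs[:i + 1] if ts - e[0] <= window]
            recent_fails = [e for e in recent if e[3] == "FAIL"]
            same_user_fails = sum(1 for e in recent_fails if e[2] == user)
            if result == "FAIL":
                if len({e[2] for e in recent_fails}) >= spray_users:
                    findings["spray"].add(src)
                if same_user_fails >= brute_fails:
                    findings["brute_force"].add((src, user))
            elif same_user_fails >= brute_fails:
                # A success right after a burst of failures is the alert to act on first.
                findings["success_after_failures"].add((src, user))

    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for kind, hits in detect_credential_attacks(parse_log(SAMPLE_LOG)).items():
        print(f"{kind}: {hits}")
```

The window-based approach matters because a patient attacker spreads attempts out to stay under per-minute lockout thresholds; counting distinct accounts per source over a longer window catches spraying that per-account lockout never sees. On a real deployment the same logic would be fed from the mail portal's own authentication logs and paired with the controls the article alludes to: multi-factor authentication on the portal and lockout or rate limiting keyed on source address as well as account.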
Researchers said confirmed exfiltration occurred at an aviation organisation in Egypt, where stolen material included passport and visa records, payroll and salary data, credit-card information and internal corporate documents. About 200 files were identified in directories linked to the attackers, suggesting a structured staging process before data was moved out. That level of organisation points to a campaign built around collection and persistence rather than a smash-and-grab intrusion, and it raises fresh concern for industries that sit close to transport, energy supply and the machinery of government in a region already carrying elevated geopolitical risk.
Attribution remains careful rather than absolute. Oasis described the activity as consistent with MuddyWater tradecraft, not as a definitive public naming. That distinction is important. Cyber attribution often rests on overlapping infrastructure, coding patterns, operational timing and victimology rather than a single decisive marker. Still, the overlap is substantial enough to draw attention. The researchers cited newly identified command-and-control components, including Python- and Go-based controllers, custom communications formats and techniques that they said align with patterns previously associated with MuddyWater’s ArenaC2 framework.
MuddyWater has long been tracked by Western governments and major security firms as an Iran-linked espionage actor. A joint advisory from CISA, the FBI, NSA and partners in 2022 described MuddyWater as a government-sponsored group conducting cyber espionage and other malicious operations. Microsoft has also linked the actor it previously tracked as Mercury to Iran’s Ministry of Intelligence and Security, noting a history of exploiting unpatched internet-facing systems, stealing credentials and moving laterally inside victim networks. Those older assessments do not prove responsibility for this campaign, but they provide the strategic and technical backdrop against which the new findings are being judged.
Timing has sharpened concern. Oasis said the campaign began in early February, before the latest surge in regional tensions. Reuters reported this month that hacking groups controlled by Iran had stepped up operations since late February, targeting mainly critical infrastructure and telecommunications companies in the Gulf, while separate reporting and official alerts have pointed to wider pressure on infrastructure operators tied to the regional conflict. The convergence of cyber activity with geopolitical strain does not, by itself, establish motive, but it does reinforce the view that cyber reconnaissance is being woven into a broader contest over leverage, access and preparedness.
For governments and businesses across the Middle East, the lesson is less about one named group than about a method that is becoming harder to ignore. Large-scale vulnerability scanning, rapid exploitation of newly disclosed flaws, credential attacks against email portals and modular command infrastructure have become a repeatable pipeline. Energy companies, aviation operators and public agencies are especially exposed because their systems tend to be both internet-connected and operationally sensitive. When those sectors are hit, the damage goes beyond data loss, touching supply chains, border management, payroll systems and public trust.