Sophos Identifies Phishing Campaign Linked to MuddyWater Group
Sophos MDR is tracking a phishing campaign run by the Iranian threat actor MuddyWater.

Sophos has identified a new phishing campaign linked to the Iranian group MuddyWater, also known as TA450, which aims to steal credentials by enticing targets into installing Atera, a legitimate remote monitoring and management (RMM) tool. The campaign was first detected in November, when Sophos blocked credential-dumping attempts against an organization in Israel. A phishing email directed victims to a shared document, which led to the download of a compressed Atera installer; the Atera agent had been registered using a compromised email account. Following installation, the threat actors executed commands that dumped credentials and saved a backup of the SYSTEM registry hive (the hive that holds the boot key needed to decrypt locally stored credential material such as the SAM). Sophos continues to monitor this activity for further developments.
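The post-installation behaviour described above (a registry hive copy and credential dumping executed beneath a freshly installed RMM agent) is a detectable process-ancestry pattern. The following Python is an added example, not Sophos detection content or Atera code: it scans constructed process-creation events, tags `reg.exe save/export` of the SYSTEM, SAM or SECURITY hives and a few common LSASS-dumping command lines, and raises the severity when an RMM agent appears in the process ancestry. The agent binary name `AteraAgent.exe`, the sample events and the credential-dump patterns are assumptions for illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (Sysmon event 1 or an EDR equivalent)."""
    host: str
    image: str            # executable that was started
    command_line: str
    ancestry: tuple       # parent image first, then grandparent, and so on


@dataclass
class Alert:
    host: str
    command_line: str
    tags: list
    severity: str


# Assumption: the Atera Windows agent binary is AteraAgent.exe. Replace or
# extend with the RMM binaries actually deployed in your environment.
RMM_AGENTS = {"ateraagent.exe"}

# reg.exe save/export of the hives an attacker needs for offline credential
# decryption (SYSTEM holds the boot key; SAM and SECURITY hold the secrets).
HIVE_DUMP_RE = re.compile(
    r"\breg(?:\.exe)?\s+(save|export)\s+[\"']?"
    r"(?:hklm|hkey_local_machine)\\(system|sam|security)\b",
    re.IGNORECASE,
)

# Illustrative LSASS-dumping command-line patterns (not an exhaustive list).
CRED_DUMP_RES = (
    re.compile(r"sekurlsa::logonpasswords", re.IGNORECASE),
    re.compile(r"procdump.*\blsass(?:\.exe)?\b", re.IGNORECASE),
    re.compile(r"rundll32.*comsvcs\.dll.*minidump", re.IGNORECASE),
)


def _basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the list of detection tags that apply to one event."""
    tags = []
    m = HIVE_DUMP_RE.search(ev.command_line)
    if m:
        tags.append("hive_dump:" + m.group(2).lower())
    if any(r.search(ev.command_line) for r in CRED_DUMP_RES):
        tags.append("credential_dump")
    # Only escalate when something suspicious was already found; an RMM agent
    # spawning ordinary child processes is normal.
    if tags and any(_basename(a) in RMM_AGENTS for a in ev.ancestry):
        tags.append("spawned_by_rmm")
    return tags


def severity(tags):
    if not tags:
        return None
    return "high" if "spawned_by_rmm" in tags else "medium"


def scan(events):
    """Run classify() over a sequence of events and return the alerts raised."""
    alerts = []
    for ev in events:
        tags = classify(ev)
        if tags:
            alerts.append(Alert(ev.host, ev.command_line, tags, severity(tags)))
    return alerts


# Constructed sample telemetry; none of this is real data from the campaign.
AGENT = r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"
SAMPLE_EVENTS = [
    ProcessEvent("ws-01", r"C:\Windows\System32\reg.exe",
                 r"reg save HKLM\SYSTEM C:\Windows\Temp\sys.bak",
                 (r"C:\Windows\System32\cmd.exe", AGENT)),
    ProcessEvent("ws-01", r"C:\Windows\System32\reg.exe",
                 r"reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion",
                 (r"C:\Windows\explorer.exe",)),
    ProcessEvent("ws-02", r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Windows\Temp\l.dmp full",
                 (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", AGENT)),
    ProcessEvent("ws-03", r"C:\Windows\System32\reg.exe",
                 r"reg save hklm\sam C:\Users\Public\sam.bak",
                 (r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe")),
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(a.severity, a.host, a.tags, a.command_line)
```

The ancestry check is deliberately applied only after a hive or LSASS indicator fires: RMM agents legitimately spawn `cmd.exe` and `powershell.exe` all day, so the agent in the process tree is a severity multiplier, not a detection on its own. In a real pipeline the same two-stage logic can be expressed as a Sigma or EDR query, with the agent list extended to whatever RMM tools are sanctioned in the estate.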