MuddyWater APT deploys new techniques — not without the help of AI
📊 Analytics | 2026-03-13, 08:33
Group-IB analyzed a new campaign in the MENA region and attributed it to the Iranian APT MuddyWater. The attackers' core tactics remain consistent for this group, but researchers identified new malware variants.
One notable sample is the CHAR backdoor, which uses a Telegram bot as its C2 channel. This approach became widespread last year: routing C2 traffic through the Telegram API helps it blend in with legitimate traffic while reducing infrastructure costs. However, if researchers discover the bot's username, it can reveal valuable insight into the malicious activity: for example, Group-IB extracted it from a malware sample and analyzed the commands that had been executed.
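The flip side of Telegram-bot C2 is that every Bot API call carries the bot's numeric identifier in the URL path (`/bot<bot_id>:<secret>/<method>`), which gives defenders a pivot point in proxy logs. The following is an added example, not code from the Group-IB report, that scans a constructed proxy log for Bot API calls made by processes that are not known Telegram clients and groups them by host, process and bot id; the log format and the list of known clients are assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed sample proxy log (not from the report): timestamp, host, initiating process, method, URL
SAMPLE_PROXY_LOG = """\
2026-03-12T09:14:02Z ws-017 chrome.exe GET https://web.telegram.org/k/
2026-03-12T09:14:07Z ws-017 hostsvc.exe POST https://api.telegram.org/bot123456789:AAExampleTokenPlaceholder/getUpdates
2026-03-12T09:14:09Z ws-017 hostsvc.exe POST https://api.telegram.org/bot123456789:AAExampleTokenPlaceholder/sendMessage
2026-03-12T09:15:30Z ws-042 Telegram.exe GET https://api.telegram.org/file/bot987654321:AAAnotherPlaceholder/photos/1.jpg
2026-03-12T09:16:11Z ws-017 hostsvc.exe POST https://api.telegram.org/bot123456789:AAExampleTokenPlaceholder/sendDocument
"""

# Telegram Bot API method calls look like https://api.telegram.org/bot<bot_id>:<secret>/<method>
BOT_API_RE = re.compile(r"https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")

# Processes expected to talk to Telegram on a workstation (assumption; tune per environment)
KNOWN_TELEGRAM_CLIENTS = {"telegram.exe", "chrome.exe", "firefox.exe", "msedge.exe"}


def parse_line(line):
    """Split one constructed log line into its five fields."""
    ts, host, proc, method, url = line.split(maxsplit=4)
    return {"ts": ts, "host": host, "proc": proc, "method": method, "url": url}


def find_bot_c2_candidates(log_text):
    """Return {(host, process, bot_id): {"first_seen", "methods"}} for Bot API calls
    issued by processes outside KNOWN_TELEGRAM_CLIENTS."""
    findings = defaultdict(lambda: {"first_seen": None, "methods": []})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        m = BOT_API_RE.search(rec["url"])
        if not m or rec["proc"].lower() in KNOWN_TELEGRAM_CLIENTS:
            continue
        bot_id, _secret, api_method = m.groups()  # the secret is deliberately not stored
        entry = findings[(rec["host"], rec["proc"], bot_id)]
        entry["first_seen"] = entry["first_seen"] or rec["ts"]
        entry["methods"].append(api_method)  # getUpdates = polling for tasks, send* = exfil/results
    return dict(findings)


if __name__ == "__main__":
    for (host, proc, bot_id), info in find_bot_c2_candidates(SAMPLE_PROXY_LOG).items():
        print(f"{host} {proc} bot_id={bot_id} first_seen={info['first_seen']} methods={info['methods']}")
```

The numeric bot id is what you pivot on across hosts and samples; a polling pattern of `getUpdates` followed by `sendMessage`/`sendDocument` from a non-client process is the behaviour worth alerting on.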
Interestingly, the new backdoor contained traces of code generated with the help of AI. This once again shows how AI enables threat actors to rapidly expand their arsenal with trending attack techniques.