Threat Intelligence, Critical Infrastructure Security

Extensive MuddyWater-like attack campaign against Middle Eastern critical infrastructure detailed

Iran Flag Digital Binary Code Cyberpunk Technology Concept

Multiple aviation, energy, government, and other critical infrastructure organizations across the Middle East have been targeted by a threat group akin to Iranian state-backed operation MuddyWater in a massive reconnaissance and data exfiltration campaign that commenced in early February, according to GBHackers News.

Attackers harnessed five security vulnerabilities including the SmarterMail remote code execution flaw, tracked as CVE-2025-52691, and the Langflow RCE bug, tracked as CVE-2025-34291 to infiltrate over 12,000 internet-exposed systems before launching brute-force intrusions aimed at Outlook Web Access in a bid to achieve persistence and siphon data, a report from Oasis Security revealed. Initially scattered targeting of Middle Eastern entities eventually led to more focused attacks against the region's aviation and energy industries, with the threat operation having pilfered passport and visa records, payroll details, credit card information, and corporate files from an Egyptian aviation firm.

Further analysis of the campaign revealed its command-and-control infrastructure to be hosted on a Netherlands-based IP, as well as feature controllers and binaries resembling previous MuddyWater tradecraft.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds