Nation-state | Mar 18, 2026

Boggy Serpens Threat Assessment

Unit 42 reports that Iranian threat group Boggy Serpens (also known as MuddyWater, attributed to MOIS) is evolving its cyberespionage operations with AI-enhanced malware, Rust-based tools, and refined social engineering tactics targeting diplomatic, energy, maritime, and financial sectors across the Middle East and globally. The group has shifted from high-volume noisy campaigns to stealthy persistent operations using trusted relationship compromises, with four documented attack waves against a UAE marine and energy company between August 2025 and February 2026.


Full text

By: Unit 42
Published: March 16, 2026
Categories: Cybercrime, Nation-State Cyberattacks, Threat Actor Groups, Threat Research
Tags: Advanced Persistent Threat, Boggy Serpens, C2, LampoRAT, Malware, MuddyWater, Nation-state, Remote Access Trojan, Spear Phishing

Executive Summary

We have been tracking ongoing cyberespionage campaigns by the threat group Boggy Serpens, also known as MuddyWater. Attributed to the Iranian Ministry of Intelligence and Security (MOIS), the group consistently targets diplomatic and critical infrastructure – including energy, maritime and finance – across the Middle East and other strategic targets around the world.

We provide a comprehensive threat assessment of Boggy Serpens’ activities over the last year. Our analysis reveals a highly adaptable threat actor that has refined its operational strategy to focus on trusted relationship compromises and multi-wave targeting of key strategic organizations.

While social engineering remains its defining trait, the group is also increasing its technological capabilities. Its diverse toolset includes AI-enhanced malware implants that incorporate anti-analysis techniques for long-term persistence. This combination of social engineering and rapidly developed tools creates a potent threat profile.

Boggy Serpens primarily leverages hijacked accounts to wage its attacks, targeting high-profile victims like diplomats and IT vendors. The attackers exploit this access to bypass reputation-based blocking and utilize a secondary social engineering prompt to deliver malware.

The group’s determination is best exemplified by a sustained campaign against a national marine and energy company in the UAE. We outline four distinct waves of attack against this single entity from August 2025 through February 2026, demonstrating the group’s attempts to infiltrate regional maritime infrastructure.

To maintain access, the group has matured its development approach, employing AI-generated code and Rust-based tools like the BlackBeard backdoor to rapidly deploy custom implants. Additionally, the group leverages standard HTTP status codes, customized User Datagram Protocol (UDP)-based traffic, and the Telegram API for command and control (C2).

Palo Alto Networks customers are better protected against the threats discussed in this article through Cortex XDR and XSIAM, the Cortex Advanced Email Security module, Advanced WildFire, Advanced URL Filtering and Advanced DNS Security. Cortex’s AgentiX Agentic Assistant can assist investigations by providing context and insights, as well as recommendations for actions to take. If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Boggy Serpens Overview

Boggy Serpens is an Iranian nation-state cyberespionage group active since at least 2017. Assessed to be a subordinate element of the MOIS, the group has primarily targeted government, military and critical infrastructure sectors across the Middle East, the Caucasus, Central and Western Asia, South America and Europe.

Early campaigns by this group were characterized by a high-volume, low-sophistication operational style. Boggy Serpens favored speed over stealth, frequently launching noisy and widespread spear phishing campaigns. These campaigns heavily relied on living-off-the-land (LOTL) tactics, abusing legitimate remote monitoring and management (RMM) tools like Atera, ScreenConnect and SimpleHelp, alongside publicly available utilities such as LaZagne and CrackMapExec.

Recent campaigns reflect the group’s prioritization of long-term persistence, stealthier tactics, techniques and procedures (TTPs) and advanced defense evasion techniques. This is evidenced by its adoption of the Rust programming language and the integration of AI-assisted techniques into its malware development lifecycle.

Boggy Serpens is likely benefiting from a significant influx of resources and cross-unit coordination. Early 2025 operations highlighted operational overlaps with Evasive Serpens, also known as Lyceum (a subgroup of OilRig), indicating shared resources and intelligence coordination within the Iranian threat landscape.

While the group’s focus remains cyberespionage, Boggy Serpens has conducted disruptive operations in the past. In February 2023, the group targeted the Technion Israel Institute of Technology, masquerading as the DarkBit ransomware gang. The operation disrupted academic infrastructure under the guise of financial crime, masking its state-sponsored origins. This tactic introduced an additional dimension of psychological warfare through false flags and intimidation.

Over the last year, Boggy Serpens has implemented a more effective “trusted relationship compromise” model to bypass perimeter defenses. This technique relies on hijacking legitimate internal accounts. Boggy Serpens misuses established credibility to deliver malware that evades standard reputation-based filtering. Once access is established, the group sustains operations using custom-compiled toolkits.

The group’s targeting has expanded beyond government entities to encompass the maritime, aviation and financial sectors, reflecting a heightened interest in regional logistics and critical economic infrastructure. Recent campaigns have struck entities in Israel, Hungary, Turkey, Saudi Arabia, the UAE, Turkmenistan, Egypt and South America. These attacks demonstrate an ability to pivot between sectors while conducting multiple, consecutive attacks against different targets.

Figure 1 shows a chronological overview of the phishing campaigns and specific regional entities targeted throughout the last year that we attribute with high confidence to Boggy Serpens.

Figure 1. Identified Boggy Serpens campaigns from April 2025 to February 2026.

Campaigns, Phishing Themes and Documents Analysis

Our analysis of Boggy Serpens phishing activity in 2025 and early 2026 reveals a significant shift in Boggy Serpens’ tradecraft, characterized by tailored social engineering lures and the deployment of specialized toolkits for mass email distribution and account exploitation.

Persistent Targeting of Critical Infrastructure

A defining example of Boggy Serpens’ recent operations is the targeting of an energy and marine services company in the UAE. The organization is a high-value industrial entity with significant ties to the local sovereign establishment. Beyond its domestic significance, the company serves as a critical node in the regional energy supply chain, maintaining a long-term strategic partnership with Saudi Aramco – another known target of Iranian state cyber operations. Compromising these assets grants the actor a potential foothold within vital energy networks across the UAE and Saudi Arabia, enabling continued reconnaissance and access.

Over a six-month period, we observed four distinct attack waves targeting this UAE-based entity, each using lures customized to different internal departments. This persistence suggests a specific mandate to infiltrate regional maritime and engineering infrastructure.

Wave 1: Engineering Theme – Aug. 16, 2025

The initial campaign targeted project engineers using industry-specific terminology for subsea pipelines. The lure document was blurred in order to deceive targets into clicking “Enable Content,” thereby triggering the execution of the embedded macro. Figure 2 shows the document.

Figure 2. Lure document containing engineering terms to mimic a status update.

Wave 2: Financial Deception – Jan. 30, 2026

Shifting its focus to the finance and supply chain departments, in a subsequent attack the group deployed an Excel file
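The report notes that the group uses the Telegram API as one of its C2 channels (T1071.001). The following hunting script is an added example written for this page, not code from Unit 42 or from the report; it runs over constructed proxy log lines and assumes the proxy records the full request URL and the originating process name, and that `telegram.exe` is a hypothetical sanctioned client on the estate.

```python
import re
from collections import defaultdict

# Constructed sample web-proxy log lines (timestamp host process url); not from the report.
SAMPLE_LOGS = [
    "2026-02-03T09:00:01Z ws-eng-07 svchost.exe https://api.telegram.org/bot7312:AAEx1/getUpdates",
    "2026-02-03T09:01:01Z ws-eng-07 svchost.exe https://api.telegram.org/bot7312:AAEx1/getUpdates",
    "2026-02-03T09:02:02Z ws-eng-07 svchost.exe https://api.telegram.org/bot7312:AAEx1/sendDocument",
    "2026-02-03T09:02:30Z ws-fin-02 chrome.exe https://web.telegram.org/k/",
    "2026-02-03T09:03:00Z ws-fin-02 telegram.exe https://api.telegram.org/bot9999:BBB/getMe",
    "2026-02-03T09:05:00Z ws-eng-07 svchost.exe https://example.com/update",
]

# Bot API calls always carry the bot token in the path: /bot<token>/<method>
BOT_API_RE = re.compile(r"https://api\.telegram\.org/bot(?P<token>[^/?]+)/(?P<method>\w+)")
# Hypothetical allow-list of sanctioned Telegram clients on the estate
ALLOWED_PROCS = {"telegram.exe"}
MIN_HITS = 2  # require repeated use before alerting on a host/process pair


def redact(token):
    """Keep only a short prefix so the alert can be correlated without leaking the token."""
    return token[:4] + "..."


def find_bot_api_c2(lines, min_hits=MIN_HITS):
    """Return (host, process) pairs that repeatedly call the Telegram Bot API.

    A non-messaging process such as svchost.exe polling getUpdates and uploading
    with sendDocument matches the C2 pattern; sanctioned clients are ignored.
    """
    seen = defaultdict(lambda: {"count": 0, "methods": set(), "token": None})
    for line in lines:
        _ts, host, proc, url = line.split(" ", 3)
        m = BOT_API_RE.search(url)
        if m is None or proc.lower() in ALLOWED_PROCS:
            continue
        rec = seen[(host, proc)]
        rec["count"] += 1
        rec["methods"].add(m.group("method"))
        rec["token"] = redact(m.group("token"))
    return [
        {"host": h, "process": p, "count": r["count"],
         "methods": sorted(r["methods"]), "token": r["token"]}
        for (h, p), r in sorted(seen.items()) if r["count"] >= min_hits
    ]


if __name__ == "__main__":
    for alert in find_bot_api_c2(SAMPLE_LOGS):
        print(alert)
```

Where TLS inspection is not in place the proxy will only see the hostname, so the same idea has to be applied to endpoint telemetry that records per-process destinations instead of URLs.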

Indicators of Compromise

  • malware — BlackBeard
  • malware — LampoRAT
  • mitre_attack — T1566.002
  • mitre_attack — T1199
  • mitre_attack — T1071.001
  • mitre_attack — T1571