AI-Enhanced Cyberespionage — Multi-Wave Campaign Against Critical Infrastructure
Iranian threat group Boggy Serpens — also tracked as MuddyWater, G0069, and TA450 — has significantly escalated its cyberespionage operations from April 2025 through March 2026. The group is attributed with high confidence to Iran's Ministry of Intelligence and Security (MOIS) and has demonstrated a marked evolution in tradecraft: moving from high-volume, noisy phishing operations to precision multi-wave campaigns against diplomats, maritime operators, energy companies, and financial institutions. Most significantly, the group has integrated AI-generated code and Rust-based implants into its toolchain, dramatically accelerating custom malware development and complicating detection and reverse engineering.
Boggy Serpens is an Iranian state-sponsored cyber espionage group active since 2017. Its mission is intelligence collection in support of Iran's Ministry of Intelligence and Security — targeting government ministries, diplomatic missions, energy infrastructure, maritime operators, and financial institutions across the Middle East, Europe, Central Asia, and the Americas.
What changed in 2025 is not the target profile — it is the operational sophistication. The group shifted from noisy, high-volume phishing to precision multi-wave campaigns built on compromised trusted accounts, AI-assisted malware development, and custom implants designed specifically to defeat behavioral detection and evade reverse engineering.
The defining operation of this reporting period was a six-month, four-wave campaign against a UAE-based marine and energy company with strategic links to regional energy supply chains. Each wave was tailored to a different business unit — engineering, finance, operations — demonstrating a specific mandate to penetrate the organization at every level.
| Sector | Risk Level | Why Targeted | Observed Activity |
|---|---|---|---|
| Government & Diplomatic | CRITICAL | Intelligence collection; diplomatic access; policy intelligence | Compromised ministry accounts; fabricated diplomatic invitations |
| Energy & Maritime | CRITICAL | Strategic infrastructure disruption; energy supply chain intelligence | Four-wave sustained campaign against UAE marine and energy company |
| Aviation | HIGH | Critical infrastructure access; national security implications | Confirmed targeting across Middle East aviation sector |
| Financial Services | HIGH | Financial intelligence; sanctions evasion support | Active targeting confirmed in Middle East financial sector |
| Telecommunications | MEDIUM | Communication interception; network access for lateral expansion | Historical targeting consistent with current operational profile |
The 2026 Unit 42 Global Incident Response Report documents that 65% of all initial access in major incidents was driven by identity-based techniques — stolen credentials, token abuse, and account compromise — consistent with Boggy Serpens' core methodology. Organizations that have not implemented phishing-resistant MFA and behavioral email analytics are systematically exposed to this actor's primary attack chain.
Boggy Serpens (MITRE ATT&CK G0069) is an Iranian advanced persistent threat group assessed with high confidence to be a subordinate element of Iran's Ministry of Intelligence and Security (MOIS). Also tracked as MuddyWater, Seedworm, TA450, Earth Vetala, MERCURY, and Mango Sandstorm, the group has been active since at least 2017 with consistent targeting of government, diplomatic, telecommunications, energy, and financial sector organizations across the Middle East, Asia, Africa, Europe, and North America.
The group's historical tradecraft relied heavily on living-off-the-land (LotL) techniques, abusing legitimate remote monitoring and management (RMM) tools including Atera, ScreenConnect, SimpleHelp, and PDQ RMM, alongside public post-exploitation utilities including LaZagne and CrackMapExec. From 2025 forward, Unit 42 and Group-IB analysis documents a deliberate shift toward custom-compiled toolkits, including Rust-based backdoors, UDP-based implants, and AI-assisted malware development — a maturation that significantly complicates detection and incident response.
The following technique table maps observed Boggy Serpens TTPs to MITRE ATT&CK Enterprise v18 (October 2025), sourced from Unit 42 Threat Assessment and Group-IB analysis of the October 2025 Phoenix backdoor campaign.
| Technique ID | Tactic | Technique Name | Observed Implementation | Freq |
|---|---|---|---|---|
| T1566.001 | Initial Access | Phishing: Spearphishing Attachment | Macro-laden Excel and Word documents; lures tailored to target department and geography | HIGH |
| T1078 | Initial Access | Valid Accounts | Compromised government and corporate mailboxes used as trusted senders; a compromised Omani Ministry of Foreign Affairs (MFA) mailbox used to target 100+ embassies | HIGH |
| T1059.001 | Execution | PowerShell | POWERSTATS first-stage backdoor; VBA macros dropping PS-based loaders | HIGH |
| T1059.005 | Execution | Visual Basic | Dual VBA builder tracks — Phoenix Lineage and UDPGangster Operations sharing identical decryption key and novaservice.exe path | HIGH |
| T1053.005 | Persistence | Scheduled Task / Job | Scheduled tasks used for persistence across victim environments following initial compromise | HIGH |
| T1071.001 | Command & Control | Application Layer Protocol: Web Protocols | BlackBeard communicates via standard HTTP status codes for tasking; data embedded in headers | HIGH |
| T1095 | Command & Control | Non-Application Layer Protocol | UDPGangster uses UDP channels for command execution, data exfiltration, and payload delivery — bypassing TCP-focused defenses | HIGH |
| T1102.002 / T1132 | Command & Control | Web Service: Bidirectional Communication / Data Encoding | Telegram API used for C2 in select campaigns; tasking and results encoded in HTTP headers | MED |
| T1041 | Exfiltration | Exfiltration Over C2 Channel | Data exfiltration via established C2 channels — HTTP, UDP, and Telegram API | HIGH |
| T1027 | Defense Evasion | Obfuscated Files or Information | Rust-compiled tooling (BlackBeard) is markedly harder to reverse engineer than the group's script-based loaders: stripped symbols, aggressive inlining, monomorphized generics and immature decompiler support inflate the binary and obscure control flow; AI-generated code incorporates anti-analysis techniques | HIGH |
| T1219 | Command & Control | Remote Access Tools | Historical: Atera, ScreenConnect, SimpleHelp, PDQ RMM abused for LotL persistence; decreasing frequency in 2025–26 | MED |
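The UDP channel (T1095) and the HTTP tasking channel (T1071.001) in the table are both visible in flow telemetry before any payload has been recovered. The following is an added example, not Unit 42 or Group-IB code, that scores Zeek-style conn.log records for those two shapes: sustained two-way UDP to a port that carries no known service, and machine-regular connection intervals to a single web destination. The field order mirrors Zeek's conn.log, the port allow-list and thresholds are assumptions to tune per environment, and every log row is constructed.

```python
"""Score Zeek-style conn.log records for two C2 shapes seen in the technique table.

Added example, not Unit 42 or Group-IB tooling. T1095: sustained two-way UDP to a
port with no known UDP service (the UDPGangster channel shape). T1071.001:
machine-regular connection intervals to one web destination (beaconing).
Field order mirrors Zeek conn.log; thresholds and the port allow-list are
assumptions; every record below is constructed, not captured traffic.
"""
import statistics
from collections import defaultdict

# UDP ports that legitimately carry sustained traffic (assumed baseline; tune per site).
KNOWN_UDP_PORTS = {53, 67, 68, 123, 443, 500, 1900, 3478, 4500, 5353, 51820}

# Constructed records: (ts, id.orig_h, id.resp_h, id.resp_p, proto, orig_bytes, resp_bytes)
SAMPLE_CONN_LOG = [
    # host A, UDPGangster-like: 40 two-way UDP flows to port 9001, one every 60 s
    *[(1_700_000_000 + 60 * i, "10.0.0.5", "203.0.113.9", 9001, "udp", 220, 180) for i in range(40)],
    # host A, ordinary DNS: high count, but a known UDP service
    *[(1_700_000_000 + 7 * i, "10.0.0.5", "10.0.0.2", 53, "udp", 60, 120) for i in range(40)],
    # host B, HTTP beacon: 12 connections exactly 300 s apart, small bodies
    *[(1_700_000_000 + 300 * i, "10.0.0.7", "198.51.100.4", 80, "tcp", 310, 95) for i in range(12)],
    # host B, human browsing: bursty, irregular intervals
    *[(1_700_000_000 + t, "10.0.0.7", "198.51.100.50", 443, "tcp", 1500, 40000)
      for t in (3, 40, 41, 200, 900, 901, 4000, 4002, 9000)],
]


def group_flows(records):
    """Bucket records by (src, dst, dst_port, proto)."""
    flows = defaultdict(list)
    for ts, src, dst, dport, proto, orig_bytes, resp_bytes in records:
        flows[(src, dst, dport, proto)].append((ts, orig_bytes, resp_bytes))
    return flows


def beacon_score(timestamps, min_points=5):
    """Coefficient of variation of the inter-connection gaps; near 0 means a fixed timer."""
    if len(timestamps) < min_points:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean == 0:
        return None
    return statistics.pstdev(gaps) / mean


def find_udp_c2_candidates(records, min_flows=10):
    """T1095: repeated two-way UDP to a port that carries no known service."""
    hits = []
    for (src, dst, dport, proto), entries in group_flows(records).items():
        if proto != "udp" or dport in KNOWN_UDP_PORTS or len(entries) < min_flows:
            continue
        bytes_out = sum(e[1] for e in entries)
        bytes_in = sum(e[2] for e in entries)
        if bytes_out and bytes_in:  # both directions carry data: tasking in, results out
            hits.append({"src": src, "dst": dst, "dport": dport, "flows": len(entries),
                         "bytes_out": bytes_out, "bytes_in": bytes_in,
                         "jitter": beacon_score([e[0] for e in entries])})
    return hits


def find_http_beacons(records, max_jitter=0.1, min_conns=8):
    """T1071.001: low-jitter repeated connections to a single web destination."""
    hits = []
    for (src, dst, dport, proto), entries in group_flows(records).items():
        if proto != "tcp" or dport not in (80, 443, 8080, 8443) or len(entries) < min_conns:
            continue
        cv = beacon_score([e[0] for e in entries])
        if cv is not None and cv <= max_jitter:
            hits.append({"src": src, "dst": dst, "dport": dport,
                         "conns": len(entries), "jitter": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_udp_c2_candidates(SAMPLE_CONN_LOG) + find_http_beacons(SAMPLE_CONN_LOG):
        print(hit)
```

Both detections are about shape, not content, so they survive the actor's encoding tricks but also fire on legitimate agents with fixed check-in timers (backup clients, monitoring agents); treat a hit as a triage lead and pivot to the process that owns the socket. The UDP channel is caught by port and volume rather than by any implant-specific marker, which is the property you want when the implant is recompiled.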
The group's toolchain expanded significantly over this reporting period, with three newly identified malware families representing a departure from earlier reliance on public RMM tools and PowerShell-based loaders. The integration of Rust as an implementation language and AI-assisted code generation marks a meaningful capability development milestone.
| Name | Also Known As | Language | C2 Protocol | Primary Function | Status |
|---|---|---|---|---|---|
| BlackBeard | — | Rust | HTTP (status codes for tasking; data in headers) | Backdoor; persistence; lateral movement. Rust compilation (stripped symbols, heavy inlining, limited decompiler support) hinders static analysis. | NEW 2025 |
| Nuso | HTTP_VIP | Unknown | Custom HTTP | Custom HTTP backdoor; deployed in Wave 4 of UAE campaign. Distinct payload family introduced mid-campaign. | NEW 2026 |
| UDPGangster | — | Unknown | UDP | Command execution; data exfiltration; payload delivery via UDP. Bypasses TCP-focused network defenses. | NEW 2025 |
| GhostBackDoor | — | Unknown | Unknown | Backdoor deployed in UAE campaign alongside Nuso. Limited public technical documentation. | NEW 2026 |
| Phoenix | — | VBA / loader | HTTP | Full backdoor delivered via Phoenix Lineage VBA builder track. Shares decryption key with UDPGangster — common development pipeline. | Active |
| LampoRAT | CHAR | Unknown | Unknown | Remote access trojan in active toolset. Limited public technical documentation. | Active |
| POWERSTATS | — | PowerShell | HTTP / HTTPS | First-stage backdoor; hallmark Boggy Serpens tool since 2017. Continued use alongside newer custom tooling. | Legacy · Active |
On October 3, 2025, Unit 42 identified 157.20.182[.]75 hosting a custom Python web server on port 5000, assessed to be the group's mass email delivery platform. The platform lets operators automate large-scale phishing while keeping granular control over sender identities and target lists, a formalization of what had previously been ad hoc phishing operations.

Group-IB's analysis of the October 2025 Phoenix backdoor campaign identified the C2 domain screenai[.]online, registered on August 17, 2025 through Namecheap and fronted by Cloudflare, with the origin server at 159.198.36[.]115. The C2 was active for roughly five days before takedown, consistent with the group's pattern of short, tightly controlled attack windows. The origin initially answered with a Uvicorn server banner and later switched to Apache, indicating hands-on management of the server and some operational security awareness during the campaign window.
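Banner tracking is how a change like the Uvicorn-to-Apache switch described above becomes a repeatable signal rather than a one-off observation. The following is an added example, not Group-IB or Unit 42 tooling: it normalises the HTTP Server header from periodic banner grabs of one host into a software fingerprint, reports each transition, and flags a Python application server exposed on a non-standard port such as 5000. The snapshot times and the Apache version string are constructed; the uvicorn, cloudflare and Werkzeug banner formats are what those servers actually send.

```python
"""Track web-server banner changes on suspected C2 infrastructure.

Added example, not Unit 42 or Group-IB tooling. Given periodic banner grabs of
one host (response headers keyed by capture time) it normalises the Server
header into a software fingerprint, reports each transition, and flags a
Python application server exposed on a non-standard port. Snapshot times and
the Apache version string are constructed; the "uvicorn", "cloudflare" and
Werkzeug banner formats are what those servers really send.
"""
import re

# Banner regex -> (fingerprint, is_python_app_server). Assumed starter list; extend per scanner.
SERVER_PATTERNS = [
    (re.compile(r"uvicorn", re.I), ("uvicorn", True)),
    (re.compile(r"werkzeug|python/\d", re.I), ("werkzeug", True)),
    (re.compile(r"gunicorn", re.I), ("gunicorn", True)),
    (re.compile(r"apache", re.I), ("apache", False)),
    (re.compile(r"nginx", re.I), ("nginx", False)),
    (re.compile(r"cloudflare", re.I), ("cloudflare-edge", False)),
]


def fingerprint(headers):
    """Map a response-header dict to (fingerprint, is_python_app_server)."""
    server = ""
    for name, value in headers.items():  # header names are case-insensitive
        if name.lower() == "server":
            server = value
            break
    if not server:
        return ("none", False)
    for pattern, fp in SERVER_PATTERNS:
        if pattern.search(server):
            return fp
    return ("unknown:" + server.strip(), False)


def banner_changes(snapshots):
    """snapshots: list of (capture_time, headers) in time order. Returns (time, old, new)."""
    changes = []
    prev = None
    for ts, headers in snapshots:
        fp, _ = fingerprint(headers)
        if prev is not None and fp != prev:
            changes.append((ts, prev, fp))
        prev = fp
    return changes


def python_app_server_on_odd_port(port, headers, expected_ports=(80, 443)):
    """True when a Python app server answers directly on a port like 5000."""
    _, is_python = fingerprint(headers)
    return is_python and port not in expected_ports


# Constructed: direct grabs of an origin IP over consecutive days, then silence.
ORIGIN_SNAPSHOTS = [
    ("2025-08-18T02:00:00Z", {"server": "uvicorn", "content-type": "text/html; charset=utf-8"}),
    ("2025-08-19T02:00:00Z", {"server": "uvicorn", "content-type": "text/html; charset=utf-8"}),
    ("2025-08-20T02:00:00Z", {"Server": "Apache/2.4.58 (Ubuntu)", "Content-Type": "text/html"}),
    ("2025-08-22T02:00:00Z", {}),  # connection refused: no headers captured
]
# Constructed: the same request sent through the Cloudflare-fronted domain.
EDGE_SNAPSHOT = {"Server": "cloudflare", "Content-Type": "text/html"}
# Constructed: a Flask development server (Werkzeug) answering on port 5000.
DEV_SERVER_SNAPSHOT = {"Server": "Werkzeug/3.0.1 Python/3.11.2", "Content-Type": "text/html"}

if __name__ == "__main__":
    for change in banner_changes(ORIGIN_SNAPSHOTS):
        print("banner change at %s: %s -> %s" % change)
    print("via edge only:", fingerprint(EDGE_SNAPSHOT))
    print("python app server on 5000:", python_app_server_on_odd_port(5000, DEV_SERVER_SNAPSHOT))
```

Grab the origin IP directly: a request through the Cloudflare-fronted domain only returns the edge banner, which is why the origin address in the IOC table is the more useful pivot for this kind of tracking.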
| Indicator | Type | Context |
|---|---|---|
| 157.20.182[.]75 | IP Address | Mass email delivery platform — Python server port 5000, observed October 2025 |
| screenai[.]online | Domain | Phoenix backdoor C2 — August 2025, active ~5 days |
| 159.198.36[.]115 | IP Address | Origin server behind the Cloudflare front for screenai[.]online; hosted in a Namecheap-operated ASN |
| novaservice.exe | File Path | Shared file path across Phoenix Lineage and UDPGangster; together with the shared decryption key, indicates a common development pipeline |
| Consumption Report (Jan 21 2025 – Feb 20 2026).xls | Filename | Wave 4 lure document delivering Nuso HTTP backdoor — UAE marine/energy target |
Note: IOCs are defanged for safe handling. Refang them (remove the bracket notation so that, for example, 157.20.182[.]75 becomes a plain dotted address) before loading into detection tooling. Defanging is a sharing hygiene practice, not part of TLP; this document is TLP:CLEAR (TLP:WHITE under TLP 1.0). Additional IOCs are available in the Unit 42 Boggy Serpens Threat Assessment published March 2026.
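The table's indicators are published in two different defanging styles and mix IPs, a domain, a filename and a lure document name, so a hunt over historical telemetry has to normalise them before matching. The following is an added example, not Unit 42 or Group-IB tooling, that refangs the table's entries, classifies each one, and matches them against constructed Sysmon events (Event ID 1 process create, 3 network connection, 11 file create, 22 DNS query) reduced to the fields used here. Host names, paths and the benign addresses are constructed.

```python
"""Refang the IOCs from the table above and match them against endpoint telemetry.

Added example, not Unit 42 or Group-IB tooling. The telemetry records are
constructed Sysmon events reduced to the fields used here: Event ID 1 (process
create), 3 (network connection), 11 (file create) and 22 (DNS query).
"""
import ipaddress
import re

DEFANG_DOT = re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.I)
NON_DOMAIN_EXT = (".exe", ".dll", ".xls", ".xlsx", ".doc", ".docx", ".ps1", ".vbs")


def refang(ioc):
    """Undo common defanging: x[.]y, x(.)y, hxxp://, [:]// and [@]."""
    s = DEFANG_DOT.sub(".", ioc.strip())
    s = re.sub(r"^hxxps?(?=://)", lambda m: m.group(0).lower().replace("xx", "tt"), s, flags=re.I)
    return s.replace("[:]", ":").replace("[@]", "@")


def classify(ioc):
    """Return 'ip', 'domain' or 'file' for a refanged indicator."""
    value = refang(ioc)
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    looks_like_host = re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", value, re.I)
    if looks_like_host and not value.lower().endswith(NON_DOMAIN_EXT):
        return "domain"
    return "file"


def build_index(iocs):
    """Refanged, lower-cased indicators grouped by kind."""
    index = {"ip": set(), "domain": set(), "file": set()}
    for ioc in iocs:
        index[classify(ioc)].add(refang(ioc).lower())
    return index


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_events(events, iocs):
    """Return (host, kind, value) for each event that touches an indicator."""
    index = build_index(iocs)
    hits = []
    for ev in events:
        eid = ev["event_id"]
        if eid == 1 and basename(ev["Image"]) in index["file"]:
            hits.append((ev["host"], "process", ev["Image"]))
        elif eid == 11 and basename(ev["TargetFilename"]) in index["file"]:
            hits.append((ev["host"], "file", ev["TargetFilename"]))
        elif eid == 22 and ev["QueryName"].lower().rstrip(".") in index["domain"]:
            hits.append((ev["host"], "dns", ev["QueryName"]))
        elif eid == 3 and ev["DestinationIp"] in index["ip"]:
            hits.append((ev["host"], "netconn", ev["DestinationIp"]))
    return hits


# The table's indicators, in the mixed defanging styles they were published with.
PAGE_IOCS = [
    "157.20.182[.]75",
    "screenai[.]online",
    "159[.]198[.]36[.]115",
    "novaservice.exe",
    "Consumption Report (Jan 21 2025 – Feb 20 2026).xls",
]

# Constructed telemetry. Benign addresses use documentation ranges.
TELEMETRY = [
    {"event_id": 1, "host": "WS-ENG-07",
     "Image": r"C:\Users\a.khan\AppData\Local\Temp\novaservice.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"event_id": 1, "host": "WS-FIN-03",
     "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"event_id": 22, "host": "WS-ENG-07", "QueryName": "screenai.online"},
    {"event_id": 22, "host": "WS-FIN-03", "QueryName": "login.microsoftonline.com"},
    {"event_id": 3, "host": "WS-ENG-07", "DestinationIp": "159.198.36.115", "DestinationPort": 443},
    {"event_id": 3, "host": "WS-FIN-03", "DestinationIp": "198.51.100.20", "DestinationPort": 443},
    {"event_id": 11, "host": "WS-ENG-07",
     "TargetFilename": r"C:\Users\a.khan\Downloads\Consumption Report (Jan 21 2025 – Feb 20 2026).xls"},
]

if __name__ == "__main__":
    for host, kind, value in match_events(TELEMETRY, PAGE_IOCS):
        print(f"{host}: {kind} matched {value}")
```

A filename-only match on novaservice.exe is weak evidence by itself; the pairing with an Office parent process, as in the constructed Event ID 1 record, is what makes it worth escalating. Because the C2 domain lived for only about five days, these indicators earn their keep mainly against retained historical DNS and connection logs rather than live traffic.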
Primary detection pivot: creation of a novaservice.exe process, a file path shared across the Phoenix Lineage and UDPGangster toolchains.

All technical content is sourced from publicly available threat research. No proprietary or classified data is reproduced. All IOCs are defanged; this document is TLP:CLEAR (TLP:WHITE under TLP 1.0).