Boggy Serpens Threat Assessment

    Date: 03/17/2026

    Severity: High

    Summary

    Boggy Serpens (also known as MuddyWater), an Iranian state-linked threat group associated with MOIS, continues to conduct cyberespionage campaigns targeting diplomatic entities and critical infrastructure sectors such as energy, maritime, and finance. The group relies heavily on social engineering and compromised trusted accounts to infiltrate high-value targets, often executing multi-wave attacks to maintain persistence. Its evolving capabilities include AI-enhanced malware, Rust-based tools like the BlackBeard backdoor, and the use of legitimate services such as Telegram for command-and-control, highlighting a blend of traditional tactics and modern tooling for sustained espionage operations.

    Indicators of Compromise (IOC) List

    URLs/Domains

    bootcamptg.org

    codefusiontech.org

    maxisteq.org

    miniquest.org

    Netivtech.org

    nomercys.it.com

    promoverse.org

    reminders.trahum.org

    screenai.online

    stratioai.org

    IP Addresses

    157.20.182.75

    64.7.198.12

    46.101.36.39

    159.198.68.25

    159.198.66.153

    Hashes (SHA-256)

    c3afd5ce1ca50a38438bb5026cca27bfbf2d8e786e03f323adceb8ad17517eca

    52d8fb9a11920f27b9a3b43f27c275767a57cdffc95af94b7b66433506287314

    b2c52fde1301a3624a9ceb995f2de4112d57fcbc6a4695799aec15af4fa0a122

    1c16b271c0c4e277eb3d1a7795d4746ce80152f04827a4f3c5798aaf4d51f6a1

    4db3645f678fb519b9f529dde41f77944754f574f16a9a845c22d3703da5bed0

    2c92c7bf2d6574f9240032ec6adee738edddc2ba8d3207eb102eddf4ab963db0

    23f3a98befdff13c802eed32eea754018b8b525ec0dd3afce8459a0287df74ec

    69e038b9f3a228f09059bc1ce92b1c5c49396bb70987a38df0fdb39eed380b22

    84e665a0dfbff74b4c356bfa282c7c253ae3411a8f4d58bfe121c8411c52552c

    6f079c1e2655ed391fb8f0b6bfafa126acf905732b5554f38a9d32d0b9ca407d

    7ea4b307e84c8b32c0220eca13155a4cf66617241f96b8af26ce2db8115e3d53

    f38a56b8dc0e8a581999621eef65ef497f0ac0d35e953bd94335926f00e9464f

    0ce54a5a6f061b158e3891aadd03773d0bae220b0316e84fc042a741924b3525

    167d5ab70f55c100e51833fbfea44048095889c162e1330df0631423fc547409

    4d2958d93d4650fc4a70f70663fe6943e8c11d61b2824512da296e8fd84e5bb9

    156b325231742a73ded4104fbde1c55ad3913d2eaf09b5194ef74c81ee3ba393

    cc2ec568f978f328b6de112670a1b35ca1f9db377ff32cb9d313a5b2ac3c127b

    7523e53c979692f9eecff6ec760ac3df5b47f172114286e570b6bba3b2133f58

    0be499354dc498248d27f6d186eb3bb75a607ae4a2c0a6734c76f1a1b7b1d316

    81a6e6416eb7ab6ce6367c6102c031e2ae2730c3c50ab9ce0b8668fec3487848

    47bb271c34210f52e3e08339a0c83688d9e9aa5c7cfc45b3e4bdffd1753f6cb2

    1b9e6fe4b03285b2e768c57e320d84323ac9167598395918d56a12e568b0009a

    9c207c51c448f96eaae91241a39c8bb85e2307f2d2a99244763a53176cf4c02f

    c91413ad7c94c0e2694862b9d671d1204873bf65576ba2cb91fbd562a4ccf79b

    668dd5b6fb06fe30a98dd59dd802258b45394ccd7cd610f0aaab43d801bf1a1e

    5ec5a2adaa82a983fcc42ed9f720f4e894652bd7bd1f366826a16ac98bb91839

    a2001892410e9f34ff0d02c8bc9e7c53b0bd10da58461e1e9eab26bdbf410c79

    1bcd8d7dc7bed5873bbdd2822e84e19773a33d659b16587ca9dc6db204447a86

    fc4a7eed5cb18c52265622ac39a5cef31eec101c898b4016874458d2722ec430

    8d2227f2c53d7e22a57e12c45cecdd43dbec08dbc3ab93e74e6df52cdf80548b

    5323a573e3f423b69ef965dadb3c059879d718b1c9052038ef749868cf361891

    File Names (PDB paths)

    C:\Users\win10\Desktop\phonix\phoenix\x64\Release\phoenix.pdb

    Char.pdb

    C:\Users\nuso\source\repos\http_vip\http_vip\f*ckAnalyzor.pdb

    C:\Users\nuso\source\repos\http_last_ver\http_last_ver\f*ckAnalyser.pdb

    D:\phonix\phoenixV3\phoenixV3\phoenixV2\x64\Release\phoenix.pdb

    C:\Users\win10\Desktop\phoenixV4\phoenixV3\phoenixV2\x64\Release\phoenix.pdb

    C:\Users\win10\Desktop\phoenixV4\phoenixV3\phoenixV2\x64\Debug\phoenix.pdb

    C:\Users\piper\source\repos\udp_3.0 - Copy\x64\release_86\udp_3.0.pdb

    C:\Users\gangster\source\repos\udp_3.0 - Copy - Copy\x64\release_86\udp_3.0.pdb

    C:\Users\SURGE\source\repos\udp_3.0 - Copy\x64\release_86\udp_3.0.pdb

    Keys

    kqdkc83pe81zmq709c4npejvto9eg20e

    jfdghkjfdgklhjdfhgsfd09g9045jlkdfjlkgedfg5949045dfjgdflgljkdfgdf

    Encryption IV

    ft3mqb65h4hc

    Telegram Bot Token

    8398566164:AAEJbk6EOirZ_ybm4PJ-q8mOpr1RkZx1H7Q

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "reminders.trahum.org" or siteurl like "reminders.trahum.org" or url like "reminders.trahum.org" or domainname like "nomercys.it.com" or siteurl like "nomercys.it.com" or url like "nomercys.it.com" or domainname like "Netivtech.org" or siteurl like "Netivtech.org" or url like "Netivtech.org" or domainname like "promoverse.org" or siteurl like "promoverse.org" or url like "promoverse.org" or domainname like "maxisteq.org" or siteurl like "maxisteq.org" or url like "maxisteq.org" or domainname like "bootcamptg.org" or siteurl like "bootcamptg.org" or url like "bootcamptg.org" or domainname like "screenai.online" or siteurl like "screenai.online" or url like "screenai.online" or domainname like "stratioai.org" or siteurl like "stratioai.org" or url like "stratioai.org" or domainname like "miniquest.org" or siteurl like "miniquest.org" or url like "miniquest.org" or domainname like "codefusiontech.org" or siteurl like "codefusiontech.org" or url like "codefusiontech.org"

    Detection Query 2:

    dstipaddress IN ("159.198.68.25","64.7.198.12","46.101.36.39","159.198.66.153","157.20.182.75") or srcipaddress IN ("159.198.68.25","64.7.198.12","46.101.36.39","159.198.66.153","157.20.182.75")

    Detection Query 3:

    sha256hash IN ("f38a56b8dc0e8a581999621eef65ef497f0ac0d35e953bd94335926f00e9464f","81a6e6416eb7ab6ce6367c6102c031e2ae2730c3c50ab9ce0b8668fec3487848","668dd5b6fb06fe30a98dd59dd802258b45394ccd7cd610f0aaab43d801bf1a1e","5323a573e3f423b69ef965dadb3c059879d718b1c9052038ef749868cf361891","7ea4b307e84c8b32c0220eca13155a4cf66617241f96b8af26ce2db8115e3d53","0be499354dc498248d27f6d186eb3bb75a607ae4a2c0a6734c76f1a1b7b1d316","6f079c1e2655ed391fb8f0b6bfafa126acf905732b5554f38a9d32d0b9ca407d","5ec5a2adaa82a983fcc42ed9f720f4e894652bd7bd1f366826a16ac98bb91839","84e665a0dfbff74b4c356bfa282c7c253ae3411a8f4d58bfe121c8411c52552c","2c92c7bf2d6574f9240032ec6adee738edddc2ba8d3207eb102eddf4ab963db0","52d8fb9a11920f27b9a3b43f27c275767a57cdffc95af94b7b66433506287314","69e038b9f3a228f09059bc1ce92b1c5c49396bb70987a38df0fdb39eed380b22","c91413ad7c94c0e2694862b9d671d1204873bf65576ba2cb91fbd562a4ccf79b","4db3645f678fb519b9f529dde41f77944754f574f16a9a845c22d3703da5bed0","1bcd8d7dc7bed5873bbdd2822e84e19773a33d659b16587ca9dc6db204447a86","b2c52fde1301a3624a9ceb995f2de4112d57fcbc6a4695799aec15af4fa0a122","156b325231742a73ded4104fbde1c55ad3913d2eaf09b5194ef74c81ee3ba393","0ce54a5a6f061b158e3891aadd03773d0bae220b0316e84fc042a741924b3525","a2001892410e9f34ff0d02c8bc9e7c53b0bd10da58461e1e9eab26bdbf410c79","167d5ab70f55c100e51833fbfea44048095889c162e1330df0631423fc547409","9c207c51c448f96eaae91241a39c8bb85e2307f2d2a99244763a53176cf4c02f","4d2958d93d4650fc4a70f70663fe6943e8c11d61b2824512da296e8fd84e5bb9","c3afd5ce1ca50a38438bb5026cca27bfbf2d8e786e03f323adceb8ad17517eca","8d2227f2c53d7e22a57e12c45cecdd43dbec08dbc3ab93e74e6df52cdf80548b","1b9e6fe4b03285b2e768c57e320d84323ac9167598395918d56a12e568b0009a","47bb271c34210f52e3e08339a0c83688d9e9aa5c7cfc45b3e4bdffd1753f6cb2","1c16b271c0c4e277eb3d1a7795d4746ce80152f04827a4f3c5798aaf4d51f6a1","23f3a98befdff13c802eed32eea754018b8b525ec0dd3afce8459a0287df74ec","7523e53c979692f9eecff6ec760ac3df5b47f172114286e570b6bba3b2133f58","cc2ec568f978f328b6de112670a1b35ca1f9db377ff32cb9d313a5b2ac3c127b","fc4a7eed5cb18c52265622ac39a5cef31eec101c898b4016874458d2722ec430")

    Detection Query 4:

    resourcesname like "Windows Security" AND eventtype = "4663" AND objectname IN ("C:\Users\win10\Desktop\phonix\phoenix\x64\Release\phoenix.pdb","Char.pdb","C:\Users\nuso\source\repos\http_vip\http_vip\f*ckAnalyzor.pdb","C:\Users\nuso\source\repos\http_last_ver\http_last_ver\f*ckAnalyser.pdb","D:\phonix\phoenixV3\phoenixV3\phoenixV2\x64\Release\phoenix.pdb","C:\Users\win10\Desktop\phoenixV4\phoenixV3\phoenixV2\x64\Release\phoenix.pdb","C:\Users\win10\Desktop\phoenixV4\phoenixV3\phoenixV2\x64\Debug\phoenix.pdb","C:\Users\piper\source\repos\udp_3.0 - Copy\x64\release_86\udp_3.0.pdb","C:\Users\gangster\source\repos\udp_3.0 - Copy - Copy\x64\release_86\udp_3.0.pdb","C:\Users\SURGE\source\repos\udp_3.0 - Copy\x64\release_86\udp_3.0.pdb")

    Detection Query 5:

    technologygroup = "EDR" AND objectname IN ("C:\Users\win10\Desktop\phonix\phoenix\x64\Release\phoenix.pdb","Char.pdb","C:\Users\nuso\source\repos\http_vip\http_vip\f*ckAnalyzor.pdb","C:\Users\nuso\source\repos\http_last_ver\http_last_ver\f*ckAnalyser.pdb","D:\phonix\phoenixV3\phoenixV3\phoenixV2\x64\Release\phoenix.pdb","C:\Users\win10\Desktop\phoenixV4\phoenixV3\phoenixV2\x64\Release\phoenix.pdb","C:\Users\win10\Desktop\phoenixV4\phoenixV3\phoenixV2\x64\Debug\phoenix.pdb","C:\Users\piper\source\repos\udp_3.0 - Copy\x64\release_86\udp_3.0.pdb","C:\Users\gangster\source\repos\udp_3.0 - Copy - Copy\x64\release_86\udp_3.0.pdb","C:\Users\SURGE\source\repos\udp_3.0 - Copy\x64\release_86\udp_3.0.pdb")
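    The five queries above express three kinds of indicator matching: domain matching on URL-bearing fields, exact matching on IP and SHA-256 fields, and matching of the PDB paths against object names in Windows Security 4663 audit events and EDR telemetry. The Python below is an added example, not Gurucul's or Unit 42's code; it reimplements that logic over constructed log events so the behaviour of each query can be exercised offline. Indicator values come from the lists above (a subset of the hashes and PDB paths, to keep the block short); the field names (domainname, siteurl, url, dstipaddress, srcipaddress, sha256hash, objectname, resourcesname, eventtype, technologygroup) mirror the queries; the sample events and the helper names host_of, domain_hit, match_event and scan are assumptions made for the demo. One deliberate difference from a bare `like`: the domain check fires only on an exact host or a subdomain of a listed domain, so a lookalike host that merely contains the indicator as a substring does not match. Note also that PDB paths are build artifacts embedded in the compiled binary, so they are more often found as strings in a collected sample than as files accessed on an endpoint; queries 4 and 5 are most useful alongside string matching on the binaries themselves.

```python
"""IoC matcher mirroring the five TDIR detection queries above.

Added example: not part of the Gurucul or Unit 42 material. Indicator values are
taken from the assessment; the events at the bottom are constructed for the demo.
"""
from urllib.parse import urlparse

# Query 1: domains, stored lowercase so matching is case-insensitive
DOMAINS = {
    "bootcamptg.org", "codefusiontech.org", "maxisteq.org", "miniquest.org",
    "netivtech.org", "nomercys.it.com", "promoverse.org", "reminders.trahum.org",
    "screenai.online", "stratioai.org",
}
# Query 2: C2 IP addresses, matched on either direction of the connection
IPS = {"157.20.182.75", "64.7.198.12", "46.101.36.39", "159.198.68.25", "159.198.66.153"}
# Query 3: SHA-256 hashes (a subset of the list above; extend with the rest as needed)
HASHES = {
    "c3afd5ce1ca50a38438bb5026cca27bfbf2d8e786e03f323adceb8ad17517eca",
    "52d8fb9a11920f27b9a3b43f27c275767a57cdffc95af94b7b66433506287314",
    "cc2ec568f978f328b6de112670a1b35ca1f9db377ff32cb9d313a5b2ac3c127b",
}
# Queries 4 and 5: PDB paths, stored lowercase (NTFS paths are case-insensitive)
PDB_PATHS = {p.lower() for p in (
    r"C:\Users\win10\Desktop\phonix\phoenix\x64\Release\phoenix.pdb",
    "Char.pdb",
    r"C:\Users\SURGE\source\repos\udp_3.0 - Copy\x64\release_86\udp_3.0.pdb",
)}


def host_of(value: str) -> str:
    """Extract the lowercase host from a bare domain or a URL (scheme optional)."""
    value = value.strip().lower()
    if not value:
        return ""
    if "://" not in value:
        value = "http://" + value      # urlparse needs a scheme to find the netloc
    return urlparse(value).hostname or ""


def domain_hit(host: str) -> bool:
    """True if host is a listed domain or a subdomain of one.

    Tighter than a bare substring `like`: a lookalike such as
    screenai.online.example.com does not match.
    """
    return any(host == d or host.endswith("." + d) for d in DOMAINS)


def match_event(event: dict) -> list:
    """Return the query identifiers (q1..q5) and fields that fire for one event."""
    hits = []
    for field in ("domainname", "siteurl", "url"):           # Query 1
        if domain_hit(host_of(str(event.get(field, "")))):
            hits.append(f"q1:{field}")
    for field in ("dstipaddress", "srcipaddress"):           # Query 2
        if str(event.get(field, "")).strip() in IPS:
            hits.append(f"q2:{field}")
    if str(event.get("sha256hash", "")).strip().lower() in HASHES:   # Query 3
        hits.append("q3:sha256hash")
    if str(event.get("objectname", "")).strip().lower() in PDB_PATHS:
        # Query 4: Windows Security object-access audit (event ID 4663)
        if event.get("resourcesname") == "Windows Security" and str(event.get("eventtype")) == "4663":
            hits.append("q4:objectname")
        # Query 5: the same path surfaced by an EDR sensor
        if event.get("technologygroup") == "EDR":
            hits.append("q5:objectname")
    return hits


def scan(events) -> list:
    """Run every event through match_event; keep only those with at least one hit."""
    results = []
    for index, event in enumerate(events):
        hits = match_event(event)
        if hits:
            results.append((index, hits))
    return results


# Constructed sample events (not real telemetry): one per query plus two negatives.
SAMPLE_EVENTS = [
    {"url": "https://reminders.trahum.org/update"},
    {"domainname": "NETIVTECH.ORG"},                        # case differs from the list
    {"domainname": "screenai.online.example.com"},          # lookalike: must not fire
    {"dstipaddress": "46.101.36.39", "srcipaddress": "10.0.0.5"},
    {"sha256hash": "C3AFD5CE1CA50A38438BB5026CCA27BFBF2D8E786E03F323ADCEB8AD17517ECA"},
    {"resourcesname": "Windows Security", "eventtype": 4663, "objectname": "Char.pdb"},
    {"technologygroup": "EDR",
     "objectname": r"C:\Users\SURGE\source\repos\udp_3.0 - Copy\x64\release_86\udp_3.0.pdb"},
    {"url": "https://example.com/", "dstipaddress": "8.8.8.8"},   # benign: must not fire
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(index, hits)
```

    Running the block prints one line per firing event (indices 0, 1, 3, 4, 5 and 6 of the sample list); the lookalike domain and the benign event produce nothing. The hash and path comparisons are normalised to lowercase before lookup because the indicator lists mix cases (for example Netivtech.org) and because file systems and hash tooling do not agree on case.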

    Reference:

    https://unit42.paloaltonetworks.com/boggy-serpens-threat-assessment/


    Tags

    Malware, Threat Actor, APT, MuddyWater, Iran, Cyber Espionage, Critical Infrastructure, Energy, Financial Services, Social Engineering, AI, Rust Malware, Backdoor, Telegram, Transportation Systems
