Boggy Serpens, also known as MuddyWater, is a cyberespionage group that is currently running hacking campaigns against targets all over the world. This threat group is connected to the Iranian Ministry of Intelligence and Security (MOIS) and regularly attacks important infrastructure and diplomatic organizations. Their main targets are the energy, maritime, and finance sectors in the Middle East and other parts of the world.
Analysis shows that the group has become highly flexible, focusing on abusing trusted relationships to get into strategic organizations.

Changing Strategies and Account Hijacking

Boggy Serpens gets around standard security measures by taking over the real internal accounts of high-profile victims. Once they have access to these accounts, the attackers send emails that pass security filters because they appear to come from trusted sources.
For instance, in August 2025, the group compromised an email account belonging to the Omani Ministry of Foreign Affairs and used it to send fake seminar invitations to foreign embassies. The group's persistence is clear from its repeated attacks on a national maritime and energy company in the United Arab Emirates. Palo Alto Networks tracked Boggy Serpens campaigns from April 2025 to February 2026.
Boggy Serpens launched four separate attacks on this company, each using lure documents tailored to a specific department, such as finance or engineering. To support these large operations, the threat actors built a custom web-based platform that could send many emails at once while concealing the senders' identities.
[Figure: lure document styled as a status update and using engineering terminology (Source: Palo Alto Networks)]

Using New Tools and AI

Boggy Serpens is rapidly upgrading its technical tooling to keep hidden access to infected networks, though social engineering remains its main method. The group has moved away from publicly available software and is instead writing advanced custom implants. In its most recent cyberespionage operations, the threat actors have used several new malware families (listed by family, main function, and important technical features):
BlackBeard: Rust-based backdoor. Built in a memory-safe language to make analysis harder and to evade detection.
LampoRAT: remote access trojan. Masquerades as antivirus software and uses the Telegram API to receive commands.
Nuso: custom HTTP backdoor. A very hard-to-detect tool that uses standard HTTP status codes to run commands on compromised machines.
UDPGangster: lightweight backdoor. Uses a custom UDP-based communication protocol to bypass traditional network defenses.
There is considerable evidence that Boggy Serpens is using AI to speed up malware development. Palo Alto Networks researchers found several indicators of this in the malware's code, including the use of emojis for status reporting, which is a common default output of large language models. By combining hijacked trusted accounts, advanced new backdoors, and AI-assisted coding, Boggy Serpens has built a very dangerous threat profile. Rather than relying only on standard email filters, organizations now need to watch for anomalous behavior at endpoints.
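One concrete form of the endpoint monitoring recommended above, as an added example that is not part of the original article or of Palo Alto Networks' research: a small hunt over constructed EDR-style connection logs that flags processes calling the Telegram Bot API (the channel LampoRAT is described as using for command and control) when they are not on an allowlist of sanctioned bot clients. The log layout, host and process names, and the allowlist are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of outbound HTTPS connections in an EDR-style key=value layout
# (the layout, hosts and process names are assumptions, not real telemetry).
SAMPLE_LOG = """\
2025-08-12T09:01:02Z host=WS-FIN-07 proc=chrome.exe dst=mail.example.com path=/owa/
2025-08-12T09:01:10Z host=WS-FIN-07 proc=AVUpdate.exe dst=api.telegram.org path=/bot<TOKEN>/getUpdates
2025-08-12T09:02:10Z host=WS-FIN-07 proc=AVUpdate.exe dst=api.telegram.org path=/bot<TOKEN>/getUpdates
2025-08-12T09:03:10Z host=WS-FIN-07 proc=AVUpdate.exe dst=api.telegram.org path=/bot<TOKEN>/sendDocument
2025-08-12T09:04:00Z host=WS-ENG-03 proc=chatops-bot.exe dst=api.telegram.org path=/bot<TOKEN>/sendMessage
2025-08-12T09:05:00Z host=WS-ENG-03 proc=outlook.exe dst=outlook.office365.com path=/mapi/
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) path=(?P<path>\S+)$"
)
# Telegram Bot API paths look like /bot<token>/<method>; the method name is what
# tells a poll for new commands (getUpdates) apart from an upload (sendDocument).
BOT_API_RE = re.compile(r"^/bot[^/]+/(?P<method>\w+)")
# Assumption: the only sanctioned Bot API client in this environment.
ALLOWED_BOT_PROCS = frozenset({"chatops-bot.exe"})


def parse_log(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_telegram_c2_candidates(log_text, allowed=ALLOWED_BOT_PROCS):
    """Return {(host, proc): {"count": n, "methods": [...]}} for non-allowlisted Bot API callers."""
    hits = defaultdict(lambda: {"count": 0, "methods": set()})
    for rec in parse_log(log_text):
        if rec["dst"] != "api.telegram.org" or rec["proc"].lower() in allowed:
            continue
        m = BOT_API_RE.match(rec["path"])
        if not m:
            continue
        entry = hits[(rec["host"], rec["proc"])]
        entry["count"] += 1
        entry["methods"].add(m.group("method"))
    return {k: {"count": v["count"], "methods": sorted(v["methods"])} for k, v in hits.items()}


if __name__ == "__main__":
    for (host, proc), info in find_telegram_c2_candidates(SAMPLE_LOG).items():
        print(f"{host}: {proc} made {info['count']} Telegram Bot API calls ({', '.join(info['methods'])})")
```

A hit whose process name suggests security software, as in the constructed sample, is exactly the masquerade described for LampoRAT and deserves a look at the binary's signer and parent process.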