MuddyWater-Linked APT Campaign Scanned 12,000+ Systems Before Striking Middle East Critical Infrastructure

dark6 16 April 2026

Cybersecurity researchers at Oasis Security have uncovered a highly sophisticated, multi-stage espionage campaign targeting critical infrastructure across the Middle East and North Africa (MENA) region. The campaign — bearing strong tactical and technical fingerprints of the Iranian-linked threat group MuddyWater (also tracked as MERCURY or Seedworm) — involved the automated scanning of more than 12,000 internet-exposed systems as part of a structured reconnaissance-to-exfiltration operation, with at least one confirmed data theft from an Egyptian aviation organization.

Campaign Overview: From Mass Scanning to Surgical Exfiltration

The operation follows a methodical three-phase attack chain that researchers describe as characteristic of mature, state-sponsored threat actors:

  • Phase 1 — Mass Reconnaissance: Broad, automated scanning of over 12,000 internet-exposed systems across the MENA region, exploiting at least five recently disclosed CVEs to identify vulnerable targets. The scanning activity used attacker-controlled infrastructure traced to a server in the Netherlands (IP: 157.20.182.49).
  • Phase 2 — Credential Harvesting: Targeted credential collection operations against organizations identified as high-value during the reconnaissance phase, particularly those in aviation, energy, and government sectors.
  • Phase 3 — Data Exfiltration: Focused, targeted theft of sensitive data from compromised networks, with confirmed exfiltration of approximately 200 files from an Egyptian aviation enterprise, including passport records and payroll data.

Attribution: MuddyWater’s Signature Tactics

Oasis Security’s threat intelligence team assessed with moderate-to-high confidence that the campaign is linked to MuddyWater based on several converging indicators. The campaign’s command-and-control (C2) communications patterns closely align with MuddyWater’s known ArenaC2 framework — a proprietary C2 infrastructure the group has used in previous campaigns against Israeli, Turkish, and U.S. government targets.

Additionally, the use of Rust-based implants — a relatively new addition to MuddyWater’s toolset documented by Rescana researchers in separate reporting — was observed in the initial access phase, reflecting the group’s ongoing capability modernization. Previous MuddyWater campaigns relied heavily on .NET and PowerShell-based tools; the adoption of memory-safe languages like Rust complicates detection by security products trained primarily on traditional malware families.

The campaign’s timeline — beginning in early February 2026, a period of heightened geopolitical tension across the Middle East — is also consistent with historical patterns of MuddyWater activity during regional escalations.

Sectors Targeted: Aviation, Energy, Government

The targeting priorities identified by Oasis Security align directly with Iran’s strategic intelligence collection objectives:

  • Aviation: Confirmed compromise of an Egyptian aviation organization; aviation sector data (passenger manifests, flight routing, personnel records) has significant counterintelligence value
  • Energy: Multiple energy sector organizations in the Gulf region were identified as targets of active intrusion attempts
  • Government: Several MENA government networks were included in the scanning and credential harvesting phases

The theft of passport and payroll records from the Egyptian aviation target is particularly notable, as this type of data enables adversaries to identify individuals who may be subjects of surveillance interest, or to create fraudulent travel documents.

Weaponized CVEs: Five Newly Disclosed Vulnerabilities

Rather than relying on a single entry vector, the campaign exploited at least five recently disclosed CVEs during its initial scanning phase — a hallmark of well-resourced threat actors with rapid vulnerability weaponization capabilities. While Oasis Security has not publicly identified all five CVEs to prevent further exploitation, the use of multiple fresh vulnerabilities suggests the group maintains a team dedicated to quickly incorporating public proof-of-concept exploits into their offensive toolkit.

This approach is consistent with broader trends in state-sponsored threat actor behavior, where the gap between a CVE’s public disclosure and its weaponization has shrunk from months to days in 2025-2026.

Implications for Critical Infrastructure Operators

The campaign highlights several enduring vulnerabilities in critical infrastructure security postures:

  • Exposed management interfaces: The scanning phase specifically targeted internet-facing management and operational systems, suggesting many organizations still maintain unnecessarily broad external attack surfaces
  • Patch lag: The rapid weaponization of newly disclosed CVEs means organizations that fail to patch within days — not weeks — remain vulnerable to exploitation by well-resourced actors
  • Limited detection of novel implants: Rust-based malware continues to evade many endpoint detection and response (EDR) solutions, underscoring the need for behavioral detection capabilities beyond signature-based approaches

Recommended Defensive Measures

Organizations operating in sectors targeted by this campaign — particularly aviation, energy, and government entities in the MENA region — should take the following immediate actions:

  • Audit and minimize internet-facing attack surfaces, especially management interfaces and operational technology systems
  • Implement emergency patching procedures for all five CVEs weaponized in this campaign (contact Oasis Security or sector-specific ISACs for the full list)
  • Hunt for ArenaC2 indicators of compromise within network traffic logs, focusing on C2 beacon patterns associated with MuddyWater’s known infrastructure
  • Deploy behavioral EDR solutions capable of detecting Rust-based implants and memory injection techniques
  • Review access to personnel records and passport data for signs of unauthorized access or bulk data access consistent with exfiltration
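As an added example (not code from the article, from Oasis Security, or from any MuddyWater tooling), the following Python script shows what the hunting steps above and the Phase 1 scanner indicator look like in practice, run over constructed sample logs: it matches connections against the one IP the article names (157.20.182.49), flags source/destination pairs whose connection intervals are suspiciously regular regardless of destination, and flags accounts that read personnel records in bulk. The log formats, hostnames, usernames, record paths and thresholds are assumptions made for the example; the page publishes no ArenaC2 beacon characteristics, so beacon detection here relies on timing regularity only.

```python
# Added example, not code from the article or from Oasis Security.
# Hunting logic over constructed sample logs: IOC matching, beacon-interval
# detection and bulk personnel-record access detection.
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# The only infrastructure indicator the article names (the scanning server).
KNOWN_IOCS = {"157.20.182.49"}
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed connection-log sample (assumed format: timestamp src dst bytes_out).
# 10.1.4.22 contacts the IOC every ~5 minutes; 10.1.4.37 browses irregularly
# to an RFC 5737 documentation address.
SAMPLE_CONN_LOG = """\
2026-02-03T08:00:00Z 10.1.4.22 157.20.182.49 512
2026-02-03T08:05:01Z 10.1.4.22 157.20.182.49 498
2026-02-03T08:10:00Z 10.1.4.22 157.20.182.49 530
2026-02-03T08:14:59Z 10.1.4.22 157.20.182.49 501
2026-02-03T08:20:02Z 10.1.4.22 157.20.182.49 515
2026-02-03T08:01:13Z 10.1.4.37 203.0.113.9 2048
2026-02-03T08:23:44Z 10.1.4.37 203.0.113.9 1100
2026-02-03T09:47:10Z 10.1.4.37 203.0.113.9 700
2026-02-03T10:02:05Z 10.1.4.37 203.0.113.9 950
"""


def parse_conn_log(text):
    """Parse 'timestamp src dst bytes' lines into (datetime, src, dst, int) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events.append((datetime.strptime(ts, TS_FMT), src, dst, int(nbytes)))
    return events


def ioc_hits(events, iocs=KNOWN_IOCS):
    """Return every connection whose destination is a known indicator."""
    return [e for e in events if e[2] in iocs]


def detect_beacons(events, min_events=4, max_cv=0.05):
    """Flag (src, dst) pairs whose inter-connection gaps are nearly constant.

    Regularity is the coefficient of variation (stdev / mean) of the gaps.
    Real C2 adds jitter, so max_cv is a tunable assumption, not a known value.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)
    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            flagged[pair] = {"events": len(stamps), "mean_gap_s": avg, "cv": cv}
    return flagged


def make_sample_audit_log():
    """Constructed HR-system audit log (assumed format: timestamp user action record).

    svc_backup reads 60 passport records in under ten minutes at 02:00 (bulk
    pattern); hr_clerk reads five records spread across the working day.
    """
    base = datetime(2026, 2, 10, 2, 0, 0)
    lines = [f"{(base + timedelta(seconds=10 * i)).strftime(TS_FMT)} svc_backup READ passport/{1000 + i}"
             for i in range(60)]
    lines += [f"{(base + timedelta(hours=8, minutes=90 * i)).strftime(TS_FMT)} hr_clerk READ passport/{2000 + i}"
              for i in range(5)]
    return "\n".join(lines)


def detect_bulk_access(text, threshold=50, window=timedelta(minutes=15)):
    """Return {user: peak} for users reading more than `threshold` distinct records in any `window`."""
    per_user = defaultdict(list)
    for line in text.splitlines():
        ts, user, action, record = line.split()
        if action == "READ":
            per_user[user].append((datetime.strptime(ts, TS_FMT), record))
    flagged = {}
    for user, reads in per_user.items():
        reads.sort()
        start, peak = 0, 0
        for end in range(len(reads)):       # sliding window over sorted reads
            while reads[end][0] - reads[start][0] > window:
                start += 1
            peak = max(peak, len({r for _, r in reads[start:end + 1]}))
        if peak > threshold:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    events = parse_conn_log(SAMPLE_CONN_LOG)
    print("IOC hits:", len(ioc_hits(events)))
    for pair, info in detect_beacons(events).items():
        print("beacon-like:", pair, info)
    print("bulk access:", detect_bulk_access(make_sample_audit_log()))
```

On the sample data the script reports five IOC hits, one beacon-like pair (10.1.4.22 to 157.20.182.49, mean gap about 300 s) and one bulk reader (svc_backup, 60 records in one window). The IOC match is the cheapest check but only catches infrastructure already published; the interval and bulk-access checks are the ones that still fire after the actor rotates servers, at the cost of needing thresholds tuned to your own baseline.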

CISA and sector-specific agencies in the U.S., Europe, and the Gulf Cooperation Council (GCC) have been briefed on the campaign’s indicators of compromise. Affected organizations in the MENA region are encouraged to contact their national CERTs for additional technical support and threat intelligence sharing.
