deepinstinct/PhonyC2-MuddyWater-Research
PhonyC2 MuddyWater Research

Research by Deep Instinct Threat Lab unveiling MuddyWater's latest C2 framework, named PhonyC2.

Executive summary:

  • Deep Instinct’s Threat Research team has identified a new C2 (command & control) framework
  • The C2 framework is custom-made, continuously in development, and has been used by the MuddyWater group since at least 2021
  • The framework is named PhonyC2 and was used in the attack on the Technion Institute
  • PhonyC2 is currently used in an active PaperCut exploitation campaign by MuddyWater
  • PhonyC2 is similar to MuddyC3, a previous C2 framework created by MuddyWater

MuddyWater is continuously updating the PhonyC2 framework and changing TTPs to avoid detection, as can be seen throughout the blog and in the investigation of the leaked PhonyC2 code. MuddyWater uses social engineering as its primary initial access vector, which lets it infect fully patched systems. Organizations should continue to harden systems and monitor for PowerShell activity.
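The recommendation to monitor PowerShell activity can be put into practice by enabling Script Block Logging and Module Logging and reviewing the events they produce. The following is an added example written for this page, not code from the Deep Instinct research or from the PhonyC2 material: the registry paths are the ones the corresponding Group Policy settings write, and the search patterns are a generic starting point for triage, not indicators taken from PhonyC2.

```powershell
# Added example (not from the Deep Instinct repository): enable PowerShell
# Script Block Logging and Module Logging so that executed script content is
# recorded in the Microsoft-Windows-PowerShell/Operational log, then review
# recent entries. Run in an elevated PowerShell session on the monitored host.
# Group Policy is the usual way to roll this out fleet-wide; the registry
# values below are the ones those policies set.

$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$mod = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'

New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

New-Item -Path "$mod\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path $mod -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$mod\ModuleNames" -Name '*' -Value '*'

# Event ID 4104 carries the logged script block text. Pull the last 24 hours
# and surface blocks that use encoded command lines or download-and-execute
# idioms; these are generic review heuristics (an assumption of this example),
# not PhonyC2-specific indicators, and will need tuning per environment.
$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = $since
} -ErrorAction SilentlyContinue |
  Where-Object { $_.Message -match '-EncodedCommand|FromBase64String|DownloadString|Invoke-Expression|\bIEX\b' } |
  Select-Object TimeCreated,
                @{ n = 'User';   e = { $_.UserId } },
                @{ n = 'Script'; e = { (($_.Message -split "`n")[0..3]) -join ' ' } } |
  Format-Table -AutoSize
```

Forwarding the Microsoft-Windows-PowerShell/Operational channel to a central log collector is what makes this useful at scale; the local query above is only a way to confirm that logging is on and to spot-check a single host.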

The PhonyC2 source code is provided in "PhonyC2.zip" (archive password: "infected23").

Full details of the research are available on the Deep Instinct blog.

Disclaimer

The code provided is offered as-is and is intended for educational or informational purposes only. The user assumes all responsibility for the use of this code and any consequences that may arise from its use. The creator of this code and its affiliates cannot be held liable for any damages or losses resulting from the use of this code.
