The latest threat report from Hunt.io, published by Tr1sa111 on March 11, 2026, lays out a comprehensive timeline of the MuddyWater intrusion chain, an Iranian‑linked APT group. The report, titled Clearing the Water: Unmasking an Attack Chain of MuddyWater, is a valuable resource for security analysts seeking to understand the attackers’ methodology and to strengthen defenses against similar campaigns.
The investigation began when Huntress analysts identified a set of indicators from a March 4 blog post that highlighted MuddyWater infrastructure. By cross‑referencing these indicators against historical data, they uncovered a January 24 incident involving an Israeli customer. The incident began with RDP access from the IP 173.16.10.1, followed by the use of OpenSSH to establish a tunnel to the attacker-controlled host 162.0.230.185.
Within minutes of the SSH tunnel, the attackers launched a legitimate Fortemedia application (FMAPP.exe) from C:\Users\Public\Downloads. That executable, while genuine, performed DLL side‑loading by loading a malicious FMAPP.dll from the same folder. The DLL connected to the command‑and‑control server at 157.20.182.49. The attackers verified the DLL’s operation with tasklist | findstr FMAPP and pinged the C2 IP to confirm connectivity.
Throughout the timeline, the actors displayed several telltale behaviors. They typed commands manually, evidenced by typos such as net groups /do and net localgroup adminstraots. They switched between cmd.exe and PowerShell, opening a new PowerShell session from Explorer to create a cleaner process tree. They also conducted reconnaissance against local and domain groups, using commands like net localgroup Administrators, net user, and nltest /domain_trusts to map the environment’s privileged accounts.
The attackers’ use of SSH tunnels was particularly notable. The first tunnel forwarded port 10841, while a subsequent tunnel forwarded port 8585. These tunnels allowed the adversaries to covertly communicate with the C2 server while bypassing outbound filtering. The attackers paused between tunnel setups to verify functionality, suggesting a methodical approach to maintain persistence.
Indicators of compromise (IOCs) identified in the report include:
- IP addresses: 173.16.10.1 (RDP), 162.0.230.185 (SSH), 157.20.182.49 (C2)
- Username: asuedulimit (used in SSH)
- File paths:
C:\Users\Public\Downloads\FMAPP.exe(legitimate),C:\Users\Public\Downloads\FMAPP.dll(malicious) - Hashes: FMAPP.exe SHA‑256 e25892603c42e34bd7ba0d8ea73be600d898cadc290e3417a82c04d6281b743b, FMAPP.dll SHA‑256 589ecb0bb31adc6101b9e545a4e5e07ae2e97d464b0a62242a498e613a7740b6
Given the sophistication of MuddyWater’s tactics, analysts should adopt a layered detection strategy. The following bullet points outline actionable recommendations:
- Monitor RDP sessions for unusual login times and source IPs. Implement RDP session recording and enforce MFA for remote access.
- Detect SSH tunnel creation by tracking
ssh.exeexecutions with forward options (-R) and monitor for outbound connections on uncommon ports. - Implement DLL side‑loading detection in execution monitoring tools. Flag legitimate executables that load DLLs from non‑standard directories.
- Use file integrity monitoring to alert on the creation of suspicious DLLs in download folders.
- Deploy network segmentation and micro‑segmentation to limit lateral movement from compromised endpoints to critical servers.
- Enable host‑based intrusion detection systems that flag reconnaissance commands such as
net localgroup,nltest, andwhoami /priv. - Maintain an updated IOC feed and integrate it into SIEM for automated correlation with event logs.
- Conduct regular phishing awareness training to reduce the likelihood of credential compromise that could enable RDP access.
- Apply least‑privilege principles to local and domain group membership to reduce the impact of compromised accounts.
In summary, the Hunt.io report provides a granular view of MuddyWater’s attack lifecycle, from initial RDP compromise to final C2 communication via DLL side‑loading. By understanding each step and adopting the outlined defensive measures, organizations can detect similar threats earlier, reduce dwell time, and mitigate the risk of data exfiltration or sabotage.

