Iranian threat group Boggy Serpens' cyberespionage evolves with AI-enhanced malware and refined social engineering. Unit 42 details their persistent targeting.

Unit42 is a cybersecurity research team known for its  analysis of cyber threats, malware, and cyber attack trends. Through research reports, threat intelligence briefings, and data analysis, Unit42 offers insights into emerging cyber threats and adversary tactics. Readers can learn about threat detection methodologies, vulnerability trends, and cyber attack attribution to enhance their cybersecurity posture and protect their organizations from advanced cyber threats.

Unit 42

Unit 42 presents a comprehensive threat assessment of Boggy Serpens (MuddyWater), an Iranian nation-state cyberespionage group attributed to MOIS. Over the past year, the group has evolved from high-volume, low-sophistication phishing to a more targeted 'trusted relationship compromise' model, hijacking legitimate government and corporate email accounts to bypass spam filters. A sustained four-wave campaign against a UAE marine and energy company from August 2025 to February 2026 illustrates their persistence. The group's toolset has matured significantly, now including Rust-based backdoors (BlackBeard, LampoRAT), a custom HTTP backdoor (Nuso), and the UDP-based UDPGangster. Evidence of AI-assisted malware development is noted, including emoji-based status strings in LampoRAT's code. The report includes full IOCs, PDB paths, C2 infrastructure, and technical appendices covering VBA macro builders and backdoor internals.

Boggy Serpens Threat Assessment

Campaigns, Phishing Themes and Documents Analysis

Appendix B: Deconstructing the Phoenix and UDPGangster VBA Builders

Appendix C: BlackBeard, a Backdoor Written in Rust