Comprehensive Threat Assessment on Boggy Serpens

Summary: Unit 42 of Palo Alto Networks has issued a comprehensive threat assessment on Boggy Serpens, an Iranian nation-state cyberespionage group. The report highlights the group's evolving tactics and targeted attacks against key strategic organizations in multiple regions.

Boggy Serpens, also known as MuddyWater, is an Iranian nation-state cyberespionage group that has been active since at least 2017. Subordinate to the Ministry of Intelligence and Security (MOIS), Boggy Serpens primarily targets government, military, and critical infrastructure sectors in the Middle East, the Caucasus, Central and Western Asia, South America, and Europe. Its early campaigns were high-volume, low-sophistication spear phishing operations that relied on living-off-the-land (LOTL) tactics. The group has since shifted to a more adaptive approach built on trusted-relationship compromises and multi-wave, targeted attacks against key organizations.

The group's latest activity shows a marked improvement in technical capability. It deploys AI-enhanced malware implants that include anti-analysis techniques in support of long-term persistence. It also pairs this tooling with social engineering from hijacked accounts: because the messages come from legitimate, established senders, they bypass reputation-based blocking, and follow-up messages (secondary prompts) are then used to deliver the payload.

A notable case study is a sustained campaign against a UAE national marine and energy company, which saw four distinct waves of attacks from August 2025 through February 2026. The group used several command and control (C2) channels, including HTTP status codes, customized UDP traffic, and the Telegram API, and showed mature development practices such as AI-generated code and Rust-based tooling, including the BlackBeard backdoor.
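Of the three C2 channels named above, the Telegram Bot API is the one most visible in ordinary web-proxy telemetry, because every request carries the fixed shape `/bot<bot_id>:<secret>/<method>` on `api.telegram.org`. The following detection logic is an added example, not code from the Unit 42 report or from any Palo Alto Networks product. It runs over constructed proxy log lines (the `ts|src_ip|process|method|host|path|status` layout and all addresses, processes and tokens are made up for the example), flags endpoints that use the Bot API from a process not expected to speak Telegram, that poll `getUpdates` repeatedly (tasking), or that push data out with `send*` methods (exfiltration), and deliberately never copies the bot secret into the alert. The set of "expected" processes and the polling threshold are assumptions to tune per environment.

```python
import re
from dataclasses import dataclass, field

# Telegram Bot API requests look like /bot<bot_id>:<secret>/<method>. The secret is
# normally 35 characters; the pattern is loosened to 20+ so the constructed samples match.
BOT_API_RE = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})/(?P<method>[A-Za-z]+)"
)

# Assumption: processes that legitimately talk to Telegram in this environment.
# Anything else calling the *Bot* API from an endpoint is suspect.
EXPECTED_TELEGRAM_PROCESSES = {"Telegram.exe", "chrome.exe", "firefox.exe", "msedge.exe"}

# Bot methods an implant would use: polling for tasking vs. pushing results out.
TASKING_METHODS = {"getUpdates"}
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}

# Constructed sample proxy log (not from the report). Fields: ts|src_ip|process|method|host|path|status
SAMPLE_PROXY_LOG = """\
2026-02-03T09:12:01Z|10.1.4.22|chrome.exe|GET|web.telegram.org|/k/|200
2026-02-03T09:12:07Z|10.1.4.22|chrome.exe|GET|www.example.com|/|200
2026-02-03T09:15:10Z|10.1.7.31|svchost.exe|GET|api.telegram.org|/bot123456789:AAExampleExampleExampleExampleExample/getUpdates|200
2026-02-03T09:15:40Z|10.1.7.31|svchost.exe|GET|api.telegram.org|/bot123456789:AAExampleExampleExampleExampleExample/getUpdates|200
2026-02-03T09:16:10Z|10.1.7.31|svchost.exe|POST|api.telegram.org|/bot123456789:AAExampleExampleExampleExampleExample/sendDocument|200
2026-02-03T09:20:00Z|10.1.9.5|python.exe|POST|api.telegram.org|/bot987654321:BBExampleExampleExampleExampleExample/sendMessage|200
"""


@dataclass
class Finding:
    src_ip: str
    process: str
    bot_id: str          # the numeric bot id is safe to alert on; the secret is not
    tasking_calls: int = 0
    exfil_calls: int = 0
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Split one constructed proxy record into a dict; return None for malformed lines."""
    fields = line.split("|")
    if len(fields) != 7:
        return None
    ts, src_ip, process, method, host, path, status = fields
    return {"ts": ts, "src_ip": src_ip, "process": process, "method": method,
            "host": host, "path": path, "status": status}


def detect_telegram_bot_c2(log_text, poll_threshold=2):
    """Return a list of Finding objects for (src_ip, process, bot_id) triples that look like Bot API C2."""
    buckets = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["host"] != "api.telegram.org":
            continue
        m = BOT_API_RE.match(rec["path"])
        if not m:
            continue  # web.telegram.org or non-bot paths are ordinary Telegram use
        key = (rec["src_ip"], rec["process"], m["bot_id"])
        f = buckets.setdefault(key, Finding(*key))
        if m["method"] in TASKING_METHODS:
            f.tasking_calls += 1
        elif m["method"] in EXFIL_METHODS:
            f.exfil_calls += 1

    findings = []
    for f in buckets.values():
        if f.process not in EXPECTED_TELEGRAM_PROCESSES:
            f.reasons.append("Bot API used by unexpected process")
        if f.tasking_calls >= poll_threshold:
            f.reasons.append("repeated getUpdates polling (tasking beacon)")
        if f.exfil_calls:
            f.reasons.append("outbound send* call (possible exfiltration)")
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in detect_telegram_bot_c2(SAMPLE_PROXY_LOG):
        print(f"{f.src_ip} {f.process} bot={f.bot_id} "
              f"tasking={f.tasking_calls} exfil={f.exfil_calls} :: {', '.join(f.reasons)}")
```

Keying on the bot id rather than the secret lets analysts correlate hosts beaconing to the same bot across the fleet without storing a live credential in the SIEM. The status-code and UDP channels the report mentions do not leave this kind of signature; they need response-code baselining per destination and NetFlow or PCAP review rather than a URL pattern.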

Palo Alto Networks recommends protection against these threats using their advanced security solutions, including Cortex XDR, XSIAM, Advanced WildFire, Advanced URL Filtering, and Advanced DNS Security.

Key facts

  • Boggy Serpens, a nation-state cyberespionage group subordinate to MOIS, targets government and critical infrastructure sectors.
  • The group combines social engineering with advanced malware for long-term persistence.
  • Recent campaigns against a UAE national marine and energy company involved four waves of attacks using HTTP status codes, customized UDP traffic, and the Telegram API for C2.

Why it matters

The detailed threat assessment underscores the growing sophistication of Boggy Serpens, which poses a significant risk to critical infrastructure. Organizations in the targeted sectors should review their defenses against trusted-relationship compromise and hijacked-account phishing, and their visibility into the C2 channels the report describes.