The Iran-linked advanced persistent threat (APT) actor MuddyWater was observed deploying a backdoor that abuses Slack on the network of an Asian airline, IBM Security X-Force reports.
Also referred to as MERCURY, Seedworm, Static Kitten, and ITG17, the hacking group is mainly focused on targets in the Middle East and other parts of Asia.
IBM X-Force discovered that MuddyWater managed to compromise the unnamed Asian airline’s network in October 2019, with the observed activity continuing in 2021 as well.
The adversary deployed a PowerShell backdoor called Aclip, which leverages a Slack messaging API for command and control (C&C) operations, including communication and data transmission, IBM’s security researchers note.
Because multiple Iranian hacking groups have in many instances gained access to the same victim’s environment, IBM X-Force notes that other adversaries might have been involved in this operation as well, especially since Iranian state-sponsored threat actors have been targeting the airline industry, mainly for surveillance purposes, for at least half a decade.
In the observed incident, a Windows Registry Run key was used to persistently execute a batch script that in turn runs a script file (the Aclip backdoor) using PowerShell. The malware, which receives commands via attacker-created Slack channels, can take screenshots, gather system information, and exfiltrate files.
By using Slack for communication purposes, the adversary ensures that the malicious traffic blends in with normal network traffic. The collaboration application has been abused for similar purposes by other malware families as well.
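For defenders, the two behaviors described above (a Run key that launches a script, and Slack traffic from a process that is not a Slack client) can be hunted together. The sketch below is an added example, not code from IBM X-Force or Slack; the events are constructed records using Sysmon field names (Event ID 13 registry value set, Event ID 3 network connection), and the file names and the list of expected Slack client processes are assumptions to adapt per environment.

```python
import re

# Constructed Sysmon-style records (illustrative only, not from the IBM X-Force report).
EVENTS = [
    {"id": 13, "host": "WS01", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\Public\update.bat"},
    {"id": 13, "host": "WS02", "Image": r"C:\Program Files\App\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\App",
     "Details": r'"C:\Program Files\App\app.exe" /tray'},
    {"id": 3, "host": "WS01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationHostname": "slack.com"},
    {"id": 3, "host": "WS02", "Image": r"C:\Users\a\AppData\Local\slack\app-4.0.0\slack.exe",
     "DestinationHostname": "files.slack.com"},
    {"id": 3, "host": "WS03", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "app.slack.com"},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
SCRIPT = re.compile(r"\.(bat|cmd|ps1|vbs|js)\b", re.I)   # script launched at logon
SLACK_HOST = re.compile(r"(^|\.)slack\.com$", re.I)
# Assumption: processes expected to talk to Slack in this environment.
EXPECTED_SLACK_CLIENTS = {"slack.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def findings(events):
    """Return (host, finding_type, evidence) tuples for suspicious events."""
    out = []
    for e in events:
        if e["id"] == 13 and RUN_KEY.search(e["TargetObject"]) and SCRIPT.search(e["Details"]):
            out.append((e["host"], "run-key-script", e["Details"]))
        elif (e["id"] == 3 and SLACK_HOST.search(e["DestinationHostname"])
              and basename(e["Image"]) not in EXPECTED_SLACK_CLIENTS):
            out.append((e["host"], "unexpected-slack-client", basename(e["Image"])))
    return out

def hosts_with_both(events):
    """Hosts showing both script persistence and non-client Slack traffic."""
    seen = {}
    for host, kind, _ in findings(events):
        seen.setdefault(host, set()).add(kind)
    return sorted(h for h, kinds in seen.items() if len(kinds) == 2)

if __name__ == "__main__":
    for f in findings(EVENTS):
        print(f)
    print("correlated hosts:", hosts_with_both(EVENTS))
```

Either finding alone is noisy (legitimate integrations and login scripts exist), so the correlated host list is the higher-confidence lead.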
After being notified of the malicious activity, Slack launched an investigation into the matter and took down the reported Slack workspaces.
“We confirmed that Slack was not compromised in any way as part of this incident, and no Slack customer data was exposed or at risk. We are committed to preventing the misuse of our platform and we take action against anyone who violates our terms of service,” Slack said.
Based on custom tools that were used in the attack, TTP overlaps, employed infrastructure, and MuddyWater’s previous targeting of the transportation sector, IBM’s researchers are confident that the threat actor is behind the activity.
