Iran-Linked APT Abuses Slack in Attacks on Asian Airline

The Iran-linked advanced persistent threat (APT) actor MuddyWater was observed deploying a backdoor that abuses Slack on the network of an Asian airline, IBM Security X-Force reports.

Also referred to as MERCURY, Seedworm, Static Kitten, and ITG17, the hacking group is mainly focused on targets in the Middle East and other parts of Asia.

IBM X-Force discovered that MuddyWater managed to compromise the unnamed Asian airline’s network in October 2019, with the observed activity continuing in 2021 as well.

The adversary deployed a PowerShell backdoor called Aclip, which leverages a Slack messaging API for command and control (C&C) operations, including communication and data transmission, IBM’s security researchers note.

Because multiple Iranian hacking groups have in many instances gained access to the same victim’s environment, IBM X-Force notes that other adversaries might have been involved in this operation as well, especially since Iranian state-sponsored threat actors have been targeting the airline industry, mainly for surveillance purposes, for at least half a decade.

In the observed incident, a Windows Registry Run key was used to persistently execute a batch script that in turn runs a script file (the Aclip backdoor) using PowerShell. The malware, which receives commands via attacker-created Slack channels, can take screenshots, gather system information, and exfiltrate files.

By using Slack for communication purposes, the adversary ensures that the malicious traffic blends in with normal network traffic. The collaboration application has been abused for similar purposes by other malware families as well.
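For defenders, the two behaviors described above (a Run key that launches a script file, and Slack lookups issued by a script interpreter rather than the Slack client) can be hunted together. The following is an added example, not code from IBM X-Force or SecurityWeek; it assumes events already parsed into dicts with Sysmon-style field names, and all hosts, paths and values in it are constructed.

```python
import re

# Assumption: events are dicts with Sysmon-style fields (EventID 13 = registry
# value set, EventID 22 = DNS query). Hosts, paths and values are constructed.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
SCRIPT_VALUE = re.compile(r"\.(bat|cmd|ps1|vbs)\b", re.I)
SLACK_HOST = re.compile(r"(^|\.)slack\.com$", re.I)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (host, reason) for each event matching a behaviour in the article."""
    findings = []
    for ev in events:
        if ev["EventID"] == 13:
            # Run key value that launches a script file at logon
            if RUN_KEY.search(ev["TargetObject"]) and SCRIPT_VALUE.search(ev["Details"]):
                findings.append((ev["Host"], "run-key-script"))
        elif ev["EventID"] == 22:
            # Slack lookup issued by a script interpreter instead of the Slack client
            if SLACK_HOST.search(ev["QueryName"]) and basename(ev["Image"]) in SCRIPT_HOSTS:
                findings.append((ev["Host"], "script-host-to-slack"))
    return findings

def correlated_hosts(events):
    """Hosts showing both behaviours, which deserve first triage."""
    seen = {}
    for host, reason in detect(events):
        seen.setdefault(host, set()).add(reason)
    return sorted(h for h, reasons in seen.items() if len(reasons) == 2)

SAMPLE_EVENTS = [  # constructed sample data
    {"Host": "WS-01", "EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\Public\update.bat"},
    {"Host": "WS-01", "EventID": 22, "QueryName": "slack.com",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Host": "WS-02", "EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"Host": "WS-02", "EventID": 22, "QueryName": "app.slack.com",
     "Image": r"C:\Program Files\Slack\slack.exe"},
    {"Host": "WS-03", "EventID": 22, "QueryName": "slack.com.example.net",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]
if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS), correlated_hosts(SAMPLE_EVENTS))
```

Neither signal is conclusive alone, since administrators do script against Slack and legitimate software does use Run keys; the correlation on a single host is what narrows the triage list.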

After being notified of the malicious activity, Slack launched an investigation into the matter and took down the reported Slack workspaces.

“We confirmed that Slack was not compromised in any way as part of this incident, and no Slack customer data was exposed or at risk. We are committed to preventing the misuse of our platform and we take action against anyone who violates our terms of service,” Slack said.

Based on custom tools that were used in the attack, TTP overlaps, employed infrastructure, and MuddyWater’s previous targeting of the transportation sector, IBM’s researchers are confident that the threat actor is behind the activity.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
