Attacks by the Iranian state-backed threat group MuddyWater, also known as Mango Sandstorm and Mercury, against the Israeli research institute Technion, as well as against PaperCut servers, have used the PhonyC2 post-exploitation command-and-control framework, according to The Hacker News.
While PhonyC2 has similarities to MuddyWater's previous MuddyC3 framework, the attackers have continuously updated the new framework and their tactics, techniques, and procedures, a report from Deep Instinct revealed. Attackers have used PhonyC2 to "generate various payloads that connect back to the C2 and wait for instructions from the operator to conduct the final step of the 'intrusion kill chain,'" said researcher Simon Kenin. However, initial access to the compromised machines is required before the PowerShell payloads can be executed, noted Deep Instinct Threat Research Team Leader Mark Vaitzman. "Some of the generated payloads connect back to the operator C2 to allow persistence," added Vaitzman, who also cited MuddyWater's use of other C2 frameworks in attacks.