A MuddyWater-associated BlackWater malware campaign has displayed anti-detection techniques and other modifications intended to evade common host-based signatures and YARA signatures.
Cisco Talos researchers said that while the changes were superficial, they were significant enough to avoid some detection mechanisms, according to a May 20 blog post.
Researchers said the group’s activity has shown an increased level of sophistication: the threat actors established persistence on the compromised host and used PowerShell commands to enumerate the victim’s machine, and the sample contained the IP address of the actor’s command and control (C2) server.
“All of these components were included in the trojanized attachment, and therefore a security researcher could uncover the attackers’ TTPs simply by obtaining a copy of the document,” researchers said in the post. “By contrast, the activity from April would require a multi-step investigative approach.”
MuddyWater has a history of targeting Turkey and other Middle East-based entities in campaigns that, if successful, would install PowerShell code on the victim’s machine, granting the threat actors remote access, researchers said.