Executive Summary: Boggy Serpens Raises the Stakes
Unit 42 researchers at Palo Alto Networks have published a comprehensive threat assessment detailing the accelerating evolution of Boggy Serpens, the Iranian nation-state cyberespionage group also tracked as MuddyWater. Attributed to Iran's Ministry of Intelligence and Security (MOIS), the group has dramatically matured its tactics over the past year — moving from noisy, high-volume phishing runs to a stealthier, persistence-focused operational model powered by AI-assisted malware development and Rust-based custom tooling. The assessment covers campaigns running from August 2025 through February 2026 and paints a picture of a well-resourced actor increasingly capable of sustained, multi-wave intrusion campaigns against high-value strategic targets.
Who Is Boggy Serpens?
Boggy Serpens has been active since at least 2017, operating as a subordinate element of Iran's MOIS. Its targeting footprint spans government, military, and critical infrastructure sectors across the Middle East, the Caucasus, Central and Western Asia, South America, and Europe. Recent campaigns have struck entities in Israel, Hungary, Turkey, Saudi Arabia, the UAE, Turkmenistan, and Egypt, as well as targets in South America, a geographic scope that underscores the group's ambition and reach.
Historically, the group was characterized by a high-volume, low-sophistication style: broad spear-phishing campaigns, heavy reliance on living-off-the-land (LOTL) tactics, and abuse of legitimate remote monitoring and management (RMM) tools such as Atera, ScreenConnect, and SimpleHelp. That playbook is changing fast.
A Significant Tactical Evolution
The most striking finding in Unit 42's assessment is how deliberately Boggy Serpens has shifted its operational priorities. Where speed once trumped stealth, the group now emphasizes long-term persistence and advanced defense evasion. Several key developments define this new posture:
- AI-enhanced malware development: The group is integrating AI-assisted code generation into its malware development lifecycle, accelerating the production of custom implants with built-in anti-analysis capabilities.
- Rust-based tooling: Adoption of the Rust programming language, most notably for the BlackBeard backdoor, gives the group robust implants whose binaries are slower to reverse engineer. The analysis cost comes from what the Rust compiler emits (aggressive inlining, monomorphized generics, its own string and panic-handling idioms) and from the thinner signature and decompiler coverage that analyst tooling has for Rust compared with C/C++ malware; memory safety itself mostly benefits the operator by keeping the implant from crashing on the target.
- Diverse C2 mechanisms: Boggy Serpens leverages standard HTTP status codes, customized UDP-based traffic, and the Telegram API for command and control, making detection via traditional network signatures more difficult.
- Cross-unit coordination: Early 2025 operations revealed operational overlaps with Lyceum, a subgroup of OilRig (tracked by Unit 42 as Evasive Serpens), suggesting shared resources and intelligence coordination within the broader Iranian threat ecosystem.
The Trusted Relationship Compromise Model
Perhaps the most operationally significant shift is Boggy Serpens' adoption of a "trusted relationship compromise" model. Rather than sending phishing emails from obviously suspicious domains, the group hijacks legitimate internal accounts — often belonging to IT vendors, diplomats, or other high-credibility entities — and weaponizes the inherent trust those accounts carry.
This technique serves a dual purpose: it bypasses reputation-based email filtering and URL blocking that would flag unknown senders, and it provides a secondary social engineering prompt that makes malicious payloads appear far more convincing to the target. Once initial access is established through this method, the group deploys custom-compiled toolkits to sustain operations and maintain persistence over extended periods.
"Boggy Serpens misuses established credibility to deliver malware that evades standard reputation-based filtering... sustaining operations using custom-compiled toolkits."
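The reason this model defeats reputation filtering is that the hijacked account is the real sender: SPF and DKIM pass, the domain has history, and nothing about the envelope looks wrong. The following added example, written for this page and not Unit 42's or Palo Alto Networks' code, scores such a message on its content instead: first-seen link domains for that sender, links to installer-type files, and urgency cues. The message, the sender's link history and the file-type list are constructed assumptions.

```python
"""Added example: a message from a genuinely authenticated, trusted sender is
scored on its content, because SPF/DKIM passing is exactly what a hijacked
account produces. The message and the sender history are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed message: authentication passes because the vendor account really sent it.
SAMPLE_EML = """\
From: IT Support <helpdesk@vendor.example>
To: ops@target.example
Subject: Urgent: install the updated remote support agent
Authentication-Results: mx.target.example; spf=pass smtp.mailfrom=vendor.example; dkim=pass header.d=vendor.example
Content-Type: text/plain; charset=utf-8

Hi, as agreed on the call, please install the new support agent before Friday:
https://files-share.example/s/AbC123/support_agent.msi
Thanks, the helpdesk team
"""

# Constructed history: link domains each trusted sender has used before.
KNOWN_LINK_DOMAINS = {"helpdesk@vendor.example": {"portal.vendor.example", "docs.vendor.example"}}
# File types a remote-access agent or loader usually arrives as (assumption).
INSTALLER_EXT = (".msi", ".exe", ".zip", ".iso", ".lnk")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
URGENCY_RE = re.compile(r"\b(urgent|immediately|before friday|asap)\b")

def auth_passed(msg):
    """True when the receiving MX recorded SPF and DKIM passes for the message."""
    ar = msg.get("Authentication-Results", "")
    return "spf=pass" in ar and "dkim=pass" in ar

def assess(raw):
    """Return sender, authentication state, content findings and a verdict."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg["From"])
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    findings = []
    for url in URL_RE.findall(body):
        parts = urlparse(url)
        host, path = (parts.hostname or "").lower(), parts.path.lower()
        if host and host not in KNOWN_LINK_DOMAINS.get(sender, set()):
            findings.append(f"first-seen link domain for {sender}: {host}")
        if path.endswith(INSTALLER_EXT):
            findings.append(f"link to installer-type file: {path.rsplit('/', 1)[-1]}")
    if URGENCY_RE.search((msg["Subject"] + " " + body).lower()):
        findings.append("urgency cue in subject or body")
    authenticated = auth_passed(msg)
    if not authenticated:
        verdict = "reject"
    elif findings:
        verdict = "hold for review"  # trusted sender, untrusted content
    else:
        verdict = "deliver"
    return {"sender": sender, "authenticated": authenticated,
            "findings": findings, "verdict": verdict}

if __name__ == "__main__":
    import json
    print(json.dumps(assess(SAMPLE_EML), indent=2))
```

The point of the verdict logic is that a passing authentication result moves a message from "reject" to "inspect", never straight to "deliver"; the sender-specific link history is what catches a hijacked account whose messages otherwise look routine.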
Case Study: Four Waves Against a Maritime and Energy Target
Unit 42's report highlights a particularly illustrative campaign: a sustained, four-wave attack against a national marine and energy company in the Middle East, spanning August 2025 through February 2026. This campaign exemplifies the group's determination and operational patience.
The sequential nature of the assault — four distinct intrusion attempts against a single organization over roughly six months — reflects a threat actor willing to adapt and re-engage after setbacks rather than move on to softer targets. It also signals a heightened strategic interest in regional maritime and energy infrastructure, sectors that carry significant geopolitical weight in the Middle East.
Beyond maritime and energy, Boggy Serpens has expanded its targeting to encompass aviation and financial sectors, reflecting broader intelligence collection priorities tied to regional logistics and critical economic infrastructure.
LampoRAT and the Group's Malware Arsenal
The group's toolset has grown considerably more sophisticated. Key components observed in recent campaigns include:
- LampoRAT: A remote access trojan used for persistent access and data exfiltration from compromised hosts.
- BlackBeard backdoor: A Rust-based implant. Compiled Rust is less familiar to analysts and less well covered by existing signatures and decompiler heuristics than C/C++ malware, which makes static analysis significantly harder for defenders.
- AI-generated code: Malware components incorporating AI-written code — often featuring anti-analysis and anti-debugging routines — that accelerate development timelines and reduce reliance on traditionally detectable code patterns.
- Public offensive tooling alongside LOTL: Continued use of freely available tools such as LaZagne (credential harvesting) and CrackMapExec (credential reuse and lateral movement over SMB and WinRM), in addition to the native OS utilities that define the group's living-off-the-land style.
Historical Context: False Flags and Psychological Warfare
Boggy Serpens is not solely a data-theft operation. In February 2023, the group targeted the Technion Israel Institute of Technology, masquerading as the DarkBit ransomware gang. The attack disrupted academic infrastructure while obscuring its state-sponsored origins behind the veneer of financially motivated cybercrime. This use of false flags and intimidation tactics adds a layer of psychological warfare to the group's already potent threat profile — and serves as a reminder that "ransomware" incidents attributed to criminal actors may not always be what they appear.
Detection and Defense Recommendations
Organizations in sectors targeted by Boggy Serpens — particularly government, energy, maritime, aviation, and finance — should prioritize the following defensive measures:
- Monitor for account hijacking indicators: Unusual login locations, times, or activity patterns on trusted vendor and partner accounts warrant immediate investigation.
- Deploy behavioral detection: Signature-based defenses alone are insufficient against AI-generated and Rust-based implants. Behavioral and anomaly-based detection platforms are essential.
- Scrutinize RMM tool usage: Legitimate tools like Atera, ScreenConnect, and SimpleHelp are frequently abused; monitor for unexpected installations or usage outside of approved change windows.
- Implement advanced email security: Solutions capable of analyzing email content, sender reputation in real time, and embedded URLs are critical given the group's spear-phishing focus.
- Audit C2 traffic patterns: Look for repeated small requests to a single URL whose responses differ mainly in HTTP status code, unusual UDP flows originating from user workstations, and outbound connections to api.telegram.org from processes other than browsers or the Telegram client.
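The following added example turns four of the recommendations above into concrete rules run over constructed sample telemetry; it is written for this page and is not Palo Alto Networks' or Unit 42's detection content. The process image names, the change window, the allowed-process list and every host, account and timestamp are assumptions. Rule 3 is the status-code check: a process that requests the same URL at a fixed interval and receives near-empty responses whose status codes vary is signalling, not browsing.

```python
"""Added rules for four of the recommendations above, run over constructed
sample telemetry. Process names, windows, hosts and accounts are assumptions."""
from collections import defaultdict
from datetime import datetime, time
from statistics import mean, pstdev

# Assumed process image names for the RMM agents the page names as abused.
RMM_IMAGES = {"ateraagent.exe", "screenconnect.clientservice.exe", "remote access.exe"}
# Hypothetical approved change window: Tuesday and Thursday, 02:00-04:00 UTC.
CHANGE_WINDOWS = [({1, 3}, time(2, 0), time(4, 0))]
# Processes expected to reach the Telegram API (assumption); anything else is suspect.
TELEGRAM_OK = {"chrome.exe", "msedge.exe", "firefox.exe", "telegram.exe"}
# Trusted partner accounts whose logins get the new-country check (assumption).
VENDOR_ACCOUNTS = {"helpdesk@vendor.example"}

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def in_change_window(t):
    return any(t.weekday() in days and start <= t.time() <= end
               for days, start, end in CHANGE_WINDOWS)

def rmm_outside_window(process_events):
    """Rule 1: an RMM agent started outside an approved change window."""
    return [e for e in process_events
            if e["image"].lower() in RMM_IMAGES and not in_change_window(ts(e["ts"]))]

def telegram_from_unexpected_process(net_events):
    """Rule 2: Telegram API traffic from a process that is not a browser or client."""
    return [e for e in net_events
            if e["dst"] == "api.telegram.org" and e["process"].lower() not in TELEGRAM_OK]

def status_code_beacons(proxy_events, min_hits=5, max_jitter=0.2, max_body=64):
    """Rule 3: fixed-interval requests to one URL whose near-empty responses
    carry several different status codes, the shape of status-code C2."""
    groups = defaultdict(list)
    for e in proxy_events:
        groups[(e["host"], e["process"], e["dst"], e["path"])].append(e)
    hits = []
    for key, evs in groups.items():
        if len(evs) < min_hits:
            continue
        times = sorted(ts(e["ts"]) for e in evs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        jitter = pstdev(gaps) / mean(gaps) if mean(gaps) else 1.0
        codes = sorted({e["status"] for e in evs})
        if jitter <= max_jitter and len(codes) >= 3 and max(e["bytes"] for e in evs) <= max_body:
            hits.append({"key": key, "codes": codes, "interval_s": round(mean(gaps))})
    return hits

def vendor_logins_from_new_country(auth_events):
    """Rule 4: a trusted partner account succeeds from a country it never used
    before, a cheap first signal of the trusted-relationship compromise."""
    seen, hits = defaultdict(set), []
    for e in sorted(auth_events, key=lambda e: e["ts"]):
        if e["account"] not in VENDOR_ACCOUNTS or e["result"] != "success":
            continue
        known = seen[e["account"]]
        if known and e["country"] not in known:
            hits.append(e)
        known.add(e["country"])
    return hits

# Constructed sample telemetry. 2026-01-13 is a Tuesday, 2026-01-14 a Wednesday.
PROCESS_EVENTS = [
    {"ts": "2026-01-13 03:10:00", "host": "ws-17", "image": "ScreenConnect.ClientService.exe"},
    {"ts": "2026-01-14 22:41:00", "host": "ws-23", "image": "AteraAgent.exe"},
]
NET_EVENTS = [
    {"ts": "2026-01-14 22:41:30", "host": "ws-23", "process": "chrome.exe", "dst": "api.telegram.org"},
    {"ts": "2026-01-14 22:41:50", "host": "ws-23", "process": "winupdater.exe", "dst": "api.telegram.org"},
]
PROXY_EVENTS = [  # six pings 60 s apart with tiny bodies, then one ordinary browser request
    {"ts": f"2026-01-14 22:{m}:00", "host": "ws-23", "process": "winupdater.exe",
     "dst": "cdn-static.example", "path": "/v1/ping", "status": c, "bytes": b}
    for m, c, b in ((42, 200, 0), (43, 204, 0), (44, 404, 12), (45, 200, 0), (46, 418, 0), (47, 204, 0))
] + [{"ts": "2026-01-14 22:45:10", "host": "ws-23", "process": "chrome.exe",
      "dst": "www.example.org", "path": "/", "status": 200, "bytes": 48211}]
AUTH_EVENTS = [
    {"ts": "2026-01-05 09:00:00", "account": "helpdesk@vendor.example", "country": "DE", "result": "success"},
    {"ts": "2026-01-09 09:15:00", "account": "helpdesk@vendor.example", "country": "DE", "result": "success"},
    {"ts": "2026-01-14 21:58:00", "account": "helpdesk@vendor.example", "country": "SG", "result": "success"},
    {"ts": "2026-01-14 22:00:00", "account": "j.doe@target.example", "country": "SG", "result": "success"},
]

def run_all():
    """Hit count per rule; the rule functions themselves return the matching events."""
    return {
        "rmm_outside_window": len(rmm_outside_window(PROCESS_EVENTS)),
        "telegram_unexpected": len(telegram_from_unexpected_process(NET_EVENTS)),
        "status_code_beacons": len(status_code_beacons(PROXY_EVENTS)),
        "vendor_new_country": len(vendor_logins_from_new_country(AUTH_EVENTS)),
    }

if __name__ == "__main__":
    for rule, n in run_all().items():
        print(f"{rule}: {n} hit(s)")
```

Each rule returns the offending events so an analyst can pivot on host, process or account. The thresholds in status_code_beacons (five hits, 20% jitter, 64-byte bodies) are starting points to tune against your own baseline, and a real deployment would replace the inline lists with the CMDB, change-management records and vendor account inventory rather than hard-coded sets.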
Palo Alto Networks notes that customers are protected against the threats outlined in this assessment through Cortex XDR, Cortex XSIAM, the Cortex Advanced Email Security module, Advanced WildFire, Advanced URL Filtering, and Advanced DNS Security. The Cortex AgentiX Agentic Assistant can further accelerate investigations by surfacing contextual insights and recommended response actions.
Conclusion: A Threat Actor in Ascent
Boggy Serpens represents a clear example of a nation-state threat actor that has used the lessons of its own operational history to become significantly more dangerous. The combination of social engineering sophistication, AI-accelerated malware development, Rust-based tooling, and a patient multi-wave campaign strategy positions the group as a top-tier persistent threat to organizations across the Middle East and beyond.
The shift toward trusted relationship compromises is especially concerning: it turns the very trust infrastructure that organizations rely on — vendor relationships, internal accounts, established communication channels — into an attack vector. Defenders must assume that no communication, however apparently legitimate, is beyond scrutiny.
Organizations that believe they may have been compromised by Boggy Serpens or a related actor are encouraged to contact the Unit 42 Incident Response team immediately for expert assistance.