NEWS Online trust is officially dead - MuddyWater is hijacking diplomatic emails to send malware impersonating your colleagues.

pinkman

The antivirus says “everything is legitimate,” but a hacker from Tehran is already viewing the desktop through a Rust Trojan.
The Iranian group Boggy Serpens, better known as MuddyWater, has noticeably changed its operating style over the past year. While its early campaigns were associated mainly with mass phishing, high-profile emails and relatively simple techniques, analysts now face a different adversary. The group still relies on social engineering, but it has added more sophisticated network persistence, new malicious tools, and even signs that its tooling is being developed with generative AI. The targeting is particularly alarming: diplomatic structures and critical sectors, including energy, maritime infrastructure and finance, remain the focus.

Boggy Serpens is linked to the Iranian Ministry of Intelligence and Security. The group's activity has been traced back to at least 2017. Over the years, its operators have attacked government agencies, military organizations, and companies in sensitive sectors in the Middle East, the Caucasus, Central and Western Asia, South America, and Europe. However, the new operations are particularly marked by a shift from brute force to more patient and targeted infiltration.

Researchers note that the key element of the strategy is compromising trusted connections. Instead of breaching the external perimeter from suspicious addresses and obviously malicious domains, attackers are increasingly hijacking legitimate internal accounts and sending malicious emails from them. This scheme offers several advantages: the email comes from a known sender, passes through some trust filters, and appears to the victim as normal internal correspondence. At the next stage a second layer of deception is introduced: a document with a convincing cover story intended to get the employee to execute the malicious code.

Over the past year, the group has used this approach in more than 15 attacks worldwide. One notable incident occurred in August 2025, when the attackers exploited a compromised email account at the Omani Ministry of Foreign Affairs and used it to send documents to other foreign affairs agencies. The messages were disguised as official diplomatic correspondence. In another instance, on January 6, 2026, the attackers carried out a targeted operation against a major telecom provider in Turkmenistan. An internal company account was used to distribute the file Cybersecurity.doc. A similar scheme was also used in November 2025 against Israeli organizations, where the group used hijacked internal email accounts to distribute decoys disguised as webinar invitations and personnel documents.

The problem for defenders in this scheme is quite specific. When an email is sent from a genuine internal account, spam filters often fail to treat it as spam at all. The study cites an SCL rating of -1 for such messages (Microsoft's Spam Confidence Level, where -1 means the message skipped spam filtering because the sender was considered safe or internal). This level of trust effectively lets the email bypass standard filtering, because the system considers the sender authenticated and legitimate.

Boggy Serpens' phishing documents have also changed. The group is increasingly moving away from generic lures and toward emails and attachments tailored to a specific department, position, or work context. This approach is particularly evident in the campaign against the national maritime and energy company in the UAE. Between August 2025 and February 2026, researchers recorded four separate waves of attacks against the same organization. This level of persistence suggests not a random attempt, but a targeted mission to infiltrate regional maritime and engineering infrastructure.

The first wave occurred on August 16, 2025, and targeted project engineers. The malicious document used specialized language related to underwater pipelines. The file itself was displayed blurred, enticing the victim to click the "Enable Content" button and thereby activate an embedded macro. This is an old but still effective technique: the employee sees a seemingly corrupted document, receives a clear visual explanation of the problem, and then executes the malicious code while simply hoping to open the contents.

The second wave, recorded on January 30, 2026, targeted the financial and logistics sectors. This time the attackers used an Excel file mimicking the company's internal financial records. The lure included references to Engineering, Construction & Marine Services, the local currency AED, and plausible transaction codes like "Payroll Payments via WPS." In other words, the document didn't just look like an accounting document: it was filled with details that made it look natural to someone in finance or procurement.

That same day, a third wave occurred, this time using a more personalized approach. The attackers sent a fake Air Arabia flight booking confirmation in Word document format to someone associated with the company. The decoy contained the passenger's name, flight route, and Corporate Fare category. This level of detail was unlikely to have been a coincidence. Researchers believe the data could have been collected during a previous compromise, for example, through stolen emails, business itineraries, or internal documents. It's particularly telling that the airline ticket was sent as a Word file, not a standard PDF. While the social engineering in this email appeared sophisticated, the technical delivery method created additional red flags for attentive users or automated sandboxing. In this wave, the group deployed a new malware family, GhostBackDoor, previously described by Group-IB.

The fourth wave followed on February 11, 2026. This time an Excel file named "Consumption Report (Jan 21 2025 - Feb 20 2026).xls" was used. The general pattern of lure and macros remained recognizable, but in the final stage of infection the group was already delivering a different payload module: the Nuso family. This is a proprietary HTTP backdoor used for reconnaissance and remote command execution, but its internal logic differs significantly from earlier Boggy Serpens tools.

Nuso is interesting for several reasons. Instead of the usual import table through which Windows programs typically obtain the addresses of the necessary API functions, the malware dynamically calculates these addresses during execution. This technique is inconvenient for analysts and security tools, as it makes the code less transparent. Even more unusual is its control via HTTP response codes. In normal web traffic, codes like 200, 404, or 500 simply describe the request status. In Nuso, these values are transformed into commands. For example, 201 and 204 launch a remote shell, 210 and 222 change the command-and-control server polling interval, and 350 and 404 stop execution. System information is sent over HTTP or HTTPS, but packaged in non-standard headers like X-Computer-Name and X-Username, with additional transformations.
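A defender-side illustration of the Nuso traits described above, written for this post and not taken from the report or the malware: it scans constructed proxy-log records for beacons carrying the X-Computer-Name / X-Username request headers and maps the response status to the documented command codes. The hostnames, IP addresses and record layout are all assumptions.

```python
"""Detection example for Nuso-style HTTP C2: beacon headers plus
status-code commands. Added illustration; all sample data is constructed."""
from collections import defaultdict
from datetime import datetime

# Status-code-to-command mapping as described in the report.
NUSO_COMMANDS = {
    201: "launch remote shell", 204: "launch remote shell",
    210: "change polling interval", 222: "change polling interval",
    350: "stop execution", 404: "stop execution",
}
SUSPICIOUS_HEADERS = {"x-computer-name", "x-username"}

# Constructed sample proxy records (not real traffic), one per request.
SAMPLE_LOG = [
    {"ts": "2026-02-11T08:00:00", "src": "10.0.5.21", "host": "cdn.example.net",
     "status": 200, "headers": {"User-Agent": "Mozilla/5.0"}},
    {"ts": "2026-02-11T08:00:05", "src": "10.0.5.44", "host": "update.example.org",
     "status": 200, "headers": {"X-Computer-Name": "WS-ENG-07", "X-Username": "j.doe"}},
    {"ts": "2026-02-11T08:01:05", "src": "10.0.5.44", "host": "update.example.org",
     "status": 201, "headers": {"X-Computer-Name": "WS-ENG-07", "X-Username": "j.doe"}},
    {"ts": "2026-02-11T08:02:05", "src": "10.0.5.44", "host": "update.example.org",
     "status": 404, "headers": {"X-Computer-Name": "WS-ENG-07", "X-Username": "j.doe"}},
    {"ts": "2026-02-11T08:03:00", "src": "10.0.5.21", "host": "cdn.example.net",
     "status": 404, "headers": {"User-Agent": "Mozilla/5.0"}},
]

def beacon_headers(record):
    """Return the Nuso-style header names present in a request (lower-cased)."""
    return sorted(h.lower() for h in record["headers"] if h.lower() in SUSPICIOUS_HEADERS)

def flag_nuso_like(records):
    """Alert on requests that carry the beacon headers. A 404 alone is normal
    web traffic; a 404 on a beaconing session is a 'stop' command."""
    alerts = []
    for r in records:
        hdrs = beacon_headers(r)
        if not hdrs:
            continue
        cmd = NUSO_COMMANDS.get(r["status"], "none (acknowledged beacon)")
        alerts.append({"src": r["src"], "host": r["host"], "status": r["status"],
                       "headers": hdrs, "command": cmd})
    return alerts

def polling_intervals(records):
    """Seconds between consecutive beacons per (src, host). A steady interval
    that shifts after a 210/222 response matches the behaviour described."""
    seen = defaultdict(list)
    for r in records:
        if beacon_headers(r):
            seen[(r["src"], r["host"])].append(datetime.fromisoformat(r["ts"]))
    return {k: [int((b - a).total_seconds()) for a, b in zip(v, v[1:])]
            for k, v in seen.items()}

if __name__ == "__main__":
    for a in flag_nuso_like(SAMPLE_LOG):
        print(a)
    print(polling_intervals(SAMPLE_LOG))
```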

Using the metadata of debug PDB paths, researchers also traced the evolution of Nuso. The second and third versions feature the user profile "nuso," and filenames show a shift from the erroneous "Analyzor" to the more accurate "Analyser." This may seem like a small detail, but it's useful for attribution: it suggests a single developer maintains and refines the codebase over time.

In addition to Nuso, Boggy Serpens' arsenal includes Phoenix, UDPGangster, BlackBeard, and LampoRAT. Research shows that the group maintains parallel development pipelines and doesn't rely on a single tool. This approach increases campaign resilience: if one track is discovered and some indicators are detected, another can continue to operate.

The mass mailing platform deployed by the operators on their own infrastructure deserves special attention. On October 3, 2025, analysts discovered the web interface of a Python server running on port 5000 at IP address 157.20.182[.]75. This interface allowed users to upload recipient lists, specify the sender address, email subject, HTML message body and SMTP server settings, add attachments, view the results, and initiate sending. The tool shows that the group's phishing has long since ceased to be a rudimentary operation run from a single email client: this is a fully-fledged mailing orchestration system, fine-tuned for specific campaigns.

Regarding malicious documents, the group has developed a two-stage deception scheme. First, the attackers hijack an internal or trusted account to prevent the victim from suspecting a trick from the sender. Then, the attachment is opened, where the user is prompted to click Enable Content or Enable Editing. The document is intentionally displayed blurry and accompanied by a message claiming to have been created in an older version of Word or Excel. Once the user activates the macro, the overlay disappears, the document becomes readable, and the malicious payload simultaneously runs in the background. The instant "fix" of the document acts as a psychological deception: the user sees the problem as if it has been resolved and is less likely to realize that the next stage of infection has already begun.

Forensic analysis revealed that these documents are backed by a robust VBA builder, which the group has used repeatedly. Researchers identify two lines of development: Phoenix Lineage, which delivers fully functional backdoors, and UDPGangster Operations, which employs lighter, simpler implants. Despite the differences in payload, important overlaps were found between the tracks: the same decryption key and the same novaservice.exe path. This set of overlaps links both lines of development to a common team.

In early versions of the macros, the payload was hidden not directly in the code but in the properties of interface elements, such as UserForm1.TextBox1, as a hexadecimal string. The script then extracted and decoded the contents, wrote the file under an innocuous .log or .txt extension, quickly renamed it to .exe, and launched it via the Windows API. This technique helps bypass some simple checks on writing executable files. Later versions added their own encryption, launched via WMI or CreateProcessW instead of standard shells, and introduced primitive but effective delays. One variant, for example, ran the processor through over 100 million operations in nested mathematical loops. Such code is meaningless to a human reader, but an automated sandbox may simply give up waiting and terminate the analysis before the malware moves on to the next stage.
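The write-then-rename-then-launch chain above is easy to miss if each event is judged alone, so here is an added correlation example (not code from the report) over a constructed EDR-style event stream: an Office process writes a .log/.txt file, that file is renamed to .exe, and the .exe is then started by Office or by WMI. Process names, paths and the 120-second window are assumptions.

```python
"""Added detection example for the macro drop chain: Office writes .log/.txt,
renames it to .exe, then launches it (directly or via WMI). Sample events are
constructed, not real telemetry."""
from datetime import datetime, timedelta

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Launch parents the text mentions as alternatives to a normal shell.
INDIRECT_LAUNCHERS = {"wmiprvse.exe"} | OFFICE
BENIGN_EXT = (".log", ".txt")
WINDOW = timedelta(seconds=120)   # assumed: rename and launch follow the write quickly

# Constructed sample events (not real telemetry).
EVENTS = [
    {"ts": "2026-02-11T09:10:00", "type": "FileCreate", "proc": "excel.exe",
     "path": r"C:\Users\j.doe\AppData\Local\Temp\report.log"},
    {"ts": "2026-02-11T09:10:02", "type": "FileRename", "proc": "excel.exe",
     "old": r"C:\Users\j.doe\AppData\Local\Temp\report.log",
     "path": r"C:\Users\j.doe\AppData\Local\Temp\report.exe"},
    {"ts": "2026-02-11T09:10:03", "type": "ProcessCreate", "proc": "wmiprvse.exe",
     "image": r"C:\Users\j.doe\AppData\Local\Temp\report.exe"},
    {"ts": "2026-02-11T09:15:00", "type": "FileCreate", "proc": "winword.exe",
     "path": r"C:\Users\j.doe\Documents\notes.txt"},   # benign: never renamed
]

def _t(e):
    return datetime.fromisoformat(e["ts"])

def find_drop_chains(events):
    """Correlate FileCreate(.log/.txt by Office) -> FileRename(to .exe) ->
    ProcessCreate(of that .exe) within WINDOW; one finding per complete chain."""
    findings = []
    writes = [e for e in events if e["type"] == "FileCreate"
              and e["proc"].lower() in OFFICE and e["path"].lower().endswith(BENIGN_EXT)]
    for w in writes:
        renames = [e for e in events if e["type"] == "FileRename"
                   and e["old"].lower() == w["path"].lower()
                   and e["path"].lower().endswith(".exe")
                   and timedelta(0) <= _t(e) - _t(w) <= WINDOW]
        for r in renames:
            launches = [e for e in events if e["type"] == "ProcessCreate"
                        and e["image"].lower() == r["path"].lower()
                        and e["proc"].lower() in INDIRECT_LAUNCHERS
                        and timedelta(0) <= _t(e) - _t(r) <= WINDOW]
            for l in launches:
                findings.append({"writer": w["proc"], "dropped": w["path"],
                                 "renamed_to": r["path"], "launched_by": l["proc"],
                                 "seconds": int((_t(l) - _t(w)).total_seconds())})
    return findings

if __name__ == "__main__":
    for f in find_drop_chains(EVENTS):
        print(f)
```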

UDPGangster operates in parallel and also entered the campaigns through Microsoft Office documents with VBA macros. The family's main feature is its use of UDP instead of the more common HTTP or HTTPS. This protocol often fits less well into standard network monitoring models and allows for more unconventional control. The malware can receive commands, steal data, and load new modules. It also contains anti-analysis checks to prevent it from running in research environments.

Using PDB paths, researchers were able to associate individual UDPGangster variants with specific geographies and sectors. One sample targeted aviation in Israel and contained a path with the "gangster" profile. Another was associated with the financial sector in Azerbaijan and contained the "piper" profile. A third belonged to the Israeli telecom sector and bore the name "surge." This level of detail isn't conclusive, but it does provide a rare glimpse into the internal organization of the campaigns and how developers or operators tag builds for different purposes.

A particularly valuable part of the study was observing live operator activity within a controlled test environment. Approximately 12 hours after the first heartbeat connections to the command and control server, the attacker began interacting manually with the simulated victim. Around 7:30 AM CST, which corresponds to 5:00 PM Tehran time, a command with the 0x0A byte prefix arrived at the host. This created a named pipe, through which a shell was then launched. Manual reconnaissance followed: nslookup ad, ipconfig /all, listing the C:\users directory and a specific user's desktop, and the quser command. This sequence demonstrates an important point: after the automated infection, a human is involved, assessing the host's value in real time rather than simply relying on a pre-written script. The researchers also noticed a packet with the 0x0B byte, for which the analyzed malware version had no handler. There are two possible explanations: either the operator made an input error, or another build with a different command set was involved in the operation.

Another new tool in the group's arsenal is LampoRAT, also known as Olalampo. This is a Rust-based remote access Trojan used in a recent campaign against a UAE-based maritime and energy company. The sample disguised itself as avp.exe, a Kaspersky Anti-Virus process, and even included the "Kaspersky" string in the file's metadata. LampoRAT doesn't appear to be a complex piece of malware; it's essentially a lightweight command shell executor. After infection, the program uses a hardcoded Telegram bot token, waits for a command, hands it to its command handler, and executes it via the command line: cmd.exe /e:ON /v:OFF /d /c <payload>. The result is then returned to the attacker's chat via the Telegram Bot API.

This command and control channel is convenient for two reasons. First, malicious traffic is mixed with regular HTTPS traffic to Telegram. Second, attackers don't need to deploy their entire infrastructure stack for each small command. The name of the bot itself is also interesting: stager_51_bot. In offensive operations, a stager typically refers to a lightweight initial module that is designed to gain a foothold and then pull in other components. The number 51 may indicate a series of similar bots, distributed across campaigns or targets.

Analysts also found another curious trace in LampoRAT: the possible use of generative AI during development. The command dispatcher contains strings with emojis like ✅ CD to and ❌ CD error:. This style is unusual for typical malicious code. Malware authors usually choose simple ASCII markers like [+] or ERROR: to avoid unnecessary uniqueness and display issues. Large language models, however, often insert such icons by default when generating command-line interfaces or Telegram bots. For the researchers, this artifact was a strong indirect indication that Boggy Serpens uses generative AI to assemble new variants of its tools more quickly.

The shift to Rust is also evident in BlackBeard, another backdoor from the group. Israel's National Cyber Directorate has already tracked this tool as a separate family. The choice of Rust here isn't just a matter of fashion. A memory-safe language complicates some typical reverse engineering techniques while simultaneously helping to release new builds faster. In the case of BlackBeard, the intermediate C++ loader already contains traces linking it to the Phoenix family. The loader then decrypts the final Rust payload using an XOR key and executes it in memory using process hollowing, where the malicious code is injected into a legitimate process.

BlackBeard's final payload first scans the %PROGRAMDATA% directory for over 15 security products. The malware then contacts the stratioai[.]org domain via the reqwest Rust library, encrypts system data with AES-256-GCM, and transmits it in the Expires HTTP header. Commands are again transmitted via HTTP status codes. Values 201 and 202 force the malware to dump decrypted content to C:\ProgramData\WebDeepPlayer.scr, and status code 418 terminates the attack. Persistence is achieved via a dummy .wdlp extension registered in the registry at HKCU\Software\Classes\.wdlp, which is linked to WebDeepPlayer.scr. After this, the Oregon.wdlp file in the startup folder is sufficient for the infection to reappear after a reboot.

The overall conclusion of the report is quite stark. Boggy Serpens can no longer be described as a group that relies solely on the volume of emails and the simplicity of its tactics. Over the past year, the operators have significantly improved their technical capabilities, established parallel development pipelines, started using Rust, added features of AI acceleration, expanded their mass mailing infrastructure, and focused on compromising trusted relationships. At the same time, their targets remain strategic: diplomacy, energy, maritime logistics, finance, aviation, and telecom.

This profile is particularly dangerous because the group is able to combine three elements that, taken separately, pose a serious risk. First, they employ credible social engineering, precisely tailored to the department, position, and work context. Second, they employ stealthy and flexible malicious tools designed to persist online. Third, they employ the hijacking of legitimate accounts, which undermines the traditional trust model in corporate email. As long as a company relies solely on sender reputation and basic spam filters, this scheme will continue to work.

Therefore, protecting against Boggy Serpens requires a deeper look. You'll need to evaluate not only the sender's address, but also behavioral anomalies, process chains, macro execution, file writing and renaming, memory injections, suspicious UDP connections, and non-standard HTTP scenarios. Otherwise, the next stage of infection will occur before the infrastructure even realizes the email was suspicious.