DarkBeatC2
DarkBeatC2 is a backdoor/C2 malware associated with the Iranian threat actor MuddyWater (also tracked as Static Kitten and linked to Iran’s MOIS). DarkBeatC2 is part of MuddyWater’s malware arsenal alongside PhonyC2, MuddyC2Go, PowerStats, and MoriAgent. It was reportedly used in 2024 phishing campaigns targeting Israeli entities, including operations described as using DarkBeatC2 together with the BugSleep backdoor. The supporting material ties its use to phishing-based intrusion activity against Israeli targets; no additional technical execution details, persistence mechanisms, or indicators of compromise specific to DarkBeatC2 are provided.
Groups observed using it
1 distinct threat actor attributed by public researchers.
Beyond using RMM software, "the attackers possess a vast arsenal of other malicious programs, including DarkBeatC2, PhonyC2, MuddyC2Go, PowerStats and MoriAgent," 360 said at the time.
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
Multiple Iran-nexus APT groups are described as using spear-phishing: e.g., Charming Kitten uses “spear-phishing with fake personas and compromised emails… phishing via benign PDFs for credential harvesting”; several others use “spear-phishing with malicious documents/attachments/links.”
Recent activity
4 sources tracked across advisories, community write-ups, and news.
Backdoor used in phishing campaigns to provide command-and-control capability and persistence.
A malicious program in MuddyWater's arsenal used for command-and-control purposes.
Backdoor malware used by Static Kitten (MuddyWater) for persistent access and espionage.
Named command-and-control framework referenced in relation to MuddyWater activity and potential collaboration/hand-off between Iranian threat actors.