STARWHALE
Starwhale, also referred to as Canopy, is a MuddyWater malware family publicly documented in joint advisory AA22-055A and associated with the Iranian Ministry of Intelligence and Security (MOIS). It has been distributed via spearphishing, including malicious Excel attachments such as Cooperation terms.xls that rely on victim execution. Starwhale is a Windows Script File/VBScript-based backdoor that can collect host information including local IP address, computer name, and username; collect additional data from the infected host; hex-encode or otherwise custom-encode collected data; and exfiltrate that data to command-and-control servers over HTTP POST. Reported samples stored command output in %TEMP%\stari.txt and sent encoded results back to C2. Starwhale communicates with hardcoded C2 infrastructure, receives commands for execution via cmd.exe, and returns command output to the operator. For persistence, observed samples created a Windows service named Windowscarpstss using sc.exe to launch cscript.exe against c:\windows\system32\w7_1.wsf with a VBScript GetRef-based mechanism and auto-start under LocalSystem. Reported C2 and related infrastructure in the provided content includes 88.119.170.124 and 5.199.133[.]149.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
MuddyWater also uses Canopy/Starwhale malware, likely distributed via spearphishing emails with targeted attachments.
"STARWHALE communicates with its C2 server, which is hardcoded in the malware... The C2 server will then respond with a command meant to be executed via cmd.exe"
Techniques & procedures
18 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
Initial Access
As part of its spearphishing campaign, MuddyWater attempts to coax their targeted victim into downloading ZIP files, containing either an Excel file with a malicious macro that communicates with the actor’s C2 server or a PDF file that drops a malicious file to the victim’s network [T1566.001, T1204.002].
Execution
3 techniques
Execution
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
The content repeatedly describes threat actors and malware using VBScript, VBS, VBA macros, and Visual Basic code for execution, payload delivery, persistence, reconnaissance, and command execution.
Sandworm Team leveraged Microsoft Office attachments which contained malicious macros that were automatically executed once the user permitted them... APT29 has used various forms of spearphishing attempting to get a user to open attachments... DarkGate is distributed through phishing links to VBS or MSI objects requiring user interaction for execution.
Persistence
2 techniques
Persistence
During the 2016 Ukraine Electric Power Attack, Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer. They also replaced the ImagePath registry value of a Windows service with a new backdoor binary.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
Privilege Escalation
2 techniques
Privilege Escalation
During the 2016 Ukraine Electric Power Attack, Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer. They also replaced the ImagePath registry value of a Windows service with a new backdoor binary.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
Stealth
2 techniques
Stealth
The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.
Discovery
3 techniques
Discovery
The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
Collection
3 techniques
Collection
The content repeatedly describes threat actors and malware collecting, stealing, identifying, copying, or staging files, documents, credentials, logs, databases, and other information from compromised hosts or local systems.
Command and Control
3 techniques
Command and Control
The content repeatedly describes threat actors and malware using HTTP and HTTPS for command and control, such as: "Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP post requests."
Exfiltration
1 technique
Exfiltration
ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
IOCs tracked for this family
22 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
22 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A MuddyWater-associated malware/tool documented in U.S. government advisory AA22-055A.
Malware executed through a malicious Excel file.
Malware that can hex-encode collected data from infected hosts.
Malware that can hex-encode collected data from infected hosts.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.