{"description": "Enterprise techniques used by MuddyViper, ATT&CK software S9032 (v1.0)", "name": "MuddyViper (S9032)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [
{"techniqueID": "T1071", "showSubtechniques": true},
{"techniqueID": "T1071.001", "comment": "[MuddyViper](https://attack.mitre.org/software/S9032) has used HTTP GET requests over port 443 with the WINHTTP_FLAG_SECURE flag set, so that the WinHTTP API wraps the traffic in SSL/TLS.(Citation: ESET_MuddyWater_Dec2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1560", "comment": "[MuddyViper](https://attack.mitre.org/software/S9032) has archived collected web browser data into a file named CacheDump.zip.(Citation: ESET_MuddyWater_Dec2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1547", "showSubtechniques": true},
{"techniqueID": "T1547.001", "comment": "[MuddyViper](https://attack.mitre.org/software/S9032) has the ability to establish persistence by making its installation directory the Windows Startup folder: it sets both the `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Startup` and the `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Startup` Registry values to `%APPDATALOCAL%\\Microsoft\\Windows\\PPBCompatCache\\ManagerCache`.(Citation: ESET_MuddyWater_Dec2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1059", "comment": "[MuddyViper](https://attack.mitre.org/software/S9032) has launched a reverse shell using a provided command line.(Citation: ESET_MuddyWater_Dec2025)", "score": 1, "showSubtechniques": true},
{"techniqueID": "T1059.001", "comment": "[MuddyViper](https://attack.mitre.org/software/S9032) has used PowerShell.exe to launch a reverse shell.(Citation: ESET_MuddyWater_Dec2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1059.003", "comment": "[MuddyViper](https://attack.mitre.org/software/S9032) has used cmd.exe to launch a reverse shell.(Citation: ESET_MuddyWater_Dec2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1678", "comment": "[MuddyViper](https://attack.mitre.org/software/S9032) has the ability to sleep for a specified amount of time, one minute by default.(Citation: ESET_MuddyWater_Dec2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1140", "comment": "[MuddyViper](https://attack.mitre.org/software/S9032) has decrypted the embedded HackBrowserData tool prior to execution.(Citation: ESET_MuddyWater_Dec2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1573", "showSubtechniques": true},
{"techniqueID": "T1573.001", "comment": "[MuddyViper](https://attack.mitre.org/software/S9032) has the ability to encrypt C2 communication with AES-CBC via the CNG API, using the key `0608101047106453101617106423101013101012101083109710108585106969` and the initialization vector `0`.(Citation: ESET_MuddyWater_Dec2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1041", "comment": "[MuddyViper](https://attack.mitre.org/software/S9032) has uploaded files to the C2 server. Additionally, [MuddyViper](https://attack.mitre.org/software/S9032) has the ability to upload a specified file in chunks, sleeping between chunks.(Citation: ESET_MuddyWater_Dec2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1105", "comment": "[MuddyViper](https://attack.mitre.org/software/S9032) has the ability to download files from the C2 server. Additionally, [MuddyViper](https://attack.mitre.org/software/S9032) has the ability to download a file in chunks, sleeping between chunks.(Citation: ESET_MuddyWater_Dec2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1056", "showSubtechniques": true},
{"techniqueID": "T1056.002", "comment": "[MuddyViper](https://attack.mitre.org/software/S9032) has displayed a fake Windows Security dialog to gather credentials.(Citation: ESET_MuddyWater_Dec2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1112", "comment": "[MuddyViper](https://attack.mitre.org/software/S9032) has the ability to clear the Windows Startup folder Registry values that it previously set for persistence.(Citation: ESET_MuddyWater_Dec2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1106", "comment": "[MuddyViper](https://attack.mitre.org/software/S9032) has the ability to relaunch itself using the `CreateProcessW` API.(Citation: ESET_MuddyWater_Dec2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1057", "comment": "[MuddyViper](https://attack.mitre.org/software/S9032) has the ability to collect a list of running processes.(Citation: ESET_MuddyWater_Dec2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1620", "comment": "[MuddyViper](https://attack.mitre.org/software/S9032) has reflectively loaded the decrypted HackBrowserData tool in a new thread.(Citation: ESET_MuddyWater_Dec2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1053", "showSubtechniques": true},
{"techniqueID": "T1053.005", "comment": "[MuddyViper](https://attack.mitre.org/software/S9032) has the ability to establish persistence by creating a scheduled task named ManageOnDriveUpdater that launches it at system startup.(Citation: ESET_MuddyWater_Dec2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1518", "showSubtechniques": true},
{"techniqueID": "T1518.001", "comment": "[MuddyViper](https://attack.mitre.org/software/S9032) has the ability to check the compromised environment for a specified list of security tools.(Citation: ESET_MuddyWater_Dec2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}
], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by MuddyViper", "color": "#66b1ff"}]}