PhonyC2 (also known as PhonyC2) is a c2 framework active since 2023. MuddyWater custom C2. Key characteristics include: Python-based, used by MuddyWater/MOIS, custom protocol, PowerShell agents.
Overview & Background
MuddyWater custom C2. First identified in 2023, this threat is attributed to Iran (MOIS).
Threat Assessment
PhonyC2 remains an active threat. Organizations should implement detection rules and monitor for indicators associated with this c2 framework.
- Category: C2 Framework
- Active since: 2023
- Attribution: Iran (MOIS)
- Also known as: PhonyC2
Technical Analysis
PhonyC2 employs the following capabilities and techniques:
- Python-Based: Core functionality
- Used By Muddywater/Mois: Core functionality
- Custom Protocol: Core functionality
- Powershell Agents: Core functionality
MITRE ATT&CK Mapping
| Tactic | Technique | Usage |
|---|---|---|
| Initial Access | T1566.001 Phishing Attachment | Common delivery vector |
| Execution | T1204.002 Malicious File | User-triggered execution |
| Persistence | T1547.001 Registry Run Keys | Autostart persistence |
| Defense Evasion | T1027 Obfuscated Files | Payload obfuscation |
| C2 | T1071.001 Web Protocols | HTTP/HTTPS C2 |
Detection & Defense
- Endpoint detection: Deploy behavioral detection rules for PhonyC2 indicators
- Network monitoring: Monitor for C2 traffic patterns and anomalous connections
- Threat intelligence: Track PhonyC2 IOCs and campaign updates
- Security awareness: Train users to recognize phishing and social engineering
- Patch management: Keep systems updated to prevent exploitation
Defend Against PhonyC2
Mjolnir Security provides detection and response capabilities against PhonyC2 and similar threats.
Threat DetectionIncident ResponseThreat HuntingMDR ServicesThreat Intelligence
- Proactive Threat Hunting Hunt for PhonyC2 indicators and TTPs within your environment.
- Threat Intelligence Monitor PhonyC2 campaigns and infrastructure changes.
- 24/7 Incident Response Rapid containment and forensic investigation. Call +1 833 403 5875.
Written by: Mjolnir Security | Published: October 18, 2025
Stay ahead of emerging threats. Get notified when we publish new intelligence reports and advisories.
Subscribe to Alerts