BugSleep

This is a defensive tool-intelligence page. It is intended for analyst navigation, source review, and hunt planning. It is not a malware-analysis report and does not contain sample code or binaries.

Summary

Associated actor(s): MuddyWater
Tool type(s): Backdoor
Confidence level(s): High
Source ID(s): SRC-CP-BUGSLEEP

Behavior

Actor	Behavior Summary
MuddyWater	Check Point reports BugSleep as a MuddyWater backdoor under active development; reported behavior includes victim fingerprinting, command execution, file upload/download, persistence-oriented check-ins, and follow-on C2 after phishing-led access.

Hash And IOC Status

Actor	Status	Reference
MuddyWater	Hash not committed from source page; use Check Point IOC appendix/current report if sample-level matching is required.	`SRC-CP-BUGSLEEP`

Hashes and IOCs on this page are source pointers or representative public indicators. They SHOULD be refreshed from the linked source before operational use and MUST NOT be used alone for actor attribution.

Defensive Hunting Notes

Actor	Hunting Notes
MuddyWater	Hunt MuddyWater phishing-to-loader chains, new scheduled tasks or recurring check-ins, suspicious file transfer from user endpoints, and C2 from hosts that recently executed lure-delivered payloads.

Handling Notes

Actor	Handling Notes
MuddyWater	Prefer behavior and source context; do not build actor attribution from BugSleep hash or family name alone.

Crosslinks

MuddyWater: profile, workbench, tool matrix
Detection status: Detection Status Dashboard
Hunt workflow: Hunt Workflow

Mapped ATT&CK Techniques For Associated Actor(s)

Actor	Technique	Tactic	Mapping Quality	Source
MuddyWater	T1566 Phishing	Initial Access	M2	`SRC-MITRE-G0069`
MuddyWater	T1059.001 PowerShell	Execution	M2	`SRC-MITRE-G0069`
MuddyWater	T1219 Remote Access Software	Command and Control	M3	`SRC-MITRE-G0069`
MuddyWater	T1567.002 Exfiltration to Cloud Storage	Exfiltration	M2	`SRC-THREAT-HUNTER-V3`

These detections are mapped through the associated actor or scenario and are not automatically tool-specific. Promote a tool-specific detection only after the behavior is tied to telemetry and test evidence.

Actor	Detection	Release Status	DRL	Rule
MuddyWater	DET-002 - Suspicious RMM Installer Download From User Context	Pilot	6	detections/sigma/suspicious-rmm-file-sharing-download.yml
MuddyWater	DET-004 - Mail Click To Execution Correlation	Hunt	4	detections/kql/mail-click-to-exec-correlation.kql

These hunts are mapped through the associated actor or scenario and may need narrowing before they are used for this specific tool.

Actor	Hunt	Hypothesis	Query
MuddyWater	HUNT-002	If MuddyWater-style RMM abuse is active then unauthorized RMM execution will appear from user-controlled paths	detections/kql/suspicious-rmm-file-sharing-download.kql
MuddyWater	HUNT-004	If VIP phishing is active then mail click events will correlate to risky sign-in or execution	detections/kql/mail-click-to-exec-correlation.kql

Source Review

Source	Publisher	Date	Reliability	Type	Last Reviewed
`SRC-CP-BUGSLEEP`	Check Point Research	2024-07-15	A	Vendor CTI	2026-05-14

If a source publishes a large or frequently changing IOC appendix, keep the current IOC list in the source system or TIP and store only the pointer here.

Summary​

Behavior​

Hash And IOC Status​

Defensive Hunting Notes​

Handling Notes​

Crosslinks​

Mapped ATT&CK Techniques For Associated Actor(s)​

Related Actor-Level Repository Detections​

Related Actor-Level Hunts​

Source Review​