1. Home
  2. Groups
  3. MuddyWater

MuddyWater

MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).[1] Since at least 2017, MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, finance, defense, and oil and natural gas organizations, in the Middle East (specifically the UAE and Saudi Arabia), Asia, Africa, Europe, and North America. MuddyWater has reused domains dating back to October 2025, and has a preference for NameCheap and Hosterdaddy Private Limited (AS136557). In late 2025 and early 2026, MuddyWater used commercial satellite internet (i.e., Starlink) for command and control (C2) communication. [2][3][4][5][6][7][8][9][10][11][12][13]

ID: G0069
Associated Groups: Earth Vetala, MERCURY, Static Kitten, Seedworm, TEMP.Zagros, Mango Sandstorm, TA450, MuddyKrill
Contributors: Daniyal Naeem, BT Security; Marco Pedrinazzi, @pedrinazziM; Ozer Sarilar, @ozersarilar, STM; Dragos Threat Intelligence
Version: 7.0
Created: 18 April 2018
Last Modified: 12 May 2026

Associated Group Descriptions

Name Description
Earth Vetala

[14]
MERCURY

[15]
Static Kitten

[15][14]
Seedworm

[5][15][14]
TEMP.Zagros

[16][15][14]
Mango Sandstorm

[17]
TA450

[18]
MuddyKrill

[19]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

MuddyWater uses various techniques to bypass UAC.[6][11]
Enterprise T1087 .002 Account Discovery: Domain Account

MuddyWater has used cmd.exe net user /domain to enumerate domain users.[14]
Enterprise T1583 .001 Acquire Infrastructure: Domains

MuddyWater has established domains, some of which appeared to spoof legitimate domains for use in operations.[11]

.006 Acquire Infrastructure: Web Services

MuddyWater has used file sharing services including OneHub, Sync, and TeraBox to distribute tools.[15][14][18][12]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

MuddyWater has used HTTP for C2 communications.[7][14]
Enterprise T1560 .001 Archive Collected Data: Archive via Utility

MuddyWater has used the native Windows cabinet creation tool, makecab.exe, likely to compress stolen data to be uploaded.[5]
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

MuddyWater has added Registry Run key KCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemTextEncoding to establish persistence.[16][20][21][8][14][10]
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

MuddyWater has used PowerShell for execution.[16][22][20][5][6][21][8][14][9][10][11]
.003 Command and Scripting Interpreter: Windows Command Shell

MuddyWater has used a custom tool for creating reverse shells.[5]
.005 Command and Scripting Interpreter: Visual Basic

MuddyWater has used VBScript files to execute its POWERSTATS payload, as well as macros.[16][22][20][5][6][7][8][14][10]
.006 Command and Scripting Interpreter: Python

MuddyWater has developed tools in Python including Out1.[14]
.007 Command and Scripting Interpreter: JavaScript

MuddyWater has used JavaScript files to execute its POWERSTATS payload.[6][16][9]
Enterprise T1555 Credentials from Password Stores

MuddyWater has performed credential dumping with LaZagne and other tools, including by dumping passwords saved in victim email.[4][5][14]
.003 Credentials from Web Browsers

MuddyWater has run tools including Browser64 to steal passwords saved in victim web browsers.[5][14]
Enterprise T1132 .001 Data Encoding: Standard Encoding

MuddyWater has used tools to encode C2 communications including Base64 encoding.[7][14]
Enterprise T1074 .001 Data Staged: Local Data Staging

MuddyWater has stored a decoy PDF file within a victim's %temp% folder.[10]
Enterprise T1140 Deobfuscate/Decode Files or Information

MuddyWater has decoded base64-encoded PowerShell, JavaScript, and VBScript.[16][22][6][10]
Enterprise T1685 Disable or Modify Tools

MuddyWater can disable the system's local proxy settings.[14]
Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

MuddyWater has used AES to encrypt C2 responses.[10]
Enterprise T1041 Exfiltration Over C2 Channel

MuddyWater has used C2 infrastructure to receive exfiltrated data.[8]
Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

MuddyWater has attempted to exfiltrate data to Wasabi, a cloud storage service, using Rclone.[23]

Enterprise T1190 Exploit Public-Facing Application

MuddyWater has exploited the Microsoft Exchange memory corruption vulnerability (CVE-2020-0688).[9]
Enterprise T1203 Exploitation for Client Execution

MuddyWater has exploited the Office vulnerability CVE-2017-0199 for execution.[7]
Enterprise T1210 Exploitation of Remote Services

MuddyWater has exploited the Microsoft Netlogon vulnerability (CVE-2020-1472).[9]
Enterprise T1083 File and Directory Discovery

MuddyWater has used malware that checked if the ProgramData folder had folders or files with the keywords "Kasper," "Panda," or "ESET."[20]
Enterprise T1590 .004 Gather Victim Network Information: Network Topology

MuddyWater has mapped target networks; access to this information and more is then shared/sold to other Iran threat actors.[24]

Enterprise T1574 .001 Hijack Execution Flow: DLL

MuddyWater maintains persistence on victim networks through side-loading dlls to trick legitimate programs into running malware.[9]
Enterprise T1105 Ingress Tool Transfer

MuddyWater has used malware that can upload additional files to the victim’s machine.[20][6][8][14] MuddyWater has used PowerShell commands to install remote management and monitoring (RMM) software on the victim’s machine to conduct espionage and to exfiltrate data.[11]

Enterprise T1559 .001 Inter-Process Communication: Component Object Model

MuddyWater has used malware that has the capability to execute malicious code via COM, DCOM, and Outlook.[20][7][9]
.002 Inter-Process Communication: Dynamic Data Exchange

MuddyWater has used malware that can execute PowerShell scripts via DDE.[20]
Enterprise T1534 Internal Spearphishing

MuddyWater has used compromised mailboxes within target organizations to send spearphishing emails.[2]

Enterprise T1036 .005 Masquerading: Match Legitimate Resource Name or Location

MuddyWater has disguised malicious executables and used filenames and Registry key names associated with Windows Defender.[16][21][15]
Enterprise T1104 Multi-Stage Channels

MuddyWater has used one C2 to obtain enumeration scripts and monitor web logs, but a different C2 to send data back.[21]

Enterprise T1571 Non-Standard Port

MuddyWater has used ports 8043 and 8848 for botnet C2 communication.[24]

Enterprise T1027 .003 Obfuscated Files or Information: Steganography

MuddyWater has stored obfuscated JavaScript code in an image file named temp.jpg.[6]
.004 Obfuscated Files or Information: Compile After Delivery

MuddyWater has used the .NET csc.exe tool to compile executables from downloaded C# code.[6]
.010 Obfuscated Files or Information: Command Obfuscation

MuddyWater has used Daniel Bohannon’s Invoke-Obfuscation framework and obfuscated PowerShell scripts.[4][25] The group has also used other obfuscation methods, including Base64 obfuscation of VBScripts and PowerShell commands.[4][16][20][21][7][14][10]
Enterprise T1588 .001 Obtain Capabilities: Malware

MuddyWater has used publicly available malware for operations, likely to blend in with other cybercriminals.[3]

.002 Obtain Capabilities: Tool

MuddyWater has used legitimate tools ConnectWise, RemoteUtilities, and SimpleHelp to gain access to the target environment.[15][26][12][11]
Enterprise T1137 .001 Office Application Startup: Office Template Macros

MuddyWater has used a Word Template, Normal.dotm, for persistence.[8]
Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

MuddyWater has performed credential dumping with Mimikatz and procdump64.exe.[4][5][14]
.004 OS Credential Dumping: LSA Secrets

MuddyWater has performed credential dumping with LaZagne.[4][5]
.005 OS Credential Dumping: Cached Domain Credentials

MuddyWater has performed credential dumping with LaZagne.[4][5]
Enterprise T1566 Phishing

MuddyWater has sent phishing emails to targets from the email address support@microsoftonlines[.]com.[11]
.001 Spearphishing Attachment

MuddyWater has compromised third parties and used compromised accounts to send spearphishing emails with targeted attachments to recipients.[4][16][20][7][15][14][9][18][12][23] MuddyWater has also sent spearphishing emails with the attachment Cybersecurity.doc, which served as the primarily payload for the next stage.[27]

.002 Spearphishing Link

MuddyWater has sent targeted spearphishing e-mails with malicious links.[15][14][18]
Enterprise T1057 Process Discovery

MuddyWater has used malware to obtain a list of running processes on the system.[20][7]
Enterprise T1090 Proxy

MuddyWater has used NordVPN to proxy phishing emails, making them appear to originate from France.[2]

.002 External Proxy

MuddyWater has controlled POWERSTATS from behind a proxy network to obfuscate the C2 location.[5] MuddyWater has used a series of compromised websites that victims connected to randomly to relay information to command and control (C2).[8][14] MuddyWater has also used go-socks5 variants to bypass firewalls and Network Address Translation (NAT), to communicate with a hardcoded C2 server, and to exfiltrate data.[12]

Enterprise T1219 .002 Remote Access Tools: Remote Desktop Software

MuddyWater has leveraged RMM solutions including ScreenConnect, AteraAgent, SimpleHelp, Action1, Level, and PDQ to facilitate follow-on actions within compromised hosts to include data exfiltration.[14][15][18][26][2][11][24]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

MuddyWater has used scheduled tasks to establish persistence.[8]
Enterprise T1113 Screen Capture

MuddyWater has used malware that can capture screenshots of the victim’s machine.[20]
Enterprise T1684 .001 Social Engineering: Impersonation

MuddyWater has used support@microsoftonlines[.]com to send phishing emails that masqueraded as security updates from Microsoft.[11] MuddyWater has also impersonated TMCell (Altyn Asyr CJSC), the primary mobile operator in Turkmenistan, sending phishing emails with the email domain info@tmcell.[27]

Enterprise T1518 Software Discovery

MuddyWater has used a PowerShell backdoor to check for Skype connectivity on the target machine.[14]
.001 Security Software Discovery

MuddyWater has used malware to check running processes against a hard-coded list of security tools often used by malware researchers.[20]
Enterprise T1218 .003 System Binary Proxy Execution: CMSTP

MuddyWater has used CMSTP.exe and a malicious INF to execute its POWERSTATS payload.[16]
.005 System Binary Proxy Execution: Mshta

MuddyWater has used mshta.exe to execute its POWERSTATS payload and to pass a PowerShell one-liner for execution.[16][20]
.011 System Binary Proxy Execution: Rundll32

MuddyWater has used malware that leveraged rundll32.exe in a Registry Run key to execute a .dll.[20]
Enterprise T1082 System Information Discovery

MuddyWater has used malware that can collect the victim’s OS version and machine name.[20][21][8][14][10]
Enterprise T1016 System Network Configuration Discovery

MuddyWater has used malware to collect the victim’s IP address and domain name.[20]
Enterprise T1049 System Network Connections Discovery

MuddyWater has used a PowerShell backdoor to check for Skype connections on the target machine.[14]
Enterprise T1033 System Owner/User Discovery

MuddyWater has used malware that can collect the victim’s username.[20][14]
Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

MuddyWater has run a tool that steals passwords saved in victim email.[5]
Enterprise T1204 .001 User Execution: Malicious Link

MuddyWater has distributed URLs in phishing e-mails that link to lure documents.[15][14][18]
.002 User Execution: Malicious File

MuddyWater has attempted to get users to open malicious PDF attachment and to enable macros and launch malicious Microsoft Word documents delivered via spearphishing emails.[4][16][20][21][7][8][15][14][9][10][18] Additionally, MuddyWater has used a Word document with a malicious Visual Basic for Applications (VBA) macro; when enabled, the CertificationKit.ini payload is constructed and executed.[27]
.004 User Execution: Malicious Copy and Paste

MuddyWater has leveraged ClickFix type tactics enticing victims to copy and paste malicious PowerShell code.[11]

Enterprise T1102 .002 Web Service: Bidirectional Communication

MuddyWater has used web services including OneHub to distribute remote access tools.[15]
Enterprise T1047 Windows Management Instrumentation

MuddyWater has used malware that leveraged WMI for execution and querying host information.[20][6][21][9]

Software

ID Name References Techniques
S0591 ConnectWise [15][14] Command and Scripting Interpreter: PowerShell, Screen Capture, Video Capture
S0488 CrackMapExec [28][5] Account Discovery: Domain Account, Brute Force: Password Spraying, Brute Force: Password Guessing, Brute Force, Command and Scripting Interpreter: PowerShell, File and Directory Discovery, Local Storage Discovery, Modify Registry, Network Share Discovery, OS Credential Dumping: Security Account Manager, OS Credential Dumping: NTDS, OS Credential Dumping: LSA Secrets, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Remote System Discovery, Scheduled Task/Job: At, System Network Configuration Discovery, System Network Connections Discovery, Use Alternate Authentication Material: Pass the Hash, Windows Management Instrumentation
S1243 DCHSpy [29] Application Layer Protocol, Archive Collected Data, Audio Capture, Data from Local System, Location Tracking, Masquerading: Match Legitimate Name or Location, Protected User Data: Contact List, Protected User Data: SMS Messages, Protected User Data: Accounts, Protected User Data: Call Log, Stored Application Data, Video Capture
S0363 Empire [28] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Access Token Manipulation: Create Process with Token, Account Discovery: Domain Account, Account Discovery: Local Account, Adversary-in-the-Middle: Name Resolution Poisoning and SMB Relay, Application Layer Protocol: Web Protocols, Archive Collected Data, Automated Collection, Automated Exfiltration, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Browser Information Discovery, Clipboard Data, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Create Account: Local Account, Create Account: Domain Account, Create or Modify System Process: Windows Service, Credentials from Password Stores: Keychain, Credentials from Password Stores: Credentials from Web Browsers, Domain or Tenant Policy Modification: Group Policy Modification, Domain Trust Discovery, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Accessibility Features, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Code Repository, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Group Policy Discovery, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Dylib Hijacking, Hijack Execution Flow: DLL, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Native API, Network Service Discovery, Network Share Discovery, Network Sniffing, Obfuscated Files or Information: Command Obfuscation, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Services: Service Execution, Trusted Developer Utilities Proxy Execution: MSBuild, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Video Capture, Web Service: Bidirectional Communication, Windows Management Instrumentation
S9033 Fooder MuddyWater has used Fooder during operations.[12] Access Token Manipulation: Token Impersonation/Theft, Delay Execution, Deobfuscate/Decode Files or Information, Masquerading: Match Legitimate Resource Name or Location, Native API, Obfuscated Files or Information, Reflective Code Loading
S0250 Koadic [8][28] Abuse Elevation Control Mechanism: Bypass User Account Control, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Clipboard Data, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, Encrypted Channel: Asymmetric Cryptography, File and Directory Discovery, Hide Artifacts: Hidden Window, Ingress Tool Transfer, Network Service Discovery, Network Share Discovery, OS Credential Dumping: Security Account Manager, OS Credential Dumping: NTDS, Process Injection: Dynamic-link Library Injection, Remote Services: Remote Desktop Protocol, Scheduled Task/Job: Scheduled Task, System Binary Proxy Execution: Mshta, System Binary Proxy Execution: Regsvr32, System Binary Proxy Execution: Rundll32, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Services: Service Execution, Windows Management Instrumentation
S0349 LaZagne [5][28] Credentials from Password Stores: Windows Credential Manager, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Credentials from Password Stores: Keychain, OS Credential Dumping: LSA Secrets, OS Credential Dumping: /etc/passwd and /etc/shadow, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Cached Domain Credentials, OS Credential Dumping: Proc Filesystem, Unsecured Credentials: Credentials In Files
S9036 LP-Notes MuddyWater has used LP-Notes during operations.[12] Access Token Manipulation: Token Impersonation/Theft, Archive Collected Data, Command and Scripting Interpreter: PowerShell, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, Input Capture: GUI Input Capture, Native API, Obfuscated Files or Information: Dynamic API Resolution, Obfuscated Files or Information: Encrypted/Encoded File, Process Discovery, Valid Accounts
S0002 Mimikatz [4][28] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Authentication Certificates, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S1047 Mori [9] Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, Data Encoding: Standard Encoding, Data Obfuscation: Junk Data, Deobfuscate/Decode Files or Information, Indicator Removal: File Deletion, Modify Registry, Query Registry, System Binary Proxy Execution: Regsvr32
S9032 MuddyViper MuddyWater has used MuddyViper during operations.[12] Application Layer Protocol: Web Protocols, Archive Collected Data, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter, Command and Scripting Interpreter: Windows Command Shell, Delay Execution, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, Ingress Tool Transfer, Input Capture: GUI Input Capture, Modify Registry, Native API, Process Discovery, Reflective Code Loading, Scheduled Task/Job: Scheduled Task, Software Discovery: Security Software Discovery
S0594 Out1 [14] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, Email Collection: Local Email Collection, Obfuscated Files or Information
S0194 PowerSploit [28] Access Token Manipulation, Account Discovery: Local Account, Audio Capture, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Security Support Provider, Command and Scripting Interpreter: PowerShell, Create or Modify System Process: Windows Service, Credentials from Password Stores: Windows Credential Manager, Data from Local System, Domain Trust Discovery, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: DLL, Hijack Execution Flow: Path Interception by Search Order Hijacking, Input Capture: Keylogging, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information: Command Obfuscation, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection: Dynamic-link Library Injection, Query Registry, Reflective Code Loading, Scheduled Task/Job: Scheduled Task, Screen Capture, Steal or Forge Kerberos Tickets: Kerberoasting, Unsecured Credentials: Credentials in Registry, Unsecured Credentials: Group Policy Preferences, Windows Management Instrumentation
S0223 POWERSTATS [4][16][6][5][7] Account Discovery: Local Account, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: JavaScript, Data Encoding: Standard Encoding, Data from Local System, Deobfuscate/Decode Files or Information, Disable or Modify Tools, Encrypted Channel: Asymmetric Cryptography, Indicator Removal: File Deletion, Ingress Tool Transfer, Inter-Process Communication: Component Object Model, Inter-Process Communication: Dynamic Data Exchange, Masquerading: Masquerade Task or Service, Obfuscated Files or Information: Command Obfuscation, Obfuscated Files or Information: Junk Code Insertion, Process Discovery, Proxy: External Proxy, Scheduled Task/Job: Scheduled Task, Scheduled Transfer, Screen Capture, Software Discovery: Security Software Discovery, System Binary Proxy Execution: Mshta, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, Windows Management Instrumentation
S1046 PowGoop [9] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: PowerShell, Data Encoding: Non-Standard Encoding, Deobfuscate/Decode Files or Information, Encrypted Channel, Hijack Execution Flow: DLL, Masquerading, Masquerading: Match Legitimate Resource Name or Location
S1040 Rclone [23] Archive Collected Data: Archive via Utility, Data Transfer Size Limits, Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Web Service: Exfiltration to Cloud Storage, File and Directory Discovery
S0592 RemoteUtilities [14] File and Directory Discovery, Ingress Tool Transfer, Screen Capture, System Binary Proxy Execution: Msiexec
S9037 RustyWater [27] Account Discovery: Domain Account, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Data Encoding: Standard Encoding, Debugger Evasion, Delay Execution, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Inter-Process Communication: Component Object Model, Masquerading: Match Legitimate Resource Name or Location, Native API, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information, Phishing: Spearphishing Attachment, Process Injection: Portable Executable Injection, Social Engineering: Impersonation, Software Discovery: Security Software Discovery, System Information Discovery, System Owner/User Discovery, User Execution: Malicious File
S0450 SHARPSTATS [28] Command and Scripting Interpreter: PowerShell, Ingress Tool Transfer, Obfuscated Files or Information: Command Obfuscation, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Time Discovery
S1035 Small Sieve [9][30] Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: Python, Data Encoding: Non-Standard Encoding, Encrypted Channel: Asymmetric Cryptography, Execution Guardrails, Ingress Tool Transfer, Masquerading: Match Legitimate Resource Name or Location, Obfuscated Files or Information, System Network Configuration Discovery, System Owner/User Discovery, Web Service: Bidirectional Communication
S1037 STARWHALE [9] Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data from Local System, Data Staged: Local Data Staging, Exfiltration Over C2 Channel, Obfuscated Files or Information: Encrypted/Encoded File, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, User Execution: Malicious File
S9034 Tsundere Botnet [31] Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: PowerShell, Deobfuscate/Decode Files or Information, Execution Guardrails, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Hide Artifacts: Hidden Window, Ingress Tool Transfer, Masquerading: Match Legitimate Resource Name or Location, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Command Obfuscation, Supply Chain Compromise: Compromise Software Dependencies and Development Tools, System Binary Proxy Execution: Msiexec, System Information Discovery, System Location Discovery, Web Service: Dead Drop Resolver

References

  1. Cyber National Mission Force. (2022, January 12). Iranian intel cyber suite of malware uses open source tools. Retrieved September 30, 2022.
  2. FalconFeeds.io. (2026, March 5). The Digital Redoubt: Iran’s National Information Network and the Asymmetry of Modern Cyber Conflict. Retrieved March 9, 2026.
  3. Hunt.io. (2026, March 4). Iranian APT Infrastructure in Focus: Mapping State-Aligned Clusters During Geopolitical Escalation. Retrieved April 16, 2026.
  4. Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.
  5. Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
  6. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
  7. ClearSky. (2019, June). Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal. Retrieved May 14, 2020.
  8. Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020.
  9. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
  10. Malhortra, A and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. Retrieved June 22, 2022.
  11. Naumaan, S., et al. (2025, April 17). Around the World in 90 Days: State-Sponsored Actors Try ClickFix . Retrieved January 21, 2026.
  12. ESET Research. (2025, December 2). MuddyWater: Snakes by the riverbank. Retrieved February 17, 2026.
  13. Threat Hunter Team. (2026, March 5). Seedworm: Iranian APT on Networks of U.S. Bank, Airport, Software Company. Retrieved March 5, 2026.
  14. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
  15. Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.
  16. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  1. Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
  2. Miller, J. et al. (2024, March 21). Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign. Retrieved March 27, 2024.
  3. Cloudflare. (2026, March 3). Introducing the 2026 Cloudflare Threat Report. Retrieved April 18, 2026.
  4. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
  5. Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019.
  6. Villanueva, M., Co, M. (2018, June 14). Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor. Retrieved July 3, 2018.
  7. SOCRadar. (2026, March 9). MuddyWater Uses Dindoor Malware Targeting U.S. Networks. Retrieved March 12, 2026.
  8. FalconFeeds.io. (2026, March 6). MuddyWater in the Iran–Israel Cyber War: From PowerShell Scripts to Rust Implants. Retrieved March 12, 2026.
  9. Bohannon, D.. (2017, March 13). Invoke-Obfuscation - PowerShell Obfuscator. Retrieved June 18, 2017.
  10. Rostovcev, N. (2023, April 18). SimpleHarm: Tracking MuddyWater’s infrastructure. Retrieved July 11, 2024.
  11. Awasthi, P. (2026, January 8). Reborn in Rust: Muddy Water Evolves Tooling with RustyWater Implant. Retrieved March 19, 2026.
  12. Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.
  13. Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict . Retrieved September 19, 2025.
  14. NCSC GCHQ. (2022, January 27). Small Sieve Malware Analysis Report. Retrieved August 22, 2022.
  15. CheckPoint Research. (2026, March 10). Iranian MOIS Actors & the Cyber Crime Connection. Retrieved March 12, 2026.