MuddyWater

Introduction

MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran’s Ministry of Intelligence and Security (MOIS). CYBERCOM Iranian Intel Cyber January 2022 Since at least 2017, MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, defense, and oil and natural gas organizations, in the Middle East, Asia, Africa, Europe, and North America. Unit 42 MuddyWater Nov 2017 Symantec MuddyWater Dec 2018 ClearSky MuddyWater Nov 2018 ClearSky MuddyWater June 2019 Reaqta MuddyWater November 2017 DHS CISA AA22-055A MuddyWater February 2022 Talos MuddyWater Jan 2022

Activities and Tactics

Targeted Sectors: Government, Telecommunications, Defense, Oil and Gas

Country of Origin: 🇮🇷 Iran

Risk Level: High

First Seen: 2017

Last Activity: 2023

Incident Type: Espionage

Suspected Victims: Saudi Arabia, Georgia, Turkey, Iraq, Israel, India, United Arab Emirates, Pakistan, United States

Notable Campaigns

• BlackWater
• Operation Quicksand

Tactics, Techniques, and Procedures (TTPs)

• T1566.002 Spearphishing Link
• T1137.001 Office Template Macros
• T1574.001 DLL
• T1588.002 Tool
• T1218.005 Mshta
• T1204.004 Malicious Copy and Paste
• T1047 Windows Management Instrumentation
• T1534 Internal Spearphishing
• T1003.004 LSA Secrets
• T1566.001 Spearphishing Attachment
• T1583.001 Domains
• T1590.004 Network Topology
• T1559.001 Component Object Model
• T1571 Non-Standard Port
• T1059.003 Windows Command Shell
• T1588.001 Malware
• T1218.003 CMSTP
• T1036.005 Match Legitimate Resource Name or Location
• T1087.002 Domain Account
• T1059.007 JavaScript
• T1583.006 Web Services
• T1059.005 Visual Basic
• T1016 System Network Configuration Discovery
• T1547.001 Registry Run Keys / Startup Folder
• T1140 Deobfuscate/Decode Files or Information
• T1559.002 Dynamic Data Exchange
• T1027.010 Command Obfuscation
• T1027.004 Compile After Delivery
• T1518.001 Security Software Discovery
• T1074.001 Local Data Staging
• T1113 Screen Capture
• T1071.001 Web Protocols
• T1685 Disable or Modify Tools
• T1518 Software Discovery
• T1083 File and Directory Discovery
• T1548.002 Bypass User Account Control
• T1105 Ingress Tool Transfer
• T1573.001 Symmetric Cryptography
• T1567.002 Exfiltration to Cloud Storage
• T1555.003 Credentials from Web Browsers
• T1566 Phishing
• T1560.001 Archive via Utility
• T1684.001 Impersonation
• T1059.006 Python
• T1049 System Network Connections Discovery
• T1082 System Information Discovery
• T1555 Credentials from Password Stores
• T1057 Process Discovery
• T1132.001 Standard Encoding
• T1104 Multi-Stage Channels
• T1090 Proxy
• T1204.001 Malicious Link
• T1027.003 Steganography
• T1003.001 LSASS Memory
• T1053.005 Scheduled Task
• T1090.002 External Proxy
• T1204.002 Malicious File
• T1033 System Owner/User Discovery
• T1219.002 Remote Desktop Software
• T1041 Exfiltration Over C2 Channel
• T1059.001 PowerShell
• T1102.002 Bidirectional Communication
• T1218.011 Rundll32
• T1552.001 Credentials In Files
• T1190 Exploit Public-Facing Application
• T1210 Exploitation of Remote Services
• T1203 Exploitation for Client Execution
• T1003.005 Cached Domain Credentials

ATT&CK technique IDs (denormalized)

• T1003.001
• T1003.004
• T1003.005
• T1016
• T1027.003
• T1027.004
• T1027.010
• T1033
• T1036.005
• T1041
• T1047
• T1049
• T1053.005
• T1057
• T1059.001
• T1059.003
• T1059.005
• T1059.006
• T1059.007
• T1071.001
• T1074.001
• T1082
• T1083
• T1087.002
• T1090
• T1090.002
• T1102.002
• T1104
• T1105
• T1113
• T1132.001
• T1137.001
• T1140
• T1190
• T1203
• T1204.001
• T1204.002
• T1204.004
• T1210
• T1218.003
• T1218.005
• T1218.011
• T1219.002
• T1518
• T1518.001
• T1534
• T1547.001
• T1548.002
• T1552.001
• T1555
• T1555.003
• T1559.001
• T1559.002
• T1560.001
• T1566
• T1566.001
• T1566.002
• T1567.002
• T1571
• T1573.001
• T1574.001
• T1583.001
• T1583.006
• T1588.001
• T1588.002
• T1590.004
• T1684.001
• T1685

Notable Indicators of Compromise (IOCs)

No atomic indicators are listed in this profile. The APTnotes snapshot indexes 3 public reports that may contain IOCs; see Source Attribution for dataset links.

Malware and Tools

• Backdoor.Oldrea
• PowerDuke
• POWERSTATS
• Power Loader
• POWERSOURCE
• TINY
• PowerRAT
• Mudwater
• PhonyC2
• PowGoop
• STARWHALE
• Unidentified VBS 004 (RAT)
• Covicli
• GRAMDOOR
• MuddyC2Go
• SHARPSTATS
• DCHSpy
• MoriAgent
• Tsundere
• PoweMuddy
• LaZagne
• Crackmapexec
• ScreenConnect
• Pudpoul
• Thanos Ransomware
• DarkBit
• MuddyRot
• POWERSTATS:
• PoweMuddy:
• LaZagne:
• Crackmapexec:
• ScreenConnect:
• MoriAgent:
• Pudpoul:
• Thanos Ransomware:
• PowGoop:
• Covicli:
• DarkBit:
• MuddyRot:

MITRE ATT&CK Software

• MuddyViper (S9032) — malware
• STARWHALE (S1037) — malware
• LP-Notes (S9036) — malware
• POWERSTATS (S0223) — malware
• Rclone (S1040) — tool
• Out1 (S0594) — tool
• Tsundere Botnet (S9034) — malware
• PowerSploit (S0194) — tool
• Small Sieve (S1035) — malware
• Fooder (S9033) — malware
• Mori (S1047) — malware
• Mimikatz (S0002) — tool
• LaZagne (S0349) — tool
• PowGoop (S1046) — malware
• CrackMapExec (S0488) — tool
• ConnectWise (S0591) — tool
• SHARPSTATS (S0450) — malware
• Empire (S0363) — tool
• RustyWater (S9037) — malware
• RemoteUtilities (S0592) — tool
• Koadic (S0250) — tool
• DCHSpy (S1243) — malware

Ransomware Tool Matrix observations

Attribution and Evidence

Country of Origin: Iran Additional attribution information pending cataloguing.

References

[1] mitre-attack [2] Cloudflare 2026 Threat Report New Threat Actors March 2026 Cloudflare. (2026, March 3). Introducing the 2026 Cloudflare Threat Report. Retrieved April 18, 2026. [12] ClearSky MuddyWater Nov 2018 ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018. [13] ClearSky MuddyWater June 2019 ClearSky. (2019, June). Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal. Retrieved May 14, 2020. [14] CYBERCOM Iranian Intel Cyber January 2022 Cyber National Mission Force. (2022, January 12). Iranian intel cyber suite of malware uses open source tools. Retrieved September 30, 2022. [15] ESET_MuddyWater_Dec2025 ESET Research. (2025, December 2). MuddyWater: Snakes by the riverbank. Retrieved February 17, 2026. [16] FalconFeeds_Iran_Mar2026 FalconFeeds.io. (2026, March 5). The Digital Redoubt: Iran’s National Information Network and the Asymmetry of Modern Cyber Conflict. Retrieved March 9, 2026. [17] DHS CISA AA22-055A MuddyWater February 2022 FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022. [18] Huntio_IranInfra_Mar2026 Hunt.io. (2026, March 4). Iranian APT Infrastructure in Focus: Mapping State-Aligned Clusters During Geopolitical Escalation. Retrieved April 16, 2026. [19] Unit 42 MuddyWater Nov 2017 Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018. [20] Talos MuddyWater Jan 2022 Malhortra, A and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. Retrieved June 22, 2022. [21] Anomali Static Kitten February 2021 Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021. [22] Microsoft Threat Actor Naming July 2023 Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023. [23] Proofpoint TA450 Phishing March 2024 Miller, J. et al. (2024, March 21). Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign. Retrieved March 27, 2024. [24] NaumaanProofpoint_GlobalClickFix_April2025 Naumaan, S., et al. (2025, April 17). Around the World in 90 Days: State-Sponsored Actors Try ClickFix . Retrieved January 21, 2026. [25] Trend Micro Muddy Water March 2021 Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021. [26] Reaqta MuddyWater November 2017 Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020. [27] FireEye MuddyWater Mar 2018 Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018. [28] Symantec MuddyWater Dec 2018 Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018. [29] SymantecCarbonBlack_Seedworm_Mar2026 Threat Hunter Team. (2026, March 5). Seedworm: Iranian APT on Networks of U.S. Bank, Airport, Software Company. Retrieved March 5, 2026.

Recent News

Latest articles from security news feeds mentioning this actor.

• MuddyWater Uses DLL Side-Loading in Espionage Campaign Targeting 9 Countries The Hacker News - 2026-05-26T