MuddyWater
Also known as: Earth Vetala · MERCURY · Static Kitten · Seedworm · TEMP.Zagros · Mango Sandstorm · TA450 · MuddyKrill
Overview
MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS). Since at least 2017, MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, finance, defense, and oil and natural gas organizations, in the Middle East (specifically the UAE and Saudi Arabia), Asia, Africa, Europe, and North America. MuddyWater has reused domains dating back to October 2025, and has a preference for NameCheap and Hosterdaddy Private Limited (AS136557). In late 2025 and early 2026, MuddyWater used commercial satellite internet (i.e., Starlink) for command and control (C2) communication.
Targets
Government
Regions
Georgia · India · Iraq · Israel · Pakistan · Saudi Arabia · Turkey · United Arab Emirates · United States
Capabilities
- Exploitation of public-facing / client applications — ATT&CK T1190, T1203
- Custom malware/implant development — ATT&CK: 11 attributed custom malware families
TTPs — 68 techniques across 14 tactics
Reconnaissance
- T1590.004 Network Topology
Resource Development
- T1583.001 Domains
- T1583.006 Web Services
- T1588.001 Malware
- T1588.002 Tool
Initial Access
- T1190 Exploit Public-Facing Application
- T1566 Phishing
- T1566.001 Spearphishing Attachment
- T1566.002 Spearphishing Link
Execution
- T1047 Windows Management Instrumentation
- T1053.005 Scheduled Task
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1059.005 Visual Basic
- T1059.006 Python
- T1059.007 JavaScript
- T1203 Exploitation for Client Execution
- T1204.001 Malicious Link
- T1204.002 Malicious File
- T1204.004 Malicious Copy and Paste
- T1559.001 Component Object Model
- T1559.002 Dynamic Data Exchange
Persistence
- T1137.001 Office Template Macros
- T1547.001 Registry Run Keys / Startup Folder
Privilege Escalation
- T1548.002 Bypass User Account Control
Stealth
- T1027.003 Steganography
- T1027.004 Compile After Delivery
- T1027.010 Command Obfuscation
- T1036.005 Match Legitimate Resource Name or Location
- T1140 Deobfuscate/Decode Files or Information
- T1218.003 CMSTP
- T1218.005 Mshta
- T1218.011 Rundll32
- T1574.001 DLL
- T1684.001 Impersonation
Defense Impairment
- T1685 Disable or Modify Tools
Credential Access
- T1003.001 LSASS Memory
- T1003.004 LSA Secrets
- T1003.005 Cached Domain Credentials
- T1552.001 Credentials In Files
- T1555 Credentials from Password Stores
- T1555.003 Credentials from Web Browsers
Discovery
- T1016 System Network Configuration Discovery
- T1033 System Owner/User Discovery
- T1049 System Network Connections Discovery
- T1057 Process Discovery
- T1082 System Information Discovery
- T1083 File and Directory Discovery
- T1087.002 Domain Account
- T1518 Software Discovery
- T1518.001 Security Software Discovery
Lateral Movement
Collection
- T1074.001 Local Data Staging
- T1113 Screen Capture
- T1560.001 Archive via Utility
Command and Control
- T1071.001 Web Protocols
- T1090 Proxy
- T1090.002 External Proxy
- T1102.002 Bidirectional Communication
- T1104 Multi-Stage Channels
- T1105 Ingress Tool Transfer
- T1132.001 Standard Encoding
- T1219.002 Remote Desktop Software
- T1571 Non-Standard Port
- T1573.001 Symmetric Cryptography
Exfiltration
- T1041 Exfiltration Over C2 Channel
- T1567.002 Exfiltration to Cloud Storage
Tools & malware (21)
MuddyViper · STARWHALE · LP-Notes · POWERSTATS · Rclone · Out1 · Tsundere Botnet · PowerSploit · Small Sieve · Fooder · Mori · Mimikatz · LaZagne · PowGoop · CrackMapExec · ConnectWise · SHARPSTATS · Empire · RustyWater · RemoteUtilities · Koadic
Reporting (3)
- The Digital Redoubt: Iran’s National Information Network and the Asymmetry of Modern Cyber Conflict — FalconFeeds.io
- Seedworm: Iranian APT on Networks of U.S. Bank, Airport, Software Company — Threat Hunter Team
- Iranian APT Infrastructure in Focus: Mapping State-Aligned Clusters During Geopolitical Escalation — Hunt.io