MuddyWater
Attribution confidence: High. Threat level: High. Also known as: MERCURY, Mango Sandstorm, Static Kitten, Seedworm, TEMP.Zagros, Earth Vetala
MuddyWater is a highly active and persistent cyber espionage group that is assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS). Active since at least 2017, the group has a global reach, targeting a wide range of government and private-sector organizations. Their campaigns are primarily focused on intelligence gathering and data exfiltration, supporting the strategic objectives of the Iranian government. MuddyWater is known for its use of publicly available and open-source tools, which allows them to blend in with normal network traffic and makes attribution more challenging. The group's tactics, techniques, and procedures (TTPs) have evolved over time, but they consistently rely on spear-phishing campaigns as their primary initial access vector. These campaigns often use socially engineered themes relevant to their targets, luring victims into opening malicious attachments or clicking on malicious links. Once inside a network, MuddyWater employs a variety of living-off-the-land techniques, PowerShell-based malware, and remote access tools to maintain persistence, escalate privileges, and move laterally across the network. Their adaptability and continuous development of new tools and techniques make them a significant and ongoing threat to organizations worldwide.
Attributed to MOIS (Ministry of Intelligence and Security) (Iran). Attribution confidence: High.
Future Outlook
MuddyWater is expected to continue operations targeting government sectors.
Timeline: first observed activity of MuddyWater (active since at least 2017); continued active operations.