MERCURY

Threat Actor updated 4 months ago (2024-07-17T01:17:38.483Z)

Download STIX

Preview STIX

Mercury, also known as MuddyWater and Static Kitten, is a threat actor group linked to global espionage activities, with suspected ties to the Iranian Ministry of Intelligence and Security. This group has been noted for its malicious activities, compromising multiple victims that another group, POLONIUM, previously targeted. The cybersecurity community has recognized the significant security challenges posed by Mercury, highlighting its activities in relation to hybrid IT infrastructures. Recently, Mercury Financial, a high-interest, low credit score non-bank credit card company that uses Evolve to issue cards, reported a data breach. The compromised data included account numbers, deposit balances, business owner names, and emails associated with Mercury and other fintech accounts. The company has notified its affected customers about the breach and the preventative measures being taken to secure their funds. Alex Arango, Head of Cyber Threat Management at Mercury Financial, has been actively working on strengthening the company's defenses using threat intelligence from Recorded Future. In an unrelated event, defensive sectors including consumer staples and utilities showed resilience on the local bourse, with Mercury NZ among the largest large-cap advancers. However, it should be clarified that this Mercury refers to a different entity than the threat actor or Mercury Financial. Similarly, references to "Mercury" in other contexts such as Virginia Mercury, a news outlet, and Mercury in the context of the Regents' meeting, do not pertain to the threat actor group.

Description last updated: 2024-07-17T01:15:31.189Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
MuddyWater is a possible alias for MERCURY. MuddyWater is a notable threat actor group that has been associated with various cyber-attacks, primarily targeting organizations in the Middle East, particularly Israeli entities, but also extending its activities to other nations including India, Jordan, Portugal, Turkey, and Azerbaijan. The group	5
Mint Sandstorm is a possible alias for MERCURY. Mint Sandstorm, an Advanced Persistent Threat (APT) group linked to Iran's Islamic Revolutionary Guard Corps (IRGC), has been identified as a significant cybersecurity threat. The group has demonstrated its capability to rapidly weaponize N-day vulnerabilities in common enterprise applications and c	2
Mango Sandstorm is a possible alias for MERCURY. Mango Sandstorm, also known as MuddyWater or Mercury, is a threat actor group linked to Iran's Ministry of Intelligence and Security (MOIS) by the Israeli government. The group has been identified as being involved in several cyber-attacks, utilizing various tactics to gain initial access to targete	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Papercut

Azure

flaw

State Sponso...

Microsoft

Vulnerability

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Phosphorus Threat Actor is associated with MERCURY. Phosphorus, also known as APT35 or Charming Kitten, is a prominent threat actor linked to the Islamic Revolutionary Guard Corps (IRGC) of Iran. The group is notorious for its cyberespionage activities and has been actively targeting high-profile individuals involved in Middle Eastern affairs at univ	Unspecified	2
The APT35 Threat Actor is associated with MERCURY. APT35, also known as the Newscaster Team, Charming Kitten, and Mint Sandstorm, is an Iranian government-sponsored cyber espionage team. This threat actor conducts long-term, resource-intensive operations to collect strategic and tactical intelligence on behalf of the Islamic Revolutionary Guard Corp	Unspecified	2

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The CVE-2023-27350 Vulnerability is associated with MERCURY. CVE-2023-27350 represents a significant software vulnerability in PaperCut MF/NG, identified as an improper access control flaw. This weakness allows attackers to bypass authentication processes, providing them with the ability to execute code with system privileges. The vulnerability was first upda	Unspecified	2

Source Document References

Information about the MERCURY Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
BankInfoSecurity	4 months ago	Iranian State Hackers Are Deploying a New Malware Backdoor
Malwarebytes	5 months ago	Affirm says Evolve Bank data breach also compromised some of its customers \| Malwarebytes
BankInfoSecurity	5 months ago	Evolve Ransomware Hack Affects Affirm and Fintech Companies
CERT-EU	10 months ago	Kansas State President Gives Cybersecurity Update \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
CERT-EU	10 months ago	Google plans to allow more real-money games on the Play Store, starting with India, Brazil, and Mexico in June 2024, in compliance with local laws
CERT-EU	a year ago	Hybrid IT opens new avenues for cybercriminals
CERT-EU	a year ago	APPALACHIAN POWER, WHEELING POWER SEEK APPROVAL OF SETTLEMENT AGREEMENT IN FUEL COST CASES
CERT-EU	a year ago	AEP SIGNS AGREEMENT TO SELL NEW MEXICO SOLAR ASSETS
Recorded Future	a year ago	Threat Intelligence to Elevate Your Security Defenses \| Recorded Future
CERT-EU	a year ago	Does Private Internet Access Work in Russia? (2023)
CERT-EU	a year ago	Italy's competition watchdog opens an investigation into whether Meta has failed to provide adequate information on how to mark branded content on Instagram
CERT-EU	a year ago	A California jury convicts former VC Mike Rothenberg for defrauding investors on 21 counts of bank fraud, false statements, money laundering, and wire fraud
CERT-EU	a year ago	Insights from Security Mavericks: Interpublic Group, FICO, and Mercury
CERT-EU	a year ago	Techrights — Links 27/10/2023: Facebook Shrinks by a Lot, Yet More Microsoft Layoffs
CERT-EU	a year ago	A researcher details malicious and convincing Google ads linking to a fake site for password manager KeePass; Google shows a verified advertiser paid for them
Naked Security	a year ago	Serious Security: Rowhammer returns to gaslight your computer
CERT-EU	a year ago	New Zealand university operating despite cyberattack
CERT-EU	a year ago	ASX dives to 60-day low after Wall Street’s worst day in six months
CERT-EU	a year ago	OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes
CERT-EU	a year ago	Sources: Apple spent $5M on the film rights for Michael Lewis' book about Sam Bankman-Fried; at least eight Hollywood projects on SBF are in the works so far