MuddyWater

Threat Actor updated 23 days ago (2024-11-29T14:23:49.829Z)
MuddyWater is an Advanced Persistent Threat (APT) actor that first surfaced in 2017, primarily targeting countries in the Middle East, Europe, and the USA. The group uses a range of techniques in its cyber-espionage activity, including PowerShell for execution, HTTP for C2 communications, and malware that can collect the victim's username. The tactics, techniques, and procedures (TTPs) and infrastructure analyzed in recent intrusions align with previously reported MuddyWater activity. Recently uncovered VBS/DLL-based implants used by MuddyWater are still active today.

The threat actor has been spotted targeting Israeli entities on multiple occasions, demonstrating its ongoing activity and the potential threat it poses to global cybersecurity. These attacks have drawn increased scrutiny from cybersecurity firms and government organizations alike. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Malware Analysis Report (MAR-10369127-1.v1) on MuddyWater, providing further insight into the group's operations and their potential impact on targeted systems.

Recent reports from Check Point Research and Sekoia highlight new developments in MuddyWater's activity. According to Check Point Research, the group has deployed a new backdoor, known as "BugSleep," in its recent campaigns. Sekoia reported that MuddyWater replaced Atera with a custom implant called "MuddyRot" in a recent campaign. This continuous evolution of tactics and tools underscores MuddyWater's persistent threat and the need for robust defenses against such actors.
Description last updated: 2024-11-28T11:45:16.388Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias / Description / Votes

MERCURY is a possible alias for MuddyWater. Mercury, also known as MuddyWater and Static Kitten, is a threat actor group linked to global espionage activities, with suspected ties to the Iranian Ministry of Intelligence and Security. This group has been noted for its malicious activities, compromising multiple victims that another group, POLO
Votes: 5

TEMP.Zagros is a possible alias for MuddyWater. TEMP.Zagros, also known as MuddyWater, Earth Vetala, MERCURY, Static Kitten, and Seedworm, is an Iran-nexus threat actor that has been active since at least May 2017. This group is associated with the Iranian Ministry of Intelligence and Security (MOIS) and has historically targeted regions and sect
Votes: 4

Static Kitten is a possible alias for MuddyWater. Static Kitten, also known as MuddyWater, Mercury, Mango Sandstorm, and TA450, is an Iranian government-sponsored hacking group suspected to be linked to the Iranian Ministry of Intelligence and Security. The group has been active since 2017 and is notorious for its cyber-espionage activities. Static
Votes: 4

Seedworm is a possible alias for MuddyWater. Seedworm, also known as MuddyWater, TEMP.Zagros, Static Kitten, and several other monikers, is a threat actor believed to be linked with Iran's Ministry of Intelligence and Security (MOIS). This cyberespionage group has been active since 2017, targeting various sectors globally, including government
Votes: 4

OilRig is a possible alias for MuddyWater. OilRig, also known as APT34, Earth Simnavaz, Evasive Serpens, and other names, is a well-known threat actor in the cybersecurity industry. This group has been particularly active in targeting entities in the Middle East, including critical infrastructure and telecommunications organizations. One of
Votes: 3

TA450 is a possible alias for MuddyWater. TA450, an Advanced Persistent Threat (APT) group, is a threat actor linked to Iran that has been identified as being behind a series of cyber-attacks. APTs are typically associated with nation-states or state-sponsored groups and are known for their persistence and ability to remain undetected over
Votes: 2

Mint Sandstorm is a possible alias for MuddyWater. Mint Sandstorm, an Advanced Persistent Threat (APT) group linked to Iran's Islamic Revolutionary Guard Corps (IRGC), has been identified as a significant cybersecurity threat. The group has demonstrated its capability to rapidly weaponize N-day vulnerabilities in common enterprise applications and c
Votes: 2

Mango Sandstorm is a possible alias for MuddyWater. Mango Sandstorm, also known as MuddyWater or Mercury, is a threat actor group linked to Iran's Ministry of Intelligence and Security (MOIS) by the Israeli government. The group has been identified as being involved in several cyber-attacks, utilizing various tactics to gain initial access to targete
Votes: 2

POWERSTATS is a possible alias for MuddyWater. PowerStats is a malicious software (malware) created by the MuddyWater cyberespionage group, which is linked to Iran. This malware, written in PowerShell, was designed to exploit and damage computer systems, often infiltrating them without the user's knowledge through suspicious downloads, emails, o
Votes: 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
APT
Phishing
Malware
Backdoor
Implant
RMM
SimpleHelp
Ransomware
Reconnaissance
Vulnerability
Espionage
Payload
Spearphishing
Proxy
Tool
Microsoft
GitHub
State Sponso...
Associated Malware
Alias / Description / Association Type / Votes

The MuddyC2Go malware is associated with MuddyWater. MuddyC2Go is a new malware that has been linked to the Iranian state-backed threat operation MuddyWater. The first evidence of malicious activity was identified through the execution of PowerShell code, which connected to a command-and-control (C2) framework known as MuddyC2Go. This infrastructure i
Association type: Unspecified
Votes: 2
Associated Threat Actors
Alias / Description / Association Type / Votes

The APT35 threat actor is associated with MuddyWater. APT35, also known as the Newscaster Team, Charming Kitten, and Mint Sandstorm, is an Iranian government-sponsored cyber espionage team. This threat actor conducts long-term, resource-intensive operations to collect strategic and tactical intelligence on behalf of the Islamic Revolutionary Guard Corp
Association type: Unspecified
Votes: 3

The Phosphorus threat actor is associated with MuddyWater. Phosphorus, also known as APT35 or Charming Kitten, is a prominent threat actor linked to the Islamic Revolutionary Guard Corps (IRGC) of Iran. The group is notorious for its cyberespionage activities and has been actively targeting high-profile individuals involved in Middle Eastern affairs at univ
Association type: Unspecified
Votes: 2
Source Document References
Information about the MuddyWater Threat Actor was read from the documents corpus below. This display is limited to 20 results.

Source / Created
Securelist (24 days ago)
Securityaffairs (4 months ago)
Securityaffairs (5 months ago)
Checkpoint (5 months ago)
Securityaffairs (5 months ago)
Securityaffairs (5 months ago)
Securityaffairs (5 months ago)
Securityaffairs (5 months ago)
DARKReading (5 months ago)
BankInfoSecurity (5 months ago)
InfoSecurity-magazine (5 months ago)
Checkpoint (5 months ago)
Securityaffairs (5 months ago)
Securityaffairs (5 months ago)
Securityaffairs (6 months ago)
Securityaffairs (6 months ago)
Securityaffairs (6 months ago)
Securityaffairs (7 months ago)
ESET (7 months ago)
Securityaffairs (8 months ago)