MuddyWater

Threat Actor updated 3 months ago (2024-08-14T09:27:35.558Z)
MuddyWater is a notable threat actor group that has been associated with various cyber-attacks, primarily targeting organizations in the Middle East, particularly Israeli entities, but also extending its activities to other nations including India, Jordan, Portugal, Turkey, and Azerbaijan. The group employs a range of tactics such as spearphishing, exploiting publicly known vulnerabilities, and leveraging multiple open-source tools to gain access to sensitive government and commercial networks. MuddyWater actors are positioned both to provide stolen data and accesses to the Iranian government and to share these with other malicious cyber actors. The group's modus operandi includes sending hundreds of malicious emails to multiple recipients within the same organization or sector, often over different days. Their arsenal includes the use of PowerShell for execution, HTTP for C2 communications, and malware capable of collecting the victim’s username. In recent campaigns, MuddyWater has replaced Atera with a custom implant called MuddyRot. However, it remains unclear why MuddyWater operators have reverted to using this homemade implant for their first infection stage in at least one campaign. Reports from Check Point Research have shed light on the recent activity of the Iranian APT group MuddyWater. Despite the group's extensive operations, there is a suggestion that MuddyWater may not be a single group. The cybersecurity industry continues to monitor their activities closely, as they pose a significant threat to global cybersecurity. It is crucial for organizations to stay informed about the latest tactics, techniques, and procedures (TTPs) used by threat actors like MuddyWater to ensure adequate protection against potential attacks.
Description last updated: 2024-08-14T08:54:49.927Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias | Description | Votes
MERCURY (5 votes) is a possible alias for MuddyWater. Mercury, also known as MuddyWater and Static Kitten, is a threat actor group linked to global espionage activities, with suspected ties to the Iranian Ministry of Intelligence and Security. This group has been noted for its malicious activities, compromising multiple victims that another group, POLO
TEMP.Zagros (4 votes) is a possible alias for MuddyWater. TEMP.Zagros, also known as MuddyWater, Earth Vetala, MERCURY, Static Kitten, and Seedworm, is an Iran-nexus threat actor that has been active since at least May 2017. This group is associated with the Iranian Ministry of Intelligence and Security (MOIS) and has historically targeted regions and sect
Static Kitten (4 votes) is a possible alias for MuddyWater. Static Kitten, also known as MuddyWater, Mercury, Mango Sandstorm, and TA450, is an Iranian government-sponsored hacking group suspected to be linked to the Iranian Ministry of Intelligence and Security. The group has been active since 2017 and is notorious for its cyber-espionage activities. Static
Seedworm (4 votes) is a possible alias for MuddyWater. Seedworm, also known as MuddyWater, TEMP.Zagros, Static Kitten, and several other monikers, is a threat actor believed to be linked with Iran's Ministry of Intelligence and Security (MOIS). This cyberespionage group has been active since 2017, targeting various sectors globally, including government
OilRig (3 votes) is a possible alias for MuddyWater. OilRig, also known as APT34, Earth Simnavaz, Evasive Serpens, and other names, is a well-known threat actor in the cybersecurity industry. This group has been particularly active in targeting entities in the Middle East, including critical infrastructure and telecommunications organizations. One of
TA450 (2 votes) is a possible alias for MuddyWater. TA450, an Advanced Persistent Threat (APT) group, is a threat actor linked to Iran that has been identified as being behind a series of cyber-attacks. APTs are typically associated with nation-states or state-sponsored groups and are known for their persistence and ability to remain undetected over
Mint Sandstorm (2 votes) is a possible alias for MuddyWater. Mint Sandstorm, an Advanced Persistent Threat (APT) group linked to Iran's Islamic Revolutionary Guard Corps (IRGC), has been identified as a significant cybersecurity threat. The group has demonstrated its capability to rapidly weaponize N-day vulnerabilities in common enterprise applications and c
Mango Sandstorm (2 votes) is a possible alias for MuddyWater. Mango Sandstorm, also known as MuddyWater or Mercury, is a threat actor group linked to Iran's Ministry of Intelligence and Security (MOIS) by the Israeli government. The group has been identified as being involved in several cyber-attacks, utilizing various tactics to gain initial access to targete
POWERSTATS (2 votes) is a possible alias for MuddyWater. PowerStats is a malicious software (malware) created by the MuddyWater cyberespionage group, which is linked to Iran. This malware, written in PowerShell, was designed to exploit and damage computer systems, often infiltrating them without the user's knowledge through suspicious downloads, emails, o
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Phishing
Malware
Backdoor
Implant
Rmm
Simplehelp
Ransomware
Reconnaissance
Vulnerability
Espionage
Payload
Spearphishing
Proxy
Tool
Microsoft
Github
State Sponso...
Associated Malware
Alias | Description | Association Type | Votes
The MuddyC2Go Malware is associated with MuddyWater (association type: Unspecified; 2 votes). MuddyC2Go is a new malware that has been linked to the Iranian state-backed threat operation MuddyWater. The first evidence of malicious activity was identified through the execution of PowerShell code, which connected to a command-and-control (C2) framework known as MuddyC2Go. This infrastructure i
Associated Threat Actors
Alias | Description | Association Type | Votes
The APT35 Threat Actor is associated with MuddyWater (association type: Unspecified; 3 votes). APT35, also known as the Newscaster Team, Charming Kitten, and Mint Sandstorm, is an Iranian government-sponsored cyber espionage team. This threat actor conducts long-term, resource-intensive operations to collect strategic and tactical intelligence on behalf of the Islamic Revolutionary Guard Corp
The Phosphorus Threat Actor is associated with MuddyWater (association type: Unspecified; 2 votes). Phosphorus, also known as APT35 or Charming Kitten, is a prominent threat actor linked to the Islamic Revolutionary Guard Corps (IRGC) of Iran. The group is notorious for its cyberespionage activities and has been actively targeting high-profile individuals involved in Middle Eastern affairs at univ
Source Document References
Information about the MuddyWater Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created
Securityaffairs (3 months ago)
Securityaffairs (4 months ago)
Checkpoint (4 months ago)
Securityaffairs (4 months ago)
Securityaffairs (4 months ago)
Securityaffairs (4 months ago)
Securityaffairs (4 months ago)
DARKReading (4 months ago)
BankInfoSecurity (4 months ago)
InfoSecurity-magazine (4 months ago)
Checkpoint (4 months ago)
Securityaffairs (4 months ago)
Securityaffairs (4 months ago)
Securityaffairs (5 months ago)
Securityaffairs (5 months ago)
Securityaffairs (5 months ago)
Securityaffairs (6 months ago)
ESET (6 months ago)
Securityaffairs (7 months ago)
Securityaffairs (7 months ago)