POWERSTATS

Malware Profile Updated 5 days ago
PowerStats is a malicious software (malware) created by the MuddyWater cyberespionage group, which is linked to Iran. This malware, written in PowerShell, was designed to exploit and damage computer systems, often infiltrating them without the user's knowledge through suspicious downloads, emails, or websites. Once inside a system, PowerStats can steal personal information, disrupt operations, or even hold data for ransom. The malware was initially used as a backdoor program by MuddyWater, but the group later shifted to using remote management software, according to Sekoia's advisory.

The PowerStats payload has been executed via various methods, including CMSTP.exe, JavaScript files, mshta.exe, Visual Basic Script (VBS) files, and macros. For instance, MuddyWater used mshta.exe not only to execute its PowerStats payload but also to pass a PowerShell one-liner for execution. To obfuscate the command and control (C2) location, MuddyWater controlled PowerStats from behind a proxy network. Alongside PowerStats, the group has developed other malware sets such as PowGoop, Small Sieve, Canopy/Starwhale, and Mori, used for loading malware, backdoor access, persistence, and exfiltration.

A new campaign likely attributed to Static Kitten, another name for the MuddyWater group, has been uncovered by Anomali Threat Research. Consistent with previous Static Kitten activity, this campaign uses tactics, techniques, and procedures that include ScreenConnect launch parameters designed to target any MOFA (Ministry of Foreign Affairs) with mfa[.]gov as part of the custom field. The group continues to use the PowerStats backdoor, running PowerShell scripts to maintain persistent access to victim systems, along with multiple malware sets for various malicious activities.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
MuddyWater | 2 | MuddyWater is an advanced persistent threat (APT) group, also known as Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros. This threat actor has been linked to the Iranian Ministry of Intelligence and Security (MOIS) according to a joint advisory from cybersecurity firms. The group empl
Seedworm | 1 | Seedworm, also known as MuddyWater, TEMP.Zagros, Static Kitten, and several other monikers, is a threat actor believed to be linked with Iran's Ministry of Intelligence and Security (MOIS). This cyberespionage group has been active since 2017, targeting various sectors globally, including government
TEMP.Zagros | 1 | TEMP.Zagros, also known as MuddyWater, Earth Vetala, MERCURY, Static Kitten, and Seedworm, is an Iran-nexus threat actor that has been active since at least May 2017. This group is associated with the Iranian Ministry of Intelligence and Security (MOIS) and has historically targeted regions and sect
Static Kitten | 1 | Static Kitten, also known as MuddyWater, Mercury, Mango Sandstorm, and TA450, is an Iranian government-sponsored hacking group suspected to be linked to the Iranian Ministry of Intelligence and Security. The group has been active since 2017 and is notorious for its cyber-espionage activities. Static
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Exploit
Payload
Rmm
Phishing
Malware
t1059.001
Proxy
Github
PowerShell
Screenconnect
Associated Malware
ID | Type | Votes | Profile Description
PowGoop | Unspecified | 1 | PowGoop is a malicious software (malware) employed by MuddyWater actors, an Iranian cyber threat group also known as TEMP.Zagros. This malware primarily functions as a loader in the group's nefarious operations and includes a DLL loader and a PowerShell-based downloader. The hackers have been observ
Small Sieve | Unspecified | 1 | Small Sieve is a type of malware used by the MuddyWater actors, as observed by the FBI, CISA, CNMF, and NCSC-UK. This malicious software is distributed through a large (16MB) NSIS installer named gram_app.exe, which does not masquerade as a legitimate application. The Small Sieve payload will only e
Mori | Unspecified | 1 | Mori is a type of malware employed by the cyber threat group known as MuddyWater. The FBI, CISA, CNMF, and NCSC-UK have observed MuddyWater actors using various malware, including Mori, as part of their malicious activities. These include but are not limited to variants of PowGoop, Small Sieve, Cano
Muddyc3 | Unspecified | 1 | None
Phonyc2 | Unspecified | 1 | PhonyC2 is a malware, specifically a command-and-control framework, that has been used by the Iranian-based cyber-espionage group MuddyWater since at least 2021. This software was designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. O
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the POWERSTATS Malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
DARKReading | 5 days ago | Iranian Threat Group Drops New Backdoor, 'BugSleep'
CERT-EU | a year ago | Cyber security week in review: June 30, 2023
MITRE | a year ago | Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies
MITRE | a year ago | Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks | CISA
MITRE | a year ago | Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms
MITRE | a year ago | Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign | Mandiant
MITRE | a year ago | Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity