Malware Profile Updated 3 months ago
PowGoop is malware employed by MuddyWater, an Iranian cyber threat group also known as TEMP.Zagros. It functions primarily as a loader in the group's operations and consists of a DLL loader and a PowerShell-based downloader. MuddyWater actors have been observed using multiple malware sets, including PowGoop, Small Sieve, Canopy/Starwhale, Mori, and POWERSTATS, for loading additional malware, backdoor access, persistence, and exfiltration. They rely on techniques such as DLL side-loading, which tricks legitimate programs into running malicious code, and obfuscation of PowerShell scripts to hide command and control (C2) functionality.

The Federal Bureau of Investigation (FBI), the Cybersecurity & Infrastructure Security Agency (CISA), the Cyber National Mission Force (CNMF), and the UK National Cyber Security Centre (NCSC-UK) have noted recent use of various malware variants by MuddyWater actors, including new versions of PowGoop. In its spear-phishing operations, the group has consistently updated its toolkit over the years, using malware such as POWERSTATS, POWGOOP, and MORIAGENT. Iranian actors have also delivered the PowGoop downloader via phishing emails and exploited publicly known Microsoft Exchange server vulnerabilities to deliver Thanos ransomware.

Open-source cyber research has found PowGoop Loader variants in compromised networks; these de-obfuscate a PowerShell script that provides the attackers' C2 functions. Additional PowGoop variants, including C2 Beacon, Loader, and DLL Side-Loading variants, have been identified. They use different file names, such as libpcre2-8-0.dll and vcruntime140.dll, to evade antivirus and manual detection, supporting the group's espionage and ransomware activities.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
PowerStats is a malicious software (malware) created by the MuddyWater cyberespionage group, which is linked to Iran. This malware, written in PowerShell, was designed to exploit and damage computer systems, often infiltrating them without the user's knowledge through suspicious downloads, emails, o
Associated Threat Actors
TEMP.Zagros, also known as MuddyWater, Earth Vetala, MERCURY, Static Kitten, and Seedworm, is an Iran-nexus threat actor that has been active since at least May 2017. This group is associated with the Iranian Ministry of Intelligence and Security (MOIS) and has historically targeted regions and sect
MuddyWater is an advanced persistent threat (APT) group, also known as Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros. This threat actor has been linked to the Iranian Ministry of Intelligence and Security (MOIS) according to a joint advisory from cybersecurity firms. The group empl
Associated Vulnerabilities
No associations to display
Source Document References
Information about the PowGoop malware was read from the document corpus below. This display is limited to 20 results.
Connect the Dots on State-Sponsored Cyber Incidents - Targeting of Israeli organizations with ransomware (a year ago)
Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks | CISA (a year ago)
Iranian intel cyber suite of malware uses open source tools (a year ago)
Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity (a year ago)