Seedworm

Threat Actor updated 23 days ago (2024-11-29T14:34:02.375Z)

Download STIX

Preview STIX

Seedworm, also known as MuddyWater, TEMP.Zagros, Static Kitten, and several other monikers, is a threat actor believed to be linked with Iran's Ministry of Intelligence and Security (MOIS). This cyberespionage group has been active since 2017, targeting various sectors globally, including government agencies, oil & gas, NGOs, telecoms, and IT firms. Over the years, Seedworm has compromised more than 130 victims across 30 organizations, with a particular focus on entities in Egypt, Sudan, Tanzania, and Israel. The group employs a variety of tools, including the SimpleHelp remote access tool, Venom Proxy, a custom keylogger, and other publicly available and living-off-the-land tools. In March 2024, Proofpoint researchers observed Seedworm conducting a new phishing campaign targeting Israeli entities. This campaign sought to install a legitimate Remote Monitoring and Management (RMM) solution called Atera onto target systems, providing the attackers with extensive access and control. Symantec noted multiple incidents where Seedworm used SimpleHelp to connect to its known infrastructure, executing a custom build of the Venom Proxy hacktool and a new custom keylogger on the network. The first signs of malicious activity typically come from the execution of PowerShell code to connect to a command-and-control (C2) framework called MuddyC2Go, an infrastructure previously linked to Seedworm. An executable fitted with a PowerShell script automatically connects to Seedworm's C2 server, giving the attackers remote access to a victim system without the need for manual execution by an operator. Researchers believe this framework may have been in use by Seedworm since 2020. As such, Seedworm poses a significant ongoing threat to targeted sectors and regions, warranting continued vigilance and robust cybersecurity measures.

Description last updated: 2024-03-25T16:15:41.624Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
MuddyWater is a possible alias for Seedworm. MuddyWater is an Advanced Persistent Threat (APT) actor that first surfaced in 2017, primarily targeting countries in the Middle East, Europe, and the USA. The group uses a range of techniques for its cyber-espionage activities, including PowerShell for execution, HTTP for C2 communications, and mal	4

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Proxy

Simplehelp

Iran

Windows

Apt

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Muddyc2go Malware is associated with Seedworm. MuddyC2Go is a new malware that has been linked to the Iranian state-backed threat operation MuddyWater. The first evidence of malicious activity was identified through the execution of PowerShell code, which connected to a command-and-control (C2) framework known as MuddyC2Go. This infrastructure i	Unspecified	2
The Venom Proxy Malware is associated with Seedworm. Venom Proxy is a malicious software (malware) that has been associated with Seedworm, a cyber espionage group, since mid-2022. It is a multi-hop proxy tool developed for penetration testers and is written in Go. This malware, often used as Seedworm's "tool of choice," can infiltrate systems via susp	Unspecified	2

Source Document References

Information about the Seedworm Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Securityaffairs	9 months ago	Iran-Linked APT TA450 embeds malicious links in PDF attachments
CERT-EU	a year ago	Iranian Hackers Using MuddyC2Go in Telecom Espionage Attacks Across Africa \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
CERT-EU	a year ago	Seedworm: Iranian Hackers Target Telecoms Organisations in North and East Africa - Cyber Security Review
DARKReading	a year ago	Iranian 'Seedworm' Cyber Spies Target African Telcos & ISPs
CERT-EU	a year ago	Seedworm: Iranian Hackers Target Telecoms Orgs in North and East Africa
Securityaffairs	a year ago	MuddyWater has been spotted targeting two Israeli entities
MITRE	2 years ago	Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms
MITRE	2 years ago	Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments