Seedworm

Threat Actor updated 7 months ago (2024-05-04T19:08:01.676Z)
Seedworm, also known as MuddyWater, TEMP.Zagros, Static Kitten, and several other monikers, is a threat actor believed to be linked with Iran's Ministry of Intelligence and Security (MOIS). This cyberespionage group has been active since 2017, targeting various sectors globally, including government agencies, oil & gas, NGOs, telecoms, and IT firms. Over the years, Seedworm has compromised more than 130 victims across 30 organizations, with a particular focus on entities in Egypt, Sudan, Tanzania, and Israel. The group employs a variety of tools, including the SimpleHelp remote access tool, Venom Proxy, a custom keylogger, and other publicly available and living-off-the-land tools.

In March 2024, Proofpoint researchers observed Seedworm conducting a new phishing campaign targeting Israeli entities. This campaign sought to install a legitimate Remote Monitoring and Management (RMM) solution called Atera onto target systems, providing the attackers with extensive access and control. Symantec noted multiple incidents where Seedworm used SimpleHelp to connect to its known infrastructure, executing a custom build of the Venom Proxy hacktool and a new custom keylogger on the network.

The first signs of malicious activity typically come from the execution of PowerShell code to connect to a command-and-control (C2) framework called MuddyC2Go, an infrastructure previously linked to Seedworm. An executable fitted with a PowerShell script automatically connects to Seedworm's C2 server, giving the attackers remote access to a victim system without the need for manual execution by an operator. Researchers believe this framework may have been in use by Seedworm since 2020. As such, Seedworm poses a significant ongoing threat to targeted sectors and regions, warranting continued vigilance and robust cybersecurity measures.
Description last updated: 2024-03-25T16:15:41.624Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias: MuddyWater (4 votes)
Description: MuddyWater is a possible alias for Seedworm. MuddyWater is a notable threat actor group that has been associated with various cyber-attacks, primarily targeting organizations in the Middle East, particularly Israeli entities, but also extending its activities to other nations including India, Jordan, Portugal, Turkey, and Azerbaijan. The group
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Proxy
SimpleHelp
Iran
Windows
APT
Analyst Notes & Discussion
Associated Malware
Alias: MuddyC2Go (association type: Unspecified; 2 votes)
Description: The MuddyC2Go malware is associated with Seedworm. MuddyC2Go is a new malware that has been linked to the Iranian state-backed threat operation MuddyWater. The first evidence of malicious activity was identified through the execution of PowerShell code, which connected to a command-and-control (C2) framework known as MuddyC2Go. This infrastructure i

Alias: Venom Proxy (association type: Unspecified; 2 votes)
Description: The Venom Proxy malware is associated with Seedworm. Venom Proxy is a malicious software (malware) that has been associated with Seedworm, a cyber espionage group, since mid-2022. It is a multi-hop proxy tool developed for penetration testers and is written in Go. This malware, often used as Seedworm's "tool of choice," can infiltrate systems via susp