Seedworm

Threat Actor Profile Updated 2 months ago
Seedworm, also known as MuddyWater, TEMP.Zagros, Static Kitten, and several other monikers, is a threat actor believed to be linked to Iran's Ministry of Intelligence and Security (MOIS). This cyberespionage group has been active since 2017, targeting a range of sectors globally, including government agencies, oil and gas, NGOs, telecoms, and IT firms. Over the years, Seedworm has compromised more than 130 victims across 30 organizations, with a particular focus on entities in Egypt, Sudan, Tanzania, and Israel. The group's toolset includes the SimpleHelp remote access tool, Venom Proxy, a custom keylogger, and other publicly available and living-off-the-land tools.

In March 2024, Proofpoint researchers observed Seedworm conducting a new phishing campaign against Israeli entities. The campaign sought to install Atera, a legitimate Remote Monitoring and Management (RMM) solution, on target systems, giving the attackers extensive access and control. Symantec noted multiple incidents in which Seedworm used SimpleHelp to connect to its known infrastructure and then executed a custom build of the Venom Proxy hacktool and a new custom keylogger on the network.

The first signs of malicious activity typically come from the execution of PowerShell code that connects to a command-and-control (C2) framework called MuddyC2Go, infrastructure previously linked to Seedworm. An executable fitted with a PowerShell script automatically connects to Seedworm's C2 server, giving the attackers remote access to a victim system without any manual execution by an operator. Researchers believe this framework may have been in use by Seedworm since 2020. Seedworm therefore poses a significant ongoing threat to the targeted sectors and regions, warranting continued vigilance and robust defensive measures.
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so the following overlapping names and profiles may also be worth reviewing.
ID | Votes | Profile Description
MuddyWater | 4 | MuddyWater is a recognized threat actor in the cybersecurity landscape, known for its malicious activities and sophisticated hacking techniques. This group employs a range of tools and methods to execute their attacks, including the use of PowerShell for execution and HTTP for Command and Control (C
POWERSTATS | 1 | PowerStats is a type of malware, or malicious software, used by the Iran-nexus cyberespionage group known as Static Kitten (also referred to as Seedworm, MERCURY, Temp.Zagros, POWERSTATS, NTSTATS, and MuddyWater). This group primarily targets sectors in the Middle East and uses PowerStats to run Pow
TEMP.Zagros | 1 | TEMP.Zagros, also known as MuddyWater, Earth Vetala, MERCURY, Static Kitten, and Seedworm, is an Iran-nexus threat actor that has been active since at least May 2017. This group has been consistently updating their toolkit over the years, leveraging malware such as POWERSTATS, POWGOOP, and MORIAGENT
Static Kitten | 1 | Static Kitten, also known as MuddyWater, SeedWorm, TEMP.Zagros, and Mercury, is an Iranian government-sponsored hacking group that has been active since 2017. The group is notorious for its malicious activities, including spear-phishing campaigns targeting various entities globally, with a particula
OilRig | 1 | OilRig is a well-known threat actor in the cybersecurity landscape, notorious for its sophisticated attacks on various targets, including Middle Eastern telecommunications organizations and Israel's critical infrastructure sector. This entity has been linked to several high-profile campaigns such as
Mango Sandstorm | 1 | Mango Sandstorm, also known as MuddyWater or Mercury, is a threat actor group linked to Iran's Ministry of Intelligence and Security (MOIS) by the Israeli government. The group has been identified as being involved in several cyber-attacks, utilizing various tactics to gain initial access to targete
TA450 | 1 | TA450, an Advanced Persistent Threat (APT) group, is a threat actor linked to Iran that has been identified as being behind a series of cyber-attacks. APTs are typically associated with nation-states or state-sponsored groups and are known for their persistence and ability to remain undetected over
Miscellaneous Associations
Other contextual elements that may help assess relevance
Proxy
Iran
APT
Windows
SimpleHelp
Tool
PowerShell
Symantec
GitHub
Espionage
Backdoor
Exploit
Phishing
RMM
Associated Malware
ID | Type | Votes | Profile Description
MuddyC2Go | Unspecified | 2 | MuddyC2Go is a new malware that has been linked to the Iranian state-backed threat operation MuddyWater. The first evidence of malicious activity was identified through the execution of PowerShell code, which connected to a command-and-control (C2) framework known as MuddyC2Go. This infrastructure i
Venom Proxy | Unspecified | 2 | Venom Proxy is a malicious software (malware) that has been associated with Seedworm, a cyber espionage group, since mid-2022. It is a multi-hop proxy tool developed for penetration testers and is written in Go. This malware, often used as Seedworm's "tool of choice," can infiltrate systems via susp
PhonyC2 | Unspecified | 1 | PhonyC2 is a malware, specifically a command-and-control framework, that has been used by the Iranian-based cyber-espionage group MuddyWater since at least 2021. This software was designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. O
Venom | Unspecified | 1 | Venom is a malicious software (malware) that has been associated with Seedworm, a cyber-espionage group, since at least mid-2022. As per Microsoft's August 2022 blog post, Venom is Seedworm's "tool of choice". The malware uses several tools such as Venom RAT v6.0.3, SimpleHelp remote access tool, an
Associated Threat Actors
ID | Type | Votes | Profile Description
APT28 | Unspecified | 1 | APT28, also known as Fancy Bear, is a threat actor believed to be linked to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). This group has been implicated in several high-profile cyber-espionage activities. Notably, they were behind a large-scale malwar
Earth Vetala | Unspecified | 1 | Earth Vetala is a notorious threat actor that has been active in the cyber world for some time now. This group is known by several names such as Boggy Serpens, Cobalt Ulster, ITG17, Mercury, Seedworm, Static Kitten, TEMP.Zagros, and Yellow Nix, making it difficult to track their activities. Earth Ve
Yellow Nix | Unspecified | 1 | None
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Seedworm threat actor was drawn from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
Securityaffairs | 4 months ago | Iran-Linked APT TA450 embeds malicious links in PDF attachments
CERT-EU | 7 months ago | Iranian Hackers Using MuddyC2Go in Telecom Espionage Attacks Across Africa (National Cyber Security Consulting)
CERT-EU | 7 months ago | Seedworm: Iranian Hackers Target Telecoms Organisations in North and East Africa (Cyber Security Review)
DARKReading | 7 months ago | Iranian 'Seedworm' Cyber Spies Target African Telcos & ISPs
CERT-EU | 7 months ago | Seedworm: Iranian Hackers Target Telecoms Orgs in North and East Africa
Securityaffairs | 8 months ago | MuddyWater has been spotted targeting two Israeli entities
MITRE | a year ago | Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms
MITRE | a year ago | Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments