TEMP.Zagros, also known as MuddyWater, Earth Vetala, MERCURY, Static Kitten, and Seedworm, is an Iran-nexus threat actor that has been active since at least May 2017. This group is associated with the Iranian Ministry of Intelligence and Security (MOIS) and has historically targeted regions and sectors throughout the Middle East and Central and South Asia, including government, defense, telecommunications, energy, and finance. The U.S. government publicly stated in January 2022 that it considers TEMP.Zagros subordinate to MOIS and disclosed samples of malware families (POWGOOP and MORIAGENT) used by the group since at least 2020.
The group has consistently updated its toolkit over the years, using malware such as POWERSTATS, POWGOOP, and MORIAGENT in spear-phishing operations. TEMP.Zagros keeps pace with newly published code-execution and persistence techniques and quickly incorporates them into its malware. Its tooling is known to support capabilities including system reboot, shutdown, drive wiping, screenshot capture, encryption and upload of collected information, and code execution through the Excel.Application COM object, the Outlook.Application COM object, and DCOM.
In March 2024, Proofpoint researchers observed a new phishing campaign by the group that attempted to drop Atera, a legitimate Remote Monitoring and Management (RMM) solution, on target systems. Deep Instinct’s Threat Research team has also reported TEMP.Zagros targeting Israeli entities in a new spear-phishing campaign. Mandiant assesses with moderate confidence that UNC3313 is associated with TEMP.Zagros, indicating that the group's activity is ongoing and continues to evolve.
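The two behaviours described in the preceding paragraphs, code execution through Office COM objects and a phishing chain that installs a legitimate RMM agent, both leave a recognisable parent/child process trail. The following is an added detection example, not code from the page or from any of the vendors it cites. It runs three heuristics over constructed process-creation events; the field names are modelled loosely on Sysmon Event ID 1 but are an assumption of this example, the process names in the allow-lists are assumptions, and the `AteraAgent` file-name fragment is an assumed installer name rather than an indicator taken from the page.

```python
"""Heuristic detections for Office-COM execution and Office-spawned RMM installs.

Runs over constructed process-creation events (not real telemetry). Field names
mirror Sysmon Event ID 1 loosely; they are an assumption of this example.
"""
import re
from dataclasses import dataclass

# Script hosts commonly used to instantiate COM objects from a loader (assumed list).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Office applications that become the parent when a phishing document runs a payload.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
# COM ProgIDs named in the profile; matched case-insensitively in command lines.
COM_PROGIDS = re.compile(r"(Excel|Outlook)\.Application", re.IGNORECASE)
# Installer / RMM-agent names treated as suspicious when launched by an Office parent.
# "AteraAgent" is an assumed file-name fragment, not an indicator from the page.
RMM_OR_INSTALLER = re.compile(r"(msiexec\.exe|AteraAgent)", re.IGNORECASE)


@dataclass
class ProcessEvent:
    image: str          # full path of the newly created process
    command_line: str   # its command line
    parent_image: str   # full path of the parent process


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: ProcessEvent) -> list[str]:
    """Return alert tags for one event; an empty list means no finding."""
    tags = []
    image = _basename(event.image)
    parent = _basename(event.parent_image)
    # 1. A script host instantiating an Office COM object from its command line.
    if image in SCRIPT_HOSTS and COM_PROGIDS.search(event.command_line):
        tags.append("script-host-office-com")
    # 2. An Office process launching an installer or a known RMM agent.
    if parent in OFFICE_APPS and RMM_OR_INSTALLER.search(event.image + " " + event.command_line):
        tags.append("office-spawned-rmm-install")
    # 3. An Office process spawning a script host at all (broad, but high-signal).
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        tags.append("office-spawned-script-host")
    return tags


def scan(events: list[ProcessEvent]) -> list[tuple[str, list[str]]]:
    """Return (image, tags) for every event that produced at least one tag."""
    return [(e.image, tags) for e in events if (tags := classify(e))]


# Constructed sample events for demonstration; paths and command lines are made up.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -w hidden New-Object -ComObject Excel.Application",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcessEvent(r"C:\Windows\System32\msiexec.exe",
                 r"msiexec.exe /i C:\Users\u\AppData\Local\Temp\AteraAgent.msi /qn",
                 r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"),
    ProcessEvent(r"C:\Windows\System32\msiexec.exe",
                 r"msiexec.exe /i C:\Windows\Temp\update.msi /qn",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for image, tags in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(tags)}")
```

The third sample (an `msiexec.exe` launched from `explorer.exe`) is included deliberately: an unattended MSI install is routine on its own, and the rule only fires when the parent is an Office application, which keeps the heuristic from flagging ordinary software deployment. In a real pipeline the allow-lists would be tuned to the environment and the Office-parent condition would be the part worth keeping.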
Description last updated: 2024-07-18T06:15:56.717Z