Threat Actor Profile Updated 6 days ago
TEMP.Zagros, also known as MuddyWater, Earth Vetala, MERCURY, Static Kitten, and Seedworm, is an Iran-nexus threat actor that has been active since at least May 2017. The group is associated with the Iranian Ministry of Intelligence and Security (MOIS) and has historically targeted regions and sectors throughout the Middle East and Central and South Asia, including government, defense, telecommunications, energy, and finance. In January 2022 the U.S. government publicly stated that it considers TEMP.Zagros subordinate to MOIS and disclosed samples of malware families (POWGOOP and MORIAGENT) used by the group since at least 2020. The group has consistently updated its toolkit over the years, using malware such as POWERSTATS, POWGOOP, and MORIAGENT in spear-phishing operations. TEMP.Zagros keeps pace with current code-execution and persistence techniques and quickly incorporates them into its malware. Observed capabilities include system reboot, shutdown, drive wipe, screenshot capture, encryption and upload of collected information, and code execution through the Excel.Application COM object, the Outlook.Application COM object, and DCOM objects. In March 2024, Proofpoint researchers observed a new phishing campaign by the group that attempted to drop Atera, a legitimate Remote Monitoring and Management (RMM) solution, on target systems. Deep Instinct's Threat Research team has also reported TEMP.Zagros targeting Israeli entities in a new spear-phishing campaign. Mandiant assesses with moderate confidence that UNC3313 is associated with TEMP.Zagros, indicating that the group's activity is ongoing and continues to evolve.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
MuddyWater is an advanced persistent threat (APT) group, also known as Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros. This threat actor has been linked to the Iranian Ministry of Intelligence and Security (MOIS) according to a joint advisory from cybersecurity firms. The group empl
Mercury, also known as MuddyWater and Static Kitten, is a threat actor group linked to global espionage activities, with suspected ties to the Iranian Ministry of Intelligence and Security. This group has been noted for its malicious activities, compromising multiple victims that another group, POLO
PowerStats is a malicious software (malware) created by the MuddyWater cyberespionage group, which is linked to Iran. This malware, written in PowerShell, was designed to exploit and damage computer systems, often infiltrating them without the user's knowledge through suspicious downloads, emails, o
Static Kitten
Static Kitten, also known as MuddyWater, Mercury, Mango Sandstorm, and TA450, is an Iranian government-sponsored hacking group suspected to be linked to the Iranian Ministry of Intelligence and Security. The group has been active since 2017 and is notorious for its cyber-espionage activities. Static
Seedworm, also known as MuddyWater, TEMP.Zagros, Static Kitten, and several other monikers, is a threat actor believed to be linked with Iran's Ministry of Intelligence and Security (MOIS). This cyberespionage group has been active since 2017, targeting various sectors globally, including government
UNC3313, a threat actor group identified by Mandiant, has been actively involved in cyber-attacks targeting Middle Eastern government and technology entities since the second half of 2021. The group leverages a range of malware families, including GRAMDOOR, a Python-written backdoor that communicate
TA450, an Advanced Persistent Threat (APT) group, is a threat actor linked to Iran that has been identified as being behind a series of cyber-attacks. APTs are typically associated with nation-states or state-sponsored groups and are known for their persistence and ability to remain undetected over
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
State Sponso...
Associated Malware
ID | Type | Votes | Profile Description
PowGoop is a malicious software (malware) employed by MuddyWater actors, an Iranian cyber threat group also known as TEMP.Zagros. This malware primarily functions as a loader in the group's nefarious operations and includes a DLL loader and a PowerShell-based downloader. The hackers have been observ
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the TEMP.Zagros threat actor was read from the document corpus below. This display is limited to 20 results.
6 days ago
Iranian Threat Group Drops New Backdoor, 'BugSleep'
4 months ago
Iran-Linked APT TA450 embeds malicious links in PDF attachments
9 months ago
MuddyWater has been spotted targeting two Israeli entities
a year ago
Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks | CISA
a year ago
Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign | Mandiant
a year ago
Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity
a year ago
Cyberattacks emerge as the greatest threat for Americans