TEMP.Zagros

Threat Actor updated 2 months ago (2024-07-18T06:17:38.171Z)
TEMP.Zagros, also tracked as MuddyWater, Earth Vetala, MERCURY, Static Kitten, and Seedworm, is an Iran-nexus threat actor active since at least May 2017. The group is associated with Iran's Ministry of Intelligence and Security (MOIS) and has historically targeted government, defense, telecommunications, energy, and finance organizations across the Middle East and Central and South Asia. In January 2022 the U.S. government publicly stated that it considers TEMP.Zagros subordinate to MOIS and disclosed samples of malware families (POWGOOP and MORIAGENT) the group had used since at least 2020.

The group has updated its toolkit consistently over the years, deploying malware such as POWERSTATS, POWGOOP, and MORIAGENT through spear-phishing operations. It keeps pace with current code-execution and persistence techniques and folds them into its malware quickly. Capabilities observed in its tooling include system reboot and shutdown, drive wiping, screenshot capture, encryption and upload of collected information, and code execution through the Excel.Application and Outlook.Application COM objects and through DCOM.

In March 2024, Proofpoint researchers observed a new phishing campaign by the group that attempted to install Atera, a legitimate Remote Monitoring and Management (RMM) product, on target systems. Deep Instinct's Threat Research team has also reported a spear-phishing campaign by TEMP.Zagros against Israeli entities. Mandiant assesses with moderate confidence that UNC3313 is associated with TEMP.Zagros.
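The execution patterns named above (Office COM automation, DCOM activation, and an RMM agent dropped by phishing) are easier to hunt for than the malware families, which change. The script below is an added example written for this page; it is not code from Cybergeist or from any of the vendors cited, and it does not reproduce any TEMP.Zagros tooling. It assumes a simplified process-creation event schema (a constructed stand-in for Sysmon Event ID 1 or Security 4688, with `logon_type` taken from a correlated 4624), assumes the Atera agent can be recognised by the substring `ateraagent` in an image or command line, and uses generic heuristics for COM and DCOM abuse rather than any indicator published for this actor. The sample events are constructed.

```python
"""Hunting heuristics for the execution patterns this profile attributes to
TEMP.Zagros: code execution through Excel.Application / Outlook.Application
COM objects, remote DCOM activation of Office, and an unexpected RMM install.

Added example, not code from Cybergeist or any vendor. The event schema is a
simplified, constructed stand-in for process-creation telemetry; map the field
names to your own source before use.
"""
from dataclasses import dataclass
from typing import Dict, List

OFFICE_APPS = {"excel.exe", "outlook.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Assumption: the Atera agent binary / installer carries this substring.
RMM_MARKERS = ("ateraagent",)


@dataclass(frozen=True)
class Finding:
    rule: str
    event_id: int
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX-style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events: List[Dict]) -> List[Finding]:
    """Return one Finding per matching heuristic, in event order."""
    findings: List[Finding] = []
    for ev in events:
        image = basename(ev["image"])
        parent = basename(ev["parent_image"])
        cmd = ev["command_line"].lower()

        # Office spawning a script host: the shape of Excel.Application /
        # Outlook.Application automation (or a macro) running code
        # (ATT&CK T1559.001). Some add-ins do this legitimately; triage.
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            findings.append(Finding("office_spawns_script_host", ev["id"],
                                    f"{parent} -> {image}: {ev['command_line']}"))

        # Office started by the DCOM launcher (svchost.exe hosting DcomLaunch)
        # with the embedding switch under a network logon (type 3): the shape
        # of remote DCOM activation (T1021.003). The same command line under
        # an interactive logon is ordinary local COM automation, so the logon
        # type is the discriminator.
        if (image in OFFICE_APPS and parent == "svchost.exe"
                and "-embedding" in cmd and ev.get("logon_type") == 3):
            findings.append(Finding("office_remote_dcom_activation", ev["id"],
                                    f"{image} via DCOM from {ev.get('source_ip', 'unknown')}"))

        # RMM agent appearing: legitimate software, but the profile notes it
        # being dropped by phishing, so flag installs that are not sanctioned.
        if (any(m in image or m in cmd for m in RMM_MARKERS)
                and not ev.get("sanctioned", False)):
            findings.append(Finding("unsanctioned_rmm_install", ev["id"],
                                    f"{parent} -> {image}: {ev['command_line']}"))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgA", "logon_type": 2},
    {"id": 2, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": '"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE" /automation -Embedding',
     "logon_type": 3, "source_ip": "10.0.0.25"},
    {"id": 3, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": '"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE" /automation -Embedding',
     "logon_type": 2},
    {"id": 4, "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Users\user\AppData\Local\Temp\setup.exe",
     "command_line": "msiexec.exe /i AteraAgent.msi /qn", "logon_type": 2},
    {"id": 5, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": '"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE" budget.xlsx',
     "logon_type": 2},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.event_id}: {f.detail}")
```

Events 1, 2 and 4 match; event 3 (the same Excel automation launch under an interactive logon) and event 5 (a user opening a workbook) do not, which is the point of keying the DCOM rule on logon type rather than on the `-Embedding` switch alone. Expect the first rule to be noisy in estates with Office add-ins that shell out; tune it on a parent-child allowlist before alerting on it.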
Description last updated: 2024-07-18T06:15:56.717Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Profile: MuddyWater (4 votes)
Description: MuddyWater is a notable threat actor group that has been associated with various cyber-attacks, primarily targeting organizations in the Middle East, particularly Israeli entities, but also extending its activities to other nations including India, Jordan, Portugal, Turkey, and Azerbaijan. The group
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Phishing
Source Document References
Information about the TEMP.Zagros threat actor was read from the documents listed below.
Source / Created / Title
DARKReading / 2 months ago / Iranian Threat Group Drops New Backdoor, 'BugSleep'
Securityaffairs / 5 months ago / Iran-Linked APT TA450 embeds malicious links in PDF attachments
Securityaffairs / 10 months ago / MuddyWater has been spotted targeting two Israeli entities
MITRE / 2 years ago / Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks | CISA
MITRE / 2 years ago / Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign | Mandiant
MITRE / 2 years ago / Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity
CERT-EU / a year ago / Cyberattacks emerge as the greatest threat for Americans