TEMP.Zagros

Threat Actor updated 4 months ago (2024-07-18T06:17:38.171Z)
Download STIX
Preview STIX
TEMP.Zagros, also known as MuddyWater, Earth Vetala, MERCURY, Static Kitten, and Seedworm, is an Iran-nexus threat actor that has been active since at least May 2017. This group is associated with the Iranian Ministry of Intelligence and Security (MOIS) and has historically targeted regions and sectors throughout the Middle East and Central and South Asia, including government, defense, telecommunications, energy, and finance. The U.S. government publicly stated in January 2022 that it considers TEMP.Zagros subordinate to MOIS and disclosed samples of malware families (POWGOOP and MORIAGENT) used by the group since at least 2020. The group has consistently updated its toolkit over the years, using malware such as POWERSTATS, POWGOOP, and MORIAGENT in spear-phishing operations. TEMP.Zagros stays up-to-date with the latest code execution and persistence mechanism techniques, quickly leveraging these techniques to update their malware. They are known to weaponize their malware using various techniques, which include system reboot, shutdown, drive wipe, screenshot capture, information encryption and upload, and code execution leveraging Excel.Application COM object, Outlook.Application COM object, and DCOM object. In March 2024, Proofpoint researchers observed a new phishing campaign by the group, attempting to drop a legitimate Remote Monitoring and Management (RMM) solution called Atera on target systems. Furthermore, TEMP.Zagros has been reported targeting Israeli entities in a new spear-phishing campaign, according to Deep Instinct’s Threat Research team. Mandiant assesses with moderate confidence that UNC3313 is associated with TEMP.Zagros, indicating the group's ongoing and evolving cyber threat activities.
Description last updated: 2024-07-18T06:15:56.717Z
What's your take? (Question 1 of 1)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
MuddyWater is a possible alias for TEMP.Zagros. MuddyWater is a notable threat actor group that has been associated with various cyber-attacks, primarily targeting organizations in the Middle East, particularly Israeli entities, but also extending its activities to other nations including India, Jordan, Portugal, Turkey, and Azerbaijan. The group
4
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Phishing
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Source Document References
Information about the TEMP.Zagros Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more