SYMBOLCOMMON_NAMEaka. SYNONYMS

MuddyWater  (Back to overview)

aka: ATK51, Boggy Serpens, COBALT ULSTER, G0069, MERCURY, Mango Sandstorm, Seedworm, Static Kitten, TA450, TEMP.Zagros

The MuddyWater attacks are primarily against Middle Eastern nations. However, we have also observed attacks against surrounding nations and beyond, including targets in India and the USA. MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor we call “POWERSTATS”. Despite broad scrutiny and reports on MuddyWater attacks, the activity continues with only incremental changes to the tools and techniques.


Associated Families
apk.mudwater ps1.powgoop vbs.starwhale vbs.unidentified_004 win.covicli win.gramdoor win.sharpstats ps1.powerstats win.moriagent win.muddyc2go ps1.phonyc2

References
2023-12-19SymantecSymantec Threat Hunter Team
Seedworm: Iranian Hackers Target Telecoms Orgs in North and East Africa
MuddyC2Go
2023-11-08Deep instinctDeep Instinct Threat Lab, Simon Kenin
MuddyC2Go – Latest C2 Framework Used by Iranian APT MuddyWater Spotted in Israel
PhonyC2 MuddyC2Go
2023-11-01Deep instinctDeep Instinct Threat Lab, Simon Kenin
MuddyWater eN-Able spear-phishing with new TTPs
PhonyC2
2023-08-24circleidWhoisXML
Signs of MuddyWater Developments Found in the DNS
PhonyC2
2023-06-29DeepInstinctDeep Instinct Threat Lab, Simon Kenin
PhonyC2: Revealing a New Malicious Command & Control Framework by MuddyWater
PhonyC2 POWERSTATS
2022-07-18Palo Alto Networks Unit 42Unit 42
Boggy Serpens
POWERSTATS MuddyWater
2022-06-21Lab52
MuddyWater’s “light” first-stager targetting Middle East
Unidentified VBS 004 (RAT)
2022-05-11NTT Security HoldingsNTT Security Holdings
Analysis of an Iranian APTs “E400” PowGoop Variant Reveals Dozens of Control Servers Dating Back to 2020
PowGoop
2022-03-12GovInfo SecurityPrajeet Nair
Iranian APT: New Methods to Target Turkey, Arabian Peninsula
STARWHALE
2022-03-10The Hacker NewsRavie Lakshmanan
Iranian Hackers Targeting Turkey and Arabian Peninsula in New Malware Campaign
STARWHALE
2022-03-10TechRepublicBrian Stone
MuddyWater targets Middle Eastern and Asian countries in phishing attacks
STARWHALE
2022-03-10RootdemonRootdaemon
Iranian Hackers Targeting Turkey and Arabian Peninsula in New Malware Campaign
STARWHALE
2022-03-10TalosArnaud Zobec, Asheer Malhotra, Vitor Ventura
Iranian linked conglomerate MuddyWater comprised of regionally focused subgroups
STARWHALE
2022-02-25infoRisk TODAYPrajeet Nair
MuddyWater Targets Critical Infrastructure in Asia, Europe
POWERSTATS PowGoop STARWHALE GRAMDOOR MoriAgent
2022-02-24CISA, CNMF, FBI, NCSC UK, NSA
Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks
POWERSTATS PowGoop GRAMDOOR MoriAgent
2022-02-24MandiantEmiel Haeghebaert, Ryan Tomcik, Tufail Ahmed
Left On Read: Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity
STARWHALE GRAMDOOR
2022-02-24CISA, CNMF, FBI, NCSC UK
Alert (AA22-055A) Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks
POWERSTATS PowGoop MoriAgent
2022-01-12Sentinel LABSAmitai Ben Shushan Ehrlich
Wading Through Muddy Waters | Recent Activity of an Iranian State-Sponsored Threat Actor
PowGoop
2022-01-12U.S. Cyber CommandU.S. Cyber Command
Iranian intel cyber suite of malware uses open source tools
PowGoop MoriAgent
2021-02-28PWC UKPWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2021-01-13Shells.System blogAhmed Khlief
Reviving MuddyC3 Used by MuddyWater (IRAN) APT
POWERSTATS
2020-11-03Kaspersky LabsGReAT
APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti
2020-10-21CyberScoopSean Lyngaas
'MuddyWater' spies suspected in attacks against Middle East governments, telecoms
PowGoop
2020-10-21SymantecThreat Hunter Team
Seedworm: Iran-Linked Group Continues to Target Organizations in the Middle East
PowGoop
2020-10-15ClearSkyClearSky
Operation Quicksand: MuddyWater’s Offensive Attack Against Israeli Organizations
PowGoop Covicli
2020-09-04Palo Alto Networks Unit 42Robert Falcone
Thanos Ransomware: Destructive Variant Targeting State-Run Organizations in the Middle East and North Africa
PowGoop Hakbit
2020-06-17Twitter (@Timele9527)Timele12138
Tweet on MoriAgent uesd by MuddyWater (incl YARA rule)
MoriAgent
2020-05-07paloalto LIVEcommunityMohammed Yasin
How to stop MortiAgent Malware using the snort rule?
MoriAgent
2020-01-15Marco Ramilli's BlogMarco Ramilli
Iranian Threat Actors: Preliminary Analysis
POWERSTATS
2020-01-07PrevailionDanny Adamitis
Summer Mirage
POWERSTATS
2020-01-01SecureworksSecureWorks
COBALT ULSTER
POWERSTATS Koadic MuddyWater
2019-08-01Kaspersky LabsGReAT
APT trends report Q2 2019
ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy
2019-06-10Trend MicroDaniel Lunghi, Jaromír Hořejší
MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools
POWERSTATS
2019-06-10Trend MicroDaniel Lunghi, Jaromír Hořejší
New MuddyWater Activities Uncovered: Threat Actors Used Multi-Stage Backdoors, New Post-Exploitation Tools, Android Malware, and More
Mudwater SHARPSTATS
2019-05-29Group-IBGroup-IB
Catching fish in muddy waters
POWERSTATS
2019-05-20CiscoDanny Adamitis, David Maynor, Kendall McKay
Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques
MuddyWater
2019-05-09ZDNetCatalin Cimpanu
New leaks of Iranian cyber-espionage operations hit Telegram and the Dark Web
MuddyWater
2019-04-15ClearSkyClearSky Research Team
Iranian APT MuddyWater Attack Infrastructure Targeting Kurdish Political Groups and Organizations in Turkey
POWERSTATS MuddyWater
2019-04-10Check PointCheck Point Research
The Muddy Waters of APT Attacks
POWERSTATS
2019-03-21QianxinQi Anxin
Analysis of the latest attack activities of the suspected MuddyWater APT group against the Iraqi mobile operator Korek Telecom
POWERSTATS
2019-01-01Council on Foreign RelationsCyber Operations Tracker
MuddyWater
MuddyWater
2019-01-01MITREMITRE ATT&CK
Group description: MuddyWater
MuddyWater
2018-12-10SymantecSymantec DeepSight Adversary Intelligence Team
Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms
MuddyWater
2018-11-28ClearSkyClearSky Research Team
MuddyWater Operations in Lebanon and Oman
POWERSTATS
2018-11-01ClearSkyClearSky Cyber Security
MuddyWater Operations in Lebanon and Oman
MuddyWater
2018-10-10Kaspersky LabsGReAT
MuddyWater expands operations
MuddyWater
2018-06-14Trend MicroMartin Co, Michael Villanueva
Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor
MuddyWater
2018-06-06ClearSkyClearSky Cyber Security
Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal
POWERSTATS
2018-05-08Security 0wnageMo Bustami
Clearing the MuddyWater - Analysis of new MuddyWater Samples
POWERSTATS
2018-03-22Sekoiasekoia
Falling on MuddyWater
POWERSTATS
2018-03-13FireEyeBen Read, Dileep Kumar Jallepalli, Sudeep Singh, Yogesh Londhe
Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign
POWERSTATS MuddyWater
2018-03-12Trend MicroJaromír Hořejší
Campaign Possibly Connected to “MuddyWater” Surfaces in the Middle East and Central Asia
POWERSTATS MuddyWater
2018-03-01Security 0wnageMo Bustami
A Quick Dip into MuddyWater's Recent Activity
POWERSTATS
2018-01-02Security 0wnageMo Bustami
Burping on MuddyWater
POWERSTATS
2017-11-22ReaqtaReaqta
A dive into MuddyWater APT targeting Middle-East
POWERSTATS
2017-11-14Palo Alto Networks Unit 42Tom Lancaster
Muddying the Water: Targeted Attacks in the Middle East
POWERSTATS MuddyWater
2017-10-04Security 0wnageMo Bustami
Continued Activity targeting the Middle East
POWERSTATS
2017-09-26MalwarebytesMalwarebytes Labs
Elaborate scripting-fu used in espionage attack against Saudi Arabia Government entity
POWERSTATS

Credits: MISP Project