
MuddyWater

aka: TEMP.Zagros, Static Kitten, Seedworm, MERCURY, COBALT ULSTER, G0069, ATK51, Boggy Serpens

The MuddyWater attacks are primarily against Middle Eastern nations. However, we have also observed attacks against surrounding nations and beyond, including targets in India and the USA. MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor we call “POWERSTATS”. Despite broad scrutiny and reports on MuddyWater attacks, the activity continues with only incremental changes to the tools and techniques.


Associated Families
apk.mudwater ps1.phonyc2 ps1.powgoop vbs.starwhale vbs.unidentified_004 win.covicli win.gramdoor win.moriagent win.sharpstats ps1.powerstats

References
2023-06-29 | DeepInstinct | Simon Kenin, Deep Instinct Threat Lab
@online{kenin:20230629:phonyc2:fd380e4, author = {Simon Kenin and Deep Instinct Threat Lab}, title = {{PhonyC2: Revealing a New Malicious Command & Control Framework by MuddyWater}}, date = {2023-06-29}, organization = {DeepInstinct}, url = {https://www.deepinstinct.com/blog/phonyc2-revealing-a-new-malicious-command-control-framework-by-muddywater}, language = {English}, urldate = {2023-07-02} } PhonyC2: Revealing a New Malicious Command & Control Framework by MuddyWater
PhonyC2 POWERSTATS
2022-07-18 | Palo Alto Networks Unit 42 | Unit 42
@online{42:20220718:boggy:69e4bfd, author = {Unit 42}, title = {{Boggy Serpens}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/boggyserpens/}, language = {English}, urldate = {2022-07-29} } Boggy Serpens
POWERSTATS MuddyWater
2022-06-21 | Lab52
@online{lab52:20220621:muddywaters:3e100a8, author = {Lab52}, title = {{MuddyWater’s “light” first-stager targetting Middle East}}, date = {2022-06-21}, url = {https://lab52.io/blog/muddywaters-light-first-stager-targetting-middle-east/}, language = {English}, urldate = {2022-06-22} } MuddyWater’s “light” first-stager targetting Middle East
Unidentified VBS 004 (RAT)
2022-05-11 | NTT Security Holdings | NTT Security Holdings
@online{holdings:20220511:analysis:646c94e, author = {NTT Security Holdings}, title = {{Analysis of an Iranian APTs “E400” PowGoop Variant Reveals Dozens of Control Servers Dating Back to 2020}}, date = {2022-05-11}, organization = {NTT Security Holdings}, url = {https://www.security.ntt/blog/analysis-of-an-iranian-apts-e400-powgoop-variant}, language = {English}, urldate = {2022-05-25} } Analysis of an Iranian APTs “E400” PowGoop Variant Reveals Dozens of Control Servers Dating Back to 2020
PowGoop
2022-03-12 | GovInfo Security | Prajeet Nair
@online{nair:20220312:iranian:86d630b, author = {Prajeet Nair}, title = {{Iranian APT: New Methods to Target Turkey, Arabian Peninsula}}, date = {2022-03-12}, organization = {GovInfo Security}, url = {https://www.govinfosecurity.com/iranian-apt-new-methods-to-target-turkey-arabian-peninsula-a-18706}, language = {English}, urldate = {2022-03-14} } Iranian APT: New Methods to Target Turkey, Arabian Peninsula
STARWHALE
2022-03-10 | Rootdemon | Rootdaemon
@online{rootdaemon:20220310:iranian:6b53790, author = {Rootdaemon}, title = {{Iranian Hackers Targeting Turkey and Arabian Peninsula in New Malware Campaign}}, date = {2022-03-10}, organization = {Rootdemon}, url = {https://rootdaemon.com/2022/03/10/iranian-hackers-targeting-turkey-and-arabian-peninsula-in-new-malware-campaign/}, language = {English}, urldate = {2022-03-17} } Iranian Hackers Targeting Turkey and Arabian Peninsula in New Malware Campaign
STARWHALE
2022-03-10 | TechRepublic | Brian Stone
@online{stone:20220310:muddywater:7f13598, author = {Brian Stone}, title = {{MuddyWater targets Middle Eastern and Asian countries in phishing attacks}}, date = {2022-03-10}, organization = {TechRepublic}, url = {https://www.techrepublic.com/article/muddywater-targets-middle-eastern-and-asian-countries-in-phishing-attacks/}, language = {English}, urldate = {2022-03-14} } MuddyWater targets Middle Eastern and Asian countries in phishing attacks
STARWHALE
2022-03-10 | Talos | Vitor Ventura, Asheer Malhotra, Arnaud Zobec
@online{ventura:20220310:iranian:02ae681, author = {Vitor Ventura and Asheer Malhotra and Arnaud Zobec}, title = {{Iranian linked conglomerate MuddyWater comprised of regionally focused subgroups}}, date = {2022-03-10}, organization = {Talos}, url = {https://blog.talosintelligence.com/iranian-supergroup-muddywater/}, language = {English}, urldate = {2022-12-02} } Iranian linked conglomerate MuddyWater comprised of regionally focused subgroups
STARWHALE
2022-03-10 | The Hacker News | Ravie Lakshmanan
@online{lakshmanan:20220310:iranian:b7eb161, author = {Ravie Lakshmanan}, title = {{Iranian Hackers Targeting Turkey and Arabian Peninsula in New Malware Campaign}}, date = {2022-03-10}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/03/iranian-hackers-targeting-turkey-and.html}, language = {English}, urldate = {2022-03-14} } Iranian Hackers Targeting Turkey and Arabian Peninsula in New Malware Campaign
STARWHALE
2022-02-25 | infoRisk TODAY | Prajeet Nair
@online{nair:20220225:muddywater:62fb30e, author = {Prajeet Nair}, title = {{MuddyWater Targets Critical Infrastructure in Asia, Europe}}, date = {2022-02-25}, organization = {infoRisk TODAY}, url = {https://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611}, language = {English}, urldate = {2022-03-04} } MuddyWater Targets Critical Infrastructure in Asia, Europe
POWERSTATS PowGoop STARWHALE GRAMDOOR MoriAgent
2022-02-24 | Mandiant | Ryan Tomcik, Emiel Haeghebaert, Tufail Ahmed
@online{tomcik:20220224:left:dfe77e0, author = {Ryan Tomcik and Emiel Haeghebaert and Tufail Ahmed}, title = {{Left On Read: Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity}}, date = {2022-02-24}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/telegram-malware-iranian-espionage}, language = {English}, urldate = {2022-03-01} } Left On Read: Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity
STARWHALE GRAMDOOR
2022-02-24 | FBI, CISA, CNMF, NCSC UK
@online{fbi:20220224:alert:f9ae76b, author = {FBI and CISA and CNMF and NCSC UK}, title = {{Alert (AA22-055A) Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks}}, date = {2022-02-24}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-055a}, language = {English}, urldate = {2022-03-01} } Alert (AA22-055A) Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks
POWERSTATS PowGoop MoriAgent
2022-02-24 | FBI, CISA, CNMF, NCSC UK, NSA
@techreport{fbi:20220224:iranian:9117e42, author = {FBI and CISA and CNMF and NCSC UK and NSA}, title = {{Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks}}, date = {2022-02-24}, institution = {}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-055A_Iranian_Government-Sponsored_Actors_Conduct_Cyber_Operations.pdf}, language = {English}, urldate = {2022-03-01} } Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks
POWERSTATS PowGoop GRAMDOOR MoriAgent
2022-01-12 | Sentinel LABS | Amitai Ben Shushan Ehrlich
@online{ehrlich:20220112:wading:52a8e3a, author = {Amitai Ben Shushan Ehrlich}, title = {{Wading Through Muddy Waters | Recent Activity of an Iranian State-Sponsored Threat Actor}}, date = {2022-01-12}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/}, language = {English}, urldate = {2022-01-18} } Wading Through Muddy Waters | Recent Activity of an Iranian State-Sponsored Threat Actor
PowGoop
2022-01-12 | U.S. Cyber Command | U.S. Cyber Command
@online{command:20220112:iranian:52c412c, author = {U.S. Cyber Command}, title = {{Iranian intel cyber suite of malware uses open source tools}}, date = {2022-01-12}, organization = {U.S. Cyber Command}, url = {https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/}, language = {English}, urldate = {2022-01-25} } Iranian intel cyber suite of malware uses open source tools
PowGoop MoriAgent
2021-02-28 | PWC UK | PWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2021-01-13 | Shells.System blog | Ahmed Khlief
@online{khlief:20210113:reviving:552c0e8, author = {Ahmed Khlief}, title = {{Reviving MuddyC3 Used by MuddyWater (IRAN) APT}}, date = {2021-01-13}, organization = {Shells.System blog}, url = {https://shells.systems/reviving-leaked-muddyc3-used-by-muddywater-apt/}, language = {English}, urldate = {2021-02-20} } Reviving MuddyC3 Used by MuddyWater (IRAN) APT
POWERSTATS
2020-11-03 | Kaspersky Labs | GReAT
@online{great:20201103:trends:febc159, author = {GReAT}, title = {{APT trends report Q3 2020}}, date = {2020-11-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q3-2020/99204/}, language = {English}, urldate = {2020-11-04} } APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti
2020-10-21 | CyberScoop | Sean Lyngaas
@online{lyngaas:20201021:muddywater:00082e2, author = {Sean Lyngaas}, title = {{'MuddyWater' spies suspected in attacks against Middle East governments, telecoms}}, date = {2020-10-21}, organization = {CyberScoop}, url = {https://www.cyberscoop.com/muddywater-iran-symantec-middle-east/}, language = {English}, urldate = {2020-10-23} } 'MuddyWater' spies suspected in attacks against Middle East governments, telecoms
PowGoop
2020-10-21 | Symantec | Threat Hunter Team
@online{team:20201021:seedworm:7df9e09, author = {Threat Hunter Team}, title = {{Seedworm: Iran-Linked Group Continues to Target Organizations in the Middle East}}, date = {2020-10-21}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east}, language = {English}, urldate = {2020-10-23} } Seedworm: Iran-Linked Group Continues to Target Organizations in the Middle East
PowGoop
2020-10-15 | ClearSky | ClearSky
@techreport{clearsky:20201015:operation:dead010, author = {ClearSky}, title = {{Operation Quicksand: MuddyWater’s Offensive Attack Against Israeli Organizations}}, date = {2020-10-15}, institution = {ClearSky}, url = {https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf}, language = {English}, urldate = {2020-10-21} } Operation Quicksand: MuddyWater’s Offensive Attack Against Israeli Organizations
PowGoop Covicli
2020-09-04 | Palo Alto Networks Unit 42 | Robert Falcone
@online{falcone:20200904:thanos:b5eb551, author = {Robert Falcone}, title = {{Thanos Ransomware: Destructive Variant Targeting State-Run Organizations in the Middle East and North Africa}}, date = {2020-09-04}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/thanos-ransomware/}, language = {English}, urldate = {2020-09-06} } Thanos Ransomware: Destructive Variant Targeting State-Run Organizations in the Middle East and North Africa
PowGoop Hakbit
2020-06-17 | Twitter (@Timele9527) | Timele12138
@online{timele12138:20200617:moriagent:a4986d2, author = {Timele12138}, title = {{Tweet on MoriAgent used by MuddyWater (incl YARA rule)}}, date = {2020-06-17}, organization = {Twitter (@Timele9527)}, url = {https://twitter.com/Timele9527/status/1272776776335233024}, language = {English}, urldate = {2020-06-18} } Tweet on MoriAgent used by MuddyWater (incl YARA rule)
MoriAgent
2020-05-07 | paloalto LIVEcommunity | Mohammed Yasin
@online{yasin:20200507:how:a3796cd, author = {Mohammed Yasin}, title = {{How to stop MortiAgent Malware using the snort rule?}}, date = {2020-05-07}, organization = {paloalto LIVEcommunity}, url = {https://live.paloaltonetworks.com/t5/custom-signatures/how-to-stop-mortiagent-malware-using-the-snort-rule/td-p/326590#}, language = {English}, urldate = {2023-06-19} } How to stop MortiAgent Malware using the snort rule?
MoriAgent
2020-01-15 | Marco Ramilli's Blog | Marco Ramilli
@online{ramilli:20200115:iranian:d37840a, author = {Marco Ramilli}, title = {{Iranian Threat Actors: Preliminary Analysis}}, date = {2020-01-15}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2020/01/15/iranian-threat-actors-preliminary-analysis/}, language = {English}, urldate = {2020-01-17} } Iranian Threat Actors: Preliminary Analysis
POWERSTATS
2020-01-07 | Prevailion | Danny Adamitis
@online{adamitis:20200107:summer:637a53f, author = {Danny Adamitis}, title = {{Summer Mirage}}, date = {2020-01-07}, organization = {Prevailion}, url = {https://blog.prevailion.com/2020/01/summer-mirage.html}, language = {English}, urldate = {2020-01-12} } Summer Mirage
POWERSTATS
2020 | Secureworks | SecureWorks
@online{secureworks:2020:cobalt:e50c4e9, author = {SecureWorks}, title = {{COBALT ULSTER}}, date = {2020}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/cobalt-ulster}, language = {English}, urldate = {2020-05-27} } COBALT ULSTER
POWERSTATS Koadic MuddyWater
2019-08-01 | Kaspersky Labs | GReAT
@online{great:20190801:trends:5e25d5b, author = {GReAT}, title = {{APT trends report Q2 2019}}, date = {2019-08-01}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2019/91897/}, language = {English}, urldate = {2020-08-13} } APT trends report Q2 2019
ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy
2019-06-10 | Trend Micro | Daniel Lunghi, Jaromír Hořejší
@online{lunghi:20190610:muddywater:b87a78a, author = {Daniel Lunghi and Jaromír Hořejší}, title = {{MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools}}, date = {2019-06-10}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/}, language = {English}, urldate = {2019-11-27} } MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools
POWERSTATS
2019-06-10 | Trend Micro | Daniel Lunghi, Jaromír Hořejší
@techreport{lunghi:20190610:new:4f86b75, author = {Daniel Lunghi and Jaromír Hořejší}, title = {{New MuddyWater Activities Uncovered: Threat Actors Used Multi-Stage Backdoors, New Post-Exploitation Tools, Android Malware, and More}}, date = {2019-06-10}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/white_papers/wp_new_muddywater_findings_uncovered.pdf}, language = {English}, urldate = {2020-01-08} } New MuddyWater Activities Uncovered: Threat Actors Used Multi-Stage Backdoors, New Post-Exploitation Tools, Android Malware, and More
Mudwater SHARPSTATS
2019-05-29 | Group-IB | Group-IB
@online{groupib:20190529:catching:7efa4c2, author = {Group-IB}, title = {{Catching fish in muddy waters}}, date = {2019-05-29}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/muddywater/}, language = {English}, urldate = {2023-06-19} } Catching fish in muddy waters
POWERSTATS
2019-05-20 | Cisco | Danny Adamitis, David Maynor, Kendall McKay
@online{adamitis:20190520:recent:4bb543f, author = {Danny Adamitis and David Maynor and Kendall McKay}, title = {{Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques}}, date = {2019-05-20}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html}, language = {English}, urldate = {2020-01-07} } Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques
MuddyWater
2019-05-09 | ZDNet | Catalin Cimpanu
@online{cimpanu:20190509:new:f8a3f46, author = {Catalin Cimpanu}, title = {{New leaks of Iranian cyber-espionage operations hit Telegram and the Dark Web}}, date = {2019-05-09}, organization = {ZDNet}, url = {https://www.zdnet.com/article/new-leaks-of-iranian-cyber-espionage-operations-hit-telegram-and-the-dark-web/}, language = {English}, urldate = {2020-01-09} } New leaks of Iranian cyber-espionage operations hit Telegram and the Dark Web
MuddyWater
2019-04-15 | ClearSky | ClearSky Research Team
@online{team:20190415:iranian:5a7f4ff, author = {ClearSky Research Team}, title = {{Iranian APT MuddyWater Attack Infrastructure Targeting Kurdish Political Groups and Organizations in Turkey}}, date = {2019-04-15}, organization = {ClearSky}, url = {https://www.clearskysec.com/muddywater-targets-kurdish-groups-turkish-orgs/}, language = {English}, urldate = {2020-01-07} } Iranian APT MuddyWater Attack Infrastructure Targeting Kurdish Political Groups and Organizations in Turkey
POWERSTATS MuddyWater
2019-04-10 | Check Point | Check Point Research
@online{research:20190410:muddy:b75ef4a, author = {Check Point Research}, title = {{The Muddy Waters of APT Attacks}}, date = {2019-04-10}, organization = {Check Point}, url = {https://research.checkpoint.com/2019/the-muddy-waters-of-apt-attacks/}, language = {English}, urldate = {2023-07-10} } The Muddy Waters of APT Attacks
POWERSTATS
2019-03-21 | Qianxin | Qi Anxin
@online{anxin:20190321:analysis:952c16d, author = {Qi Anxin}, title = {{Analysis of the latest attack activities of the suspected MuddyWater APT group against the Iraqi mobile operator Korek Telecom}}, date = {2019-03-21}, organization = {Qianxin}, url = {https://mp.weixin.qq.com/s/NN_iRvwA6yOHFS9Z3A0RBA}, language = {Chinese}, urldate = {2023-09-12} } Analysis of the latest attack activities of the suspected MuddyWater APT group against the Iraqi mobile operator Korek Telecom
POWERSTATS
2019 | Council on Foreign Relations | Cyber Operations Tracker
@online{tracker:2019:muddywater:1c29dc0, author = {Cyber Operations Tracker}, title = {{MuddyWater}}, date = {2019}, organization = {Council on Foreign Relations}, url = {https://www.cfr.org/interactive/cyber-operations/muddywater}, language = {English}, urldate = {2019-12-20} } MuddyWater
MuddyWater
2019 | MITRE | MITRE ATT&CK
@online{attck:2019:muddywater:b990d10, author = {MITRE ATT&CK}, title = {{Group description: MuddyWater}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0069/}, language = {English}, urldate = {2019-12-20} } Group description: MuddyWater
MuddyWater
2018-12-10 | Symantec | Symantec DeepSight Adversary Intelligence Team
@online{team:20181210:seedworm:d6dba3c, author = {Symantec DeepSight Adversary Intelligence Team}, title = {{Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms}}, date = {2018-12-10}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group}, language = {English}, urldate = {2019-11-17} } Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms
MuddyWater
2018-11-28 | ClearSky | ClearSky Research Team
@online{team:20181128:muddywater:89a520f, author = {ClearSky Research Team}, title = {{MuddyWater Operations in Lebanon and Oman}}, date = {2018-11-28}, organization = {ClearSky}, url = {https://www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/}, language = {English}, urldate = {2019-07-09} } MuddyWater Operations in Lebanon and Oman
POWERSTATS
2018-11 | ClearSky | ClearSky Cyber Security
@techreport{security:201811:muddywater:d68be0b, author = {ClearSky Cyber Security}, title = {{MuddyWater Operations in Lebanon and Oman}}, date = {2018-11}, institution = {ClearSky}, url = {https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf}, language = {English}, urldate = {2020-01-08} } MuddyWater Operations in Lebanon and Oman
MuddyWater
2018-10-10 | Kaspersky Labs | GReAT
@online{great:20181010:muddywater:12992b3, author = {GReAT}, title = {{MuddyWater expands operations}}, date = {2018-10-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/muddywater/88059/}, language = {English}, urldate = {2019-12-20} } MuddyWater expands operations
MuddyWater
2018-06-14 | Trend Micro | Michael Villanueva, Martin Co
@online{villanueva:20180614:another:80ffc5f, author = {Michael Villanueva and Martin Co}, title = {{Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor}}, date = {2018-06-14}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/another-potential-muddywater-campaign-uses-powershell-based-prb-backdoor/}, language = {English}, urldate = {2020-01-12} } Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor
MuddyWater
2018-06-06 | ClearSky | ClearSky Cyber Security
@techreport{security:20180606:iranian:5347a63, author = {ClearSky Cyber Security}, title = {{Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal}}, date = {2018-06-06}, institution = {ClearSky}, url = {https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf}, language = {English}, urldate = {2023-06-19} } Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal
POWERSTATS
2018-05-08 | Security 0wnage | Mo Bustami
@online{bustami:20180508:clearing:fbf1a99, author = {Mo Bustami}, title = {{Clearing the MuddyWater - Analysis of new MuddyWater Samples}}, date = {2018-05-08}, organization = {Security 0wnage}, url = {https://sec0wn.blogspot.com/2018/05/clearing-muddywater-analysis-of-new.html}, language = {English}, urldate = {2023-06-19} } Clearing the MuddyWater - Analysis of new MuddyWater Samples
POWERSTATS
2018-03-22 | Sekoia | sekoia
@online{sekoia:20180322:falling:c04d81f, author = {sekoia}, title = {{Falling on MuddyWater}}, date = {2018-03-22}, organization = {Sekoia}, url = {https://web.archive.org/web/20180807105755/https://www.sekoia.fr/blog/falling-on-muddywater/}, language = {English}, urldate = {2023-06-19} } Falling on MuddyWater
POWERSTATS
2018-03-13 | FireEye | Sudeep Singh, Dileep Kumar Jallepalli, Yogesh Londhe, Ben Read
@online{singh:20180313:iranian:3542dc9, author = {Sudeep Singh and Dileep Kumar Jallepalli and Yogesh Londhe and Ben Read}, title = {{Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign}}, date = {2018-03-13}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html}, language = {English}, urldate = {2019-12-20} } Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign
POWERSTATS MuddyWater
2018-03-12 | Trend Micro | Jaromír Hořejší
@online{hoej:20180312:campaign:00eb661, author = {Jaromír Hořejší}, title = {{Campaign Possibly Connected to “MuddyWater” Surfaces in the Middle East and Central Asia}}, date = {2018-03-12}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/}, language = {English}, urldate = {2020-01-13} } Campaign Possibly Connected to “MuddyWater” Surfaces in the Middle East and Central Asia
POWERSTATS MuddyWater
2018-03-01 | Security 0wnage | Mo Bustami
@online{bustami:20180301:quick:0c82eea, author = {Mo Bustami}, title = {{A Quick Dip into MuddyWater's Recent Activity}}, date = {2018-03-01}, organization = {Security 0wnage}, url = {https://sec0wn.blogspot.com/2018/03/a-quick-dip-into-muddywaters-recent.html}, language = {English}, urldate = {2023-06-19} } A Quick Dip into MuddyWater's Recent Activity
POWERSTATS
2018-01-02 | Security 0wnage | Mo Bustami
@online{bustami:20180102:burping:c29dd52, author = {Mo Bustami}, title = {{Burping on MuddyWater}}, date = {2018-01-02}, organization = {Security 0wnage}, url = {https://sec0wn.blogspot.com/2018/02/burping-on-muddywater.html}, language = {English}, urldate = {2023-06-19} } Burping on MuddyWater
POWERSTATS
2017-11-22 | Reaqta | Reaqta
@online{reaqta:20171122:dive:5c67031, author = {Reaqta}, title = {{A dive into MuddyWater APT targeting Middle-East}}, date = {2017-11-22}, organization = {Reaqta}, url = {https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/}, language = {English}, urldate = {2020-01-08} } A dive into MuddyWater APT targeting Middle-East
POWERSTATS
2017-11-14 | Palo Alto Networks Unit 42 | Tom Lancaster
@online{lancaster:20171114:muddying:aa0467a, author = {Tom Lancaster}, title = {{Muddying the Water: Targeted Attacks in the Middle East}}, date = {2017-11-14}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/}, language = {English}, urldate = {2020-01-08} } Muddying the Water: Targeted Attacks in the Middle East
POWERSTATS MuddyWater
2017-10-04 | Security 0wnage | Mo Bustami
@online{bustami:20171004:continued:0703924, author = {Mo Bustami}, title = {{Continued Activity targeting the Middle East}}, date = {2017-10-04}, organization = {Security 0wnage}, url = {https://sec0wn.blogspot.com/2017/10/continued-activity-targeting-middle-east.html}, language = {English}, urldate = {2023-06-19} } Continued Activity targeting the Middle East
POWERSTATS
2017-09-26 | Malwarebytes | Malwarebytes Labs
@online{labs:20170926:elaborate:bed9adc, author = {Malwarebytes Labs}, title = {{Elaborate scripting-fu used in espionage attack against Saudi Arabia Government entity}}, date = {2017-09-26}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/09/elaborate-scripting-fu-used-in-espionage-attack-against-saudi-arabia-government_entity/}, language = {English}, urldate = {2019-12-20} } Elaborate scripting-fu used in espionage attack against Saudi Arabia Government entity
POWERSTATS

Credits: MISP Project