The MuddyWater attacks are primarily against Middle Eastern nations. However, we have also observed attacks against surrounding nations and beyond, including targets in India and the USA. MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor we call “POWERSTATS”. Despite broad scrutiny and reports on MuddyWater attacks, the activity continues with only incremental changes to the tools and techniques.
Date | Source | Title | Families
2024-04-04 | Deep instinct | DarkBeatC2: The Latest MuddyWater Attack Framework | MuddyC2Go
2023-12-19 | Symantec | Seedworm: Iranian Hackers Target Telecoms Orgs in North and East Africa | MuddyC2Go
2023-11-08 | Deep instinct | MuddyC2Go – Latest C2 Framework Used by Iranian APT MuddyWater Spotted in Israel | PhonyC2, MuddyC2Go
2023-11-01 | Deep instinct | MuddyWater eN-Able spear-phishing with new TTPs | PhonyC2
2023-08-24 | circleid | Signs of MuddyWater Developments Found in the DNS | PhonyC2, Storm-1084
2023-06-29 | DeepInstinct | PhonyC2: Revealing a New Malicious Command & Control Framework by MuddyWater | PhonyC2, POWERSTATS
2022-07-18 | Palo Alto Networks Unit 42 | Boggy Serpens | POWERSTATS, MuddyWater
2022-06-21 | | MuddyWater’s “light” first-stager targeting Middle East | Unidentified VBS 004 (RAT)
2022-05-11 | NTT Security Holdings | Analysis of an Iranian APTs “E400” PowGoop Variant Reveals Dozens of Control Servers Dating Back to 2020 | PowGoop
2022-03-12 | GovInfo Security | Iranian APT: New Methods to Target Turkey, Arabian Peninsula | STARWHALE
2022-03-10 | The Hacker News | Iranian Hackers Targeting Turkey and Arabian Peninsula in New Malware Campaign | STARWHALE
2022-03-10 | TechRepublic | MuddyWater targets Middle Eastern and Asian countries in phishing attacks | STARWHALE
2022-03-10 | Rootdemon | Iranian Hackers Targeting Turkey and Arabian Peninsula in New Malware Campaign | STARWHALE
2022-03-10 | Talos | Iranian linked conglomerate MuddyWater comprised of regionally focused subgroups | STARWHALE
2022-02-25 | infoRisk TODAY | MuddyWater Targets Critical Infrastructure in Asia, Europe | POWERSTATS, PowGoop, STARWHALE, GRAMDOOR, MoriAgent
2022-02-24 | | Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks | POWERSTATS, PowGoop, GRAMDOOR, MoriAgent
2022-02-24 | Mandiant | Left On Read: Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity | STARWHALE, GRAMDOOR
2022-02-24 | | Alert (AA22-055A) Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks | POWERSTATS, PowGoop, MoriAgent
2022-01-12 | Sentinel LABS | Wading Through Muddy Waters: Recent Activity of an Iranian State-Sponsored Threat Actor | PowGoop
2022-01-12 | U.S. Cyber Command | Iranian intel cyber suite of malware uses open source tools | PowGoop, MoriAgent
2021-03-05 | Trend Micro | Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East | MuddyWater
2021-02-28 | PWC UK | Cyber Threats 2020: A Year in Retrospect | elf.wellmess, FlowerPower, PowGoop, 8.t Dropper, Agent.BTZ, Agent Tesla, Appleseed, Ave Maria, Bankshot, BazarBackdoor, BLINDINGCAN, Chinoxy, Conti, Cotx RAT, Crimson RAT, DUSTMAN, Emotet, FriedEx, FunnyDream, Hakbit, Mailto, Maze, METALJACK, Nefilim, Oblique RAT, Pay2Key, PlugX, QakBot, REvil, Ryuk, StoneDrill, StrongPity, SUNBURST, SUPERNOVA, TrickBot, TurlaRPC, Turla SilentMoon, WastedLocker, WellMess, Winnti, ZeroCleare, APT10, APT23, APT27, APT31, APT41, BlackTech, BRONZE EDGEWOOD, Inception Framework, MUSTANG PANDA, Red Charon, Red Nue, Sea Turtle, Tonto Team
2021-01-13 | Shells.System blog | Reviving MuddyC3 Used by MuddyWater (IRAN) APT | POWERSTATS
2020-11-03 | Kaspersky Labs | APT trends report Q3 2020 | WellMail, EVILNUM, Janicab, Poet RAT, AsyncRAT, Ave Maria, Cobalt Strike, Crimson RAT, CROSSWALK, Dtrack, LODEINFO, MoriAgent, Okrum, PlugX, poisonplug, Rover, ShadowPad, SoreFang, Winnti
2020-10-21 | CyberScoop | 'MuddyWater' spies suspected in attacks against Middle East governments, telecoms | PowGoop
2020-10-21 | Symantec | Seedworm: Iran-Linked Group Continues to Target Organizations in the Middle East | PowGoop
2020-10-15 | ClearSky | Operation Quicksand: MuddyWater’s Offensive Attack Against Israeli Organizations | PowGoop, Covicli
2020-09-04 | Palo Alto Networks Unit 42 | Thanos Ransomware: Destructive Variant Targeting State-Run Organizations in the Middle East and North Africa | PowGoop, Hakbit
2020-06-17 | Twitter (@Timele9527) | Tweet on MoriAgent used by MuddyWater (incl YARA rule) | MoriAgent
2020-05-07 | paloalto LIVEcommunity | How to stop MortiAgent Malware using the snort rule? | MoriAgent
2020-01-15 | Marco Ramilli's Blog | Iranian Threat Actors: Preliminary Analysis | POWERSTATS
2020-01-07 | Prevailion | Summer Mirage | POWERSTATS
2020-01-01 | Secureworks | COBALT ULSTER | POWERSTATS, Koadic, MuddyWater
2019-08-01 | Kaspersky Labs | APT trends report Q2 2019 | ZooPark, magecart, POWERSTATS, Chaperone, COMpfun, EternalPetya, FinFisher RAT, HawkEye Keylogger, HOPLIGHT, Microcin, NjRAT, Olympic Destroyer, PLEAD, RokRAT, Triton, Zebrocy
2019-06-10 | Trend Micro | New MuddyWater Activities Uncovered: Threat Actors Used Multi-Stage Backdoors, New Post-Exploitation Tools, Android Malware, and More | Mudwater, SHARPSTATS
2019-06-10 | Trend Micro | MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools | POWERSTATS
2019-05-29 | Group-IB | Catching fish in muddy waters | POWERSTATS
2019-05-20 | Cisco | Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques | MuddyWater
2019-05-09 | ZDNet | New leaks of Iranian cyber-espionage operations hit Telegram and the Dark Web | MuddyWater
2019-04-15 | ClearSky | Iranian APT MuddyWater Attack Infrastructure Targeting Kurdish Political Groups and Organizations in Turkey | POWERSTATS, MuddyWater
2019-04-10 | Check Point | The Muddy Waters of APT Attacks | POWERSTATS
2019-03-21 | Qianxin | Analysis of the latest attack activities of the suspected MuddyWater APT group against the Iraqi mobile operator Korek Telecom | POWERSTATS
2019-01-01 | MITRE | Group description: MuddyWater | MuddyWater
2019-01-01 | Council on Foreign Relations | MuddyWater | MuddyWater
2018-12-10 | Symantec | Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms | MuddyWater
2018-11-28 | ClearSky | MuddyWater Operations in Lebanon and Oman | POWERSTATS
2018-11-01 | ClearSky | MuddyWater Operations in Lebanon and Oman | MuddyWater
2018-10-10 | Kaspersky Labs | MuddyWater expands operations | MuddyWater
2018-06-14 | Trend Micro | Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor | MuddyWater
2018-06-06 | ClearSky | Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal | POWERSTATS
2018-05-08 | Security 0wnage | Clearing the MuddyWater - Analysis of new MuddyWater Samples | POWERSTATS
2018-03-22 | Sekoia | Falling on MuddyWater | POWERSTATS
2018-03-13 | FireEye | Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign | POWERSTATS, MuddyWater
2018-03-12 | Trend Micro | Campaign Possibly Connected to “MuddyWater” Surfaces in the Middle East and Central Asia | POWERSTATS, MuddyWater
2018-03-01 | Security 0wnage | A Quick Dip into MuddyWater's Recent Activity | POWERSTATS
2018-01-02 | Security 0wnage | Burping on MuddyWater | POWERSTATS
2017-11-22 | Reaqta | A dive into MuddyWater APT targeting Middle-East | POWERSTATS
2017-11-14 | Palo Alto Networks Unit 42 | Muddying the Water: Targeted Attacks in the Middle East | POWERSTATS, MuddyWater
2017-10-04 | Security 0wnage | Continued Activity targeting the Middle East | POWERSTATS
2017-09-26 | Malwarebytes | Elaborate scripting-fu used in espionage attack against Saudi Arabia Government entity | POWERSTATS