MuddyWater
MuddyWater is an Iranian state-sponsored cyber espionage group linked to the Ministry of Intelligence and Security (MOIS) that conducts global intelligence collection through spear-phishing, vulnerability exploitation, and increasingly sophisticated custom command-and-control infrastructure.
The Origin of MuddyWater
MuddyWater, also tracked as STATIC KITTEN, Earth Vetala, Seedworm, TA450, MERCURY, and Mango Sandstorm, is a cyber espionage group assessed to operate under Iran’s Ministry of Intelligence and Security (MOIS). Active since at least 2017, the group conducts intelligence collection operations against government, academic, defense, telecommunications, and energy organizations worldwide.
Recent research in 2026 revealed operational infrastructure belonging to MuddyWater hosted on a Netherlands-based VPS, which exposed extensive operational artifacts including command-and-control (C2) frameworks, scripts, victim data, and operational logs. Analysis of this infrastructure confirmed that MuddyWater operates multiple internally developed C2 frameworks and leverages a wide ecosystem of open-source tools to support reconnaissance, exploitation, and data exfiltration operations.
The group demonstrates a hybrid operational approach: combining custom-developed malware frameworks, public exploit code, and legitimate administrative tools to maintain access and evade detection. Recent campaigns also demonstrate experimentation with blockchain-based command-and-control mechanisms, highlighting MuddyWater’s evolving technical capabilities.
Targeted Countries
MuddyWater campaigns span multiple regions including the Middle East, Europe, North America, and Central Asia. Recent activity has targeted organizations in Israel, Jordan, Egypt, the United Arab Emirates, Portugal, and the United States, alongside historical operations against entities in Turkey, Iraq, Pakistan, Saudi Arabia, Germany, India, Afghanistan, and Armenia.
Targeted Industries
MuddyWater targets organizations across numerous sectors including government, telecommunications, defense, academic institutions, aviation, healthcare, energy, financial services, NGOs, and technology companies. The group also targets critical infrastructure and organizations involved in immigration, intelligence, and identity systems, indicating a strong focus on intelligence collection.
Known Victims
Recent operations identified targets including:
- Israeli healthcare organizations, hosting providers, and immigration-related services
- Jordanian government webmail infrastructure
- UAE engineering and energy companies
- Egyptian aviation organizations, including EgyptAir
- NGOs connected to Israeli and Jewish communities
- A Portuguese government-related immigration system
The targeting aligns closely with Iranian intelligence priorities, including geopolitical, diplomatic, and regional strategic interests.
MuddyWater's Attack Method
MuddyWater gains access through spear-phishing emails, exploitation of public-facing applications, password spraying, and vulnerability exploitation. Recent campaigns leveraged vulnerabilities in Fortinet, Ivanti, Citrix, BeyondTrust, and SolarWinds N-Central, as well as SQL injection vulnerabilities in web applications.
The group frequently escalates privileges through techniques such as UAC bypass, exploitation of edge device vulnerabilities, and administrative account creation, including the creation of persistent FortiGate administrator accounts during exploitation.
Defense evasion includes code obfuscation, encrypted payloads, steganography, and masquerading as legitimate services. MuddyWater also hides C2 infrastructure behind compromised websites, proxy networks, and decentralized infrastructure such as blockchain-based C2 resolution.
Credential theft is performed using tools such as Mimikatz, LaZagne, Browser64, and password spraying attacks targeting Outlook Web Access and SMTP services.
Malware deployed by MuddyWater gathers system information, domain membership, running processes, security software presence, and network configuration to map the victim environment.
The group commonly leverages remote monitoring and management (RMM) tools such as ScreenConnect, Atera Agent, SimpleHelp, and Remote Utilities to move laterally across compromised environments.
Sensitive information is collected from compromised systems including documents, credential databases, screenshots, and locally stored files. In recent campaigns, data included passport scans, visa records, financial documents, and biometric system configurations.
Payload execution is typically performed using PowerShell, Windows Command Shell, JavaScript, Python, and Visual Basic scripts, often executed via legitimate system utilities such as mshta, rundll32, or CMSTP.
Data exfiltration occurs through several mechanisms including:
- Custom C2 channels
- Cloud storage platforms such as Wasabi S3 and put.io
- Amazon EC2 servers
- Lightweight HTTP file servers
- Command-and-control channels using HTTP, DNS, and WebSockets
MuddyWater operations are primarily focused on covert intelligence gathering, with stolen data including government communications, personal identity documents, organizational records, and internal communications.
MuddyWater gains access through spear-phishing emails, exploitation of public-facing applications, password spraying, and vulnerability exploitation. Recent campaigns leveraged vulnerabilities in Fortinet, Ivanti, Citrix, BeyondTrust, and SolarWinds N-Central, as well as SQL injection vulnerabilities in web applications.
The group frequently escalates privileges through techniques such as UAC bypass, exploitation of edge device vulnerabilities, and administrative account creation, including the creation of persistent FortiGate administrator accounts during exploitation.
Defense evasion includes code obfuscation, encrypted payloads, steganography, and masquerading as legitimate services. MuddyWater also hides C2 infrastructure behind compromised websites, proxy networks, and decentralized infrastructure such as blockchain-based C2 resolution.
Credential theft is performed using tools such as Mimikatz, LaZagne, Browser64, and password spraying attacks targeting Outlook Web Access and SMTP services.
Malware deployed by MuddyWater gathers system information, domain membership, running processes, security software presence, and network configuration to map the victim environment.
The group commonly leverages remote monitoring and management (RMM) tools such as ScreenConnect, Atera Agent, SimpleHelp, and Remote Utilities to move laterally across compromised environments.
Sensitive information is collected from compromised systems including documents, credential databases, screenshots, and locally stored files. In recent campaigns, data included passport scans, visa records, financial documents, and biometric system configurations.
Payload execution is typically performed using PowerShell, Windows Command Shell, JavaScript, Python, and Visual Basic scripts, often executed via legitimate system utilities such as mshta, rundll32, or CMSTP.
Data exfiltration occurs through several mechanisms including:
- Custom C2 channels
- Cloud storage platforms such as Wasabi S3 and put.io
- Amazon EC2 servers
- Lightweight HTTP file servers
- Command-and-control channels using HTTP, DNS, and WebSockets
MuddyWater operations are primarily focused on covert intelligence gathering, with stolen data including government communications, personal identity documents, organizational records, and internal communications.
TTPs Used by MuddyWater
How to Detect MuddyWater with Vectra AI
List of the Detections available in the Vectra AI Platform that would indicate an APT attack.
FAQs
Who is behind MuddyWater?
MuddyWater is attributed to Iran’s Ministry of Intelligence and Security (MOIS).
What are MuddyWater’s primary attack vectors?
They use spear-phishing emails with malicious attachments and links and exploitation of public-facing vulnerabilities.
How does MuddyWater evade defenses?
They employ various obfuscation methods, legitimate tools, steganography, and DLL side-loading.
Which malware tools are associated with MuddyWater?
POWERSTATS, NTSTATS, CloudSTATS, PowGoop, Blackwater, ForeLord, MoriAgent, and others.
Which industries does MuddyWater target?
Telecommunications, defense, academia, oil and gas, healthcare, technology, NGOs, and government entities.
Which tools can detect MuddyWater’s activities?
Organizations should leverage advanced Network Detection and Response (NDR) solutions like Vectra AI.
What can organizations do to defend against MuddyWater attacks?
Organizations should apply security patches promptly, educate users on spear-phishing awareness, enforce multifactor authentication, and monitor network traffic and user activity closely.
Does MuddyWater leverage vulnerabilities?
Yes, they exploit vulnerabilities like CVE-2020-0688 (Microsoft Exchange), CVE-2017-0199 (Office), and CVE-2020-1472 (Netlogon).
Does MuddyWater have global reach?
Yes, while primarily active in Middle East and Asia, MuddyWater targets entities worldwide including North America and Europe.
How can an organization detect MuddyWater’s lateral movement?
Organizations can effectively detect lateral movement associated with MuddyWater by utilizing advanced Network Detection and Response (NDR) solutions such as Vectra AI. Vectra AI leverages artificial intelligence and machine learning algorithms to continuously monitor network traffic, quickly identifying abnormal behaviors like unauthorized remote access tool usage, suspicious internal connections, and unexpected credential usage patterns. By providing real-time visibility and prioritized threat alerts, Vectra AI empowers security teams to rapidly identify and contain threats posed by MuddyWater before significant damage occurs.