MuddyWater

MuddyWater is an Iranian state-sponsored cyber espionage group assessed to be a subordinate element of Iran’s Ministry of Intelligence and Security (MOIS). It is also tracked as TA450, MERCURY, Static Kitten, Seedworm, TEMP.Zagros, Mango Sandstorm, Boggy Serpens, Cobalt Ulster, Earth Vetala, Yellow Nix, ITG17, ATK_51, and G0069. The group has targeted sectors including energy, government, media, telecommunications, diplomatic, maritime, and financial organizations, with targeting described across Europe, the Middle East, and North America, including Middle Eastern telecommunications entities. The content describes MuddyWater using spearphishing and impersonation for initial access, including phishing emails masquerading as Microsoft security updates from support@microsoftonlines[.]com and impersonation of TMCell/Altyn Asyr CJSC using info@tmcell. It has attempted to get users to open malicious PDF attachments, enable macros, and launch malicious Microsoft Word documents. Observed tradecraft includes PowerShell execution and decoding of Base64-encoded PowerShell, JavaScript, and VBScript; HTTP command-and-control communications; collection of victim usernames, IP addresses, and domain names; and account discovery using cmd.exe net user /domain. The group has used malware that checked ProgramData for folders or files containing the keywords "Kasper," "Panda," or "ESET." MuddyWater has abused legitimate remote management and remote monitoring tools for access and persistence, including Atera Agent, PDQ Connect, and SimpleHelp. The content also states that MuddyWater exploited Atera Agent via MSI files to gain unauthorized remote access and that it has used SimpleHelp-based infrastructure and command-and-control hosted on M247/AS9009 with shared SSH keys and similar deployment patterns. The group has also been associated with custom malware and maintained tooling. The content states that in May 2024 MuddyWater shifted from relying exclusively on legitimate remote management tools to deploying a custom backdoor named BugSleep, which reportedly injects encrypted shellcode into processes including msedge.exe, chrome.exe, opera.exe, anydesk.exe, onedrive.exe, and powershell.exe. Additional reporting in the content describes continued evolution of PowGoop, including DLL sideloading variants abusing legitimate executables such as GoogleUpdate.exe, Git.exe, FileSyncConfig.exe, and Inno_Updater.exe; use of hijacked DLLs including goopdate.dll, vcruntime140.dll, and libpcre2-8-0.dll; loading of Core.dat and Dore.dat; and execution of PowerShell from config.txt. MuddyWater operators were also observed using tunneling tools including Chisel, SSF, and Ligolo. The content further describes MuddyWater targeting Microsoft Exchange, including attempted exploitation of CVE-2020-0688 to drop a web shell at /ecp/HybridLogout.aspx and use of the Ruler framework against a Middle Eastern telecommunications target. More recent reporting in the content links MuddyWater to exploitation activity involving CVE-2025-3248, CVE-2025-34291, and reported attribution for exploitation of CVE-2026-34291 is not stated; however, the content does state reported attribution to MuddyWater for exploitation of CVE-2025-34291 in 2026.