{
	"id": "42bd8a3d-9545-425d-8887-694af44f20ec",
	"created_at": "2026-04-06T00:21:55.837098Z",
	"updated_at": "2026-04-10T13:11:58.807998Z",
	"deleted_at": null,
	"sha1_hash": "267c1b09a466f44b67f58c7d1861d27990f9a7a8",
	"title": "MuddyWater, Seedworm, TEMP.Zagros, Static Kitten",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 122081,
	"plain_text": "MuddyWater, Seedworm, TEMP.Zagros, Static Kitten\r\nArchived: 2026-04-02 11:29:21 UTC\r\n APT group: MuddyWater, Seedworm, TEMP.Zagros, Static Kitten\r\nNames\r\nMuddyWater (Palo Alto)\r\nSeedworm (Symantec)\r\nTEMP.Zagros (FireEye)\r\nStatic Kitten (CrowdStrike)\r\nMercury (Microsoft)\r\nTA450 (Proofpoint)\r\nCobalt Ulster (SecureWorks)\r\nATK 51 (Thales)\r\nT-APT-14 (Tencent)\r\nITG17 (IBM)\r\nMango Sandstorm (Microsoft)\r\nBoggy Serpens (Palo Alto)\r\nYellow Nix (PWC)\r\nG0069 (MITRE)\r\nCountry Iran\r\nSponsor State-sponsored, IRGC (Islamic Republic Guard Corps)\r\nMotivation Information theft and espionage\r\nFirst seen 2017\r\nDescription\r\n(Reaqta) MuddyWater is an APT group that has been active throughout 2017, targeting victims in Middle East w\r\nmemory vectors leveraging on Powershell, in a family of attacks now identified as “Living off the land”, as they\r\nrequire the creation of new binaries on the victim’s machine, thus maintaining a low detection profile and a low\r\nforensic footprint.\r\nThe operators behind MuddyWater are likely espionage motivated, we derive this information from the analysis\r\nand backdoors behaviors. We also find that despite the strong preponderance of victims from Pakistan, the most\r\ntargets appear to be in: Saudi Arabia, UAE and Iraq. 
Amongst the victims we identify a variety of entities with a\r\nstronger focus at Governments, Telcos and Oil companies.\r\nBy tracking the operations we finally figure out that the originating country is likely to be Iran, while it remains\r\nto ascertain whether MuddyWater is state sponsored or a criminal organization inclined to espionage.\r\nObserved\r\nSectors: Aviation, Defense, Education, Energy, Financial, Food and Agriculture, Gaming, Government, Healthc\r\nHigh-Tech, IT, Media, NGOs, Oil and gas, Shipping and Logistics, Telecommunications, Transportation.\r\nCountries: Afghanistan, Armenia, Austria, Azerbaijan, Bahrain, Belarus, Egypt, Georgia, India, Iran, Iraq, Israe\r\nJordan, Kuwait, Laos, Lebanon, Mali, Netherlands, Oman, Pakistan, Portugal, Qatar, Russia, Saudi Arabia, Sud\r\nTajikistan, Tanzania, Thailand, Tunisia, Turkey, UAE, Ukraine, USA.\r\nTools used\r\nBugSleep, ChromeCookiesView, chrome-passwords, CLOUDSTATS, Cobalt Strike, CrackMapExec, DCHSpy,\r\nDELPHSTATS, EmpireProject, FruityC2, Koadic, LaZagne, Meterpreter, Mimikatz, MuddyC2Go, Mudwater,\r\nMZCookiesView, PhonyC2, Powermud, PowerSploit, POWERSTATS, PowGoop, PRB-Backdoor, QUADAGE\r\nSecure Socket Funneling, SHARPSTATS, Shootback, Smbmap, Living off the Land.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=0d5af1f9-fa2e-4ce9-a4ce-0c6fade938e9\r\nPage 1 of 5\n\nOperations performed\nFeb 2017\nThe MuddyWater attacks are primarily against Middle Eastern nations. 
However, we have also ob\nattacks against surrounding nations and beyond, including targets in India and the USA.\nMar 2018\nCampaign Possibly Connected to “MuddyWater” Surfaces in the Middle East and Central Asia\nWe discovered a new campaign targeting organizations in Turkey, Pakistan and Tajikistan that has\nsimilarities with an earlier campaign named MuddyWater, which hit various industries in several\ncountries, primarily in the Middle East and Central Asia.\nMay 2018\nAnother Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor\nIn May 2018, we found a new sample (Detected as W2KM_DLOADR.UHAOEEN) that may be\nto this campaign. Like the previous campaigns, these samples again involve a Microsoft Word do\nembedded with a malicious macro that is capable of executing PowerShell (PS) scripts leading to\nbackdoor payload. One notable difference in the analyzed samples is that they do not directly dow\nthe Visual Basic Script (VBS) and PowerShell component files, and instead encode all the scripts\ndocument itself. The scripts will then be decoded and dropped to execute the payload without nee\ndownload the component files.\nMay 2018\nWe recently noticed a large amount of spear phishing documents that appear to be targeting gover\nbodies, military entities, telcos and educational institutions in Jordan, Turkey, Azerbaijan and Pak\naddition to the continuous targeting of Iraq and Saudi Arabia, other victims were also detected in\nAustria, Russia, Iran and Bahrain. These new documents have appeared throughout 2018 and esc\nfrom May onwards. The attacks are still ongoing.\nSep 2018\nGroup remains highly active with more than 130 victims in 30 organizations hit since September\nSeedworm’s motivations are much like many cyber espionage groups that we observe—they seek\nacquire actionable information about the targeted organizations and individuals. 
They accomplish\nwith a preference for speed and agility over operational security, which ultimately led to our\nidentification of their key operational infrastructure.\nNov 2018\nOperations in Lebanon and Oman\nMuddyWater has recently been targeting victims likely from Lebanon and Oman, while leveragin\ncompromised domains, one of which is owned by an Israeli web developer. The investigation aim\nuncover additional details regarding the compromise vector. Further, we wished to determine the\ninfection vector, which is currently unknown. With that in mind, past experience implies that this\nbe a two-stage spear-phishing campaign.\nApr 2019\nTargeting Kurdish Political Groups and Organizations in Turkey\nHowever, unlike the previous vector, we did not identify this time any compromised servers used\nthe malware’s code. Instead, the lure document already contains the malicious code. We also dete\nfive additional files that operate in a similar file to the aforementioned document; but unlike that f\nPage 2 of 5\n\nthese do not have any content.\nApr 2019\nThe Iranian APT, MuddyWater, has been active since at least 2017. Most recently though, a new\ncampaign, targeting Belarus, Turkey and Ukraine, has emerged that caught the attention of Check\nresearchers.\nApr 2019\nOperation “BlackWater”\nNewly associated samples from April 2019 indicate attackers have added three distinct steps to th\noperations, allowing them to bypass certain security controls and suggesting that MuddyWater’s t\ntechniques and procedures (TTPs) have evolved to evade detection.\nJun 2019\nClearsky has detected a new and advanced attack vector used by MuddyWater to target government\nentities and the telecommunication sector. Notably, the TTP includes decoy documents exploiting\n2017-0199 as the first stage of the attack. 
This is followed by the second stage of the attack –\ncommunication with the hacked C2 servers and downloading a file infected with the macros.\nJun 2019\nWe came across new campaigns that seem to bear the markings of MuddyWater – a threat actor gro\nwith a history of targeting organizations in Middle Eastern and Asian countries. The group used n\ntools and payloads in campaigns over the first half of 2019, pointing to the continued work the gr\nput in since our last report on MuddyWater in November 2018.\n2019\nState-sponsored hackers abuse Slack API to steal airline data\nSep 2020\nOperation “Quicksand”\nDuring September 2020, we identified a new campaign targeting many prominent Israeli organiza\nOct 2020\nMSTIC has observed activity by the nation-state actor MERCURY using the CVE-2020-1472 exp\n(ZeroLogon) in active campaigns over the last 2 weeks.\nDec 2020\nGitHub-hosted malware calculates Cobalt Strike payload from Imgur pic\nFeb 2021\nProbable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting U\nKuwait Government Agencies\nPage 3 of 5\n\nFeb 2021\nOperation “Earth Vetala”\nEarth Vetala used spearphishing emails with embedded links to a legitimate file-sharing service to\ndistribute their malicious package. 
The links were embedded within lure documents as well as em\nJun 2021\nEspionage Campaign Targets Telecoms Organizations across Middle East and Asia\nNov 2021\nIranian APT MuddyWater targets Turkish users via malicious PDFs, executables\nLate 2021\nNew MuddyWater Threat: Old Kitten; New Tricks\nLate 2022\nAPT groups muddying the waters for MSPs\nApr 2023\nMERCURY and DEV-1084: Destructive attack on hybrid environment\nApr 2023\nPhonyC2: Revealing a New Malicious Command \u0026 Control Framework by MuddyWater\nMay 2023\nMicrosoft: Iranian hacking groups join Papercut attack spree\nJul 2023\nMuddyC2Go – Latest C2 Framework Used by Iranian APT MuddyWater Spotted in Israel\nOct 2023\nMuddyWater eN-Able spear-phishing with new TTPs\nNov 2023\nSeedworm: Iranian Hackers Target Telecoms Orgs in North and East Africa\nMar 2024\nSecurity Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign\nMay 2024\nMuddyWater Threat Group Deploys New BugSleep Backdoor\nUpdate: this leak may have been the work of the CIA.\nPage 4 of 5\n\nLast change to this card: 16 August 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=0d5af1f9-fa2e-4ce9-a4ce-0c6fade938e9\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=0d5af1f9-fa2e-4ce9-a4ce-0c6fade938e9"
	],
	"report_names": [
		"showcard.cgi?u=0d5af1f9-fa2e-4ce9-a4ce-0c6fade938e9"
	],
	"threat_actors": [
		{
			"id": "640fc3dc-433d-4244-a85a-21d5135498b2",
			"created_at": "2025-08-07T02:03:24.71289Z",
			"updated_at": "2026-04-10T02:00:03.688893Z",
			"deleted_at": null,
			"main_name": "COBALT AZTEC",
			"aliases": [
				"DEV-1084 ",
				"GOLD AZTEC",
				"Storm-1084 "
			],
			"source_name": "Secureworks:COBALT AZTEC",
			"tools": [
				"DarkBit ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0321f048-2313-42dd-b10c-08a99ae98f2a",
			"created_at": "2024-02-02T02:00:04.06752Z",
			"updated_at": "2026-04-10T02:00:03.54849Z",
			"deleted_at": null,
			"main_name": "Storm-1084",
			"aliases": [
				"DEV-1084"
			],
			"source_name": "MISPGALAXY:Storm-1084",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "25a38dea-d23b-479b-9548-024e955b8964",
			"created_at": "2022-10-25T16:07:23.305911Z",
			"updated_at": "2026-04-10T02:00:04.533448Z",
			"deleted_at": null,
			"main_name": "Anchor Panda",
			"aliases": [
				"APT 14",
				"Anchor Panda",
				"QAZTeam"
			],
			"source_name": "ETDA:Anchor Panda",
			"tools": [
				"AngryRebel",
				"Chymine",
				"Darkmoon",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Moudour",
				"Mydoor",
				"PCRat",
				"Poison Ivy",
				"SPIVY",
				"Torn RAT",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434915,
	"ts_updated_at": 1775826718,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/267c1b09a466f44b67f58c7d1861d27990f9a7a8.pdf",
		"text": "https://archive.orkl.eu/267c1b09a466f44b67f58c7d1861d27990f9a7a8.txt",
		"img": "https://archive.orkl.eu/267c1b09a466f44b67f58c7d1861d27990f9a7a8.jpg"
	}
}