MuddyWater, Seedworm, TEMP.Zagros, Static Kitten
Archived: 2026-04-02 11:29:21 UTC

APT group: MuddyWater, Seedworm, TEMP.Zagros, Static Kitten

Names:
  MuddyWater (Palo Alto)
  Seedworm (Symantec)
  TEMP.Zagros (FireEye)
  Static Kitten (CrowdStrike)
  Mercury (Microsoft)
  TA450 (Proofpoint)
  Cobalt Ulster (SecureWorks)
  ATK 51 (Thales)
  T-APT-14 (Tencent)
  ITG17 (IBM)
  Mango Sandstorm (Microsoft)
  Boggy Serpens (Palo Alto)
  Yellow Nix (PWC)
  G0069 (MITRE)

Country: Iran
Sponsor: State-sponsored, IRGC (Islamic Revolutionary Guard Corps)
Motivation: Information theft and espionage
First seen: 2017

Description (Reaqta):
MuddyWater is an APT group that has been active throughout 2017, targeting victims in the Middle East with in-memory vectors leveraging PowerShell, in a family of attacks now identified as “Living off the land”, as they do not require the creation of new binaries on the victim’s machine, thus maintaining a low detection profile and a low forensic footprint. The operators behind MuddyWater are likely espionage-motivated; we derive this information from the analysis of the backdoors’ behaviour. We also find that despite the strong preponderance of victims from Pakistan, most targets appear to be in Saudi Arabia, UAE and Iraq. Amongst the victims we identify a variety of entities, with a stronger focus on governments, telcos and oil companies. By tracking the operations we finally figure out that the originating country is likely to be Iran, while it remains to be ascertained whether MuddyWater is state-sponsored or a criminal organization inclined to espionage.

Observed sectors: Aviation, Defense, Education, Energy, Financial, Food and Agriculture, Gaming, Government, Healthcare, High-Tech, IT, Media, NGOs, Oil and gas, Shipping and Logistics, Telecommunications, Transportation.

Observed countries: Afghanistan, Armenia, Austria, Azerbaijan, Bahrain, Belarus, Egypt, Georgia, India, Iran, Iraq, Israel, Jordan, Kuwait, Laos, Lebanon, Mali, Netherlands, Oman, Pakistan, Portugal, Qatar, Russia, Saudi Arabia, Sudan, Tajikistan, Tanzania, Thailand, Tunisia, Turkey, UAE, Ukraine, USA.

Tools used: BugSleep, ChromeCookiesView, chrome-passwords, CLOUDSTATS, Cobalt Strike, CrackMapExec, DCHSpy, DELPHSTATS, EmpireProject, FruityC2, Koadic, LaZagne, Meterpreter, Mimikatz, MuddyC2Go, Mudwater, MZCookiesView, PhonyC2, Powermud, PowerSploit, POWERSTATS, PowGoop, PRB-Backdoor, QUADAGENT, Secure Socket Funneling, SHARPSTATS, Shootback, Smbmap, Living off the Land.

https://apt.etda.or.th/cgi-bin/showcard.cgi?u=0d5af1f9-fa2e-4ce9-a4ce-0c6fade938e9 Page 1 of 5

Operations performed

Feb 2017
The MuddyWater attacks are primarily against Middle Eastern nations. However, we have also observed attacks against surrounding nations and beyond, including targets in India and the USA.

Mar 2018
Campaign Possibly Connected to “MuddyWater” Surfaces in the Middle East and Central Asia
We discovered a new campaign targeting organizations in Turkey, Pakistan and Tajikistan that has similarities with an earlier campaign named MuddyWater, which hit various industries in several countries, primarily in the Middle East and Central Asia.

May 2018
Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor
In May 2018, we found a new sample (detected as W2KM_DLOADR.UHAOEEN) that may be related to this campaign. Like the previous campaigns, these samples again involve a Microsoft Word document embedded with a malicious macro that is capable of executing PowerShell (PS) scripts leading to a backdoor payload. One notable difference in the analyzed samples is that they do not directly download the Visual Basic Script (VBS) and PowerShell component files, and instead encode all the scripts in the document itself. The scripts will then be decoded and dropped to execute the payload without needing to download the component files.

May 2018
We recently noticed a large amount of spear-phishing documents that appear to be targeting government bodies, military entities, telcos and educational institutions in Jordan, Turkey, Azerbaijan and Pakistan. In addition to the continuous targeting of Iraq and Saudi Arabia, other victims were also detected in Austria, Russia, Iran and Bahrain. These new documents have appeared throughout 2018 and escalated from May onwards. The attacks are still ongoing.

Sep 2018
Group remains highly active with more than 130 victims in 30 organizations hit since September
Seedworm’s motivations are much like those of many cyber espionage groups that we observe: they seek to acquire actionable information about the targeted organizations and individuals. They accomplish this with a preference for speed and agility over operational security, which ultimately led to our identification of their key operational infrastructure.

Nov 2018
Operations in Lebanon and Oman
MuddyWater has recently been targeting victims likely from Lebanon and Oman, while leveraging compromised domains, one of which is owned by an Israeli web developer. The investigation aims to uncover additional details regarding the compromise vector. Further, we wished to determine the infection vector, which is currently unknown. With that in mind, past experience implies that this may be a two-stage spear-phishing campaign.

Apr 2019
Targeting Kurdish Political Groups and Organizations in Turkey
However, unlike the previous vector, this time we did not identify any compromised servers used to host the malware’s code. Instead, the lure document already contains the malicious code. We also detected five additional files that operate in a similar manner to the aforementioned document; but unlike that file, these do not have any content.

Apr 2019
The Iranian APT MuddyWater has been active since at least 2017. Most recently though, a new campaign targeting Belarus, Turkey and Ukraine has emerged that caught the attention of Check Point researchers.

Apr 2019
Operation “BlackWater”
Newly associated samples from April 2019 indicate attackers have added three distinct steps to their operations, allowing them to bypass certain security controls and suggesting that MuddyWater’s tactics, techniques and procedures (TTPs) have evolved to evade detection.

Jun 2019
ClearSky has detected a new and advanced attack vector used by MuddyWater to target government entities and the telecommunication sector. Notably, the TTP includes decoy documents exploiting CVE-2017-0199 as the first stage of the attack. This is followed by the second stage of the attack: communication with the hacked C2 servers and downloading a file infected with the macros.

Jun 2019
We came across new campaigns that seem to bear the markings of MuddyWater, a threat actor group with a history of targeting organizations in Middle Eastern and Asian countries. The group used new tools and payloads in campaigns over the first half of 2019, pointing to the continued work the group put in since our last report on MuddyWater in November 2018.

2019
State-sponsored hackers abuse Slack API to steal airline data

Sep 2020
Operation “Quicksand”
During September 2020, we identified a new campaign targeting many prominent Israeli organizations.

Oct 2020
MSTIC has observed activity by the nation-state actor MERCURY using the CVE-2020-1472 exploit (ZeroLogon) in active campaigns over the last 2 weeks.

Dec 2020
GitHub-hosted malware calculates Cobalt Strike payload from Imgur pic

Feb 2021
Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies

Feb 2021
Operation “Earth Vetala”
Earth Vetala used spear-phishing emails with embedded links to a legitimate file-sharing service to distribute their malicious package. The links were embedded within lure documents as well as emails.

Jun 2021
Espionage Campaign Targets Telecoms Organizations across Middle East and Asia

Nov 2021
Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables

Late 2021
New MuddyWater Threat: Old Kitten; New Tricks

Late 2022
APT groups muddying the waters for MSPs

Apr 2023
MERCURY and DEV-1084: Destructive attack on hybrid environment

Apr 2023
PhonyC2: Revealing a New Malicious Command & Control Framework by MuddyWater

May 2023
Microsoft: Iranian hacking groups join Papercut attack spree

Jul 2023
MuddyC2Go – Latest C2 Framework Used by Iranian APT MuddyWater Spotted in Israel

Oct 2023
MuddyWater eN-Able spear-phishing with new TTPs

Nov 2023
Seedworm: Iranian Hackers Target Telecoms Orgs in North and East Africa

Mar 2024
Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign

May 2024
MuddyWater Threat Group Deploys New BugSleep Backdoor
Update: this leak may have been the work of the CIA.

Last change to this card: 16 August 2025

Source: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=0d5af1f9-fa2e-4ce9-a4ce-0c6fade938e9