{
	"id": "28f7a69b-8d31-4ddd-94c1-a42b447a08b6",
	"created_at": "2026-04-06T00:18:52.789575Z",
	"updated_at": "2026-04-10T13:11:58.321978Z",
	"deleted_at": null,
	"sha1_hash": "44db4d587983673cad0fcc51edf382cb186968a4",
	"title": "‘MuddyWater’ spies suspected in attacks against Middle East governments, telecoms",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 37216,
	"plain_text": "‘MuddyWater’ spies suspected in attacks against Middle East governments, telecoms\nBy Sean Lyngaas\nPublished: 2020-10-21 · Archived: 2026-04-05 22:49:31 UTC\n\nOne of the most prolific cyber-espionage groups linked to Iran has used old tricks — and perhaps a new hacking tool — in dozens of attempts to breach government and telecommunications operators in the Middle East in recent months, security researchers said Wednesday.\n\nThe hacking attempts have hit organizations in Iraq, Kuwait, Turkey and the United Arab Emirates, according to researchers at security provider Symantec. Iran has strategic interests in all of those countries. And the attackers appear to be trying to smuggle key data from the organizations they managed to breach.\n\nIt’s a reminder that while other hacking teams associated with Tehran have gained notoriety for disruptive, data-wiping attacks against Middle East organizations, the group known as MuddyWater, or Seedworm, is better known for its relentless spying efforts.\n\n“These actors are extremely focused in what they’re doing,” said Vikram Thakur, technical director at Symantec, a division of semiconductor and software maker Broadcom. “They’re not using zero days. They’re just looking for commonly available methods along with their custom malware to get into these environments, exfiltrate whatever they want and then move on.”\n\nResearchers from Symantec and other security companies are investigating a new hacking tool they suspect MuddyWater has been using in the compromises. Known as PowGoop, the malicious code can install other programs capable of siphoning data off of networks.\n\n“It could be a subgroup within [MuddyWater] which has been tasked differently” from the rest of the group, Thakur said of the PowGoop tool.\n\nWhile Symantec said it had “medium confidence” that MuddyWater was behind PowGoop, there were other signs that the group has been developing new tools.\n\n“MuddyWater has been very active in the last year, both in its prolific operations and constant development of tools,” said Saher Naumaan, senior threat intelligence analyst at BAE Systems. “One significant evolution is the group’s advancements in malware, which over the years has shifted away from solely scripting-based tooling, such as PowerShell, to .NET and now to custom C++ payloads, as seen with Backdoor.Mori,” added Naumaan, who closely tracks hackers associated with Iran.\n\nMuddyWater’s recent activity is in keeping with its reputation for prolific hacking campaigns. From September to December 2018, for example, the group compromised 131 victims in 30 organizations all over the map, from Russia to Saudi Arabia to North America, Symantec said in previous research.\n\nMuddyWater has so far avoided the extra scrutiny that comes from public U.S. indictments. It was not among the alleged Iranian hackers who were indicted last month by U.S. grand juries. And while security companies continue to expose MuddyWater’s tools, the group shows no signs of letting up.\n\nSource: https://www.cyberscoop.com/muddywater-iran-symantec-middle-east/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cyberscoop.com/muddywater-iran-symantec-middle-east/"
	],
	"report_names": [
		"muddywater-iran-symantec-middle-east"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens",
				"ENT-11",
				"Earth Vetala",
				"ITG17",
				"MERCURY",
				"Mango Sandstorm",
				"MuddyWater",
				"STAC 1171",
				"Seedworm",
				"Static Kitten",
				"TA450",
				"TEMP.Zagros",
				"UNC3313",
				"Yellow Nix"
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434732,
	"ts_updated_at": 1775826718,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/44db4d587983673cad0fcc51edf382cb186968a4.pdf",
		"text": "https://archive.orkl.eu/44db4d587983673cad0fcc51edf382cb186968a4.txt",
		"img": "https://archive.orkl.eu/44db4d587983673cad0fcc51edf382cb186968a4.jpg"
	}
}