{ "id": "cdc5301e-f3f4-45b3-b05e-157c23f17126", "created_at": "2026-04-06T00:07:07.04195Z", "updated_at": "2026-04-10T13:12:09.875548Z", "deleted_at": null, "sha1_hash": "679cbdce358a56258d2a2f2da3b684e9450a2f94", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 56497, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-02 10:47:57 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool MuddyC2Go\r\n Tool: MuddyC2Go\r\nNames MuddyC2Go\r\nCategory Malware\r\nType Backdoor\r\nDescription\r\n(Deep Instinct) While analyzing previous PhonyC2 infrastructure, Deep Instinct uncovered\r\nanomalies that indicated MuddyWater might be using an additional C2 framework.\r\nAt that time, we lacked sufficient evidence to support this claim. However, after we published\r\nour PhonyC2 research, we observed two IP addresses previously related to MuddyWater, one\r\nof those addresses which was hosting PhonyC2 had switched to a different C2 framework\r\ndelivering a PowerShell payload.\r\nThis behavior heightened suspicions of a new C2 framework. However, without seeing and\r\nobserving the initial payload, those IP addresses could have been internal tests by MuddyWater\r\nbefore fully deploying the C2.\r\nInformation\r\n\u003chttps://www.deepinstinct.com/blog/muddyc2go-latest-c2-framework-used-by-iranian-apt-muddywater-spotted-in-israel\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.muddyc2go\u003e\r\nLast change to this tool card: 17 January 2024\r\nDownload this tool card in JSON format\r\nAll groups using tool MuddyC2Go\r\nChanged Name Country Observed\r\nAPT groups\r\n  MuddyWater, Seedworm, TEMP.Zagros, Static Kitten 2017-Jul 2025\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=84270a76-a828-4e46-a343-6ac3015f7afc\r\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=84270a76-a828-4e46-a343-6ac3015f7afc\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=84270a76-a828-4e46-a343-6ac3015f7afc\r\nPage 2 of 2\n\nAPT groups MuddyWater, Seedworm, TEMP.Zagros, Static Kitten 2017-Jul 2025\n1 group listed (1 APT, 0 other, 0 unknown) \n Page 1 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=84270a76-a828-4e46-a343-6ac3015f7afc" ], "report_names": [ "listgroups.cgi?u=84270a76-a828-4e46-a343-6ac3015f7afc" ], "threat_actors": [ { "id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b", "created_at": "2022-10-25T15:50:23.308924Z", "updated_at": "2026-04-10T02:00:05.298591Z", "deleted_at": null, "main_name": "MuddyWater", "aliases": [ "MuddyWater", "Earth Vetala", "Static Kitten", "Seedworm", "TEMP.Zagros", "Mango Sandstorm", "TA450" ], "source_name": "MITRE:MuddyWater", "tools": [ "STARWHALE", "POWERSTATS", "Out1", "PowerSploit", "Small Sieve", "Mori", "Mimikatz", "LaZagne", "PowGoop", "CrackMapExec", "ConnectWise", "SHARPSTATS", "RemoteUtilities", "Koadic" ], "source_id": "MITRE", "reports": null }, { "id": "2ed8d590-defa-4873-b2de-b75c9b30931e", "created_at": "2023-01-06T13:46:38.730137Z", "updated_at": "2026-04-10T02:00:03.08136Z", "deleted_at": null, "main_name": "MuddyWater", "aliases": [ "TEMP.Zagros", "Seedworm", "COBALT ULSTER", "G0069", "ATK51", "Mango Sandstorm", "TA450", "Static Kitten", "Boggy Serpens", "Earth Vetala" ], "source_name": "MISPGALAXY:MuddyWater", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "156b3bc5-14b7-48e1-b19d-23aa17492621", "created_at": "2025-08-07T02:03:24.793494Z", "updated_at": "2026-04-10T02:00:03.634641Z", "deleted_at": null, "main_name": "COBALT ULSTER", "aliases": [ "Boggy Serpens ", "ENT-11 ", "Earth Vetala ", "ITG17 ", "MERCURY ", "Mango Sandstorm ", "MuddyWater ", "STAC 1171 ", "Seedworm ", "Static Kitten ", "TA450 ", "TEMP.Zagros ", "UNC3313 ", "Yellow Nix " ], "source_name": "Secureworks:COBALT ULSTER", "tools": [ "CrackMapExec", "Empire", "FORELORD", "Koadic", "LaZagne", "Metasploit", "Mimikatz", "Plink", "PowerStats" ], "source_id": "Secureworks", "reports": null }, { "id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb", "created_at": "2022-10-25T16:07:23.880522Z", "updated_at": "2026-04-10T02:00:04.775749Z", "deleted_at": null, "main_name": "MuddyWater", "aliases": [ "ATK 51", "Boggy Serpens", "Cobalt Ulster", "G0069", "ITG17", "Mango Sandstorm", "MuddyWater", "Operation BlackWater", "Operation Earth Vetala", "Operation Quicksand", "Seedworm", "Static Kitten", "T-APT-14", "TA450", "TEMP.Zagros", "Yellow Nix" ], "source_name": "ETDA:MuddyWater", "tools": [ "Agentemis", "BugSleep", "CLOUDSTATS", "ChromeCookiesView", "Cobalt Strike", "CobaltStrike", "CrackMapExec", "DCHSpy", "DELPHSTATS", "EmPyre", "EmpireProject", "FruityC2", "Koadic", "LOLBAS", "LOLBins", "LaZagne", "Living off the Land", "MZCookiesView", "Meterpreter", "Mimikatz", "MuddyC2Go", "MuddyRot", "Mudwater", "POWERSTATS", "PRB-Backdoor", "PhonyC2", "PowGoop", "PowerShell Empire", "PowerSploit", "Powermud", "QUADAGENT", "SHARPSTATS", "SSF", "Secure Socket Funneling", "Shootback", "Smbmap", "Valyria", "chrome-passwords", "cobeacon", "prb_backdoor" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434027, "ts_updated_at": 1775826729, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/679cbdce358a56258d2a2f2da3b684e9450a2f94.pdf", "text": "https://archive.orkl.eu/679cbdce358a56258d2a2f2da3b684e9450a2f94.txt", "img": "https://archive.orkl.eu/679cbdce358a56258d2a2f2da3b684e9450a2f94.jpg" } }