{
	"id": "582eb1d0-7282-4f75-88b9-bf57fddd1971",
	"created_at": "2026-04-06T00:11:53.268366Z",
	"updated_at": "2026-04-10T03:34:22.583032Z",
	"deleted_at": null,
	"sha1_hash": "7113577e8a66743a21b3d2fb74df94e8df65494d",
	"title": "POWERSTATS (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 75536,
	"plain_text": "POWERSTATS (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 19:45:31 UTC\r\nPOWERSTATS\r\naka: Valyria\r\nActor(s): MuddyWater\r\nPOWERSTATS is a backdoor written in PowerShell.\r\nIt can disable Microsoft Office Protected View, fingerprint the victim, and receive commands.\r\nReferences\r\n2023-06-29 ⋅ DeepInstinct ⋅\r\nPhonyC2: Revealing a New Malicious Command \u0026 Control Framework by MuddyWater\r\nPhonyC2 POWERSTATS\r\n2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42\r\nBoggy Serpens\r\nPOWERSTATS MuddyWater\r\n2022-02-25 ⋅ infoRisk TODAY ⋅ Prajeet Nair\r\nMuddyWater Targets Critical Infrastructure in Asia, Europe\r\nPOWERSTATS PowGoop STARWHALE GRAMDOOR MoriAgent\r\n2022-02-24 ⋅ CISA, CNMF, FBI, NCSC UK, NSA\r\nIranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and\r\nCommercial Networks\r\nPOWERSTATS PowGoop GRAMDOOR MoriAgent\r\n2022-02-24 ⋅ CISA, CNMF, FBI, NCSC UK\r\nAlert (AA22-055A) Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global\r\nGovernment and Commercial Networks\r\nPOWERSTATS PowGoop MoriAgent\r\n2021-01-13 ⋅ Shells.System blog ⋅ Ahmed Khlief\r\nReviving MuddyC3 Used by MuddyWater (IRAN) APT\r\nPOWERSTATS\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerstats\r\nPage 1 of 3\n\n2020-01-15 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli\r\nIranian Threat Actors: Preliminary Analysis\r\nPOWERSTATS\r\n2020-01-07 ⋅ Prevailion ⋅ Danny Adamitis\r\nSummer Mirage\r\nPOWERSTATS\r\n2020-01-01 ⋅ Secureworks ⋅ SecureWorks\r\nCOBALT ULSTER\r\nPOWERSTATS Koadic MuddyWater\r\n2019-08-01 ⋅ Kaspersky Labs ⋅ GReAT\r\nAPT trends report Q2 2019\r\nZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger\r\nHOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy\r\n2019-06-10 ⋅ Trend Micro ⋅ Daniel Lunghi, Jaromír Hořejší\r\nMuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New 
Post-Exploitation Tools\r\nPOWERSTATS\r\n2019-05-29 ⋅ Group-IB ⋅ Group-IB\r\nCatching fish in muddy waters\r\nPOWERSTATS\r\n2019-04-15 ⋅ ClearSky ⋅ ClearSky Research Team\r\nIranian APT MuddyWater Attack Infrastructure Targeting Kurdish Political Groups and Organizations in\r\nTurkey\r\nPOWERSTATS MuddyWater\r\n2019-04-10 ⋅ Check Point ⋅ Check Point Research\r\nThe Muddy Waters of APT Attacks\r\nPOWERSTATS\r\n2019-03-21 ⋅ ⋅ Qianxin ⋅ Qi Anxin\r\nAnalysis of the latest attack activities of the suspected MuddyWater APT group against the Iraqi mobile\r\noperator Korek Telecom\r\nPOWERSTATS\r\n2018-11-28 ⋅ ClearSky ⋅ ClearSky Research Team\r\nMuddyWater Operations in Lebanon and Oman\r\nPOWERSTATS\r\n2018-06-06 ⋅ ClearSky ⋅ ClearSky Cyber Security\r\nIranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal\r\nPOWERSTATS\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerstats\r\nPage 2 of 3\n\n2018-05-08 ⋅ Security 0wnage ⋅ Mo Bustami\r\nClearing the MuddyWater - Analysis of new MuddyWater Samples\r\nPOWERSTATS\r\n2018-03-22 ⋅ Sekoia ⋅ sekoia\r\nFalling on MuddyWater\r\nPOWERSTATS\r\n2018-03-13 ⋅ FireEye ⋅ Ben Read, Dileep Kumar Jallepalli, Sudeep Singh, Yogesh Londhe\r\nIranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign\r\nPOWERSTATS MuddyWater\r\n2018-03-12 ⋅ Trend Micro ⋅ Jaromír Hořejší\r\nCampaign Possibly Connected to “MuddyWater” Surfaces in the Middle East and Central Asia\r\nPOWERSTATS MuddyWater\r\n2018-03-01 ⋅ Security 0wnage ⋅ Mo Bustami\r\nA Quick Dip into MuddyWater's Recent Activity\r\nPOWERSTATS\r\n2018-01-02 ⋅ Security 0wnage ⋅ Mo Bustami\r\nBurping on MuddyWater\r\nPOWERSTATS\r\n2017-11-22 ⋅ Reaqta ⋅ Reaqta\r\nA dive into MuddyWater APT targeting Middle-East\r\nPOWERSTATS\r\n2017-11-14 ⋅ Palo Alto Networks Unit 42 ⋅ Tom Lancaster\r\nMuddying the Water: Targeted Attacks in the Middle East\r\nPOWERSTATS MuddyWater\r\n2017-10-04 ⋅ Security 0wnage ⋅ Mo Bustami\r\nContinued Activity targeting the 
Middle East\r\nPOWERSTATS\r\n2017-09-26 ⋅ Malwarebytes ⋅ Malwarebytes Labs\r\nElaborate scripting-fu used in espionage attack against Saudi Arabia Government entity\r\nPOWERSTATS\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerstats\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerstats\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerstats"
	],
	"report_names": [
		"ps1.powerstats"
	],
	"threat_actors": [
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c97cf0c1-7f0d-4e35-9bb9-bceaad178c3d",
			"created_at": "2023-01-06T13:46:38.760807Z",
			"updated_at": "2026-04-10T02:00:03.091254Z",
			"deleted_at": null,
			"main_name": "ZooPark",
			"aliases": [],
			"source_name": "MISPGALAXY:ZooPark",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "93edf98a-03c1-48b3-a94c-e1bddc24f0e6",
			"created_at": "2022-10-25T16:07:24.435275Z",
			"updated_at": "2026-04-10T02:00:04.988022Z",
			"deleted_at": null,
			"main_name": "ZooPark",
			"aliases": [
				"APT-C-38",
				"Cobalt Juno",
				"Saber Lion",
				"TG-2884"
			],
			"source_name": "ETDA:ZooPark",
			"tools": [
				"ZooPark"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434313,
	"ts_updated_at": 1775792062,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7113577e8a66743a21b3d2fb74df94e8df65494d.pdf",
		"text": "https://archive.orkl.eu/7113577e8a66743a21b3d2fb74df94e8df65494d.txt",
		"img": "https://archive.orkl.eu/7113577e8a66743a21b3d2fb74df94e8df65494d.jpg"
	}
}