{
	"id": "17e41085-d522-4614-a44f-85897025cc2c",
	"created_at": "2026-05-01T03:09:29.329963Z",
	"updated_at": "2026-05-01T03:10:50.710706Z",
	"deleted_at": null,
	"sha1_hash": "7b19abff222b2a3635907d2a5515fc4b8cb35209",
	"title": "Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal – ClearSky Cyber Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 38598,
	"plain_text": "Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal\r\n– ClearSky Cyber Security\r\nPublished: 2019-06-06 · Archived: 2026-05-01 03:08:29 UTC\r\nIn recent months, there has been considerable unrest in the Iranian cybersphere. Highly sensitive data about\r\nIranian APT groups was leaked, exposing abilities, strategies, and attack tools. The main medium for this leak\r\nwas a Telegram channel.\r\nThe first leak uncovered attack frameworks and web shells of APT-34 (known as the OilRig group). This was\r\nfollowed by another leak that exposed previously unknown details (such as compromised C2 servers)\r\nregarding the operation of MuddyWater. Further, it detailed the modus operandi of RANA – a cyber division of the\r\nIranian Ministry of Intelligence (MOIS).\r\nHowever, Clearsky’s Threat Intelligence team’s investigation indicates that MuddyWater’s activities were\r\nunaffected. This report reveals the group’s latest exploit usage and TTPs.\r\nRead the full report: Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal\r\nClearsky has detected a new and advanced attack vector used by MuddyWater to target governmental entities and\r\nthe telecommunication sector. Notably, the TTP includes decoy documents exploiting CVE-2017-0199 as the first\r\nstage of the attack. This is followed by the second stage of the attack – communication with the hacked C2 servers\r\nand downloading a file infected with macros.\r\nMalicious document propagated by MuddyWater impersonating the Iraqi government\r\nMuddyWater (aka SeedWorm/Temp.Zagros) is a high-profile Advanced Persistent Threat (APT) actor sponsored\r\nby Iran. The group was first observed in 2017, and has since operated multiple global espionage campaigns. 
Their\r\nmost significant operations, however, mainly focus on Middle Eastern and Middle Asian nations.\r\nhttps://www.clearskysec.com/muddywater2/\r\nPage 1 of 2\n\nThe group targets a wide gamut of sectors, including government, military, telecommunication, and academia. In\r\nthe past months, Clearsky has monitored and detected malicious files for each of these TTPs – decoy\r\nMicrosoft software with embedded macros, and documents exploiting vulnerability CVE-2017-0199. This is the\r\nfirst time MuddyWater has used these two vectors in conjunction.\r\nBy analyzing the Rana documents, it appears that the MOIS attack teams are divided into two branches, each with\r\ndifferent purposes.\r\nThe first is the espionage team that specializes in hacking systems, while the other is the social engineering team\r\nthat compromises assets via social engineering and spear-phishing methods. Clearsky’s assessment is that\r\nMuddyWater is likely the latter group.\r\nIndicators of compromise are available for subscribers of the ClearSky threat intelligence service in MISP\r\nevent 1583.\r\nSource: https://www.clearskysec.com/muddywater2/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.clearskysec.com/muddywater2/"
	],
	"report_names": [
		"muddywater2"
	],
	"threat_actors": [],
	"ts_created_at": 1777604969,
	"ts_updated_at": 1777605050,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7b19abff222b2a3635907d2a5515fc4b8cb35209.pdf",
		"text": "https://archive.orkl.eu/7b19abff222b2a3635907d2a5515fc4b8cb35209.txt",
		"img": "https://archive.orkl.eu/7b19abff222b2a3635907d2a5515fc4b8cb35209.jpg"
	}
}