{
	"id": "d7867505-df2e-4d6b-817e-07e6243386cd",
	"created_at": "2026-04-06T00:14:19.523321Z",
	"updated_at": "2026-04-10T13:12:54.453721Z",
	"deleted_at": null,
	"sha1_hash": "953cc88780b2238c65cc25f5630469abfa416b46",
	"title": "MuddyWater Targets Critical Infrastructure in Asia, Europe",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 179644,
	"plain_text": "MuddyWater Targets Critical Infrastructure in Asia, Europe\r\nBy Prajeet Nair\r\nArchived: 2026-04-05 17:27:31 UTC\r\nApplication Security , Cybercrime , Cybercrime as-a-service\r\nIran-Backed Hacking Group Targets Telecom, Defense, Government Sectors (@prajeetspeaks) • February 25,\r\n2022    \r\nMuddyWater is expected to exploit the world's focus on Ukraine.\r\nHacking group MuddyWater, which has been linked to the Iranian Ministry of Intelligence and Security is\r\ntargeting government and private sector organizations in Asia, Africa, Europe and North America as part of its\r\ncyberespionage and other malicious cyber operations, according to a joint advisory from U.S. and U.K. law\r\nenforcement and intelligence agencies.\r\nSee Also: Securing Patient Data: Shared Responsibility in Action\r\nSectors targeted by the advanced persistent threat actor include telecommunications, defense, local government,\r\nand oil and natural gas. The advisory details the tactics, techniques and procedures, as well as the indicators of\r\ncompromise, associated with the threat group.\r\nDirk Schrader, resident CISO, EMEA, and vice president of security research at cybersecurity firm Netwrix, says\r\ngovernment-linked APTs such as MuddyWater will use the Russia-Ukraine conflict for their own purposes.\r\nKnowing that focus and attention are directed there, he says, the groups may use adapted spear-phishing emails\r\nwhile everyone is expecting a massive cyber operation.\r\nhttps://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611\r\nPage 1 of 4\n\nMuddyWater was earlier suspected of using ransomware to damage the systems of organizations in Israel and\r\nother countries. 
The group is also known as TEMP.Zagros, Static Kitten, Mercury and Seedworm (see: Iranian Hacking Group Suspected of Deploying Ransomware).\r\nAbout MuddyWater\r\nMuddyWater, a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS), has conducted broad cyber campaigns in support of MOIS objectives since 2018, the advisory says.\r\nIn 2017, Kaspersky spotted MuddyWater using spear-phishing techniques to target government agencies, military institutions, telecommunications companies and universities throughout the Middle East.\r\nThe threat group is positioned to provide the Iranian government with stolen data and access to systems, and to share these with other malicious cyber actors, the advisory says, citing analysis by the U.K. National Cyber Security Centre, the U.S. Cybersecurity and Infrastructure Security Agency, the National Security Agency, the Federal Bureau of Investigation and U.S. Cyber Command's Cyber National Mission Force.\r\nThe Iranian government-sponsored group has been exploiting publicly known vulnerabilities and leveraging multiple open-source tools to gain access to sensitive government and commercial networks and deploy ransomware, the advisory says. 
\"These actors also maintain persistence on victim networks via tactics such as side-loading dynamic link libraries, to trick legitimate programs into running malware and obfuscating PowerShell scripts to hide command and control functions.\"\r\nTechnical Analysis\r\n\"MuddyWater attempts to coax their targeted victim into downloading ZIP files, containing either an Excel file with a malicious macro that communicates with the actor’s command and control server or a PDF file that drops a malicious file to the victim’s network,\" the advisory says.\r\nThe group also uses multiple malware sets, such as PowGoop, Small Sieve, Canopy/Starwhale, Mori and POWERSTATS, for loading malware, backdoor access, persistence and exfiltration.\r\n\"APT groups will rearrange their TTPs after being called out. That reinforces the need to be prepared, to have an established security architecture, with embedded workflows that dissolve security silos often seen in organizations, where protecting infrastructure, identities and data is handled in different ways, while attackers will use holes in all three layers to achieve their objectives,\" Netwrix's Schrader tells Information Security Media Group.\r\nPowGoop\r\nThe campaign appears to be using a malicious loader named PowGoop - a fake Google Update mechanism - consisting of a DLL loader and a PowerShell-based downloader.\r\nThe malicious file impersonates a legitimate file signed as a Google Update executable file. 
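Added example, not code from the article or from the advisory: a small Python detection pass over constructed Sysmon-style records for three of the host behaviours this page describes, the PowGoop pattern of a vendor-signed binary loading an unsigned DLL from a user-writable directory (DLL side-loading), the Small Sieve pattern of a Run-key entry whose name imitates Microsoft, Defender or Outlook (including the misspelling Microsift) but points into a user profile, and the Mori pattern of regsvr32.exe registering a DLL from outside the Windows and Program Files trees. Every path, file name and event below is constructed for illustration; update_helper.dll, the alice user profile and the record field names are assumptions, not indicators from the advisory.

```python
# Added example (not from the advisory or the article): detection rules for the
# MuddyWater persistence behaviours described on this page, run over constructed
# Sysmon-style records. Every path, name and event below is made up.
SEP = chr(92)  # a backslash; built this way so the source holds no escape sequences

def win(*parts):  # join with backslashes so sample data looks like real Windows paths
    return SEP.join(parts)

# Directories a standard user can write to: a vendor-signed binary loading an
# unsigned DLL from here, or regsvr32 registering a DLL from here, is suspect.
USER_WRITABLE = ('c:/users/', 'c:/programdata/', 'c:/windows/temp/')
# Per-user dirs where Microsoft software legitimately lives; tune from your own fleet.
KNOWN_GOOD_USER_DIRS = ('/appdata/local/microsoft/onedrive/', '/appdata/local/microsoft/teams/')
# Vendor words the advisory says MuddyWater borrows for file and Run-key names.
VENDOR_WORDS = ('microsoft', 'defender', 'outlook')
# Autostart keys watched by the persistence rule (HKCU and HKLM share the suffix).
RUN_KEYS = ('/microsoft/windows/currentversion/run', '/microsoft/windows/currentversion/runonce')

def norm(path):  # lower-case, forward-slash form so prefix checks stay simple
    return path.lower().replace(SEP, '/')

def in_user_writable(path):
    p = norm(path)
    return p.startswith(USER_WRITABLE) and not any(d in p for d in KNOWN_GOOD_USER_DIRS)

def edit_distance(a, b):
    # Levenshtein distance, used to catch one-character misspellings such as Microsift
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def vendor_lookalike(name):
    # 'exact' if a vendor word occurs verbatim, 'typo' if some substring is one edit away
    s = ''.join(c for c in name.lower() if c.isalnum())
    hit = None
    for v in VENDOR_WORDS:
        if v in s:
            hit = hit or 'exact'
            continue
        for n in (len(v) - 1, len(v), len(v) + 1):
            for i in range(max(1, len(s) - n + 1)):
                if edit_distance(s[i:i + n], v) == 1:
                    return 'typo'
    return hit

def rule_side_load(e):
    # PowGoop pattern: signed vendor executable loads an unsigned DLL from a user-writable dir
    if e['type'] != 'image_load' or not e.get('image_signer') or e.get('loaded_signed'):
        return None
    if in_user_writable(e['loaded']):
        return 'signed ' + e['image'] + ' side-loaded unsigned ' + e['loaded']
    return None

def rule_run_key(e):
    # Small Sieve pattern: Run-key entry borrowing a vendor name, misspelt or in a user dir
    if e['type'] != 'registry_set' or not norm(e['key']).endswith(RUN_KEYS):
        return None
    kind = vendor_lookalike(e['value_name'] + ' ' + norm(e['data']).rsplit('/', 1)[-1])
    if kind == 'typo' or (kind == 'exact' and in_user_writable(e['data'])):
        return kind + ' vendor lookalike in Run key: ' + e['value_name'] + ' -> ' + e['data']
    return None

def rule_regsvr32(e):
    # Mori pattern: regsvr32.exe executing a DLL from outside the Windows and Program Files
    # trees; the naive split means real paths with spaces need a quote-aware parser
    if e['type'] != 'process_create' or not norm(e['image']).endswith('/regsvr32.exe'):
        return None
    for arg in e['command_line'].split():
        if norm(arg).endswith('.dll') and in_user_writable(arg):
            return 'regsvr32 registering user-writable DLL ' + arg
    return None

RULES = (('dll_side_load', rule_side_load), ('lookalike_run_key', rule_run_key),
         ('regsvr32_user_dll', rule_regsvr32))

def detect(events):
    # (rule name, event id, detail) for every record that trips a rule, in input order
    return [(name, e['id'], d) for e in events for name, rule in RULES if (d := rule(e))]

# Constructed telemetry, not real samples: events 1, 3 and 5 should alert; the benign
# twins 2 (signed system DLL) and 4 (allowlisted OneDrive path) should not.
GOOGLE_DIR = win('C:', 'Users', 'alice', 'AppData', 'Local', 'Google', 'Update')
RUN = win('HKCU', 'Software', 'Microsoft', 'Windows', 'CurrentVersion', 'Run')
SAMPLE_EVENTS = [
    {'id': 1, 'type': 'image_load', 'image': win(GOOGLE_DIR, 'GoogleUpdate.exe'), 'image_signer': 'Google LLC',
     'loaded': win(GOOGLE_DIR, 'update_helper.dll'), 'loaded_signed': False},
    {'id': 2, 'type': 'image_load', 'image': win(GOOGLE_DIR, 'GoogleUpdate.exe'), 'image_signer': 'Google LLC',
     'loaded': win('C:', 'Windows', 'System32', 'kernel32.dll'), 'loaded_signed': True},
    {'id': 3, 'type': 'registry_set', 'key': RUN, 'value_name': 'OutlookMicrosift',
     'data': win('C:', 'Users', 'alice', 'AppData', 'Roaming', 'OutlookMicrosift', 'index.exe')},
    {'id': 4, 'type': 'registry_set', 'key': RUN, 'value_name': 'Microsoft OneDrive',
     'data': win('C:', 'Users', 'alice', 'AppData', 'Local', 'Microsoft', 'OneDrive', 'OneDrive.exe')},
    {'id': 5, 'type': 'process_create', 'image': win('C:', 'Windows', 'System32', 'regsvr32.exe'),
     'command_line': 'regsvr32.exe /s ' + win('C:', 'ProgramData', 'FML.dll')},
]
```

Call detect(SAMPLE_EVENTS) to get one alert each for events 1, 3 and 5. In production the records come from Sysmon event IDs 7 (image load), 13 (registry value set) and 1 (process create); the field names here are assumptions rather than Sysmon's own, and KNOWN_GOOD_USER_DIRS is what keeps the Run-key rule quiet, because per-user installers such as OneDrive legitimately place vendor-named binaries under AppData. The edit-distance check is deliberately loose (any substring one edit from a vendor word), so expect to tune it against your own hostnames and product names.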
The PowGoop samples analyzed by CISA and CNMF include components that retrieve encrypted commands from a C2 server.\r\nSmall Sieve\r\nNCSC analysis of a sample determined Small Sieve to be a Python backdoor distributed using a Nullsoft Scriptable Install System (NSIS) installer, gram_app.exe, which installs the Python backdoor, index.exe, and adds it as a registry Run key entry to enable persistence.\r\n\"MuddyWater disguises malicious executables, and uses filenames and registry key names associated with Microsoft's Windows Defender to avoid detection during a casual inspection. The APT group has also used variations of Microsoft (e.g., 'Microsift') and Outlook in its filenames associated with Small Sieve,\" the advisory says.\r\nThe backdoor provides the basic functionality required to maintain and expand a foothold in the victim's infrastructure and avoids detection by using custom string and traffic obfuscation schemes together with the Telegram Bot application programming interface, the advisory says. Small Sieve's beacons and tasking are performed over the Telegram API.\r\nCanopy\r\nCanopy, or Starwhale, is another malware sample that MuddyWater distributes using spear-phishing emails with targeted attachments. In samples analyzed by CISA, a malicious Excel file, Cooperation terms.xls, contained macros written in Visual Basic for Applications and two encoded Windows Script Files. When the victim opens the Excel file, they receive a prompt to enable macros. 
Once this occurs, the macros are executed, decoding and installing the two embedded Windows Script Files.\r\nMori\r\nThe advisory says that MuddyWater also uses the Mori backdoor, which uses Domain Name System tunneling to communicate with the group’s C2 infrastructure.\r\n\"According to one sample analyzed by CISA, FML.dll, Mori uses a DLL written in C++ that is executed with regsvr32.exe with export DllRegisterServer, which appears to be a component to another program,\" the advisory says.\r\nTasks the backdoor supports include deleting the file FILENAME.old and deleting a file named by a registry value, it says.\r\nPOWERSTATS\r\nThe APT group is also known to use the POWERSTATS backdoor, which runs PowerShell scripts to maintain persistent access to victim systems.\r\n\"CNMF has posted samples further detailing the different parts of MuddyWater’s new suite of tools - along with JavaScript files used to establish connections back to malicious infrastructure - to the malware aggregation tool and repository, VirusTotal,\" the advisory says.\r\nThe government agencies recently observed MuddyWater exploiting the Microsoft Netlogon elevation of privilege vulnerability CVE-2020-1472 (Zerologon) and the Microsoft Exchange vulnerability CVE-2020-0688, which Microsoft titled a memory corruption vulnerability but which in fact stems from a static ASP.NET machine key in the Exchange Control Panel that lets an authenticated user achieve remote code execution through ViewState deserialization. Both had patches available well before the advisory was published.\r\nMitigation\r\nOrganizations must proactively maintain reasonable cyber hygiene aligned with business context, says Yaniv Bar-Dayan, CEO and co-founder of cyber risk remediation provider Vulcan Cyber.\r\n\"IT security teams must first ask themselves: 'What are the crown jewels of my organization?' and then work to secure these priorities. 
An orchestrated and deliberate approach to risk measurement, management and mitigation will deliver the needed security to protect against the hacker group flavor of the day,\" Bar-Dayan says.\r\nThe joint advisory also recommends deploying application control software to limit the applications and executable code that users can run, since email attachments and files downloaded via links in emails often contain executable code.\r\nSource: https://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611"
	],
	"report_names": [
		"muddywater-targets-critical-infrastructure-in-asia-europe-a-18611"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434459,
	"ts_updated_at": 1775826774,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/953cc88780b2238c65cc25f5630469abfa416b46.pdf",
		"text": "https://archive.orkl.eu/953cc88780b2238c65cc25f5630469abfa416b46.txt",
		"img": "https://archive.orkl.eu/953cc88780b2238c65cc25f5630469abfa416b46.jpg"
	}
}