{
	"id": "e45ed263-d2f7-4d56-ad89-63e73da5826a",
	"created_at": "2026-04-06T00:20:06.990639Z",
	"updated_at": "2026-04-10T03:34:22.621612Z",
	"deleted_at": null,
	"sha1_hash": "cbdfcb5888e1941de64bf53e2e50a430fe0ceb07",
	"title": "Iran's MuddyWater Hacker Group Using New Malware in Worldwide Cyber Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 167535,
	"plain_text": "Iran's MuddyWater Hacker Group Using New Malware in Worldwide Cyber Attacks\r\nBy The Hacker News\r\nPublished: 2022-02-25 · Archived: 2026-04-05 12:54:39 UTC\r\nCybersecurity agencies from the U.K. and the U.S. have laid bare a new malware used by the Iranian government-sponsored advanced persistent threat (APT) group in attacks targeting government and commercial networks worldwide.\r\n\"MuddyWater actors are positioned both to provide stolen data and accesses to the Iranian government and to share these with other malicious cyber actors,\" the agencies said.\r\nThe joint advisory comes courtesy of the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Cyber Command Cyber National Mission Force (CNMF), and the U.K.'s National Cyber Security Centre (NCSC).\r\nThe cyberespionage actor was outed this year as conducting malicious operations as part of Iran's Ministry of Intelligence and Security (MOIS) targeting a wide range of government and private-sector organizations, including telecommunications, defense, local government, and oil and natural gas sectors, in Asia, Africa, Europe, and North America.\r\nhttps://thehackernews.com/2022/02/irans-muddywater-hacker-group-using-new.html\r\nPage 1 of 3\r\nMuddyWater is also tracked by the wider cybersecurity community under the names Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros, with the group known for cyber offensives in support of MOIS objectives since roughly 2018.\r\nBesides exploiting publicly reported vulnerabilities, the hacking collective has been historically observed employing open-source tools to gain access to sensitive data, deploy ransomware, and achieve persistence on victim networks.\r\nA follow-on investigation by Cisco Talos late last month also uncovered a previously undocumented malware campaign aimed at Turkish private organizations and governmental institutions with the goal of deploying a PowerShell-based backdoor.\r\nThe new activities unmasked by the intelligence authorities are no different in that they make use of obfuscated PowerShell scripts to conceal the most damaging parts of the attacks, including command-and-control (C2) functions.\r\nThe intrusions are facilitated via a spear-phishing campaign that attempts to coax its targets into downloading suspicious ZIP archives that either contain an Excel file with a malicious macro that communicates with the actor's C2 server or a PDF file that drops a malicious payload to the infected system.\r\n\"Additionally, the group uses multiple malware sets — including PowGoop, Small Sieve, Canopy/Starwhale, Mori, and POWERSTATS — for loading malware, backdoor access, persistence, and exfiltration,\" FBI, CISA, CNMF, and NCSC said.\r\nWhile PowGoop functions as a loader responsible for downloading second-stage PowerShell scripts, Small Sieve is described as a Python-based implant used for maintaining a foothold in the network by leveraging the Telegram API for C2 communications to evade detection.\r\nOther key pieces of malware are Canopy, a Windows Script File (.WSF) used to collect and transmit system metadata to an adversary-controlled IP address, and two backdoors called Mori and POWERSTATS that are used to run commands received from the C2 and maintain persistent access.\r\nRounding out the arsenal of tools employed by MuddyWater is a survey script to enumerate and transmit information about victim computers back to the remote C2 server. Also deployed is a newly identified PowerShell backdoor that's used to execute commands received from the attacker.\r\nTo create barriers for potential attacks, the agencies recommend that organizations use multi-factor authentication wherever applicable, limit the use of administrator privileges, implement phishing protections, and prioritize patching known exploited vulnerabilities.\r\nSource: https://thehackernews.com/2022/02/irans-muddywater-hacker-group-using-new.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://thehackernews.com/2022/02/irans-muddywater-hacker-group-using-new.html"
	],
	"report_names": [
		"irans-muddywater-hacker-group-using-new.html"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens",
				"ENT-11",
				"Earth Vetala",
				"ITG17",
				"MERCURY",
				"Mango Sandstorm",
				"MuddyWater",
				"STAC 1171",
				"Seedworm",
				"Static Kitten",
				"TA450",
				"TEMP.Zagros",
				"UNC3313",
				"Yellow Nix"
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434806,
	"ts_updated_at": 1775792062,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cbdfcb5888e1941de64bf53e2e50a430fe0ceb07.pdf",
		"text": "https://archive.orkl.eu/cbdfcb5888e1941de64bf53e2e50a430fe0ceb07.txt",
		"img": "https://archive.orkl.eu/cbdfcb5888e1941de64bf53e2e50a430fe0ceb07.jpg"
	}
}