{ "id": "c0413648-d38b-42cf-be59-60519df9ec63", "created_at": "2026-04-06T00:19:44.864863Z", "updated_at": "2026-04-10T13:11:51.228733Z", "deleted_at": null, "sha1_hash": "e2a4fe9a75e8210eba6d9335fa5b81d5a96d1d39", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 57241, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 15:05:46 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Mudwater\r\n Tool: Mudwater\r\nNames Mudwater\r\nCategory Malware\r\nType Reconnaissance, Backdoor, Exfiltration, Downloader\r\nDescription\r\n(Trend Micro) In addition to uncovering new campaigns, we were also able to find connections between\r\nMuddyWater and four Android malware variants that posed as legitimate applications. We were able to\r\nestablish proof of connection through their shared infrastructure, e.g., IP addresses and C\u0026C servers, and\r\nthe code similarities between some of the malware families.\r\nWe first noticed the first Android malware variant (AndroidOS_Mudwater.HRX) when we discovered\r\nthat its IP address and C\u0026C server, 78[.]129[.]139[.]131, was used as the final C\u0026C server of a\r\nMuddyWater campaign. In the said campaign, we saw victims receiving commands for downloading a\r\nsecond stage payload from the abovementioned IP address.\r\nInformation \u003chttps://documents.trendmicro.com/assets/white_papers/wp_new_muddywater_findings_uncovered.pdf\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/apk.mudwater\u003e\r\nLast change to this tool card: 24 April 2021\r\nDownload this tool card in JSON format\r\nAll groups using tool Mudwater\r\nChanged Name Country Observed\r\nAPT groups\r\n  MuddyWater, Seedworm, TEMP.Zagros, Static Kitten 2017-Jul 2025\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=438f9a8a-34ec-4d7e-a6ab-a59238b4bcd3\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=438f9a8a-34ec-4d7e-a6ab-a59238b4bcd3\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=438f9a8a-34ec-4d7e-a6ab-a59238b4bcd3" ], "report_names": [ "listgroups.cgi?u=438f9a8a-34ec-4d7e-a6ab-a59238b4bcd3" ], "threat_actors": [ { "id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b", "created_at": "2022-10-25T15:50:23.308924Z", "updated_at": "2026-04-10T02:00:05.298591Z", "deleted_at": null, "main_name": "MuddyWater", "aliases": [ "MuddyWater", "Earth Vetala", "Static Kitten", "Seedworm", "TEMP.Zagros", "Mango Sandstorm", "TA450" ], "source_name": "MITRE:MuddyWater", "tools": [ "STARWHALE", "POWERSTATS", "Out1", "PowerSploit", "Small Sieve", "Mori", "Mimikatz", "LaZagne", "PowGoop", "CrackMapExec", "ConnectWise", "SHARPSTATS", "RemoteUtilities", "Koadic" ], "source_id": "MITRE", "reports": null }, { "id": "2ed8d590-defa-4873-b2de-b75c9b30931e", "created_at": "2023-01-06T13:46:38.730137Z", "updated_at": "2026-04-10T02:00:03.08136Z", "deleted_at": null, "main_name": "MuddyWater", "aliases": [ "TEMP.Zagros", "Seedworm", "COBALT ULSTER", "G0069", "ATK51", "Mango Sandstorm", "TA450", "Static Kitten", "Boggy Serpens", "Earth Vetala" ], "source_name": "MISPGALAXY:MuddyWater", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "156b3bc5-14b7-48e1-b19d-23aa17492621", "created_at": "2025-08-07T02:03:24.793494Z", "updated_at": "2026-04-10T02:00:03.634641Z", "deleted_at": null, "main_name": "COBALT ULSTER", "aliases": [ "Boggy Serpens ", "ENT-11 ", "Earth Vetala ", "ITG17 ", "MERCURY ", "Mango Sandstorm ", "MuddyWater ", "STAC 1171 ", "Seedworm ", "Static Kitten ", "TA450 ", "TEMP.Zagros ", "UNC3313 ", "Yellow Nix " ], "source_name": "Secureworks:COBALT ULSTER", "tools": [ "CrackMapExec", "Empire", "FORELORD", "Koadic", "LaZagne", "Metasploit", "Mimikatz", "Plink", "PowerStats" ], "source_id": "Secureworks", "reports": null }, { "id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb", "created_at": "2022-10-25T16:07:23.880522Z", "updated_at": "2026-04-10T02:00:04.775749Z", "deleted_at": null, "main_name": "MuddyWater", "aliases": [ "ATK 51", "Boggy Serpens", "Cobalt Ulster", "G0069", "ITG17", "Mango Sandstorm", "MuddyWater", "Operation BlackWater", "Operation Earth Vetala", "Operation Quicksand", "Seedworm", "Static Kitten", "T-APT-14", "TA450", "TEMP.Zagros", "Yellow Nix" ], "source_name": "ETDA:MuddyWater", "tools": [ "Agentemis", "BugSleep", "CLOUDSTATS", "ChromeCookiesView", "Cobalt Strike", "CobaltStrike", "CrackMapExec", "DCHSpy", "DELPHSTATS", "EmPyre", "EmpireProject", "FruityC2", "Koadic", "LOLBAS", "LOLBins", "LaZagne", "Living off the Land", "MZCookiesView", "Meterpreter", "Mimikatz", "MuddyC2Go", "MuddyRot", "Mudwater", "POWERSTATS", "PRB-Backdoor", "PhonyC2", "PowGoop", "PowerShell Empire", "PowerSploit", "Powermud", "QUADAGENT", "SHARPSTATS", "SSF", "Secure Socket Funneling", "Shootback", "Smbmap", "Valyria", "chrome-passwords", "cobeacon", "prb_backdoor" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434784, "ts_updated_at": 1775826711, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/e2a4fe9a75e8210eba6d9335fa5b81d5a96d1d39.pdf", "text": "https://archive.orkl.eu/e2a4fe9a75e8210eba6d9335fa5b81d5a96d1d39.txt", "img": "https://archive.orkl.eu/e2a4fe9a75e8210eba6d9335fa5b81d5a96d1d39.jpg" } }