{
	"id": "45060d42-383b-42a0-8f4f-1e45c3bdb5a7",
	"created_at": "2026-04-06T00:13:41.246408Z",
	"updated_at": "2026-04-10T13:11:42.909879Z",
	"deleted_at": null,
	"sha1_hash": "e3ee9b5378471d6c5e41d7249f8d0dd5d00b16f5",
	"title": "Falling on MuddyWater – Where security meets innovation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 268607,
	"plain_text": "Falling on MuddyWater – Where security meets innovation\r\nBy inThreat Team\r\nArchived: 2026-04-05 22:55:18 UTC\r\nMuddyWater [1] is regularly mentioned in the headlines. We took time to summarize the past campaigns and try to establish links between TTPs and targets.\r\nOverview of MuddyWater\r\nMuddyWater’s TTPs were exposed in a MalwareBytes blog in September 2017 [2]. We have been following their activity since that date to provide intelligence to our inThreat customers, and below is an overview of this threat actor’s modus operandi and targets:\r\nExtract from our Flash Intelligence Report\r\nMuddyWater has stable TTPs… so far\r\nhttps://web.archive.org/web/20180807105755/https://www.sekoia.fr/blog/falling-on-muddywater/\r\nPage 1 of 5\n\nFrom what we have learned so far, we associate the name MuddyWater with a threat group which has been consistently delivering a specific PowerShell script, named POWERSTATS [3], to multiple targets in the Middle East and South Asia. POWERSTATS has been very well described by ReaQta, TrendMicro and FireEye [1] [4] [5]. Its main purpose is to collect data and execute other tools on the victim’s machine. Researchers from Morphisec – who first spotted the backdoor back in March 2017 – and from ReaQta were able to observe some post-compromise actions during which POWERSTATS was used to download several tools such as Meterpreter, a PowerShell DNS backdoor, a RAT named Koadic or a Python password stealer [5] [6]. POWERSTATS remained stable in 2017, even though lateral movement functions appeared quite recently [1] [7].\r\nMuddyWater’s main delivery tactic for POWERSTATS is to lure a target into opening a malicious Word document which then drops POWERSTATS. These baits, however, require the execution of an embedded VBA macro. The POWERSTATS script is also heavily obfuscated, with five to seven layers of PowerShell obfuscation. Testing the documents in a malware analysis engine will nonetheless easily unveil the obfuscated VBA code and the dropped files.\r\nhttps://malware.sekoia.fr/results/71357f80f90af2690d2d554f2f8ae57616556de5e0df3bc3f4e63c3bf4eca237 (typical bait for 2017 campaigns)\r\nhttps://malware.sekoia.fr/results/707d2128a0c326626adef0d3a4cab78562abd82c2bd8ede8cc82f86c01f1e024 (bait from a 2018 campaign)\r\nWe believe these documents are sent via spear phishing emails. Consistent with this hypothesis, some of the most recent documents require that the victim enters a password which is most probably sent in an accompanying email.\r\nClearing the mud\r\nThere is no clear indication yet of what MuddyWater’s ultimate motivation is. While some analysts think that their main goal is cyberespionage, we are cautious with this idea. Indeed, little information is currently known on MuddyWater’s targets and their post-exploitation actions.\r\nWe do however have a good idea of what their areas of interest are. Indeed, the bait documents share a similar and typical look-and-feel which makes them quite characteristic. More interestingly, they are designed with a particular theme which is specific enough to provide a good hint on which countries or industries might be concerned. Based on our intel, we’ve summarized MuddyWater’s intrusion campaigns in the following table:\r\nNumber of distinct malicious documents distributed by country according to their theme\r\nG/U* Generic or Undefined theme\r\nThe first information which pops out of this data is that MuddyWater seem to have intensified their operations since the third quarter of 2017.\r\nSecondly, their areas of interest have switched in 2018. Turkish organizations and/or individuals have become important targets. The themes used in malicious documents with a Turkish bait suggest that Turkish targets are linked to the government, the defense industry, or the economy. As an example, one spear phishing email was designed to spoof the Turkish Intelligence Services, and lure an employee of a Turkish company working for the Turkish armed forces.\r\nPakistani, Tajik and Indian organizations might also be current targets of MuddyWater intrusion campaigns, while Georgian, Iraqi, Saudi Arabian and Azerbaijani organizations do not seem to be targeted anymore, at least with this delivery tactic.\r\nSome questions remain\r\nAn analysis by ReaQta of MuddyWater’s C\u0026C traffic suggested that, although it had the highest number of infections, Pakistan was not one of the most interesting countries for MuddyWater, as opposed to Saudi Arabia, the United Arab Emirates or Iraq, which had much lower infection levels but higher C\u0026C activity [5]. However, we currently count 10 different malicious documents with a clear Pakistan-related bait, which shows that MuddyWater put some effort into targeting Pakistani individuals or organizations. On the other hand, while we noticed several documents targeting Iraq or Saudi Arabia, we found only one document with a loose focus on the UAE: the “veri peri branches information.doc” [8]. Veri Peri owns a franchise restaurant in the UAE – and in other countries in the Middle East [9]. Although there are even more documents with a generic theme for which we cannot infer the targeted intention, the current information on MuddyWater’s malicious documents does not seem in accordance with ReaQta’s findings.\r\nCould it be possible that MuddyWater is targeting some groups among the Pakistani diaspora (Pakistanis are the second largest group in the UAE, while Pakistanis in Saudi Arabia and Pakistanis in the UAE are respectively the second and third largest communities outside Pakistan [10])? Or that MuddyWater is using a different, yet uncharacterized or unattributed, delivery tactic to target organizations in the UAE?\r\nThe discovery of malicious .jar files installing POWERSTATS posted in an English-speaking cybersecurity community in January 2018 [11] suggests that the latter possibility is quite plausible. However, what could be the underlying rationale for a group which seems to have consistently targeted specific organizations to switch to random infections? We believe there is still a lot to discover about MuddyWater, and we think it’s not time for early conclusions.\r\n………………..\r\n[1] FireEye uses the name “Temp.Zagros”. https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html\r\n[2] https://blog.malwarebytes.com/threat-analysis/2017/09/elaborate-scripting-fu-used-in-espionage-attack-against-saudi-arabia-government_entity/\r\n[3] or TROJ_VALYRIA.PS\r\n[4] see https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/\r\n[5] https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/\r\n[6] http://blog.morphisec.com/fileless-attack-framework-discovery\r\n[7] https://sec0wn.blogspot.fr/2018/03/a-quick-dip-into-muddywaters-recent.html\r\n[8] 97988dfdd7e49192186167e5bba901505b4b4a804f19b8747450964c8b84672c\r\n[9] http://veri-peri.com/contact-us/\r\n[10] https://en.wikipedia.org/wiki/Pakistanis_in_the_United_Arab_Emirates\r\n[11] https://sec0wn.blogspot.fr/2018/02/burping-on-muddywater.html\r\nSource: https://web.archive.org/web/20180807105755/https://www.sekoia.fr/blog/falling-on-muddywater/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://web.archive.org/web/20180807105755/https://www.sekoia.fr/blog/falling-on-muddywater/"
	],
	"report_names": [
		"falling-on-muddywater"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434421,
	"ts_updated_at": 1775826702,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e3ee9b5378471d6c5e41d7249f8d0dd5d00b16f5.pdf",
		"text": "https://archive.orkl.eu/e3ee9b5378471d6c5e41d7249f8d0dd5d00b16f5.txt",
		"img": "https://archive.orkl.eu/e3ee9b5378471d6c5e41d7249f8d0dd5d00b16f5.jpg"
	}
}