
MuddyWater

muddywater · primary source: MITRE · first observed 2016
IR · Iran · State-sponsored · High confidence · last cited Feb 23, 2022

Iranian state-sponsored actor publicly attributed in 2022 by U.S. Cyber Command to subordinates of the Ministry of Intelligence and Security (MOIS). Conducts espionage and access operations against telecommunications, government, defense, and oil-and-gas targets, primarily across the Middle East but with operations reported in North America, Europe, and Asia.

Aliases

  • MERCURY (Microsoft)
  • Mango Sandstorm (Microsoft)
  • Static Kitten (CrowdStrike)
  • TEMP.Zagros (Mandiant)
  • Earth Vetala (Trend Micro)
  • Seedworm (Symantec)

Motivations

espionage

Target sectors

  • telecommunications
  • government
  • defense
  • energy (oil and gas)

Target countries

  • SA (Saudi Arabia)
  • AE (United Arab Emirates)
  • IL (Israel)
  • TR (Türkiye)
  • JO (Jordan)
  • US (United States)
  • GB (United Kingdom)

Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary
  • MuddyWater
  • Iran
  • espionage
Infrastructure
  • 95[.]181[.]161[.]49
Victim
  • telecommunications
  • government
  • defense
  • SA
  • AE
  • +1 more


Indicators of compromise

4 indicators · all first seen Feb 23, 2022 · source: CISA (joint advisory AA22-055A)

SHA-256  bf090cf7078414c9e157da7002ca727f06053b39fa4e377f9a0050f2af37d3a2
  family: Small Sieve
  Small Sieve Python backdoor payload 'index.exe' (PyInstaller-bundled Python 3.9); hash published in Appendix B, Table 3 of CISA AA22-055A. Beacons via the Telegram Bot API and obfuscates its traffic by shuffling hex bytes.

SHA-256  b75208393fa17c0bcbc1a07857686b8c0d7e0471d00a167a07fd0d52e1fc9054
  family: Small Sieve
  Small Sieve NSIS installer 'gram_app.exe', analyzed by NCSC-UK and published in Appendix B of CISA AA22-055A. Drops the Python Telegram-Bot-API backdoor index.exe and persists through a registry Run key value named OutlookMicrosift.

Name  POWERSTATS
  family: POWERSTATS
  PowerShell backdoor family attributed to MuddyWater in the joint CISA/FBI/CNMF/NCSC-UK advisory AA22-055A, which catalogues the POWERSTATS, Small Sieve, Mori, Canopy/Starwhale and PowGoop tooling this MOIS-subordinate group has used since approximately 2018 (the group is also tracked as Static Kitten, Mango Sandstorm, MERCURY, Seedworm and TEMP.Zagros).

IPv4  95[.]181[.]161[.]49
  family: POWERSTATS
  Adversary-controlled C2 address hard-coded in the newly identified MuddyWater PowerShell backdoor sample published in CISA AA22-055A. The script XOR-encrypts its traffic with the single-byte key 0x02 and beacons over HTTP to /index.php with a victim identifier. The address is the actionable part of this indicator: /index.php alone is too common to alert on, and a single-byte XOR is trivially reversible, so captured beacon bodies can be decoded for triage.
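The following is an added example of how a detection engineer would consume the four indicators above; it is not tooling from this tracker, from MITRE or from CISA AA22-055A. The indicator values are the ones catalogued on this page. The event schema, the five telemetry records and the XOR-encoded beacon body (including the "id=..." victim-identifier format) are constructed for the demo and are assumptions, not captured MuddyWater traffic. It refangs the defanged C2 address, matches hashes, the Run key value name and the C2 address, and decodes a beacon body under the single-byte key 0x02 only after the destination address has matched, so that /index.php never fires on its own.

```python
"""Match the indicators catalogued above against sample telemetry.

Added example for this profile; it is not tooling from the tracker, from
MITRE or from CISA AA22-055A. The indicator values are the ones in the
table above. The event schema, the log entries and the XOR-encoded beacon
body are constructed for the demo (assumptions), not captured traffic.
"""

# Indicator values as catalogued on this page, defanged where the page defangs.
INDICATORS = {
    "sha256": {
        "bf090cf7078414c9e157da7002ca727f06053b39fa4e377f9a0050f2af37d3a2":
            "Small Sieve index.exe",
        "b75208393fa17c0bcbc1a07857686b8c0d7e0471d00a167a07fd0d52e1fc9054":
            "Small Sieve gram_app.exe",
    },
    "ipv4": {"95[.]181[.]161[.]49": "POWERSTATS C2"},
    "run_value": {"OutlookMicrosift": "Small Sieve persistence"},
    "uri_path": {"/index.php": "POWERSTATS beacon path"},
}

XOR_KEY = 0x02  # single-byte key named in the POWERSTATS indicator note


def refang(ioc: str) -> str:
    """Turn a defanged value ('95[.]181[.]161[.]49', 'hxxp://') back into a matchable one."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def xor_single_byte(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR is its own inverse, so one function both encodes and decodes."""
    return bytes(b ^ key for b in data)


def looks_like_text(data: bytes) -> bool:
    """True when every byte is printable ASCII: the sign that a single-byte XOR guess was right."""
    return len(data) > 0 and all(0x20 <= b < 0x7F for b in data)


# Constructed beacon body (assumption about the victim-identifier format): the
# page only says the backdoor sends a victim identifier under XOR key 0x02.
BEACON_BODY_HEX = xor_single_byte(b"id=WIN-VICTIM-01").hex()

# Constructed telemetry, not real logs: two proxy records, two process-start
# records with file hashes, and one registry autorun write.
SAMPLE_EVENTS = [
    {"type": "proxy", "dst_ip": "95.181.161.49", "method": "POST",
     "uri": "/index.php", "body_hex": BEACON_BODY_HEX},
    {"type": "proxy", "dst_ip": "203.0.113.7", "method": "GET",
     "uri": "/index.php", "body_hex": ""},
    {"type": "process", "image": r"C:\Users\u\AppData\Local\Temp\gram_app.exe",
     "sha256": "B75208393FA17C0BCBC1A07857686B8C0D7E0471D00A167A07FD0D52E1FC9054"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "sha256": "0" * 64},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "OutlookMicrosift",
     "data": r"C:\Users\u\AppData\Roaming\index.exe"},
]


def scan(events):
    """Return one (label, event index, detail) tuple per event that matches an indicator."""
    hits = []
    c2_ips = {refang(ip): label for ip, label in INDICATORS["ipv4"].items()}
    for i, ev in enumerate(events):
        if ev["type"] == "proxy" and ev["dst_ip"] in c2_ips:
            detail = f"{ev['method']} {ev['uri']}"
            # /index.php on its own is far too common to alert on; it only
            # corroborates the address match and tells us to try the XOR key.
            if ev["uri"] in INDICATORS["uri_path"] and ev["body_hex"]:
                decoded = xor_single_byte(bytes.fromhex(ev["body_hex"]))
                if looks_like_text(decoded):
                    detail += f"; body under XOR 0x{XOR_KEY:02x}: {decoded.decode('ascii')!r}"
            hits.append((c2_ips[ev["dst_ip"]], i, detail))
        elif ev["type"] == "process":
            # Hashes are compared case-insensitively; EDR products differ in casing.
            label = INDICATORS["sha256"].get(ev["sha256"].lower())
            if label:
                hits.append((label, i, ev["image"]))
        elif ev["type"] == "registry":
            label = INDICATORS["run_value"].get(ev["value_name"])
            if label and ev["key"].lower().endswith(r"\currentversion\run"):
                hits.append((label, i, f"{ev['value_name']} -> {ev['data']}"))
    return hits


if __name__ == "__main__":
    for label, idx, detail in scan(SAMPLE_EVENTS):
        print(f"[{label}] event {idx}: {detail}")
```

Run as a script it reports three hits: the beacon to the catalogued C2 address with its decoded body, the gram_app.exe process start by hash, and the OutlookMicrosift Run key value; the GET /index.php to an unrelated address produces nothing. In production the SAMPLE_EVENTS list would be replaced by a proxy, EDR and registry telemetry feed with the same fields.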


References

CISA, FBI, CNMF, NCSC-UK. (2022-02-24). Alert AA22-055A: Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks.

Threat Intel Tracker. (2026-05-19). MuddyWater — actor profile. Retrieved from https://threatintel.local/actors/muddywater

latest cited activity · 2022-02-24 · 4 cataloged indicators