Nation-State Actor
Mango Sandstorm
Iran • Active since 2017
Mango Sandstorm is Microsoft's name for MuddyWater, an Iranian government-linked group that spies on Middle Eastern governments and telecommunications companies, relying on legitimate administration tools to avoid detection.
Overview
Mango Sandstorm is an Iranian threat actor linked to Iran's Ministry of Intelligence that conducts espionage operations. It targets the government and telecommunications sectors using living-off-the-land techniques.
Also Known As
MERCURY, MuddyWater, Static Kitten, TEMP.Zagros
Target Industries
Government, Telecommunications, Defense, Oil and Gas
Target Regions
Middle East, Asia, Africa, Europe
Tactics, Techniques & Procedures
- PowerShell-based malware
- Living-off-the-land techniques
- Spear-phishing with malicious documents
- Abuse of cloud services for command and control (C2)
Known Tools & Malware
POWERSTATS, Mori, Aclip, SimpleDownloader, SHARPSTATS
Notable Campaigns
Telecommunications Targeting (2023)
Targeted Middle Eastern telecommunications providers for intelligence access.
Government Entity Compromise (2022)
Compromised government entities across the Middle East and North Africa.
MITRE ATT&CK Techniques
T1059.001, T1071.001, T1566.001, T1218.011
Defense Recommendations
1. Monitor PowerShell activity
2. Implement PowerShell Constrained Language Mode
3. Block known C2 cloud infrastructure
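The following script is an added example for recommendations 1 and 2; it is not part of this profile and not the vendor's code. It assumes an elevated Windows PowerShell 5.1 or later session on Windows 10 / Server 2016 or later, where the registry paths below are the standard Group Policy locations the PowerShell engine honours for logging; the transcript directory, UNC share and indicator list are constructed placeholders to be adjusted per environment.

```powershell
# Added defender-side example (not from the profile above). Assumes an elevated
# Windows PowerShell 5.1+ session; the policy registry paths are the standard
# Group Policy locations for PowerShell logging.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$PsOpLog    = 'Microsoft-Windows-PowerShell/Operational'

function Get-PowerShellLanguageMode {
    # Reports the language mode of the current session ('FullLanguage' or
    # 'ConstrainedLanguage'). Constrained Language Mode is enforced machine-wide
    # by an application control policy (AppLocker or WDAC); this only observes it.
    [string]$ExecutionContext.SessionState.LanguageMode
}

function Enable-PowerShellAuditLogging {
    param([string]$TranscriptDir = 'C:\PSTranscripts')   # constructed path

    # Script block logging: every script block is written to event ID 4104 after
    # the engine has de-obfuscated it, so encoded or string-built payloads are visible.
    $sbl = Join-Path $PolicyRoot 'ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

    # Module logging: pipeline execution details (event ID 4103) for all modules.
    $ml = Join-Path $PolicyRoot 'ModuleLogging'
    $mn = Join-Path $ml 'ModuleNames'
    New-Item -Path $mn -Force | Out-Null
    Set-ItemProperty -Path $ml -Name 'EnableModuleLogging' -Value 1 -Type DWord
    Set-ItemProperty -Path $mn -Name '*' -Value '*' -Type String

    # Transcription: full session transcripts for reconstructing interactive activity.
    $tr = Join-Path $PolicyRoot 'Transcription'
    New-Item -Path $tr -Force | Out-Null
    Set-ItemProperty -Path $tr -Name 'EnableTranscripting' -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name 'EnableInvocationHeader' -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name 'OutputDirectory' -Value $TranscriptDir -Type String
}

function Find-SuspiciousScriptBlocks {
    param([int]$MaxEvents = 1000)

    # Generic indicators of living-off-the-land PowerShell abuse (constructed list;
    # tune to the environment and expect benign admin hits).
    $indicators = @(
        'FromBase64String', '-EncodedCommand', 'Invoke-Expression', 'IEX',
        'DownloadString', 'DownloadFile', 'Net.WebClient', 'Invoke-WebRequest',
        '-WindowStyle Hidden', 'ExecutionPolicy Bypass', 'Add-MpPreference', 'rundll32'
    )
    $pattern = ($indicators | ForEach-Object { [regex]::Escape($_) }) -join '|'

    Get-WinEvent -FilterHashtable @{ LogName = $PsOpLog; Id = 4104 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # For event 4104, Properties[2] is the script block text and
            # Properties[4] the source path (empty for in-memory script blocks).
            $text = [string]$_.Properties[2].Value
            if ($text -match $pattern) {
                $flat = $text -replace '\s+', ' '
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Matched = ([regex]::Matches($text, $pattern) |
                               ForEach-Object Value | Select-Object -Unique) -join ','
                    Path    = $_.Properties[4].Value
                    Snippet = $flat.Substring(0, [Math]::Min(120, $flat.Length))
                }
            }
        }
}

# Usage (elevated):
#   Get-PowerShellLanguageMode
#   Enable-PowerShellAuditLogging -TranscriptDir '\\logserver\transcripts$'  # constructed share
#   Find-SuspiciousScriptBlocks | Format-Table -AutoSize
```

Script block logging is the detection control that matters most here: a PowerShell-based implant that arrives encoded or builds its command line at runtime is logged in its decoded form in event 4104, which plain command-line auditing misses. The indicator list is only a starting point and will also match legitimate administration, so triage by source path, user and host before acting. Note that Constrained Language Mode becomes effective only when an application control policy enforces it system-wide; reporting the mode, as the first function does, confirms whether that policy has actually applied.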