Threat Actor Profile
Description
MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at least 2017, MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, defense, and oil and natural gas organizations, in the Middle East, Asia, Africa, Europe, and North America.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Talos MuddyWater Jan 2022)
Known Aliases
Earth Vetala, MERCURY, Static Kitten, Seedworm, TEMP.Zagros, Mango Sandstorm, TA450
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (58)
Indicators of Compromise
STIX Data
{
  "aliases": [
    "MuddyWater",
    "Earth Vetala",
    "MERCURY",
    "Static Kitten",
    "Seedworm",
    "TEMP.Zagros",
    "Mango Sandstorm",
    "TA450"
  ],
  "created": "2018-04-18T17:59:24.739Z",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at least 2017, [MuddyWater](https://attack.mitre.org/groups/G0069) has targeted a range of government and private organizations across sectors, including telecommunications, local government, defense, and oil and natural gas organizations, in the Middle East, Asia, Africa, Europe, and North America.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Talos MuddyWater Jan 2022)",
  "external_references": [
    {"external_id": "G0069", "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0069"},
    {"description": "(Citation: Anomali Static Kitten February 2021)", "source_name": "MERCURY"},
    {"description": "(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)", "source_name": "Static Kitten"},
    {"description": "(Citation: FireEye MuddyWater Mar 2018)(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)", "source_name": "TEMP.Zagros"},
    {"description": "(Citation: Microsoft Threat Actor Naming July 2023)", "source_name": "Mango Sandstorm"},
    {"description": "(Citation: Proofpoint TA450 Phishing March 2024)", "source_name": "TA450"},
    {"description": "(Citation: Symantec MuddyWater Dec 2018)(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)", "source_name": "Seedworm"},
    {"description": "(Citation: Trend Micro Muddy Water March 2021)", "source_name": "Earth Vetala"},
    {"description": "(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)", "source_name": "MuddyWater"},
    {"description": "ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.", "source_name": "ClearSky MuddyWater Nov 2018", "url": "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf"},
    {"description": "ClearSky. (2019, June). Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal. Retrieved May 14, 2020.", "source_name": "ClearSky MuddyWater June 2019", "url": "https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf"},
    {"description": "Cyber National Mission Force. (2022, January 12). Iranian intel cyber suite of malware uses open source tools. Retrieved September 30, 2022.", "source_name": "CYBERCOM Iranian Intel Cyber January 2022", "url": "https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/"},
    {"description": "FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.", "source_name": "DHS CISA AA22-055A MuddyWater February 2022", "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-055a"},
    {"description": "Lancaster, T. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.", "source_name": "Unit 42 MuddyWater Nov 2017", "url": "https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/"},
    {"description": "Malhotra, A. and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. Retrieved June 22, 2022.", "source_name": "Talos MuddyWater Jan 2022", "url": "https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html"},
    {"description": "Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.", "source_name": "Anomali Static Kitten February 2021", "url": "https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies"},
    {"description": "Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.", "source_name": "Microsoft Threat Actor Naming July 2023", "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"},
    {"description": "Miller, J. et al. (2024, March 21). Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign. Retrieved March 27, 2024.", "source_name": "Proofpoint TA450 Phishing March 2024", "url": "https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta450-uses-embedded-links-pdf-attachments-latest-campaign"},
    {"description": "Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.", "source_name": "Trend Micro Muddy Water March 2021", "url": "https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html"},
    {"description": "Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020.", "source_name": "Reaqta MuddyWater November 2017", "url": "https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/"},
    {"description": "Singh, S. et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.", "source_name": "FireEye MuddyWater Mar 2018", "url": "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html"},
    {"description": "Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.", "source_name": "Symantec MuddyWater Dec 2018", "url": "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group"}
  ],
  "id": "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2",
  "modified": "2025-10-22T19:08:44.552Z",
  "name": "MuddyWater",
  "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
  "revoked": false,
  "spec_version": "2.1",
  "type": "intrusion-set",
  "x_mitre_attack_spec_version": "3.3.0",
  "x_mitre_contributors": ["Ozer Sarilar, @ozersarilar, STM", "Daniyal Naeem, BT Security", "Marco Pedrinazzi, @pedrinazziM"],
  "x_mitre_deprecated": false,
  "x_mitre_domains": ["enterprise-attack", "mobile-attack"],
  "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "x_mitre_version": "6.0"
}
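The STIX record above is what a threat-intel platform actually ingests, and the things worth checking before trusting it are mechanical: that the object has the required STIX 2.1 shape, that the ATT&CK group ID can be pulled from the mitre-attack reference, which citation backs each alias, and whether every "(Citation: ...)" key in the free text resolves to a reference with a URL. The following is an added example written for this page, not code from MITRE ATT&CK or from the portal. STIX_OBJECT is a trimmed copy of the page's MuddyWater record (three of the aliases, a shortened description, and only the references needed here); the Proofpoint reference that backs the TA450 alias is deliberately left out so the unresolved-citation check has something to report.

```python
"""Sanity-check and index a STIX 2.1 intrusion-set record of the shape shown above.

Added example for this profile page; not code from MITRE ATT&CK or the portal.
STIX_OBJECT is a trimmed copy of the page's MuddyWater record. The Proofpoint
reference behind the TA450 alias is deliberately omitted (see the lead-in).
"""
import re

# STIX 2.1 identifiers are <object-type>--<UUID>.
STIX_ID_RE = re.compile(
    r"^[a-z][a-z0-9-]*--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)
# ATT&CK embeds its citations in free text as "(Citation: <key>)".
CITATION_RE = re.compile(r"\(Citation: ([^)]+)\)")

STIX_OBJECT = {  # trimmed copy of the record on this page
    "type": "intrusion-set",
    "spec_version": "2.1",
    "id": "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2",
    "created": "2018-04-18T17:59:24.739Z",
    "modified": "2025-10-22T19:08:44.552Z",
    "name": "MuddyWater",
    "aliases": ["MuddyWater", "Static Kitten", "TA450"],
    "description": (
        "[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group "
        "assessed to be a subordinate element within Iran's Ministry of Intelligence and "
        "Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at "
        "least 2017, MuddyWater has targeted government and private organizations."
        "(Citation: DHS CISA AA22-055A MuddyWater February 2022)"
    ),
    "external_references": [
        {"external_id": "G0069", "source_name": "mitre-attack",
         "url": "https://attack.mitre.org/groups/G0069"},
        {"description": "(Citation: Anomali Static Kitten February 2021)",
         "source_name": "Static Kitten"},
        {"description": "(Citation: Proofpoint TA450 Phishing March 2024)",
         "source_name": "TA450"},
        {"description": "Cyber National Mission Force. (2022, January 12).",
         "source_name": "CYBERCOM Iranian Intel Cyber January 2022",
         "url": "https://www.cybercom.mil/Media/News/Article/2897570/"
                "iranian-intel-cyber-suite-of-malware-uses-open-source-tools/"},
        {"description": "FBI, CISA, CNMF, NCSC-UK. (2022, February 24).",
         "source_name": "DHS CISA AA22-055A MuddyWater February 2022",
         "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-055a"},
        {"description": "Mele, G. et al. (2021, February 10).",
         "source_name": "Anomali Static Kitten February 2021",
         "url": "https://www.anomali.com/blog/probable-iranian-cyber-actors-static-"
                "kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-"
                "government-agencies"},
    ],
    "revoked": False,
}


def validate_sdo(obj):
    """Return the list of shape problems; an empty list means the record is usable."""
    problems = []
    for key in ("type", "spec_version", "id", "created", "modified"):
        if key not in obj:
            problems.append(f"missing required property {key}")
    sdo_id = obj.get("id", "")
    if not STIX_ID_RE.match(sdo_id):
        problems.append(f"id is not <type>--<uuid>: {sdo_id!r}")
    elif sdo_id.split("--", 1)[0] != obj.get("type"):
        problems.append("id prefix does not match type")
    if obj.get("spec_version") != "2.1":
        problems.append(f"unexpected spec_version {obj.get('spec_version')!r}")
    if obj.get("revoked"):
        problems.append("object is revoked; consumers should stop using it")
    return problems


def attack_id(obj):
    """ATT&CK group ID (e.g. G0069) from the mitre-attack reference, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def alias_sources(obj):
    """Map each alias to the citation keys that back it ([] if the record cites none)."""
    text_by_name = {r["source_name"]: r.get("description", "")
                    for r in obj.get("external_references", [])}
    return {a: CITATION_RE.findall(text_by_name.get(a, "")) for a in obj.get("aliases", [])}


def resolve_citations(obj):
    """Every citation key used in the record, mapped to its URL (None if nothing resolves it)."""
    urls = {r["source_name"]: r["url"] for r in obj.get("external_references", []) if "url" in r}
    keys = set(CITATION_RE.findall(obj.get("description", "")))
    for ref in obj.get("external_references", []):
        keys.update(CITATION_RE.findall(ref.get("description", "")))
    return {k: urls.get(k) for k in sorted(keys)}


def unresolved_citations(obj):
    """Citation keys that no external reference resolves; these need a source before use."""
    return sorted(k for k, url in resolve_citations(obj).items() if url is None)


if __name__ == "__main__":
    print("problems:", validate_sdo(STIX_OBJECT))
    print("ATT&CK ID:", attack_id(STIX_OBJECT), "aliases:", alias_sources(STIX_OBJECT))
    print("unresolved citations:", unresolved_citations(STIX_OBJECT))
```

Run against the full record on this page, validate_sdo returns no problems and unresolved_citations returns nothing, because every "(Citation: ...)" key in the description and alias entries has a matching external reference with a URL; the trimmed copy reports the TA450 citation as unresolved only because its reference was left out. The same checks apply to any ATT&CK intrusion-set, and a revoked or deprecated object (revoked: true, x_mitre_deprecated: true) is the usual reason a pipeline keeps serving a stale group name.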