MuddyWater

MuddyWater is an Iranian state-sponsored threat actor active since at least 2017 and publicly attributed to Iran’s Ministry of Intelligence and Security (MOIS). It is also tracked as Seedworm, Static Kitten, Mango Sandstorm, Earth Vetala, MERCURY, Temp Zagros, TA450, ITG17, G0069, ATK_51, Boggy Serpens, Cobalt Ulster, and Yellow Nix; some reporting also links the Black Shadow label to this cluster. Public reporting describes Seedworm as a sub-cluster of MuddyWater, and CISA has described Seedworm as a MOIS unit with a confirmed role as an initial access broker. The group is primarily associated with cyber espionage, though reporting in 2026 also linked infrastructure associated with MuddyWater to disruptive and destructive operations conducted under the “Ababil of Minab” front. Victimology in the provided content includes organizations in the Middle East, Israel, Lebanon, Oman, the United States, Portugal, Jordan, Egypt, the UAE, South Korea, and other regions. Reported targets include government, telecommunications, defense, oil and gas, financial services, transportation, aviation, manufacturing, electronics, education, NGOs, airports, and professional services. Across the cited reporting, MuddyWater has used spearphishing and adversary-in-the-mailbox activity, exploitation of internet-facing applications, password spraying against OWA and SMTP, abuse of remote monitoring and management tools, and web-shell deployment for initial access and persistence. Microsoft reported exploitation of Apache Log4j 2 vulnerabilities in SysAid Server instances targeting Israeli organizations. Other reporting described attempted exploitation of Microsoft Exchange via CVE-2020-0688 and use of Ruler, as well as targeting of Fortinet, Ivanti, BeyondTrust, SolarWinds N-central, and Citrix NetScaler technologies. MuddyWater tradecraft in the content includes extensive use of PowerShell, JavaScript, Node.js, DLL sideloading, registry-based persistence, tunneling, proxying, and cloud services. Reported persistence mechanisms include the Registry Run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemTextEncoding, startup-folder and ASEP modifications, scheduled tasks, local administrator account creation, and web shells. The group has used Base64-encoded C2 communications, proxy networks and compromised websites to relay traffic, and tools such as POWERSTATS, PowGoop, Backdoor.Mori, ChromElevator, Dindoor, Fakeset, RustyWater, KeyC2, PersianC2, ArenaC2, and custom reverse-shell tooling. Reporting also describes use of Chisel, SSF, Ligolo, Neo-reGeorg, resocks, revsocks, go-socks5 variants, Rclone, Mimikatz, LaZagne, Browser64, Quarks PwDump, RemCom, eHorus, ScreenConnect, Syncro, and PDQ Connect. Observed post-compromise behavior includes reconnaissance; process listing; credential dumping from registry hives, email, browsers, and Outlook-related sources; browser cookie and payment-data theft; screenshot capture; Kerberos ticket extraction; lateral movement via WMI, RDP, remote services, and tunneling; and exfiltration to Wasabi, Backblaze, OneHub, sendit[.]sh, put.io, Amazon EC2-hosted infrastructure, and attacker-controlled upload servers. One report described use of legitimate cloud storage for payload delivery and Rclone for exfiltration. Another described use of compromised domains, including one owned by an Israeli web developer. The content also notes overlap between MuddyWater and other Iranian activity clusters. Nimbus Manticore is described as an IRGC-affiliated actor that shows some overlap with MuddyWater, but the provided content does not state they are the same group.