MuddyWater is an Iranian state-sponsored cyber espionage and intrusion actor widely associated with the Ministry of Intelligence and Security and tracked by multiple vendors under aliases including GreenGolf and Mango Sandstorm. The group has conducted long-running operations primarily across the Middle East and North Africa, while also targeting government, telecommunications, defense, energy, critical infrastructure, and other public- and private-sector organizations in additional regions. Its activity is typically aligned with Iranian strategic intelligence collection, regional influence, and disruptive objectives. MuddyWater is best known for spearphishing-led intrusions, credential theft, abuse of legitimate administrative tools, and deployment of custom backdoors and downloaders. The actor commonly relies on social engineering, staged lures, and living-off-the-land tradecraft to establish footholds, move laterally, maintain persistence, and exfiltrate data while blending into normal enterprise activity. Reporting has also linked the group to malware development and iterative tooling changes intended to support remote execution, file transfer, and covert access. In 2026, MuddyWater was attributed with Operation Olalampo, a campaign targeting entities in the MENA region through spearphishing and delivering several previously unreported malware families, including CHAR, GhostFetch, GhostBackDoor, and HTTP_VIP. Analysis of that activity indicated experimentation with AI-assisted development, consistent with broader reporting that Iranian threat actors were using generative AI and large language models to accelerate reconnaissance, social engineering, code generation, debugging, and malware development. These developments appear to have enhanced the speed and efficiency of established Iranian cyber tradecraft rather than fundamentally changing MuddyWater’s operational model. The group is part of the broader Iranian threat ecosystem that includes multiple clusters and overlapping designations used by different vendors. High-confidence reporting consistently places MuddyWater among Tehran’s most active cyber operators focused on espionage, access operations, and regionally relevant strategic targeting.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
4 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
4 malware families attributed to this actor across reporting.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Iranian threat actor behind Operation Olalampo, using spearphishing to deliver multiple malware families against MENA organizations and reportedly leveraging AI-generated code segments in malware development.
Iran-linked actor behind Operation Olalampo, delivering multiple novel malware families via spearphishing against MENA targets and reportedly experimenting with Gemini for file transfer and remote execution code.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.