PowGoop
PowGoop is a loader/downloader malware family used by the Iranian state-linked threat actor MuddyWater (also tracked as SeedWorm, Static Kitten, MERCURY, Earth Vetala and TEMP.Zagros), which US government reporting attributes to Iran's Ministry of Intelligence and Security (MOIS). It was first publicly reported in July 2020 and has been described as MuddyWater's primary loader and main initial-access loader since at least that year. PowGoop relies on DLL search order hijacking, that is DLL side-loading: a GoogleUpdate.exe, either a genuine signed copy or a look-alike, is dropped next to a malicious Goopdate.dll that impersonates the legitimate Google Update component and is loaded in its place. Reported PowGoop packages contain GoogleUpdate.exe, Goopdate.dll, goopdate.dat or config.dat, and config.txt; delivery has been observed via ZIP archives such as google.zip and via the remote execution tool Remadmin. Newer variants abuse additional legitimate executables (Git.exe, FileSyncConfig.exe and Inno_Updater.exe) and hijack the DLLs those programs load (goopdate.dll, vcruntime140.dll and libpcre2-8-0.dll).
PowGoop consists of a DLL loader and a PowerShell-based downloader/backdoor. The malicious DLL reads PowerShell from an external file such as config.txt or config.dat, decodes it and executes it; the DLL has also been launched directly with rundll32.exe through exported functions such as DllRegisterServer. Newer variants reflectively load two further files, Core.dat and Dore.dat, execute them from memory as shellcode, and then locate config.txt and run its contents with PowerShell. The PowerShell payload is an obfuscated, multi-stage decoding chain that unwraps a fully functional PowerShell backdoor stored under a benign file extension. That backdoor runs commands, downloads and executes additional PowerShell code, and receives encrypted tasking from command-and-control (C2). config.txt carries a hardcoded C2 address and a per-victim GUID; the backdoor beacons over HTTP with its payloads in a modified Base64 encoding, and because the chain starts inside GoogleUpdate.exe the C2 traffic appears to originate from a Google Update process. In one analysed sample, Goopdate.dll / goopdate86.dll side-loaded by GoogleUpdate.exe decoded and decompressed tasking, executed each task with PowerShell, and returned the results in the Cookie field of an HTTP GET request; another report cited C2 communication with 107.174.241[.]175:80/index.php.
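The chain described above (abused host EXE, side-loaded DLL, rundll32 or PowerShell, config.txt on disk) leaves a compact host-side footprint. The following Python is an added hunting example, not code from any PowGoop report: it runs over constructed Sysmon-style events (EventId 1 process create, 7 image load, 11 file create) and flags each link of the chain, then ties payload files to a directory already implicated by a side-load. The EXE, DLL and payload file names are the ones named in reporting; the staging paths, hostnames, version directory and the baseline of where each abused EXE legitimately resolves its DLLs are assumptions to tune for your own fleet.

```python
"""Host-side hunt for the PowGoop side-loading chain.

Added example, not code from any PowGoop report. Event shapes mimic Sysmon
(EventId 1 = ProcessCreate, 7 = ImageLoad, 11 = FileCreate). All sample
events, paths and hostnames below are constructed for illustration.
"""
import ntpath  # Windows path handling; available on every platform
import re

# File names taken from public PowGoop reporting.
HOST_EXES = {"googleupdate.exe", "git.exe", "filesyncconfig.exe", "inno_updater.exe"}
HIJACKED_DLLS = {"goopdate.dll", "goopdate86.dll", "vcruntime140.dll", "libpcre2-8-0.dll"}
PAYLOAD_FILES = {"config.txt", "config.dat", "goopdate.dat", "core.dat", "dore.dat"}
CHILD_INTERPRETERS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Assumption: where each abused EXE legitimately loads its DLLs from on a managed
# fleet. EXEs without a baseline fall back to the Authenticode signature flag.
TRUSTED_DLL_DIRS = {
    "googleupdate.exe": (r"c:\program files (x86)\google\update",
                         r"c:\program files\google\update"),
    "git.exe": (r"c:\program files\git",),
}
DLL_PATH_RE = re.compile(r'[a-z]:\\[^,"]+\.dll')  # first DLL path in a rundll32 command line


def _name(path):
    return ntpath.basename(path).lower()


def _dir(path):
    return ntpath.dirname(path).lower()


def _trusted_load(host_exe, dll_path, signed):
    """Is this DLL being resolved from where the host EXE normally finds it?"""
    prefixes = TRUSTED_DLL_DIRS.get(host_exe)
    if prefixes is None:
        return signed
    return _dir(dll_path).startswith(prefixes)


def hunt_powgoop(events):
    """Return (rule, subject, detail) tuples, one per suspicious link in the chain."""
    findings, staging_dirs = [], set()
    for e in events:
        image = _name(e.get("Image", ""))
        if e.get("EventId") == 7 and image in HOST_EXES:
            dll = e.get("ImageLoaded", "")
            if _name(dll) in HIJACKED_DLLS and not _trusted_load(image, dll, e.get("Signed") == "true"):
                staging_dirs.add(_dir(dll))
                findings.append(("sideload_from_untrusted_dir", image, dll))
        elif e.get("EventId") == 1:
            cmd = e.get("CommandLine", "")
            parent = _name(e.get("ParentImage", ""))
            if image == "rundll32.exe" and any(d in cmd.lower() for d in HIJACKED_DLLS):
                m = DLL_PATH_RE.search(cmd.lower())
                if m:
                    staging_dirs.add(_dir(m.group(0)))
                findings.append(("rundll32_runs_hijacked_dll", image, cmd))
            if image in CHILD_INTERPRETERS and parent in HOST_EXES | {"rundll32.exe"}:
                findings.append(("interpreter_spawned_by_loader", parent, cmd))
    # Second pass: payload files written into a directory already tied to a side-load.
    for e in events:
        if e.get("EventId") == 11:
            target = e.get("TargetFilename", "")
            if _name(target) in PAYLOAD_FILES and _dir(target) in staging_dirs:
                findings.append(("payload_staged_beside_loader", _name(e.get("Image", "")), target))
    return findings


SAMPLE_EVENTS = [  # constructed; the first five follow the chain, the rest are benign baseline
    {"EventId": 7, "Image": r"C:\Users\Public\google\GoogleUpdate.exe",
     "ImageLoaded": r"C:\Users\Public\google\goopdate.dll", "Signed": "false"},
    {"EventId": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\google\goopdate.dll,DllRegisterServer"},
    {"EventId": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "powershell.exe -nop -w hidden -ep bypass -c <constructed>"},
    {"EventId": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"wscript.exe //E:vbscript C:\Users\Public\google\v.txt"},
    {"EventId": 11, "Image": r"C:\Users\Public\google\GoogleUpdate.exe",
     "TargetFilename": r"C:\Users\Public\google\config.txt"},
    {"EventId": 7, "Image": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Google\Update\1.3.36.112\goopdate.dll", "Signed": "true"},
    {"EventId": 7, "Image": r"C:\Program Files\Git\cmd\git.exe",
     "ImageLoaded": r"C:\Program Files\Git\mingw64\bin\libpcre2-8-0.dll", "Signed": "false"},
    {"EventId": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe"},
]

if __name__ == "__main__":
    for rule, subject, detail in hunt_powgoop(SAMPLE_EVENTS):
        print(f"{rule:32} {subject:18} {detail}")
```

The directory baseline is what keeps the Git for Windows load of libpcre2-8-0.dll quiet even though that DLL is not Authenticode-signed; without it, the rule would fire on every developer workstation. Feed the same function your real Sysmon or EDR export once the field names are mapped.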
PowGoop has been observed alongside other MuddyWater tooling, including the Mori and Small Sieve backdoors, Canopy/Starwhale, POWERSTATS, tunnelling tools such as Chisel, Secure Socket Funneling (SSF) and Ligolo, and JavaScript artifacts deployed by PowGoop itself. Public reporting links PowGoop-related activity to campaigns against government and private-sector organizations across the Middle East and beyond, spanning telecommunications, oil and gas, defense, local government, technology, education, real estate and computer services. Countries named in reporting include Iraq, Turkey, Kuwait, the UAE, Georgia, Afghanistan, Israel, Azerbaijan, Cambodia and Vietnam. PowGoop also features in reporting on Operation Quicksand, in which MuddyWater delivered a Thanos ransomware variant via PowGoop in destructive attacks on Israeli organizations, although other reporting observed no ransomware or wiper behavior on some PowGoop-infected systems. File and artifact names stated directly in reporting, and therefore high-confidence hunting terms, are GoogleUpdate.exe, Goopdate.dll, goopdate86.dll, config.txt, config.dat, goopdate.dat, Core.dat, Dore.dat and google.zip.
Groups observed using it
One distinct threat actor, MuddyWater, is attributed by public researchers.
The samples include multiple variants of the PowGoop loader, JavaScript files deployed using PowGoop, and a Mori backdoor sample.
Techniques & procedures
19 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution (3 techniques)
In some cases, PowGoop is used to launch ‘Wscript.exe’ to execute an unknown VBS file called ‘v.txt’.
PowGoop is a malware family first described by Palo Alto which utilizes DLL search order hijacking (T1574.001). The name derives from the usage ‘GoogleUpdate.exe’ to load a malicious modified version of ‘goopdate.dll’... Aside from ‘GoogleUpdate.exe’, three additional benign pieces of software are abused in order to sideload malicious DLLs: ‘Git.exe’, ‘FileSyncConfig.exe’ and ‘Inno_Updater.exe’.
Stealth (6 techniques)
MuddyWater actors also use techniques such as ... obfuscating PowerShell scripts [T1059.001] to hide C2 functions [T1027]...
It appears this code is used to load PowGoop’s main DLL (goopdate.dll) via rundll32.exe.
Command and Control (10 techniques)
The config.txt contains a hardcoded C2 address and victim GUID, beacons via modified base64-encoded HTTP, and runs C2 traffic under the legitimate Google Update process to evade network detection.
Use of hard-coded GUID tokens and proxy URLs for command and control (C&C) communications
Seedworm was also observed setting up tunnels to its own infrastructure using Secure Sockets Funneling and Chisel. These tools allow the attackers to configure local and remote port forwarding.
During PowGoop activity, we also observed the attackers downloading tools and some unknown content from GitHub repos.
Similarly, Symantec also observed legitimate tools (openssl.exe) and a downloader tool (ssleay32.dll) present in the same directories used to download additional tools
In the majority of recent infections, PowGoop appears to have been deployed via a remote execution tool known as Remadmin.
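The C2 excerpts above describe the beacon as HTTP GET requests to a hardcoded address, with tasking results carried in the Cookie field and the traffic appearing to come from a Google Update process. The following Python is an added hunting example, not code from any PowGoop report and not based on analysis of the real modified encoding: it scores constructed proxy-log records joined with process context on the weak signals reporting supports (cleartext HTTP to a raw IP, a Cookie header that is one encoded blob rather than name=value pairs, an updater process contacting something other than its expected update hosts, a generic index.php endpoint) and flags requests that stack several of them. The 203.0.113.10 address, the expected-host baseline and the process names are assumptions; the blob is plain Base64 of constructed text.

```python
"""Network-side hunt for PowGoop-style HTTP beacons.

Added example, not code from any PowGoop report. Records mimic a proxy log
joined with EDR process context; every value is constructed. 203.0.113.10 is
a documentation address standing in for a C2 (the IOC in reporting differs).
"""
import base64
import re
import string
from urllib.parse import urlsplit

B64_CHARS = set(string.ascii_letters + string.digits + "+/-_")  # standard and URL-safe alphabets
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
LOADER_PROCS = {"googleupdate.exe", "git.exe", "filesyncconfig.exe", "inno_updater.exe"}
# Assumption: hosts a genuine Google Update client contacts on this fleet; baseline from your own traffic.
EXPECTED_UPDATE_HOSTS = {"update.googleapis.com", "tools.google.com", "dl.google.com", "clients2.google.com"}


def cookie_is_blob(cookie, min_len=24):
    """True when a cookie 'name' is a long run of Base64-alphabet characters.

    Legitimate cookies are short name=value pairs. A beacon that stuffs encoded
    task output into the header yields one long token; any '=' padding sits at
    the end, so partition() leaves the whole payload in the name position.
    """
    for part in cookie.split(";"):
        name = part.strip().partition("=")[0]
        if len(name) >= min_len and all(c in B64_CHARS for c in name):
            return True
    return False


def score_request(req):
    """Return the list of weak signals a single request record triggers."""
    u = urlsplit(req["url"])
    host = (u.hostname or "").lower()
    proc = req.get("process", "").lower()
    reasons = []
    if IPV4_RE.match(host):
        reasons.append("raw IPv4 host")
    if u.scheme == "http":
        reasons.append("cleartext HTTP")
    if proc in LOADER_PROCS and host not in EXPECTED_UPDATE_HOSTS:
        reasons.append(f"{proc} contacting a non-update host")
    if req.get("method") == "GET" and cookie_is_blob(req.get("cookie", "")):
        reasons.append("encoded blob in Cookie on a GET")
    if u.path.lower().endswith("index.php"):
        reasons.append("generic index.php endpoint")
    return reasons


def hunt_beacons(requests, min_signals=4):
    """Flag records stacking at least min_signals weak signals; each alone is noisy."""
    flagged = []
    for req in requests:
        reasons = score_request(req)
        if len(reasons) >= min_signals:
            flagged.append((req.get("process"), req["url"], reasons))
    return flagged


# Constructed task output as a beacon might carry it: plain Base64 of text,
# standing in for the modified alphabet described in reporting.
TASK_OUTPUT = base64.b64encode(b"DESKTOP-7Q2\\jdoe\r\nWindows 10 Pro\r\n").decode()

SAMPLE_REQUESTS = [  # constructed
    {"process": "GoogleUpdate.exe", "method": "GET",
     "url": "http://203.0.113.10/index.php", "cookie": TASK_OUTPUT},
    {"process": "powershell.exe", "method": "GET",
     "url": "http://203.0.113.10/index.php", "cookie": TASK_OUTPUT},
    {"process": "GoogleUpdate.exe", "method": "GET",
     "url": "https://update.googleapis.com/service/update2", "cookie": ""},
    {"process": "chrome.exe", "method": "GET",
     "url": "https://shop.example.com/index.php", "cookie": "sid=abc123; theme=dark"},
    {"process": "msedge.exe", "method": "GET",
     "url": "http://203.0.113.10/index.php", "cookie": ""},  # near miss: no Cookie blob
]

if __name__ == "__main__":
    for proc, url, reasons in hunt_beacons(SAMPLE_REQUESTS):
        print(f"{proc} -> {url}: {', '.join(reasons)}")
```

The threshold matters: the msedge.exe record trips three signals (raw IP, cleartext, index.php) and is deliberately left below the bar, because cleartext GETs to bare IPs are common enough that only the Cookie-blob or updater-process signal should tip a record into review. Swap the constructed list for your proxy export joined to process telemetry and tune EXPECTED_UPDATE_HOSTS from a week of known-good GoogleUpdate.exe traffic.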
IOCs tracked for this family
36 indicators attributed across vendor reports, sandbox runs, and researcher write-ups: IPs, domains and DNS infrastructure linked to this family, plus file hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
26 sources tracked across advisories, community write-ups, and news.
Primary loader used by MuddyWater that abuses DLL side-loading via a fake GoogleUpdate.exe to decode and execute a config.txt payload, unwrap an obfuscated PowerShell beacon, and begin live C2 communications. The payload contains a hardcoded C2 address and victim GUID and communicates over modified base64-encoded HTTP while masquerading under the legitimate Google Update process.
A MuddyWater-associated malware/tool used in documented operations and specifically used to deliver a Thanos ransomware variant in destructive attacks.
A ransomware variant used by MuddyWater for destructive attacks, based on Thanos ransomware.
A MuddyWater-linked malware family that uses DLL search order hijacking and DLL sideloading via legitimate executables to load malicious components and execute PowerShell payloads from external files such as config.txt. Newer variants use additional components like Core.dat and Dore.dat loaded reflectively as shellcode to reduce static detection.