Stagecomp
Stagecomp is a malware family, commonly described as a downloader, associated with the Iranian threat actor Seedworm, also known as MuddyWater. Multiple sources state that Stagecomp has been linked to Seedworm by Google, Microsoft, and Kaspersky. Its primary documented role is to deliver the Darkcomp backdoor. Samples of Stagecomp were signed with a code-signing certificate issued to the name "Donald Gay," and this certificate reuse is repeatedly cited as an attribution artifact connecting Stagecomp and related activity to MuddyWater/Seedworm. The malware is discussed in the context of Seedworm operations targeting organizations, including U.S. entities, in sectors such as government, defense, telecommunications, oil and gas, banking, aviation, and non-profits. In the reporting tracked here, Stagecomp itself was not observed on victim networks in the 2026 intrusions, but historical overlap in certificates and tooling was used to support attribution of newer MuddyWater malware families such as Dindoor and Fakeset. High-confidence indicators directly mentioned in that reporting include the malware name Stagecomp, its function as a downloader for Darkcomp, its association with the "Donald Gay" certificate, and its attribution to Seedworm/MuddyWater.
Groups observed using it
1 distinct threat actor attributed by public researchers.
According to Broadcom, the "Donald Gay" certificate was previously used to sign malware tentatively linked to Seedworm [the names Stagecomp/Darkcomp require verification against the original Broadcom source].
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Persistence (1 technique)
Privilege Escalation (1 technique)
IOCs tracked for this family
11 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
13 sources tracked across advisories, community write-ups, and news.
Named malware reportedly tied to Seedworm in public reporting, but the content explicitly notes the name requires verification from the original Broadcom source.
Stagecomp is a downloader previously used by MuddyWater and referenced here through shared code-signing certificate overlap with ms_upd.exe.
Malware attributed to MuddyWater and referenced as being signed with a code-signing certificate linked to the group.
A MuddyWater-linked tool referenced as part of attribution evidence through previously associated code-signing certificates.