MuddyWater (G0069) - Iran's Persistent Cyber Espionage Group
- Suspected Origin
- Iran
- Motivation
- Cyber Espionage, Intelligence Gathering, Geopolitical Influence
- Aliases
- Earth Vetala, MERCURY, Static Kitten, Seedworm, TEMP.Zagros, Mango Sandstorm, TA450, MuddyKrill
- Target Sectors
- Government, Telecommunications, Defense, Oil & Gas, Finance, Critical Infrastructure, Technology, Healthcare, Education, Aviation
- Associated Malware
- POWERSTATS, MuddyViper, Phoenix, BugSleep, CHAR, RustyWater, Dindoor, Fakeset, Small Sieve, PowGoop, Mori, Blackwater, FileFiend
Overview
MuddyWater, also tracked under aliases such as Earth Vetala, MERCURY, Static Kitten, Seedworm, TEMP.Zagros, Mango Sandstorm, TA450, and MuddyKrill, is a highly active and persistent cyber espionage group. It is assessed to be a subordinate element within Iran’s Ministry of Intelligence and Security (MOIS), operating in support of Iranian state interests and geopolitical objectives. First observed in 2017, the group has consistently engaged in intelligence gathering operations, primarily focusing on covert data exfiltration rather than disruptive attacks or financial gain. While their primary motivation remains intelligence collection, MuddyWater has, on occasion, deployed ransomware or masqueraded as ransomware groups to mask their true espionage intentions, complicating attribution and defensive efforts.
The group’s targeting is remarkably broad, spanning government agencies, telecommunications providers, local governments, financial institutions, defense organizations, oil and natural gas companies, technology firms, engineering, manufacturing, education, healthcare, aviation, and non-governmental organizations. They also show a specific interest in entities related to immigration, intelligence, and identity systems. Geographically, MuddyWater’s operations are extensive, encompassing the Middle East (including UAE, Saudi Arabia, Israel, Jordan, Egypt), Asia (such as South Korea, Southeast Asia, Pakistan, India, Laos, Thailand, Afghanistan), Africa, Europe (Portugal, Germany, Türkiye), and North America (USA, Canada). Notably, since early 2025, the group has significantly expanded its activities into Europe, marking a notable shift in its operational focus. With confirmed activity across 113 countries, MuddyWater demonstrates a truly global reach in its intelligence collection mandate.
Tactics & Techniques
MuddyWater’s operational methodology blends custom malware with off-the-shelf tools, open-source frameworks, and legitimate administrative utilities, often referred to as “living off the land” techniques. This hybrid approach helps them blend into normal network activity and complicates detection.
Initial access is frequently achieved through sophisticated spear-phishing campaigns. These emails often contain malicious attachments, such as ZIP files, Excel documents with macros, PDFs that drop payloads, or Word documents leveraging macros to initiate infection chains. They are known to use compromised mailboxes to send further phishing emails, exploiting existing trust relationships to reach target organizations. Beyond phishing, MuddyWater actively exploits publicly known vulnerabilities in internet-facing applications and network devices, including Fortinet, Ivanti, Citrix, BeyondTrust, and SolarWinds N-Central. They have also exploited vulnerabilities like CVE-2017-0199 (Microsoft Office), CVE-2020-1472 (Microsoft Netlogon), and CVE-2020-0688 (Microsoft Exchange). Password spraying is another method observed for initial compromise.
Once inside, MuddyWater employs various execution methods. They heavily rely on PowerShell scripts and commands, often obfuscated using frameworks like Invoke-Obfuscation or Base64 encoding to evade detection. DLL side-loading is a favored persistence and execution technique, where malicious DLLs are paired with legitimate programs to trick them into loading and executing malware. Other execution methods include leveraging COM, DCOM, Outlook, Dynamic Data Exchange (DDE), mshta.exe, rundll32.exe, and CMSTP.exe.
For persistence, MuddyWater establishes Scheduled Tasks, modifies Registry Run keys, or uses legitimate Word templates like Normal.dotm. A significant aspect of their persistence strategy involves abusing legitimate Remote Monitoring and Management (RMM) tools such as ConnectWise, RemoteUtilities, SimpleHelp, Atera Agent, Syncro, and ScreenConnect, which provide covert and persistent remote access.
Defense evasion is a constant focus for MuddyWater. Beyond script obfuscation, they disguise malicious executables with names like “Windows Defender” components. They hide their Command and Control (C2) infrastructure behind compromised websites and proxy networks, and have even experimented with blockchain-based C2 mechanisms. Recent campaigns show a move towards stealthier techniques, including memory-only loaders and intentionally avoiding noisy, hands-on-keyboard interactive sessions. Their malware often includes anti-analysis safeguards, checking for security tools and using techniques like Vectored Exception Handlers (VEH) to resist researchers.
Credential access is critical for lateral movement. They use tools like Mimikatz and procdump64.exe for OS credential dumping and deploy custom browser data stealers such as CE-Notes, LP-Notes, and Blub. Discovery techniques include mapping target networks and collecting system information like OS versions, machine names, IP addresses, domain names, and running processes. Lateral movement often involves exploiting remote services and abusing stolen administrative accounts.
Data collection typically involves uploading additional files, exfiltrating data via RMM software, and capturing screenshots. Stolen data may be staged on public file-transfer services like sendit.sh to further blend exfiltration with normal web activity.
For Command and Control (C2), MuddyWater has demonstrated flexibility, utilizing commercial satellite internet (Starlink) and proxy services like NordVPN to obscure their origins. They have also adopted Telegram bots for C2, a notable evolution in their tradecraft, and use various custom C2 frameworks such as DarkBeatC2, PhonyC2, and MuddyC2Go. Their C2 communications often feature asynchronous activity with randomized callback timings to further evade detection.
Notable Campaigns
MuddyWater has a history of high-impact campaigns, consistently evolving its TTPs.
- Operation Quicksand (2020): This cyberespionage campaign targeted Israeli government entities and telecommunications organizations, showcasing the group’s shift to more advanced, multi-stage operations.
- European Expansion (Early-Mid 2025): This period saw a significant surge in MuddyWater’s infrastructure and targeting across Europe, marking its most notable geographic shift.
- International Espionage Phishing Campaign (October 2025): This global operation utilized compromised mailboxes and NordVPN to send malicious Microsoft Word documents, deploying the Phoenix backdoor to over 100 government entities across the Middle East and North Africa.
- Israel and Egypt Critical Infrastructure Campaign (December 2025): ESET researchers documented a campaign primarily targeting critical infrastructure in Israel, with a confirmed victim in Egypt. This operation deployed new custom tools like the MuddyViper backdoor and Fooder loader, demonstrating a marked shift towards stealthier, memory-only execution and advanced defense evasion techniques.
- Operation Olalampo (January-March 2026): Identified by Group-IB, this campaign targeted multiple organizations across the MENA region and was the first documented instance of MuddyWater using a Telegram bot for Command and Control, alongside new malware families such as CHAR, GhostFetch, HTTP_VIP, and GhostBackDoor.
- RustyWater Campaign (January 2026): Simultaneously with Olalampo, MuddyWater deployed a Rust-based implant called RustyWater via macro-enabled Word documents. This campaign targeted diplomatic, maritime, financial, and telecommunications sectors across the Middle East.
- Dindoor + Fakeset Campaigns (Early 2026): These distinct campaigns targeted critical infrastructure in the USA and Canada, including a U.S. bank, a U.S. airport, U.S. defense contractors, and a Canadian non-profit, utilizing Deno (TypeScript/JavaScript) and Python-based implants.
- Q1 2026 Global Espionage: This widespread campaign compromised at least nine organizations across nine countries, including a major South Korean electronics manufacturer, an international airport in the Middle East, Southeast Asian industrial manufacturers, and a Latin American financial services provider. It heavily relied on DLL side-loading and Node.js-based implants.
- March-April 2026 Destructive Operations: This campaign, targeting the United States, Israel, Saudi Arabia, and Turkey, included destructive operations against at least two U.S. victims, involving the deletion of partitions and data backups, and used a custom C++ exfiltration tool named FileFiend.
- “DarkBit” Ransomware Impersonation (February 2023): MuddyWater was attributed to a disruptive cyberattack on the Technion – Israel Institute of Technology, where they posed as the “DarkBit” ransomware persona to mask their espionage activity. A similar tactic was observed in June 2026, where they posed as the Chaos ransomware group.
Associated Malware & Tools
MuddyWater utilizes a dynamic and expanding toolkit, featuring both custom-developed malware and a wide array of legitimate and open-source tools.
Custom Malware:
- POWERSTATS, NTSTATS, CloudSTATS: PowerShell-based backdoors for remote command execution and data exfiltration.
- PowGoop: A DLL loader impersonating legitimate Google Update files.
- Blackwater: A PowerShell-based backdoor for remote access.
- MoriAgent/Mori: A backdoor used in conjunction with PowGoop.
- MuddyViper: A new, stealthier backdoor deployed in late 2025, capable of system info collection, command execution, file transfer, and credential exfiltration.
- Fooder: A custom loader used to reflectively load MuddyViper into memory.
- Phoenix: A custom backdoor deployed in phishing campaigns from October 2025.
- BugSleep: A custom C/C++ backdoor used in 2024, capable of command execution and file transfer.
- CHAR, GhostFetch, HTTP_VIP, GhostBackDoor: New malware families identified in Operation Olalampo (2026).
- RustyWater (aka Archer RAT/RUSTRIC): A Rust-based implant representing a significant tooling evolution, capable of asynchronous C2, anti-analysis, and modular post-compromise functionality.
- Dindoor: A backdoor leveraging the Deno JavaScript runtime, used in 2026 campaigns.
- Fakeset: A Python-based implant used in 2026.
- Small Sieve, Canopy (Starwhale): Other malware noted in advisories.
- FileFiend: A custom C++ exfiltration tool used in 2026.
Legitimate/Open-Source Tools:
- Remote Monitoring and Management (RMM) Tools: ConnectWise, RemoteUtilities, SimpleHelp, Atera Agent, ScreenConnect, Syncro.
- Credential Dumpers: Mimikatz,
procdump64.exe, LaZagne, CrackMapExec. - Obfuscation Frameworks: Daniel Bohannon’s Invoke-Obfuscation.
- Networking Utilities: NordVPN (for C2 obfuscation),
reqwestlibrary (for HTTP-based C2 in Rust implants),go-socks5(reverse tunnels). - Exploitation Tools: Publicly available scripts for vulnerabilities like CVE-2020-0688, Ruler (Exchange exploitation framework).
Current Status
MuddyWater remains an exceptionally active and evolving threat actor. Throughout late 2025 and into 2026, the group has demonstrated a clear strategic shift, rapidly retooling its capabilities to bypass modern security defenses.
Their recent activity highlights a move away from easily detected legacy tools and scripting languages (like traditional PowerShell and VBS loaders) towards a polyglot approach, embracing new programming languages like Rust, Deno (TypeScript/JavaScript), and Python for their implants. This allows for more structured, modular, and low-noise remote access capabilities. The first quarter of 2026 alone saw at least three distinct campaigns documented by researchers: Operation Olalampo, RustyWater, and the Dindoor + Fakeset campaigns. These operations demonstrate continuous innovation in delivery mechanisms, malware variants, and C2 infrastructure, including the novel use of Telegram bots and commercial satellite internet (Starlink).
Recent research in 2026 also exposed significant operational infrastructure belonging to MuddyWater on a Netherlands-based VPS, which included C2 frameworks, scripts, victim data, and operational logs, offering rare insight into their command and control. This continuous activity, coupled with their sustained targeting of critical sectors globally, confirms that MuddyWater is a high-confidence, state-sponsored threat that is actively adapting its tradecraft to maintain long-term access and achieve its intelligence objectives. Their ongoing retooling and consistent operational tempo indicate they will continue to pose a significant and dynamic threat in the foreseeable future.
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call