Muddy Water

Description

MuddyWater is a government-sponsored advanced persistent threat (APT) actor. Since 2018, it has been working under the Iranian Ministry of Intelligence and Security (MOIS). The group conducts cyber espionage attacks against both public and private sectors such as defense, energy, and telecommunications. MuddyWater has also used ransomware in certain campaigns as well as distributing legitimate remote administration and management tools.

Once inside the target’s network, MuddyWater steals data and provides backdoor access to operatives. The group sometimes shares these with other threat actors. Muddy Water prefers to use spear phishing tactics and exploit known vulnerabilities to gain initial access to a targeted network.

On March 2 2026, Operation Epic Fury a joint coordinated strike on Iran conducted by the United States and Israel commenced. We are monitoring for developments and will update the Threat Actor profile with rolling updates.

Added to Known Tools Used Section:

CHAR, GhostFetch, GhostBackDoor, HTTP_VIP

Objectives

Cyberespionage

Known Infection Vectors

• DLL side-loading through legitimate programs
• Exploit publically known vulnerabilities
• Spear phishing
• CVE-2017-0199
• CVE-2020-1472 (ZeroLogon)

References

Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks (CISA)
https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-055a

MAR–10369127–1.v1 – MuddyWater (CISA)
https://www.cisa.gov/news-events/analysis-reports/ar22-055a

Iranian intel cyber suite of malware uses open source tools (USCYBERCOM)
https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/

MuddyWater (MITRE)
https://attack.mitre.org/groups/G0069/

Technological Advancement and Evolution of MuddyWater in 2024 (Israel National Cyber Directorate)
https://www.gov.il/en/pages/maddy_water_2024