MuddyWater

Description

MuddyWater is a government-sponsored advanced persistent threat (APT) actor. Since 2018, it has been operating under the Iranian Ministry of Intelligence and Security (MOIS). The group conducts cyber espionage attacks against both public and private sectors, including defense, energy, and telecommunications. MuddyWater has also used ransomware in certain campaigns and has distributed legitimate remote administration and management tools to targets.

Once inside the target's network, MuddyWater steals data and provides backdoor access to its operatives. The group sometimes shares this access with other threat actors. MuddyWater prefers spear phishing and the exploitation of known vulnerabilities to gain initial access to a targeted network.

On March 2, 2026, Operation Epic Fury, a joint coordinated strike on Iran conducted by the United States and Israel, commenced. We are monitoring developments and will update this threat actor profile on a rolling basis.

Added to the Known Tools Used section: CHAR, GhostFetch, GhostBackDoor, HTTP_VIP

Associated Threat Actors

CyberAv3ngers

https://www.fortiguard.com/threat-actor/5562/cyberav3ngers

Handala Hack Team

https://www.fortiguard.com/threat-actor/6378/handala

Fox Kitten

https://www.fortiguard.com/threat-actor/5570

OilRig

https://www.fortiguard.com/threat-actor/5528/oilrig

Aliases

  • TA450
  • Earth Vetala
  • Mango Sandstorm
  • MERCURY
  • Seedworm
  • ITG17
  • MuddyWater
  • Static Kitten
  • Temp.Zagros

Targeted Industries

  • Aerospace & Defense
  • Education
  • Energy
  • Utilities & Waste
  • Government
  • Healthcare
  • Media & Internet
  • Telecommunications
  • Transportation
  • IT
  • SMBs

Objectives

Cyberespionage

Known Tools Used

  • BugSleep
  • Canopy
  • POWERSTATS
  • PowGoop
  • Small Sieve
  • Mori
  • Survey Script
  • SyncroRAT
  • Atera
  • ScreenConnect
  • Rport
  • eHorus
  • RemoteUtilities
  • Mimikatz
  • Meterpreter
  • LaZagne
  • PowerShell
  • PRB-Backdoor
  • Blackout
  • AnchorRat
  • CannonRat
  • Neshta
  • Sad C2
  • TreasureBox
  • BlackPearl
  • HAVOC
  • CobaltStrike
  • CrackMapExec
  • Ligolo
  • SharpChisel
  • Hidec
  • Nping
  • LSASS Dumper
  • Password Dumper
  • ProcDump
  • MiniDump
  • SOCKS5 Proxy Server
  • CHAR
  • GhostFetch
  • GhostBackDoor
  • HTTP_VIP
  • Phoenix

Known Infection Vectors

  • DLL side-loading through legitimate programs
  • Spear phishing
  • CVE-2017-0199
  • CVE-2020-1472 (ZeroLogon)
  • Exploitation of publicly known vulnerabilities

References

Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks (CISA)
https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-055a

MAR-10369127-1.v1 - MuddyWater (CISA)
https://www.cisa.gov/news-events/analysis-reports/ar22-055a

Iranian intel cyber suite of malware uses open source tools (USCYBERCOM)
https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/

MuddyWater (MITRE)
https://attack.mitre.org/groups/G0069/

Technological Advancement and Evolution of MuddyWater in 2024 (Israel National Cyber Directorate)
https://www.gov.il/en/pages/maddy_water_2024
