G0069: MuddyWater
MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).[1] Since at least 2017, MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, finance, defense, and oil and natural gas organizations, in the Middle East (specifically the UAE and Saudi Arabia), Asia, Africa, Europe, and North America. MuddyWater has reused domains dating back to October 2025, and has a preference for NameCheap and Hosterdaddy Private Limited (AS136557). In late 2025 and early 2026, MuddyWater used commercial satellite internet (i.e., Starlink) for command and control (C2) communication. [2][3][4][5][6][7][8][9][10][11][12][13]
Analyst context for executives and security teams
MuddyWater matters because ATT&CK describes it as an Iran MOIS-subordinate cyber espionage group with long-running targeting across government and private sectors, including telecommunications, local government, finance, defense, and oil and natural gas. For leaders, the practical issue is not the name alone; it is whether the organization can recognize credential theft, PowerShell/script-based tradecraft, legitimate remote administration tool abuse, cloud-sync exfiltration paths, and unusual command-and-control infrastructure before an investigation becomes dependent on incomplete logs.
Executive priority
Prioritize MuddyWater as a readiness benchmark for espionage-oriented intrusion response: identity hardening, Windows endpoint visibility, remote access governance, and evidence retention. Organizations in or supporting the sectors and regions named by ATT&CK should ask whether their SOC can prove coverage for credential access, backdoors/loaders, post-exploitation frameworks, and remote administration tools that may appear legitimate. This also supports audit and compliance discussions because the decisive evidence is often control validation: who can access credentials, what remote tools are approved, what script execution is logged, and whether incident responders can reconstruct lateral movement and data movement.
Technical view
ATT&CK provides no group-level detection text or platforms for the intrusion-set object, but relationships show extensive use of Windows-focused and cross-platform tooling. Defenders should validate detections and response playbooks around Mimikatz, LaZagne, LSASS memory access, LSA Secrets access, PowerSploit, Empire, Koadic, CrackMapExec, ConnectWise, RemoteUtilities, Rclone, and multiple MuddyWater-associated backdoors/loaders such as POWERSTATS, SHARPSTATS, PowGoop, Mori, Small Sieve, STARWHALE, MuddyViper, Fooder, LP-Notes, and RustyWater. The technical emphasis should be on behavior and control-plane evidence rather than only static indicators: credential dumping attempts, suspicious PowerShell or Windows Script Host activity, unexpected remote admin sessions, unusual cloud storage synchronization, suspicious loaders/backdoors, and C2 patterns including infrastructure choices noted in ATT&CK such as reused domains and commercial satellite internet use for C2 in late 2025 and early 2026.
Likely telemetry
- Windows endpoint process creation, command-line, script block, module, and PowerShell logging where applicable
- Security event logs and EDR telemetry for LSASS access, credential dumping, LSA Secrets access, and suspicious handle access
- Registry and memory-related telemetry relevant to credential material access
- Remote administration tool inventory and session logs for ConnectWise, RemoteUtilities, and other approved or unapproved RAT usage
- Network DNS, proxy, firewall, TLS, and egress telemetry for reused domains, unusual C2 destinations, and beacon-like traffic
Detection direction
- Map existing detections to the related ATT&CK techniques and software rather than relying on the MuddyWater name as a detection object.
- Validate that LSASS memory and LSA Secrets access alerts distinguish authorized administrative/security tooling from suspicious credential access attempts.
- Tune for PowerShell, Windows Script Host, .NET, Python, C/C++, Rust, Node.js, and JavaScript execution patterns only where supported by local telemetry and the related tools; avoid brittle filename-only logic.
- Review allowlists for legitimate remote administration tools because ConnectWise and RemoteUtilities may be expected in some environments and suspicious in others.
- Correlate remote admin sessions, credential access, and new or unusual outbound C2 to reduce false positives and improve incident confidence.
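As an added example that is not part of the ATT&CK object or of Glexia's tooling, the correlation step above run over constructed Windows endpoint, RMM-session and egress events; the event schema, the per-asset RMM allowlist, the approved LSASS reader list and the scoring weights are assumptions made for the example:

```python
# Added illustration (not Glexia or MITRE code): per-host correlation of the
# behaviours this page asks defenders to join up. Event schema, allowlists
# and weights are assumptions made for the example.
from collections import defaultdict
from datetime import datetime, timedelta

# Binaries and tools named in the ATT&CK relationships on this page.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "cmstp.exe"}
SCRIPT_ENGINES = {"powershell.exe", "pwsh.exe", "csc.exe"}
NONSTANDARD_C2_PORTS = {8043, 8848}          # T1571 procedure on this page
# Assumed allowlists: RMM products approved per asset role, and processes
# (e.g. AV/EDR sensors) that may legitimately open a handle to LSASS.
APPROVED_RMM = {"helpdesk-ws": {"connectwise"}, "server": set()}
APPROVED_LSASS_READERS = {"msmpeng.exe", "edr-sensor.exe"}
WINDOW = timedelta(hours=2)
WEIGHTS = {"script_host_chain": 2, "lsass_access": 3, "unapproved_rmm": 3,
           "nonstandard_port_egress": 2, "new_domain": 1}
ALERT_THRESHOLD = 5

def _exe(path):
    """Basename of a Windows path, lower-cased; no rule below uses it alone."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Label one event with a behaviour, or None if it is benign on its own."""
    kind = ev["type"]
    if kind == "process_create":
        # Script host / LOLBin parent spawning PowerShell or csc: T1218, T1059.
        if _exe(ev["parent"]) in SCRIPT_HOSTS and _exe(ev["image"]) in SCRIPT_ENGINES:
            return "script_host_chain"
    elif kind == "process_access":
        # Handle to LSASS from outside the approved reader set: T1003.001.
        if _exe(ev["target"]) == "lsass.exe" and _exe(ev["source"]) not in APPROVED_LSASS_READERS:
            return "lsass_access"
    elif kind == "rmm_session":
        # The same RMM product is expected on some asset roles and not others.
        if ev["tool"].lower() not in APPROVED_RMM.get(ev["asset_role"], set()):
            return "unapproved_rmm"
    elif kind == "net_conn":
        if ev["dst_port"] in NONSTANDARD_C2_PORTS:
            return "nonstandard_port_egress"
        if ev.get("first_seen_domain"):
            return "new_domain"
    return None

def correlate(events):
    """Sum weights of distinct behaviours per host inside WINDOW; return alerts."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        label = classify(ev)
        if label:
            by_host[ev["host"]].append((ev["ts"], label))
    alerts = {}
    for host, hits in by_host.items():
        for i, (start, _) in enumerate(hits):
            labels = {lab for t, lab in hits[i:] if t - start <= WINDOW}
            score = sum(WEIGHTS[lab] for lab in labels)
            # Two distinct behaviours are required, so a lone RMM install or a
            # lone LSASS read never raises an alert by itself.
            if score >= ALERT_THRESHOLD and len(labels) >= 2:
                alerts[host] = {"score": score, "behaviours": sorted(labels)}
                break
    return alerts

_t = datetime.fromisoformat
# Constructed sample telemetry. WS01 shows the full chain; HD07 shows only an
# EDR LSASS read plus an approved tool; WS03 stays below the threshold.
SAMPLE_EVENTS = [
    {"host": "WS01", "ts": _t("2026-03-02T09:01:00"), "type": "process_create",
     "parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "WS01", "ts": _t("2026-03-02T09:04:00"), "type": "process_access",
     "source": r"C:\Users\Public\procdump64.exe", "target": r"C:\Windows\System32\lsass.exe"},
    {"host": "WS01", "ts": _t("2026-03-02T09:20:00"), "type": "rmm_session",
     "asset_role": "server", "tool": "RemoteUtilities"},
    {"host": "WS01", "ts": _t("2026-03-02T09:25:00"), "type": "net_conn",
     "dst": "203.0.113.7", "dst_port": 8848},
    {"host": "HD07", "ts": _t("2026-03-02T10:00:00"), "type": "process_access",
     "source": r"C:\Program Files\EDR\edr-sensor.exe", "target": r"C:\Windows\System32\lsass.exe"},
    {"host": "HD07", "ts": _t("2026-03-02T10:05:00"), "type": "rmm_session",
     "asset_role": "helpdesk-ws", "tool": "ConnectWise"},
    {"host": "WS03", "ts": _t("2026-03-02T11:00:00"), "type": "rmm_session",
     "asset_role": "helpdesk-ws", "tool": "SimpleHelp"},
    {"host": "WS03", "ts": _t("2026-03-02T11:02:00"), "type": "net_conn",
     "dst": "203.0.113.9", "dst_port": 443, "first_seen_domain": True},
]

if __name__ == "__main__":
    for host, finding in correlate(SAMPLE_EVENTS).items():
        print(host, finding)
```

The allowlists are the part to validate locally: the RemoteUtilities session that scores on a server role is silent on a role where the product is approved.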
Mitigation priorities
- Start with identity controls: reduce credential exposure, protect privileged accounts, monitor service accounts, and enforce least privilege for administrative access.
- Harden Windows endpoints against credential dumping and script abuse through baseline configuration, logging, and controlled administrative tool use.
- Govern remote administration software with explicit approval, inventory, MFA where applicable, session logging, and rapid revocation processes.
- Restrict and monitor outbound traffic, especially to newly observed or untrusted infrastructure, cloud storage services, and unusual C2 paths.
- Maintain incident response playbooks for credential theft and remote access abuse, including password rotation, token/session revocation, host isolation, and forensic preservation.
Analyst notes and limits
The most defensible Glexia use of this ATT&CK object is as a control-validation scenario for espionage tradecraft. The relationships emphasize credential access, post-exploitation frameworks, backdoors/loaders, remote administration tools, and data movement tooling. Because several tools are open-source or legitimate administration utilities, high-quality detection depends on context: asset role, user identity, parent process, command line, network destination, and whether the tool is approved in the environment.
The supplied group object has no official detection text, no listed tactics, and no group-level platforms. Platform and technique guidance above is derived from the supplied relationships only. Local relevance depends on sector, geography, technology stack, approved remote access tools, logging depth, and retention. This take should not be read as a claim that MuddyWater is currently targeting any specific organization.
MuddyWater
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1566.002 | Spearphishing Link | MuddyWater has sent targeted spearphishing e-mails with malicious links. (Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)(Citation: Proofpoint TA450 Phishing March 2024) |
| Enterprise | T1137.001 | Office Template Macros | MuddyWater has used a Word Template, Normal.dotm, for persistence. (Citation: Reaqta MuddyWater November 2017) |
| Enterprise | T1574.001 | DLL | MuddyWater maintains persistence on victim networks through side-loading DLLs to trick legitimate programs into running malware. (Citation: DHS CISA AA22-055A MuddyWater February 2022) |
| Enterprise | T1588.002 | Tool | MuddyWater has used legitimate tools ConnectWise, RemoteUtilities, and SimpleHelp to gain access to the target environment. (Citation: Anomali Static Kitten February 2021)(Citation: group-ib_muddywater_infra)(Citation: ESET_MuddyWater_Dec2025)(Citation: NaumaanProofpoint_GlobalClickFix_April2025) |
| Enterprise | T1218.005 | Mshta | MuddyWater has used mshta.exe to execute its POWERSTATS payload and to pass a PowerShell one-liner for execution. (Citation: FireEye MuddyWater Mar 2018)(Citation: Securelist MuddyWater Oct 2018) |
| Enterprise | T1204.004 | Malicious Copy and Paste | MuddyWater has leveraged ClickFix-type tactics, enticing victims to copy and paste malicious PowerShell code. (Citation: NaumaanProofpoint_GlobalClickFix_April2025) |
| Enterprise | T1047 | Windows Management Instrumentation | MuddyWater has used malware that leveraged WMI for execution and querying host information. (Citation: Securelist MuddyWater Oct 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: Talos MuddyWater May 2019)(Citation: DHS CISA AA22-055A MuddyWater February 2022) |
| Enterprise | T1534 | Internal Spearphishing | MuddyWater has used compromised mailboxes within target organizations to send spearphishing emails. (Citation: FalconFeeds_Iran_Mar2026) |
| Enterprise | T1003.004 | LSA Secrets | MuddyWater has performed credential dumping with LaZagne. (Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018) |
| Enterprise | T1566.001 | Spearphishing Attachment | MuddyWater has compromised third parties and used compromised accounts to send spearphishing emails with targeted attachments to recipients. (Citation: Unit 42 MuddyWater Nov 2017)(Citation: FireEye MuddyWater Mar 2018)(Citation: Securelist MuddyWater Oct 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Proofpoint TA450 Phishing March 2024)(Citation: ESET_MuddyWater_Dec2025)(Citation: SOCRadar_MuddyWaterDindoor_Mar2026) MuddyWater has also sent spearphishing emails with the attachment Cybersecurity.doc, which served as the primary payload for the next stage. (Citation: CloudSEK_RustyWater_Jan2026) |
| Enterprise | T1583.001 | Domains | MuddyWater has established domains, some of which appeared to spoof legitimate domains, for use in operations. (Citation: NaumaanProofpoint_GlobalClickFix_April2025) |
| Enterprise | T1590.004 | Network Topology | MuddyWater has mapped target networks; access to this information and more is then shared or sold to other Iranian threat actors. (Citation: FalconFeeds_MuddyWaterPSRust_Mar2026) |
| Enterprise | T1559.001 | Component Object Model | MuddyWater has used malware that has the capability to execute malicious code via COM, DCOM, and Outlook. (Citation: Securelist MuddyWater Oct 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: DHS CISA AA22-055A MuddyWater February 2022) |
| Enterprise | T1571 | Non-Standard Port | MuddyWater has used ports 8043 and 8848 for botnet C2 communication. (Citation: FalconFeeds_MuddyWaterPSRust_Mar2026) |
| Enterprise | T1059.003 | Windows Command Shell | MuddyWater has used a custom tool for creating reverse shells. (Citation: Symantec MuddyWater Dec 2018) |
| Enterprise | T1588.001 | Malware | MuddyWater has used publicly available malware for operations, likely to blend in with other cybercriminals. (Citation: Huntio_IranInfra_Mar2026) |
| Enterprise | T1218.003 | CMSTP | MuddyWater has used CMSTP.exe and a malicious INF to execute its POWERSTATS payload. (Citation: FireEye MuddyWater Mar 2018) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | MuddyWater has disguised malicious executables and used filenames and Registry key names associated with Windows Defender. (Citation: FireEye MuddyWater Mar 2018)(Citation: Talos MuddyWater May 2019)(Citation: Anomali Static Kitten February 2021) |
| Enterprise | T1087.002 | Domain Account | MuddyWater has used |
| Enterprise | T1059.007 | JavaScript | MuddyWater has used JavaScript files to execute its POWERSTATS payload. (Citation: ClearSky MuddyWater Nov 2018)(Citation: FireEye MuddyWater Mar 2018)(Citation: DHS CISA AA22-055A MuddyWater February 2022) |
| Enterprise | T1583.006 | Web Services | MuddyWater has used file sharing services including OneHub, Sync, and TeraBox to distribute tools. (Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)(Citation: Proofpoint TA450 Phishing March 2024)(Citation: ESET_MuddyWater_Dec2025) |
| Enterprise | T1059.005 | Visual Basic | MuddyWater has used VBScript files to execute its POWERSTATS payload, as well as macros. (Citation: FireEye MuddyWater Mar 2018)(Citation: MuddyWater TrendMicro June 2018)(Citation: Securelist MuddyWater Oct 2018)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: Trend Micro Muddy Water March 2021)(Citation: Talos MuddyWater Jan 2022) |
| Enterprise | T1016 | System Network Configuration Discovery | MuddyWater has used malware to collect the victim’s IP address and domain name. (Citation: Securelist MuddyWater Oct 2018) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | MuddyWater has added Registry Run key |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | MuddyWater has decoded base64-encoded PowerShell, JavaScript, and VBScript. (Citation: FireEye MuddyWater Mar 2018)(Citation: MuddyWater TrendMicro June 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: Talos MuddyWater Jan 2022) |
| Enterprise | T1559.002 | Dynamic Data Exchange | MuddyWater has used malware that can execute PowerShell scripts via DDE. (Citation: Securelist MuddyWater Oct 2018) |
| Enterprise | T1027.010 | Command Obfuscation | MuddyWater has used Daniel Bohannon’s Invoke-Obfuscation framework and obfuscated PowerShell scripts. (Citation: Unit 42 MuddyWater Nov 2017)(Citation: GitHub Invoke-Obfuscation) The group has also used other obfuscation methods, including Base64 obfuscation of VBScripts and PowerShell commands. (Citation: Unit 42 MuddyWater Nov 2017)(Citation: FireEye MuddyWater Mar 2018)(Citation: Securelist MuddyWater Oct 2018)(Citation: Talos MuddyWater May 2019)(Citation: ClearSky MuddyWater June 2019)(Citation: Trend Micro Muddy Water March 2021)(Citation: Talos MuddyWater Jan 2022) |
| Enterprise | T1027.004 | Compile After Delivery | MuddyWater has used the .NET csc.exe tool to compile executables from downloaded C# code. (Citation: ClearSky MuddyWater Nov 2018) |
| Enterprise | T1518.001 | Security Software Discovery | MuddyWater has used malware to check running processes against a hard-coded list of security tools often used by malware researchers. (Citation: Securelist MuddyWater Oct 2018) |
| Enterprise | T1074.001 | Local Data Staging | MuddyWater has stored a decoy PDF file within a victim's `%temp%` folder. (Citation: Talos MuddyWater Jan 2022) |
| Enterprise | T1113 | Screen Capture | MuddyWater has used malware that can capture screenshots of the victim’s machine. (Citation: Securelist MuddyWater Oct 2018) |
| Enterprise | T1071.001 | Web Protocols | MuddyWater has used HTTP for C2 communications. (Citation: ClearSky MuddyWater June 2019)(Citation: Trend Micro Muddy Water March 2021) |
| Enterprise | T1685 | Disable or Modify Tools | MuddyWater can disable the system's local proxy settings. (Citation: Trend Micro Muddy Water March 2021) |
| Enterprise | T1518 | Software Discovery | MuddyWater has used a PowerShell backdoor to check for Skype connectivity on the target machine. (Citation: Trend Micro Muddy Water March 2021) |
| Enterprise | T1083 | File and Directory Discovery | MuddyWater has used malware that checked if the ProgramData folder had folders or files with the keywords "Kasper," "Panda," or "ESET." (Citation: Securelist MuddyWater Oct 2018) |
| Enterprise | T1548.002 | Bypass User Account Control | MuddyWater uses various techniques to bypass UAC. (Citation: ClearSky MuddyWater Nov 2018)(Citation: NaumaanProofpoint_GlobalClickFix_April2025) |
| Enterprise | T1105 | Ingress Tool Transfer | MuddyWater has used malware that can upload additional files to the victim’s machine. (Citation: Securelist MuddyWater Oct 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: Reaqta MuddyWater November 2017)(Citation: Trend Micro Muddy Water March 2021) MuddyWater has used PowerShell commands to install remote management and monitoring (RMM) software on the victim’s machine to conduct espionage and to exfiltrate data. (Citation: NaumaanProofpoint_GlobalClickFix_April2025) |
| Enterprise | T1573.001 | Symmetric Cryptography | MuddyWater has used AES to encrypt C2 responses. (Citation: Talos MuddyWater Jan 2022) |
| Enterprise | T1567.002 | Exfiltration to Cloud Storage | MuddyWater has attempted to exfiltrate data to Wasabi, a cloud storage service, using Rclone. (Citation: SOCRadar_MuddyWaterDindoor_Mar2026) |
| Enterprise | T1555.003 | Credentials from Web Browsers | MuddyWater has run tools including Browser64 to steal passwords saved in victim web browsers. (Citation: Symantec MuddyWater Dec 2018)(Citation: Trend Micro Muddy Water March 2021) |
| Enterprise | T1566 | Phishing | MuddyWater has sent phishing emails to targets from the email address support@microsoftonlines[.]com. (Citation: NaumaanProofpoint_GlobalClickFix_April2025) |
| Enterprise | T1560.001 | Archive via Utility | MuddyWater has used the native Windows cabinet creation tool, makecab.exe, likely to compress stolen data to be uploaded. (Citation: Symantec MuddyWater Dec 2018) |
| Enterprise | T1684.001 | Impersonation | MuddyWater has used support@microsoftonlines[.]com to send phishing emails that masqueraded as security updates from Microsoft. (Citation: NaumaanProofpoint_GlobalClickFix_April2025) MuddyWater has also impersonated TMCell (Altyn Asyr CJSC), the primary mobile operator in Turkmenistan, sending phishing emails with the email domain info@tmcell. (Citation: CloudSEK_RustyWater_Jan2026) |
| Enterprise | T1059.006 | Python | MuddyWater has developed tools in Python including Out1. (Citation: Trend Micro Muddy Water March 2021) |
| Enterprise | T1049 | System Network Connections Discovery | MuddyWater has used a PowerShell backdoor to check for Skype connections on the target machine. (Citation: Trend Micro Muddy Water March 2021) |
| Enterprise | T1082 | System Information Discovery | MuddyWater has used malware that can collect the victim’s OS version and machine name. (Citation: Securelist MuddyWater Oct 2018)(Citation: Talos MuddyWater May 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: Trend Micro Muddy Water March 2021)(Citation: Talos MuddyWater Jan 2022) |
| Enterprise | T1555 | Credentials from Password Stores | MuddyWater has performed credential dumping with LaZagne and other tools, including by dumping passwords saved in victim email. (Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)(Citation: Trend Micro Muddy Water March 2021) |
| Enterprise | T1057 | Process Discovery | MuddyWater has used malware to obtain a list of running processes on the system. (Citation: Securelist MuddyWater Oct 2018)(Citation: ClearSky MuddyWater June 2019) |
| Enterprise | T1132.001 | Standard Encoding | MuddyWater has used tools to encode C2 communications including Base64 encoding. (Citation: ClearSky MuddyWater June 2019)(Citation: Trend Micro Muddy Water March 2021) |
| Enterprise | T1104 | Multi-Stage Channels | MuddyWater has used one C2 to obtain enumeration scripts and monitor web logs, but a different C2 to send data back. (Citation: Talos MuddyWater May 2019) |
| Enterprise | T1090 | Proxy | MuddyWater has used NordVPN to proxy phishing emails, making them appear to originate from France. (Citation: FalconFeeds_Iran_Mar2026) |
| Enterprise | T1204.001 | Malicious Link | MuddyWater has distributed URLs in phishing e-mails that link to lure documents. (Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)(Citation: Proofpoint TA450 Phishing March 2024) |
| Enterprise | T1027.003 | Steganography | MuddyWater has stored obfuscated JavaScript code in an image file named temp.jpg. (Citation: ClearSky MuddyWater Nov 2018) |
| Enterprise | T1003.001 | LSASS Memory | MuddyWater has performed credential dumping with Mimikatz and procdump64.exe. (Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)(Citation: Trend Micro Muddy Water March 2021) |
| Enterprise | T1053.005 | Scheduled Task | MuddyWater has used scheduled tasks to establish persistence. (Citation: Reaqta MuddyWater November 2017) |
| Enterprise | T1090.002 | External Proxy | MuddyWater has controlled POWERSTATS from behind a proxy network to obfuscate the C2 location. (Citation: Symantec MuddyWater Dec 2018) MuddyWater has used a series of compromised websites that victims connected to randomly to relay information to command and control (C2). (Citation: Reaqta MuddyWater November 2017)(Citation: Trend Micro Muddy Water March 2021) MuddyWater has also used go-socks5 variants to bypass firewalls and Network Address Translation (NAT), to communicate with a hardcoded C2 server, and to exfiltrate data. (Citation: ESET_MuddyWater_Dec2025) |
| Enterprise | T1204.002 | Malicious File | MuddyWater has attempted to get users to open malicious PDF attachments and to enable macros and launch malicious Microsoft Word documents delivered via spearphishing emails. (Citation: Unit 42 MuddyWater Nov 2017)(Citation: FireEye MuddyWater Mar 2018)(Citation: Securelist MuddyWater Oct 2018)(Citation: Talos MuddyWater May 2019)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Talos MuddyWater Jan 2022)(Citation: Proofpoint TA450 Phishing March 2024) Additionally, MuddyWater has used a Word document with a malicious Visual Basic for Applications (VBA) macro; when enabled, the CertificationKit.ini payload is constructed and executed. (Citation: CloudSEK_RustyWater_Jan2026) |
| Enterprise | T1033 | System Owner/User Discovery | MuddyWater has used malware that can collect the victim’s username. (Citation: Securelist MuddyWater Oct 2018)(Citation: Trend Micro Muddy Water March 2021) |
| Enterprise | T1219.002 | Remote Desktop Software | MuddyWater has leveraged RMM solutions including ScreenConnect, AteraAgent, SimpleHelp, Action1, Level, and PDQ to facilitate follow-on actions within compromised hosts, including data exfiltration. (Citation: Trend Micro Muddy Water March 2021)(Citation: Anomali Static Kitten February 2021)(Citation: Proofpoint TA450 Phishing March 2024)(Citation: group-ib_muddywater_infra)(Citation: FalconFeeds_Iran_Mar2026)(Citation: NaumaanProofpoint_GlobalClickFix_April2025)(Citation: FalconFeeds_MuddyWaterPSRust_Mar2026) |
| Enterprise | T1041 | Exfiltration Over C2 Channel | MuddyWater has used C2 infrastructure to receive exfiltrated data. (Citation: Reaqta MuddyWater November 2017) |
Groups, software, and campaigns
S9032: MuddyViper
MuddyViper is a custom backdoor written in C and C++ used by MuddyWater for command and control (C2) communications and persistence. MuddyViper is loaded by Fooder and sends frequent messages to the C2 server.[1]
S1037: STARWHALE
STARWHALE is a Windows Script File (WSF) backdoor that has been used by MuddyWater, possibly since at least November 2021; there is also a STARWHALE variant written in Golang with similar capabilities. Security researchers have also noted the use of STARWHALE by UNC3313, which may be associated with MuddyWater.[1][2]
S9036: LP-Notes
LP-Notes is a C/C++ Windows credential stealer used by MuddyWater. LP-Notes was named after the `lp-notes.txt` file that is used to store stolen credentials.[1]
S0223: POWERSTATS
POWERSTATS is a PowerShell-based first stage backdoor used by MuddyWater. [1]
S1040: Rclone
S0594: Out1
Out1 is a remote access tool written in Python and used by MuddyWater since at least 2021.[1]
S9034: Tsundere Botnet
Tsundere Botnet is a botnet first reported in mid-2025 that is delivered via MSI installer or a PowerShell script. It leverages Node.js and JavaScript for payload delivery and execution, and uses smart contracts on the blockchain to host command and control (C2) addresses. Tsundere Botnet is attributed to a likely Russian-speaking threat actor.
A variant named DinDoor has been linked to MuddyWater operations and uses the Deno runtime for execution rather than Node.js.[1][2][3][4]
S0194: PowerSploit
PowerSploit is an open source, offensive security framework composed of PowerShell modules and scripts that perform a wide range of tasks related to penetration testing, such as code execution, persistence, bypassing anti-virus, recon, and exfiltration.[1][2][3]
S1035: Small Sieve
Small Sieve is a Telegram Bot API-based Python backdoor that has been distributed using a Nullsoft Scriptable Install System (NSIS) Installer; it has been used by MuddyWater since at least January 2022.[1][2]
Security researchers have also noted Small Sieve's use by UNC3313, which may be associated with MuddyWater.[3]
S9033: Fooder
Fooder is a custom 64-bit C/C++ loader used by MuddyWater that can decrypt and reflectively load embedded payloads such as a go-socks5 proxy utility, the open-source HackBrowserData infostealer, or the MuddyViper backdoor. Fooder has frequently masqueraded as an entertainment executable, such as the Snake game (e.g., `Snake_Game.exe`).[1]
S1047: Mori
Mori is a backdoor that has been used by MuddyWater since at least January 2022.[1][2]
S0002: Mimikatz
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 7.0 | | Current bundle | 7ef8320b44a9… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] CYBERCOM Iranian Intel Cyber January 2022: Cyber National Mission Force. (2022, January 12). Iranian intel cyber suite of malware uses open source tools. Retrieved September 30, 2022.
- [2] FalconFeeds_Iran_Mar2026: FalconFeeds.io. (2026, March 5). The Digital Redoubt: Iran’s National Information Network and the Asymmetry of Modern Cyber Conflict. Retrieved March 9, 2026.
- [3] Huntio_IranInfra_Mar2026: Hunt.io. (2026, March 4). Iranian APT Infrastructure in Focus: Mapping State-Aligned Clusters During Geopolitical Escalation. Retrieved April 16, 2026.
- [4] Unit 42 MuddyWater Nov 2017: Lancaster, T. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.
- [5] Symantec MuddyWater Dec 2018: Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
- [6] ClearSky MuddyWater Nov 2018: ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
- [7] ClearSky MuddyWater June 2019: ClearSky. (2019, June). Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal. Retrieved May 14, 2020.
- [8] Reaqta MuddyWater November 2017: Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020.
- [9] DHS CISA AA22-055A MuddyWater February 2022: FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
- [10] Talos MuddyWater Jan 2022: Malhotra, A. and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. Retrieved June 22, 2022.
- [11] NaumaanProofpoint_GlobalClickFix_April2025: Naumaan, S., et al. (2025, April 17). Around the World in 90 Days: State-Sponsored Actors Try ClickFix. Retrieved January 21, 2026.
- [12] ESET_MuddyWater_Dec2025: ESET Research. (2025, December 2). MuddyWater: Snakes by the riverbank. Retrieved February 17, 2026.
- [13] SymantecCarbonBlack_Seedworm_Mar2026: Threat Hunter Team. (2026, March 5). Seedworm: Iranian APT on Networks of U.S. Bank, Airport, Software Company. Retrieved March 5, 2026.
- [14] Anomali Static Kitten February 2021: Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.
- [15] Cloudflare 2026 Threat Report New Threat Actors March 2026: Cloudflare. (2026, March 3). Introducing the 2026 Cloudflare Threat Report. Retrieved April 18, 2026.
- [16] Earth Vetala (associated group name): (Citation: Trend Micro Muddy Water March 2021)
- [17] FireEye MuddyWater Mar 2018: Singh, S. et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
- [18] MERCURY (associated group name): (Citation: Anomali Static Kitten February 2021)
- [19] Mango Sandstorm (associated group name): (Citation: Microsoft Threat Actor Naming July 2023)
- [20] Microsoft Threat Actor Naming July 2023: Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
- [21] MuddyKrill (associated group name): (Citation: Cloudflare 2026 Threat Report New Threat Actors March 2026)
- [22] MuddyWater (associated group name): (Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)
- [23] Proofpoint TA450 Phishing March 2024: Miller, J. et al. (2024, March 21). Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign. Retrieved March 27, 2024.
- [24] Seedworm (associated group name): (Citation: Symantec MuddyWater Dec 2018)(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)
- [25] Static Kitten (associated group name): (Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)
- [26] TA450 (associated group name): (Citation: Proofpoint TA450 Phishing March 2024)
- [27] TEMP.Zagros (associated group name): (Citation: FireEye MuddyWater Mar 2018)(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)
- [28] Trend Micro Muddy Water March 2021: Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
- [29] mitre-attack G0069
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.