S0223: POWERSTATS
POWERSTATS is a PowerShell-based first stage backdoor used by MuddyWater. [1]
Analyst context for executives and security teams
POWERSTATS matters because ATT&CK describes it as a PowerShell-based first-stage backdoor on Windows, associated through ATT&CK relationships with MuddyWater. For leaders, the practical risk is not just “malware on an endpoint”; it is an early foothold that can use native Windows scripting and administration paths to discover the environment, stage additional tools, collect data, and attempt to hide activity. This makes PowerShell, scheduled task, WMI, script-host, and endpoint telemetry quality central to business continuity and incident response readiness.
Executive priority
Prioritize validation of Windows script execution visibility, endpoint logging, and response playbooks for suspicious PowerShell-backed intrusion activity. Because the object is a first-stage backdoor with relationships to discovery, collection, command-and-control, persistence/execution, stealth, and exfiltration behaviors, executives should ask whether SOC and IR teams can rapidly answer: which host ran the script, which user context was used, what discovery occurred, whether additional tools were transferred, and whether sensitive local data or screenshots were accessed. This is also useful audit evidence for controls around logging, administrative tool monitoring, and malware response readiness.
Technical view
ATT&CK lists POWERSTATS as Windows malware and a PowerShell-based first-stage backdoor. No official detection text is provided, so defenders should build coverage from the relationship context: PowerShell execution, WMI execution, mshta abuse, Visual Basic/JavaScript execution, scheduled tasks, local account/user/system/process/network/security-software discovery, file deletion, command and code obfuscation, standard encoding, deobfuscation, ingress tool transfer, external proxy use, screen capture, local data collection, and scheduled transfer. SOC validation should focus on correlating script/process telemetry with persistence artifacts, discovery command patterns, unusual outbound connections, and post-execution cleanup rather than relying on a single malware signature.
Likely telemetry
- Windows process creation events, including parent/child relationships for PowerShell, WMI, mshta, script hosts, and task scheduler activity
- PowerShell script block, module, and command-line logging where enabled
- Windows Task Scheduler creation, modification, and execution evidence
- WMI activity logs and remote/local WMI execution traces
- Endpoint detection records for script execution, obfuscation, decoding, file deletion, and tool transfer
Detection direction
- Validate that PowerShell visibility is sufficient to reconstruct command content, encoded content, execution policy bypass indicators, and parent processes; if content logging is absent, detection will be materially weaker.
- Tune detections around suspicious combinations: script execution followed by discovery commands, scheduled task creation, WMI use, file deletion, tool download/transfer, or unusual outbound connections.
- Review trusted Windows utility abuse paths, especially mshta and WMI, because relationship context includes proxy execution and administrative execution mechanisms that may blend with legitimate administration.
- Use relationship-driven clustering rather than single indicators: discovery of users/processes/security tools plus obfuscated PowerShell and scheduled task activity should be higher priority than any one event alone.
- Account for false positives from administrators, software deployment tools, monitoring agents, and legitimate automation; require baselines for normal PowerShell, WMI, scheduled task, and proxy usage.
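The relationship-driven clustering described in the telemetry and detection lists above, as an added example that is not Glexia or MITRE code: it decodes PowerShell -EncodedCommand arguments, undoes simple string concatenation before matching discovery keywords, maps constructed Windows events (4688 process creation, 4104 script blocks, 4698 task creation) onto the relationship categories the page lists, including the "MicrosoftEdge" task name, and alerts per host only when several distinct categories co-occur, with an assumed (user, parent process) baseline for approved automation.

```python
import base64
import re
from collections import defaultdict
# Constructed sample telemetry (not real logs): Security 4688 process creation,
# PowerShell 4104 script blocks and Security 4698 scheduled-task creation.
ENC = base64.b64encode("$c='who'+'ami';iex $c".encode("utf-16-le")).decode()
EVENTS = [
    {"host": "ws01", "user": "jdoe", "id": 4688, "parent": "wscript.exe",
     "cmd": "powershell.exe -nop -w hidden -enc " + ENC},
    {"host": "ws01", "user": "jdoe", "id": 4104, "script": "Get-WmiObject Win32_OperatingSystem; Get-Process"},
    {"host": "ws01", "user": "jdoe", "id": 4698, "task": "MicrosoftEdge",
     "action": "powershell.exe -w hidden -File C:\\Users\\Public\\u.ps1"},
    {"host": "ws01", "user": "jdoe", "id": 4688, "parent": "powershell.exe", "cmd": "mshta.exe C:\\Users\\Public\\u.hta"},
    {"host": "srv02", "user": "sccm_svc", "id": 4688, "parent": "ccmexec.exe", "cmd": "powershell.exe -File C:\\deploy\\inv.ps1"},
]
ENC_RE = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
KEYWORDS = {  # category -> substrings matched against the lowercased event text
    "script_host": ("wscript.exe", "cscript.exe", "mshta.exe"),
    "discovery": ("whoami", "get-process", "tasklist", "ipconfig", "win32_operatingsystem"),
    "wmi": ("get-wmiobject", "get-ciminstance", "wmic"),
    "masquerade_task": ("microsoftedge",),  # task name reported for POWERSTATS
    "mass_deletion": ("remove-item",),
    "string_obfuscation": ("'+'", "-join", "-bxor"),
}
BASELINE = {("sccm_svc", "ccmexec.exe")}  # assumed tuning knob: approved (user, parent) pairs

def decode_encoded(cmd):
    """Return the -EncodedCommand payload (base64 of UTF-16LE text), or ''."""
    m = ENC_RE.search(cmd)
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", "ignore") if m else ""
    except ValueError:  # malformed base64 after -enc: nothing to decode
        return ""

def indicators(ev):
    """Map one event onto the set of relationship categories it matches."""
    decoded = decode_encoded(ev.get("cmd", ""))
    found = {c for c, hit in (("encoded_command", decoded), ("scheduled_task", ev["id"] == 4698)) if hit}
    text = (" ".join(str(ev.get(k, "")) for k in ("parent", "task", "cmd", "script", "action")) + " " + decoded).lower()
    plain = text.replace("'+'", "")  # undo simple 'a'+'b' concatenation so split words match
    found |= {c for c, ws in KEYWORDS.items() if any(w in text or w in plain for w in ws)}
    return found

def cluster(events, threshold=3):
    """Union categories per host; alert only when several distinct ones co-occur."""
    per_host = defaultdict(set)
    for ev in events:
        if (ev["user"], ev.get("parent")) not in BASELINE:  # skip approved automation
            per_host[ev["host"]] |= indicators(ev)
    return {h: sorted(c) for h, c in per_host.items() if len(c) >= threshold}
```

Running `cluster(EVENTS)` flags only ws01; the deployment-agent activity on srv02 is excluded by the baseline rather than by lowering the threshold.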
Mitigation priorities
- Establish or confirm centralized logging for PowerShell, process creation, WMI, scheduled tasks, script hosts, endpoint file activity, and egress traffic on Windows systems.
- Restrict and monitor administrative scripting and living-off-the-land utilities according to operational need, with special attention to PowerShell, WMI, mshta, and scheduled tasks.
- Harden endpoint controls against unauthorized script execution, obfuscated command execution, dropped tools, and suspicious file deletion while preserving approved administration workflows.
- Apply least privilege so ordinary user accounts cannot create persistent scheduled tasks, run broad discovery, or access sensitive local data beyond business need.
- Segment and monitor egress paths so unusual proxy-mediated outbound communication and tool transfer attempts are visible and reviewable.
Analyst notes and limits
The most decision-relevant point is that POWERSTATS is described as a PowerShell-based first-stage backdoor, so native Windows telemetry and script governance are likely to determine whether an organization can see and scope activity. ATT&CK also relates the malware to MuddyWater and to many techniques spanning discovery, execution, stealth, C2, collection, and exfiltration, which supports using it as a scenario for SOC and IR readiness exercises. The supplied object does not include aliases except external-reference naming for POWERSTATS/Powermud, and does not provide official detection text.
This take is limited to the supplied ATT&CK fields, external references, and relationships. The malware object platform is Windows; related techniques may list additional platforms, but those do not expand the supported platform claim for POWERSTATS here. ATT&CK tactics are not specified on the object itself, and no official detection is provided. Local environment baselines, logging configuration, and incident evidence are required to determine actual exposure or coverage.
POWERSTATS
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1559.001 | Component Object Model | POWERSTATS can use DCOM (targeting the 127.0.0.1 loopback address) to execute additional payloads on compromised hosts. (Citation: FireEye MuddyWater Mar 2018) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | POWERSTATS can deobfuscate the main backdoor code. (Citation: ClearSky MuddyWater Nov 2018) |
| Enterprise | T1033 | System Owner/User Discovery | POWERSTATS has the ability to identify the username on the compromised host. (Citation: TrendMicro POWERSTATS V3 June 2019) |
| Enterprise | T1036.004 | Masquerade Task or Service | POWERSTATS has created a scheduled task named "MicrosoftEdge" to establish persistence. (Citation: ClearSky MuddyWater Nov 2018) |
| Enterprise | T1087.001 | Local Account | POWERSTATS can retrieve usernames from compromised hosts. (Citation: FireEye MuddyWater Mar 2018) |
| Enterprise | T1518.001 | Security Software Discovery | POWERSTATS has detected security tools. (Citation: FireEye MuddyWater Mar 2018) |
| Enterprise | T1218.005 | Mshta | POWERSTATS can use Mshta.exe to execute additional payloads on compromised hosts. (Citation: FireEye MuddyWater Mar 2018) |
| Enterprise | T1047 | Windows Management Instrumentation | POWERSTATS can use WMI queries to retrieve data from compromised hosts. (Citation: FireEye MuddyWater Mar 2018)(Citation: ClearSky MuddyWater Nov 2018) |
| Enterprise | T1029 | Scheduled Transfer | POWERSTATS can sleep for a given number of seconds. (Citation: FireEye MuddyWater Mar 2018) |
| Enterprise | T1082 | System Information Discovery | POWERSTATS can retrieve OS name/architecture and computer/domain name information from compromised hosts. (Citation: FireEye MuddyWater Mar 2018)(Citation: TrendMicro POWERSTATS V3 June 2019) |
| Enterprise | T1132.001 | Standard Encoding | POWERSTATS encoded C2 traffic with base64. (Citation: Unit 42 MuddyWater Nov 2017) |
| Enterprise | T1090.002 | External Proxy | POWERSTATS has connected to C2 servers through proxies. (Citation: FireEye MuddyWater Mar 2018) |
| Enterprise | T1559.002 | Dynamic Data Exchange | POWERSTATS can use DDE to execute additional payloads on compromised hosts. (Citation: FireEye MuddyWater Mar 2018) |
| Enterprise | T1059.001 | PowerShell | POWERSTATS uses PowerShell for obfuscation and execution. (Citation: Unit 42 MuddyWater Nov 2017)(Citation: ClearSky MuddyWater Nov 2018)(Citation: TrendMicro POWERSTATS V3 June 2019)(Citation: DHS CISA AA22-055A MuddyWater February 2022) |
| Enterprise | T1016 | System Network Configuration Discovery | POWERSTATS can retrieve IP, network adapter configuration information, and domain from compromised hosts. (Citation: FireEye MuddyWater Mar 2018)(Citation: TrendMicro POWERSTATS V3 June 2019) |
| Enterprise | T1005 | Data from Local System | POWERSTATS can upload files from compromised hosts. (Citation: FireEye MuddyWater Mar 2018) |
| Enterprise | T1685 | Disable or Modify Tools | POWERSTATS can disable Microsoft Office Protected View by changing Registry keys. (Citation: FireEye MuddyWater Mar 2018) |
| Enterprise | T1053.005 | Scheduled Task | POWERSTATS has established persistence through a scheduled task using the command |
| Enterprise | T1573.002 | Asymmetric Cryptography | POWERSTATS has encrypted C2 traffic with RSA. (Citation: FireEye MuddyWater Mar 2018) |
| Enterprise | T1027.010 | Command Obfuscation | POWERSTATS uses character replacement, PowerShell environment variables, and XOR encoding to obfuscate code. POWERSTATS's backdoor code is a multi-layer obfuscated, encoded, and compressed blob. (Citation: FireEye MuddyWater Mar 2018)(Citation: ClearSky MuddyWater Nov 2018) POWERSTATS has used PowerShell code with custom string obfuscation. (Citation: TrendMicro POWERSTATS V3 June 2019) |
| Enterprise | T1070.004 | File Deletion | POWERSTATS can delete all files on the C:\, D:\, E:\, and F:\ drives using PowerShell Remove-Item commands. (Citation: FireEye MuddyWater Mar 2018) |
| Enterprise | T1059.005 | Visual Basic | POWERSTATS can use VBScript (VBE) code for execution. (Citation: ClearSky MuddyWater Nov 2018)(Citation: TrendMicro POWERSTATS V3 June 2019) |
| Enterprise | T1059.007 | JavaScript | POWERSTATS can use JavaScript code for execution. (Citation: ClearSky MuddyWater Nov 2018) |
| Enterprise | T1105 | Ingress Tool Transfer | POWERSTATS can retrieve and execute additional PowerShell payloads from the C2 server. (Citation: FireEye MuddyWater Mar 2018) |
| Enterprise | T1113 | Screen Capture | POWERSTATS can retrieve screenshots from compromised hosts. (Citation: FireEye MuddyWater Mar 2018)(Citation: TrendMicro POWERSTATS V3 June 2019) |
| Enterprise | T1027.016 | Junk Code Insertion | POWERSTATS has used useless code blocks to counter analysis. (Citation: TrendMicro POWERSTATS V3 June 2019) |
| Enterprise | T1057 | Process Discovery | POWERSTATS has used |
Groups, software, and campaigns
G0069: MuddyWater
MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).[1] Since at least 2017, MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, finance, defense, and oil and natural gas organizations, in the Middle East (specifically the UAE and Saudi Arabia), Asia, Africa, Europe, and North America. MuddyWater has reused domains dating back to October 2025, and has a preference for NameCheap and Hosterdaddy Private Limited (AS136557). In late 2025 and early 2026, MuddyWater used commercial satellite internet (i.e., Starlink) for command and control (C2) communication. [2][3][4][5][6][7][8][9][10][11][12][13]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.3 | | Current bundle | 63ecb084bb4d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Unit 42 MuddyWater Nov 2017: Lancaster, T. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.
- [2] ClearSky MuddyWater Nov 2018: ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
- [3] POWERSTATS (Citation: Unit 42 MuddyWater Nov 2017)(Citation: ClearSky MuddyWater Nov 2018)
- [4] Powermud (Citation: Symantec MuddyWater Dec 2018)
- [5] Symantec MuddyWater Dec 2018: Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
- [6] mitre-attack S0223
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.