S1037: STARWHALE
STARWHALE is a Windows Script File (WSF) backdoor that has been used by MuddyWater, possibly since at least November 2021; there is also a STARWHALE variant written in Golang with similar capabilities. Security researchers have also noted the use of STARWHALE by UNC3313, which may be associated with MuddyWater.[1][2]
Analyst context for executives and security teams
STARWHALE matters because it is a Windows backdoor, described as a Windows Script File with a Golang variant, that ATT&CK links to discovery, persistence, command execution, collection, staging, command-and-control, and exfiltration behaviors. For leaders, the practical issue is not the malware name alone; it is whether Windows endpoint, script, service, registry, and web-traffic telemetry can prove what happened if a user-opened malicious file leads to backdoor activity.
Executive priority
Prioritize STARWHALE as a readiness test for Windows endpoint visibility, user-executed malicious file handling, persistence control, and outbound web-channel monitoring. Because ATT&CK associates it with MuddyWater and references government and commercial targeting in the cited reporting, organizations in regulated or operationally sensitive sectors should ensure incident response can quickly answer: which host executed the file, what commands ran, what data was staged, and whether data left over C2-like web traffic.
Technical view
ATT&CK provides no official detection text, so SOC and IR validation should be relationship-driven. On Windows systems, validate coverage for WSF/VB and cmd execution, suspicious parent-child process chains from user-opened files, creation or modification of Windows services, Registry Run key or Startup Folder persistence, local discovery commands, local data staging, encoded or encrypted artifacts, and outbound web-protocol communications that may carry encoded data. Detection engineering should map STARWHALE coverage to the related techniques: T1204.002, T1059.003, T1059.005, T1543.003, T1547.001, T1033, T1016, T1082, T1005, T1074.001, T1071.001, T1132.001, T1027.013, and T1041.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Script execution telemetry for Windows Script File, Visual Basic, and related interpreters
- File creation/modification events for suspicious scripts, encoded files, and local staging locations
- Windows Registry monitoring for Run keys and Startup Folder persistence
- Windows service creation and modification events
Detection direction
- Confirm that user-opened malicious file execution is correlated with subsequent script, cmd, discovery, persistence, and network activity rather than treated as isolated alerts.
- Tune for suspicious WSF/VB/cmd execution chains, especially when followed by system, user, or network discovery and outbound web traffic.
- Monitor Windows service creation/modification and Registry Run key or Startup Folder changes, with allowlisting for legitimate software deployment and administration tools to reduce false positives.
- Look for encoded or encrypted file content and standard encoding in network traffic, but avoid relying on encoding alone because legitimate applications also encode data.
- Validate visibility into local data staging before exfiltration; many programs create temporary files, so prioritize staging combined with discovery, unusual process lineage, or outbound C2-like web traffic.
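As an added example (not part of the ATT&CK object or the Glexia analysis), the correlation logic described above applied to a few constructed Sysmon-style events. The three rules are built from the procedure text in the techniques table (an Office parent spawning a script host with a `.wsf` argument, an `sc create` whose binpath runs `cscript.exe`, and a script host writing under `HKCU\...\CurrentVersion\Run`); the event field names, the Office parent list and the sample events are assumptions.

```python
import re

# Constructed sample events (not real telemetry), loosely shaped like Sysmon process-create and registry events.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "parent": "EXCEL.EXE", "image": "wscript.exe",
     "cmdline": r"wscript.exe C:\Users\u\AppData\Local\Temp\w7_1.wsf"},
    {"type": "process", "host": "ws01", "parent": "wscript.exe", "image": "sc.exe",
     "cmdline": r'sc create Windowscarpstss binpath= "cmd.exe /c cscript.exe '
                r'c:\windows\system32\w7_1.wsf humpback_whale" start= "auto" obj= "LocalSystem"'},
    {"type": "registry", "host": "ws01", "image": "wscript.exe",
     "target": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OutlookM"},
    {"type": "process", "host": "ws02", "parent": "explorer.exe", "image": "sc.exe",
     "cmdline": "sc query wuauserv"},
]

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}  # assumed list
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT_RE = re.compile(r"\.(wsf|vbs|vbe|js|jse)\b", re.IGNORECASE)
SC_CREATE_RE = re.compile(r"\bsc(?:\.exe)?\s+create\b", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)


def classify(ev):
    """Return the ATT&CK technique IDs one event suggests (empty list if nothing matched)."""
    hits = []
    image = ev.get("image", "").lower()
    if ev["type"] == "process":
        cmd = ev.get("cmdline", "")
        # Office app spawning a script host with a script file argument: T1204.002 -> T1059.005.
        if ev.get("parent", "").lower() in OFFICE_PARENTS and image in SCRIPT_HOSTS and SCRIPT_EXT_RE.search(cmd):
            hits += ["T1204.002", "T1059.005"]
        # 'sc create' whose binpath runs a script host or script file, like the table's service command: T1543.003.
        if SC_CREATE_RE.search(cmd) and (any(h in cmd.lower() for h in SCRIPT_HOSTS)
                                         or SCRIPT_EXT_RE.search(cmd)):
            hits.append("T1543.003")
    elif ev["type"] == "registry":
        # Script host writing a value under a Run key: T1547.001.
        if image in SCRIPT_HOSTS and RUN_KEY_RE.search(ev.get("target", "")):
            hits.append("T1547.001")
    return hits


def correlate(events):
    """Group hits per host; escalate when user execution and a persistence technique co-occur."""
    per_host = {}
    for ev in events:
        for tid in classify(ev):
            per_host.setdefault(ev["host"], set()).add(tid)
    return {h: {"techniques": sorted(t),
                "severity": "high" if "T1204.002" in t and t & {"T1543.003", "T1547.001"} else "medium"}
            for h, t in per_host.items()}
```

Running `correlate(SAMPLE_EVENTS)` reports only `ws01`, at high severity, because the benign `sc query` on `ws02` matches no rule; the isolated alerts on `ws01` are joined into one host-level finding.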
Mitigation priorities
- Harden Windows endpoints against unnecessary script execution and restrict risky file types where business processes allow.
- Apply least privilege so user-executed files have limited ability to create services, modify persistence locations, or access sensitive local data.
- Monitor and control Windows service changes, Registry Run keys, and Startup Folder entries as high-value persistence surfaces.
- Strengthen email, download, and user-execution controls for malicious file scenarios, while maintaining response playbooks for when a user opens a file.
- Ensure outbound web traffic inspection, logging, and egress controls are sufficient to investigate command-and-control and exfiltration-over-C2-channel behavior.
Analyst notes and limits
The object is a malware entry for STARWHALE in ATT&CK Enterprise, platform Windows, with no official detection guidance and no tactics listed on the malware object itself. The defensive interpretation is therefore derived from the official description, external references, and ATT&CK relationships showing techniques the malware uses. The relationship to MuddyWater and references to UNC3313 should guide intelligence context and prioritization, but local evidence is required for any incident attribution.
ATT&CK does not provide indicators, detection analytics, specific commands, C2 infrastructure, hashes, or confirmed local exposure in the supplied fields. Related technique platform lists include non-Windows platforms, but STARWHALE itself is supplied as Windows; coverage statements should be validated against the organization’s Windows environment and actual telemetry.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1082 | System Information Discovery | STARWHALE can gather the computer name of an infected host.[1][2] |
| Enterprise | T1543.003 | Windows Service Sub-technique | STARWHALE has the ability to create the following Windows service to establish persistence on an infected host: `sc create Windowscarpstss binpath= "cmd.exe /c cscript.exe c:\\windows\\system32\\w7_1.wsf humpback_whale" start= "auto" obj= "LocalSystem"`.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | STARWHALE can exfiltrate collected data to its C2 servers.[2] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | STARWHALE can establish persistence by installing itself in the startup folder, whereas the GO variant has created a `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OutlookM` registry key.[2][1] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | STARWHALE has the ability to contact actor-controlled C2 servers via HTTP.[1][2] |
| Enterprise | T1033 | System Owner/User Discovery | STARWHALE can gather the username from an infected host.[1][2] |
| Enterprise | T1204.002 | Malicious File Sub-technique | STARWHALE has relied on victims opening a malicious Excel file for execution.[2] |
| Enterprise | T1059.005 | Visual Basic Sub-technique | STARWHALE can use the VBScript function `GetRef` as part of its persistence mechanism.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | STARWHALE has the ability to collect the IP address of an infected host.[2] |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | STARWHALE has been obfuscated with hex-encoded strings.[2] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | STARWHALE has the ability to execute commands via `cmd.exe`.[1] |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | STARWHALE has the ability to hex-encode collected data from an infected host.[2] |
| Enterprise | T1005 | Data from Local System | STARWHALE can collect data from an infected local host.[2] |
| Enterprise | T1074.001 | Local Data Staging Sub-technique | STARWHALE has stored collected data in a file called `stari.txt`.[1] |
Groups, software, and campaigns
G0069: MuddyWater
MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).[1] Since at least 2017, MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, finance, defense, and oil and natural gas organizations, in the Middle East (specifically the UAE and Saudi Arabia), Asia, Africa, Europe, and North America. MuddyWater has reused domains dating back to October 2025, and has a preference for NameCheap and Hosterdaddy Private Limited (AS136557). In late 2025 and early 2026, MuddyWater used commercial satellite internet (i.e., Starlink) for command and control (C2) communication.[2][3][4][5][6][7][8][9][10][11][12][13]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 8727708bf272… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Mandiant UNC3313 Feb 2022: Tomcik, R. et al. (2022, February 24). Left On Read: Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity. Retrieved August 18, 2022.
[2] DHS CISA AA22-055A MuddyWater February 2022: FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
[3] CANOPY (Citation: DHS CISA AA22-055A MuddyWater February 2022)
[4] mitre-attack S1037
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.