S1047: Mori
Mori is a backdoor that has been used by MuddyWater since at least January 2022.[1][2]
Analyst context for executives and security teams
Mori is a Windows backdoor tracked in ATT&CK and linked, through MITRE relationships, to MuddyWater use since at least January 2022. Its practical significance is not just the malware name: the linked behaviors point to command-and-control over common web and DNS protocols, registry interaction, encoded or junk C2 data, file deletion, and use of regsvr32 for proxy execution. For leaders, this makes Mori a useful test case for whether endpoint, DNS, proxy, and Windows registry telemetry can support fast containment and evidence-based incident response when a backdoor blends into normal administrative and web traffic.
Executive priority
Prioritize Mori as a coverage-validation object rather than a standalone indicator list. The business question is whether the organization can detect and investigate Windows backdoor activity that uses ordinary protocols and native Windows components. This matters for operational resilience, audit evidence, and incident decision-making because gaps in DNS/web logging, endpoint process telemetry, registry monitoring, or retention can delay scoping and containment.
Technical view
ATT&CK provides no official detection text for Mori, so SOC and IR teams should validate coverage through the related techniques: T1071.001 Web Protocols, T1071.004 DNS, T1001.001 Junk Data, T1132.001 Standard Encoding, T1012 Query Registry, T1112 Modify Registry, T1070.004 File Deletion, T1140 Deobfuscate/Decode Files or Information, and T1218.010 Regsvr32. Focus on Windows endpoint execution context, regsvr32 process behavior, registry reads/writes, suspicious file deletion after execution, and network sessions where web or DNS traffic contains unusual structure, encoding, volume, or destination patterns.
Likely telemetry
- Windows endpoint process creation and command-line telemetry, especially regsvr32.exe execution
- Module load and parent-child process context for regsvr32.exe where available
- Windows Registry query and modification events
- File creation and deletion telemetry on Windows hosts
- DNS query and response logs
Detection direction
- Do not rely on malware name matching alone; validate behavior-based detections mapped to the related ATT&CK techniques.
- Tune regsvr32 detections for suspicious parent processes, unusual command-line arguments, unexpected network activity, and nonstandard DLL or script registration patterns while accounting for legitimate administrative use.
- Baseline DNS and web traffic so encoded, padded, high-entropy, rare-domain, or unusual beacon-like behavior can be reviewed without overwhelming analysts.
- Correlate registry discovery or modification with subsequent network connections, file deletion, or deobfuscation activity to reduce false positives.
- Confirm that telemetry retention is long enough to reconstruct activity if file deletion removes local artifacts.
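One way to turn the technical view and the detection directions above into running logic, as an added example that is not code from this page, MITRE, CISA or Glexia: the script below scores a regsvr32.exe launch for suspicious parent, remote scriptlet, user-writable DLL path or odd extension, then alerts only when the same host shows, inside a short window, registry activity under the HKLM\Software\NFC path the ATT&CK rows report for Mori, a network connection from that process, or deletion of the registered DLL. The Sysmon-like event schema, the parent-process list, the 10-minute window and the sample events are assumptions and constructed data; the registry path and the FML.dll name are the only details taken from the Mori procedure rows.

```python
"""Correlate Mori-style endpoint behaviors across Sysmon-like events.
Added example, not MITRE, CISA or Glexia code. Event schema, parent list,
window and sample events are assumptions/constructed; HKLM\\Software\\NFC\\
and FML.dll come from the ATT&CK rows for Mori."""
from datetime import datetime, timedelta
import re

MORI_REG_PREFIX = "hklm\\software\\nfc\\"      # T1012 / T1112 rows on this page
# Parents that rarely launch regsvr32.exe legitimately (assumption; tune locally).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powershell.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = re.compile(r"\\(users|programdata|windows\\temp)\\", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def regsvr32_target(cmdline):
    """Last non-switch argument of a regsvr32 command line, quotes removed."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    for tok in reversed(tokens[1:]):
        if not tok.startswith(("/", "-")):
            return tok.strip('"')
    return ""


def regsvr32_reasons(ev):
    """Reasons a process-create event for regsvr32.exe looks suspicious; [] = benign."""
    if ev["type"] != "process_create" or basename(ev["image"]) != "regsvr32.exe":
        return []
    reasons = []
    parent = basename(ev.get("parent_image", ""))
    if parent in SUSPICIOUS_PARENTS:
        reasons.append("parent " + parent)
    if re.search(r"/i:\s*(https?|ftp):", ev["cmdline"], re.IGNORECASE):
        reasons.append("remote scriptlet via /i:")
    target = regsvr32_target(ev["cmdline"])
    if USER_WRITABLE.search(target):
        reasons.append("DLL from user-writable path")
    if target and not target.lower().endswith((".dll", ".ocx", ".ax")):
        reasons.append("non-DLL extension")
    return reasons


def correlate(events, window=timedelta(minutes=10)):
    """Alert on a suspicious regsvr32 launch only when the same host shows, within
    the window, Mori-style registry activity, a network connection from that
    process, or deletion of the registered DLL (the T1070.004 behavior)."""
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["host"], []).append(ev)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for ev in evs:
            reasons = regsvr32_reasons(ev)
            if not reasons:
                continue
            target = basename(regsvr32_target(ev["cmdline"]))
            corroboration = set()
            for other in evs:
                if not ev["ts"] <= other["ts"] <= ev["ts"] + window:
                    continue
                if other["type"] in ("registry_set", "registry_query") \
                        and other["key"].lower().startswith(MORI_REG_PREFIX):
                    corroboration.add("registry:" + other["key"])
                elif other["type"] == "network_connect" and other["pid"] == ev["pid"]:
                    corroboration.add("network:" + other["dest"])
                elif other["type"] == "file_delete" and basename(other["target"]) == target:
                    corroboration.add("file_delete:" + other["target"])
            if corroboration:
                alerts.append({"host": host, "ts": ev["ts"].isoformat(), "pid": ev["pid"],
                               "reasons": reasons, "corroboration": sorted(corroboration)})
    return alerts


def _t(s):
    return datetime.fromisoformat(s)

# Constructed sample: WS-ACCT-07 shows the chain end to end; WS-ENG-02 is a
# vendor installer registering a DLL from Program Files and must not alert.
SAMPLE_EVENTS = [
    {"host": "WS-ACCT-07", "ts": _t("2024-03-04T09:12:01"), "type": "process_create",
     "pid": 4120, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Users\jdoe\AppData\Local\Temp\FML.dll"',
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"host": "WS-ACCT-07", "ts": _t("2024-03-04T09:12:03"), "type": "registry_set",
     "key": r"HKLM\Software\NFC\IPA"},
    {"host": "WS-ACCT-07", "ts": _t("2024-03-04T09:12:09"), "type": "network_connect",
     "pid": 4120, "dest": "203.0.113.45:443"},
    {"host": "WS-ACCT-07", "ts": _t("2024-03-04T09:14:40"), "type": "file_delete",
     "target": r"C:\Users\jdoe\AppData\Local\Temp\FML.dll"},
    {"host": "WS-ENG-02", "ts": _t("2024-03-04T10:02:11"), "type": "process_create",
     "pid": 880, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files (x86)\Vendor\vcomp.dll"',
     "parent_image": r"C:\Windows\System32\msiexec.exe"},
    {"host": "WS-ENG-02", "ts": _t("2024-03-04T10:02:12"), "type": "registry_set",
     "key": r"HKLM\Software\Vendor\Settings"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The benign installer on WS-ENG-02 never reaches the correlation stage because its regsvr32 launch scores no reasons; that is the cheap first filter. The corroboration step is what keeps an alert from firing on an Office macro that registers a DLL but does nothing else, and it is also where retention matters: if the file_delete event or the registry write has aged out, the chain cannot be rebuilt.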
Mitigation priorities
- Ensure Windows endpoint detection and logging are enabled for process, registry, file, and network-linked activity.
- Restrict and monitor abuse-prone signed Windows utilities such as regsvr32 where business operations allow.
- Harden egress controls and DNS/web monitoring so common protocols are not implicitly trusted.
- Review registry permissions and administrative privilege exposure to reduce opportunities for persistence or defense impairment via registry modification.
- Maintain incident response playbooks that connect endpoint containment with DNS/proxy log preservation and registry/file-system evidence collection.
Analyst notes and limits
The supplied ATT&CK object identifies Mori as a Windows backdoor used by MuddyWater and provides relationship context to several techniques. The strongest defensive value comes from those relationships, especially command-and-control over web/DNS protocols, registry interaction, file deletion, encoding, junk data, deobfuscation, and regsvr32 abuse.
MITRE provides no official detection text, aliases, labels, or malware-level tactics for Mori in the supplied fields. This summary does not assert active exploitation, customer exposure, or guaranteed detectability. Local telemetry, asset context, and validated detection content are required to assess actual coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1071.001 | Web Protocols (sub-technique) | Mori can communicate using HTTP over IPv4 or IPv6 depending on a flag set.[1] |
| Enterprise | T1001.001 | Junk Data (sub-technique) | Mori has obfuscated the FML.dll with 200MB of junk data.[1] |
| Enterprise | T1218.010 | Regsvr32 (sub-technique) | Mori can use `regsvr32.exe` for DLL execution.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Mori can resolve networking APIs from strings that are ADD-encrypted.[1] |
| Enterprise | T1071.004 | DNS (sub-technique) | Mori can use DNS tunneling to communicate with C2.[1][2] |
| Enterprise | T1012 | Query Registry | Mori can read data from the Registry including from `HKLM\Software\NFC\IPA` and `HKLM\Software\NFC\`.[1] |
| Enterprise | T1112 | Modify Registry | Mori can write data to `HKLM\Software\NFC\IPA` and `HKLM\Software\NFC\` and delete Registry values.[1][2] |
| Enterprise | T1070.004 | File Deletion (sub-technique) | Mori can delete its DLL file and related files by Registry value.[1] |
| Enterprise | T1132.001 | Standard Encoding (sub-technique) | Mori can use Base64 encoded JSON libraries used in C2.[1] |
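The T1071.004 and T1132.001 rows above describe the network side of Mori's C2: DNS tunneling and Base64-encoded JSON. As an added example, not code from this page, MITRE or CISA, the script below shows the two triage checks a detection engineer would derive from those rows: per-domain scoring of DNS subdomain labels by distinct count, length and entropy, and a strict Base64-to-JSON decoder for HTTP bodies or other captured blobs. The queries and the body are constructed, the registered-domain split (last two labels, with no public-suffix list) and the thresholds are assumptions, and nothing here reproduces Mori's actual encoding or channel layout.

```python
"""Network-side triage for the Mori C2 rows: DNS tunneling (T1071.004) and
Base64-encoded JSON (T1132.001). Added example, not page/MITRE/CISA code.
All inputs are constructed; thresholds and the two-label domain split are
assumptions to replace with local baselines and a public-suffix list."""
import base64
import json
import math
import random
from collections import defaultdict


def shannon_entropy(s):
    """Bits per character of the string (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decode_b64_json(blob):
    """Return the parsed object if blob is standard or URL-safe Base64 of a JSON
    object/array (padding optional); otherwise None. Strict validation avoids
    'decoding' arbitrary text into garbage bytes."""
    s = "".join(blob.split())               # tolerate wrapped transport encodings
    s += "=" * (-len(s) % 4)                # restore stripped padding
    for altchars in (None, b"-_"):
        try:
            raw = base64.b64decode(s, altchars=altchars, validate=True)
            obj = json.loads(raw.decode("utf-8"))
        except ValueError:                  # binascii.Error, UnicodeDecodeError and
            continue                        # JSONDecodeError all derive from it
        if isinstance(obj, (dict, list)):
            return obj
    return None


def dns_tunnel_candidates(queries, min_unique=20, min_len=40, min_entropy=3.5):
    """Group queries by registered domain (assumed: last two labels) and flag
    domains whose subdomain part looks like an encoded data channel: many
    distinct subdomains, long labels, high per-label entropy."""
    by_domain = defaultdict(list)
    for q in queries:
        labels = q.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue
        by_domain[".".join(labels[-2:])].append(".".join(labels[:-2]))
    findings = []
    for domain, subs in sorted(by_domain.items()):
        uniq = len(set(subs))
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if uniq >= min_unique and avg_len >= min_len and avg_ent >= min_entropy:
            findings.append({"domain": domain, "unique_subdomains": uniq,
                             "avg_label_len": round(avg_len, 1),
                             "avg_entropy": round(avg_ent, 2)})
    return findings


# Constructed sample data (not real Mori traffic): a few repeated benign names
# plus 30 queries carrying 30 random bytes each as a Base32 label.
_rng = random.Random(7)
SAMPLE_QUERIES = ["www.example.org", "mail.corp.example", "login.corp.example"] * 5 + [
    base64.b32encode(bytes(_rng.getrandbits(8) for _ in range(30))).decode().lower()
    + ".cdn-sync.example"
    for _ in range(30)
]
SAMPLE_B64_BODY = base64.b64encode(json.dumps({"id": "A1", "cmd": "ls"}).encode()).decode()

if __name__ == "__main__":
    print(dns_tunnel_candidates(SAMPLE_QUERIES))
    print(decode_b64_json(SAMPLE_B64_BODY), decode_b64_json("aGVsbG8="))
```

The three DNS features are deliberately combined rather than used alone: a CDN produces many distinct short subdomains, a single long label is common in legitimate DKIM or certificate-validation lookups, and only the combination of many, long and high-entropy labels to one registered domain is rare in a baselined environment. The decoder is strict on purpose; `validate=True` and the dict/list check mean a random text fragment cannot be reported as "Base64 JSON".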
Groups, software, and campaigns
G0069: MuddyWater
MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).[1] Since at least 2017, MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, finance, defense, and oil and natural gas organizations, in the Middle East (specifically the UAE and Saudi Arabia), Asia, Africa, Europe, and North America. MuddyWater has reused domains dating back to October 2025, and has a preference for NameCheap and Hosterdaddy Private Limited (AS136557). In late 2025 and early 2026, MuddyWater used commercial satellite internet (i.e., Starlink) for command and control (C2) communication. [2][3][4][5][6][7][8][9][10][11][12][13]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 8b683107940d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] DHS CISA AA22-055A MuddyWater February 2022
FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
[2] CYBERCOM Iranian Intel Cyber January 2022
Cyber National Mission Force. (2022, January 12). Iranian intel cyber suite of malware uses open source tools. Retrieved September 30, 2022.
[3] mitre-attack S1047
MITRE ATT&CK source record for S1047.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.