MITRE ATT&CK Group G0069, MuddyWater, is a cyber-espionage group active since at least 2017 and attributed by the US Cyber Command in January 2022 and a five-agency joint advisory the following month to Iran's Ministry of Intelligence and Security (MOIS). The original CISA, FBI, NSA, US Cyber Command Cyber National Mission Force, and UK National Cyber Security Centre joint advisory AA22-055A, published on February 24, 2022, was the first public attribution by a Western coalition. Three weeks earlier, US Cyber Command had posted more than a dozen malware samples to VirusTotal, naming the actor and the PowGoop loader, Mori backdoor, and DNS-tunneling C2 explicitly. Seven months after that, the US Department of the Treasury sanctioned MOIS itself on September 9, 2022 for cyber-enabled activities against the United States and its allies.
This is original Stingrai threat-intel research, written for defenders. The same actor is tracked under at least ten cluster names across the industry: Earth Vetala (Trend Micro), MERCURY and Mango Sandstorm (Microsoft Threat Intelligence), Static Kitten (CrowdStrike), Seedworm (Symantec / Broadcom), TEMP.Zagros (Mandiant), TA450 (Proofpoint), MuddyKrill (Microsoft), Boggy Serpens (Palo Alto Networks Unit 42), and GreenGolf (Recorded Future). The profile that follows summarizes attribution, target sectors and regions, the chronology of named campaigns from 2017 through May 2026, the MITRE ATT&CK technique mapping a SOC analyst can lift into a coverage matrix, the documented custom and commodity tooling catalog, eight CVEs verified at NIST NVD that MuddyWater has used for initial access, and concrete defender mitigations. We close with a forward outlook for 2026 and a defender FAQ.
Stingrai is an offensive-security firm founded in 2021 and headquartered in Toronto, Canada, with a second office in London, UK. Team certifications include OSCE3, OSCP, OSWE, OSED, OSEP, CREST CRT, CISSP, CRTO, GCPN, CRTE, and eWPTX. The team has 18 published CVEs (Ivan Spiridonov 10, Moaaz Taha 5, Victor Villar 3), a 5.0/5.0 average across 19 Clutch reviews, and an internal AI pentest agent named Snipe trained on more than 6,000 HackerOne disclosures. Stingrai presents research at DEFCON and BSIDES. Lead data anchoring this profile is full-year 2025 telemetry and 2026 disclosures published between January and May 2026, the freshest available as of May 26, 2026. Every figure links to a named primary publisher so any claim can be audited inline.
TL;DR: 10 labeled claims
MITRE ATT&CK ID: G0069. Active since: "at least 2017" (MITRE ATT&CK G0069, last modified May 12, 2026). Attribution: "subordinate element within the Iranian Ministry of Intelligence and Security (MOIS)" per CISA AA22-055A (Feb 24, 2022).
Coalition attribution (Feb 24, 2022): Joint advisory co-authored by five agencies: FBI, CISA, NSA, US Cyber Command Cyber National Mission Force, and UK NCSC (CISA AA22-055A).
US Cyber Command attribution (Jan 12, 2022): First US-government public attribution to Iranian MOIS, with malware samples posted to VirusTotal (reporting via The Record).
US Treasury OFAC sanctions (Sep 9, 2022): Iranian Ministry of Intelligence and Security and the Minister of Intelligence sanctioned for "engaging in cyber-enabled activities against the United States and its allies" (US Treasury Press Release JY0941).
Aliases tracked: at least 10 distinct cluster names across the threat-intel industry (Earth Vetala, MERCURY, Static Kitten, Seedworm, TEMP.Zagros, Mango Sandstorm, TA450, MuddyKrill, Boggy Serpens, GreenGolf) (MITRE ATT&CK G0069).
Sectors targeted (per CISA AA22-055A): "telecommunications, defense, local government, and oil and natural gas," with corroborating Unit 42 coverage adding maritime, aviation, financial, and education sectors (Unit 42, March 16, 2026).
Regions targeted (per CISA AA22-055A): "Asia, Africa, Europe, and North America," with corroborating Microsoft and Unit 42 coverage adding "the Middle East (specifically the UAE and Saudi Arabia)" (CISA AA22-055A; Unit 42, March 16, 2026).
MITRE ATT&CK techniques used: 65-plus entries across all 11 ATT&CK tactics (MITRE ATT&CK G0069).
Custom malware in MITRE Software: 12-plus named families, from POWERSTATS (S0223) and PowGoop (S1046) through Small Sieve (S1035), STARWHALE (S1037), Mori (S1047), and the newer MuddyViper / Fooder / Tsundere Botnet / LP-Notes / RustyWater generation series, plus DCHSpy (S1243) Android surveillanceware (MITRE ATT&CK Software).
Most recent disclosure (May 2026 cutoff): Unit 42's March 16, 2026 Boggy Serpens Threat Assessment documents a four-wave campaign against Middle East energy and maritime targets running August 16, 2025 through February 11, 2026, plus the Rust-based RustyWater RAT and Starlink-based C2 abuse (Unit 42, March 16, 2026).
Key takeaways
MuddyWater is a long-tenured, state-aligned cyber-espionage actor with formal US-government attribution. Treat the group with the same intelligence-cycle discipline you would APT29, APT41, or any other named state actor. Western-coalition attribution arrived in 2022; the data has only firmed up since.
Initial access leans on phishing and public-facing exploitation, but the operational signature in 2024-2026 is RMM-tool abuse. MuddyWater first used SimpleHelp on June 30, 2022 and has since cycled through ScreenConnect, Atera Agent, RemoteUtilities, Level, PDQ Connect, and Splashtop as first-stage payloads. RMM inventory and egress monitoring are first-class defender controls against this actor.
The PowerShell era did not end; it widened. POWERSTATS (2017) and SHARPSTATS (2019) opened the catalog; PowGoop (2020-2022) layered DLL side-loading on top; Mori added DNS-tunneling C2. Recent generations include the Rust-based RustyWater RAT and the CNG-cryptography-based MuddyViper. PowerShell logging, AMSI, and constrained-language mode still matter.
The actor has used at least eight CVEs for initial access, all verifiable at NVD. CVE-2017-0199, CVE-2017-11882, CVE-2018-20250, CVE-2020-0688, CVE-2020-1472 (Zerologon), CVE-2021-44228 (Log4Shell), CVE-2022-26134 (Confluence), and CVE-2023-27350 (PaperCut) form the documented exploit shortlist. Patching this set is non-optional for any 2026 enterprise.
Detection requires looking for behavior, not just IOCs. Unit 42's March 2026 guidance: "look beyond sender reputation and automated spam filters and focus on detecting underlying behavioral anomalies." That maps directly to specific signals in identity, endpoint, and network telemetry that we enumerate later in this profile.
Fundamentals carry most of the defender value. MFA on perimeter accounts, restricted PowerShell, application allowlisting, RMM-tool inventory audits, scheduled-task auditing, and network segmentation between identity tiers do most of the work. The newest 2026 toolchain still relies on the same human and systemic weaknesses that worked in 2017.
Methodology
Date cutoff: May 26, 2026. The lead data anchoring this profile is full-year 2025 telemetry from named primary publishers plus 2026 disclosures published between January and May 2026, the freshest available as of the cutoff. Where multiple primary publishers report compatible information, the publisher with the most direct methodology window is cited. Secondary aggregators are cited only where they constitute the public record of a corporate announcement or named disclosure.
Source curation: US-government primary attribution (CISA, FBI, NSA, US Cyber Command, US Treasury OFAC, NVD) plus MITRE ATT&CK Enterprise and ATT&CK Software, plus Western-vendor threat-intel research from Microsoft Threat Intelligence, Mandiant (now Google Cloud Threat Intelligence), CrowdStrike, Cisco Talos, Palo Alto Networks Unit 42, Trend Micro, Proofpoint, HarfangLab, Sekoia.io, Symantec / Broadcom, Recorded Future, ESET, and Lookout. UK NCSC content is included where the agency co-authored CISA advisories. Claims that could not be reached on at least one verification pass against a named primary source were dropped rather than estimated. Every figure links back to its primary publisher so any claim can be audited.
This profile is original Stingrai threat-intel research. It is not framed as a response to or commentary on any other vendor's MuddyWater write-up. Other vendors are cited only where their data point is genuinely additive (for example, where a vendor disclosed first or maintains the canonical statistic for a particular metric).

Figure 1: Chronology of named MuddyWater public disclosures, 2017 through March 2026. Sources: MITRE ATT&CK G0069; CISA AA22-055A; Microsoft Threat Intelligence; Proofpoint TA450 brief, March 21, 2024; Sekoia, July 15, 2024; Unit 42, March 16, 2026.
Aliases and attribution
MuddyWater is one of the most heavily aliased actors in the public threat-intel catalog. The same group is tracked under at least ten distinct cluster names across the major vendors. The differences are largely cosmetic; the underlying tradecraft, infrastructure overlaps, and victim sets line up.
| Alias | Tracking vendor or agency |
|---|---|
| MuddyWater | Palo Alto Networks (first 2017 public disclosure), MITRE ATT&CK |
| Earth Vetala | Trend Micro |
| MERCURY (and later Mango Sandstorm) | Microsoft Threat Intelligence |
| Static Kitten | CrowdStrike |
| Seedworm | Symantec / Broadcom |
| TEMP.Zagros | Mandiant |
| TA450 | Proofpoint |
| MuddyKrill | Microsoft |
| Boggy Serpens | Palo Alto Networks Unit 42 |
| GreenGolf | Recorded Future |
The formal US-government attribution arrived in two steps. On January 12, 2022, US Cyber Command stated on Twitter that "Iranian MOIS hacker group MuddyWater is using a suite of malware to conduct espionage and malicious activity," and posted more than a dozen malware samples to VirusTotal, including PowGoop and Mori. Six weeks later, on February 24, 2022, the CISA-led joint advisory AA22-055A co-authored by FBI, CISA, NSA, US Cyber Command Cyber National Mission Force, and UK NCSC formalized the attribution. The advisory characterizes MuddyWater as "a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS)" conducting "cyber espionage and other malicious cyber operations" against government and private-sector organizations across "telecommunications, defense, local government, and oil and natural gas" in "Asia, Africa, Europe, and North America." Seven months later, on September 9, 2022, US Treasury OFAC sanctioned the MOIS itself and the Iranian Minister of Intelligence for "engaging in cyber-enabled activities against the United States and its allies."
Mandiant has been tracking the actor as TEMP.Zagros since 2017. Cisco Talos's March 10, 2022 supergroup analysis described MuddyWater as "a conglomerate of smaller teams, with each team using different targeting tactics against specific regions of the world." Cisco's analyst team observes that "U.S. Cyber Command recently connected MuddyWater to Iran's Ministry of Intelligence and Security (MOIS)."
Target sectors and regions
Target sectors per the CISA-led joint advisory are "telecommunications, defense, local government, and oil and natural gas." Corroborating vendor research adds finance, education, NGOs, maritime, aviation, government broadly, and critical infrastructure to the documented set. Regional targeting in CISA's wording: "Asia, Africa, Europe, and North America." Microsoft and Unit 42 both add "the Middle East (specifically the UAE and Saudi Arabia)" to that list (CISA AA22-055A; Unit 42, March 16, 2026).
In its Boggy Serpens Threat Assessment of March 16, 2026, Palo Alto Networks Unit 42 documents recent activity against "government, military and critical infrastructure sectors" including "maritime, aviation and financial sectors" across "the Middle East, the Caucasus, Central and Western Asia, South America and Europe," with specific 2025-2026 targeting of organizations in Saudi Arabia, the UAE, Turkmenistan, Egypt, Hungary, and Turkey. Proofpoint's March 21, 2024 brief on TA450 documented a phishing campaign running March 7 through 11, 2024, targeting "large multinational organizations" in "global manufacturing, technology, and information security companies." Proofpoint's April 17, 2025 ClickFix analysis documents the November 13-14, 2024 campaign hitting "at least 39 organizations in the Middle East" with primary targeting density in the UAE and Saudi Arabia.

Figure 2: MuddyWater target sectors documented in primary US-government and Western-vendor sources, 2017 through May 2026. Sources: CISA AA22-055A; MITRE ATT&CK G0069; Unit 42, March 16, 2026; Proofpoint, March 21, 2024.
Chronology of named campaigns
The chronology below traces MuddyWater across nine years, using only named US-government advisories and Western-vendor primary disclosures. Years where multiple disclosures occurred are summarized; the focus is the chain of evidence that ties the actor to specific tradecraft over time.
2017: First public disclosure and POWERSTATS
Palo Alto Networks first publicly documented MuddyWater in November 2017 after campaigns running February through October targeted organizations across Saudi Arabia, Iraq, the UAE, Georgia, India, Pakistan, Turkey, and the United States. The initial tradecraft was malicious Office documents and PowerShell payloads, with POWERSTATS (MITRE S0223) as the first-stage backdoor. The 2017 disclosure also called out region-specific decoy documents designed to look like communications from local government bodies, a tell-tale of the actor's spear-phishing tradecraft that has persisted into 2026.
2018: Seedworm and the 130-victim Symantec disclosure
By September 2018, Symantec (now part of Broadcom) tracked the actor as Seedworm and documented over 130 victims across 30 organizations in the Middle East, Europe, and North America. Custom tooling expanded to include Powermud, Powemuddy, and the credential-theft tools LaZagne (MITRE S0349) and CrackMapExec (MITRE S0488). The TTPs from this period set the playbook for the next five years: a PowerShell-based first-stage backdoor, commodity credential dumping, scheduled-task persistence, and HTTP-based C2.
2020-2021: PowGoop, Mori, and SimpleHelp adoption
The DLL side-loading evolution arrived with PowGoop (MITRE S1046), described in MITRE's Software entry as "a loader that consists of a DLL loader and a PowerShell-based downloader" that performs "DLL side-loading of Goopdate.dll into GoogleUpdate.exe" and "disguises malicious files as legitimate components." The Mori backdoor (MITRE S1047) added DNS-tunneling C2. US Cyber Command's January 2022 VirusTotal release explicitly called out both PowGoop and Mori as core to the MuddyWater toolset.
January-February 2022: US Cyber Command attribution and CISA AA22-055A
The first formal US-government attribution arrived on January 12, 2022, with US Cyber Command's release tying MuddyWater to Iranian MOIS and publishing malware samples to VirusTotal. On February 24, 2022, the five-agency CISA-led joint advisory AA22-055A (FBI, CISA, NSA, US Cyber Command CNMF, UK NCSC) formalized the attribution and called out variants of "PowGoop, Small Sieve, Canopy (also known as Starwhale), Mori, and POWERSTATS" by name.
Cisco Talos followed on March 10, 2022 with a primary write-up describing MuddyWater as "a conglomerate of smaller teams, with each team using different targeting tactics against specific regions of the world." Talos researchers Asheer Malhotra, Vitor Ventura, and Arnaud Zobec documented WSF-based and PowerShell-based downloaders, the Ligolo reverse-tunneling tool, and ConnectWise remote-access abuse against Turkey, Pakistan, Armenia, the Arabian Peninsula, Jordan, North America, Europe, and Asia.
June 30, 2022 onward: SimpleHelp era
MuddyWater first deployed SimpleHelp on June 30, 2022, beginning what would become a sustained legitimate-RMM-abuse pattern. Over the next four years the actor cycled through ScreenConnect, Syncro, RemoteUtilities, Atera Agent, PDQ Connect, Level, and Splashtop as first-stage payloads. The pattern matters for defenders: legitimate, signed RMM binaries often bypass naive endpoint controls.
September 2022: US Treasury OFAC sanctions
US Treasury Press Release JY0941, September 9, 2022, sanctioned Iran's Ministry of Intelligence and Security and its Minister of Intelligence for "engaging in cyber-enabled activities against the United States and its allies." The Treasury statement explicitly enumerated MOIS cyber proxies' activity against critical infrastructure sectors worldwide.
February-May 2023: MERCURY destructive wiper masquerading as DarkBit ransomware
In early 2023, Microsoft Threat Intelligence disclosed that MERCURY (Mango Sandstorm) had worked in partnership with an actor Microsoft called DEV-1084 (Storm-1084) to carry out destructive wiper attacks under the "DarkBit" ransomware persona on a Middle East educational institution. The campaign targeted both on-premises and Azure cloud environments; the destructive intent was masked as extortion to obfuscate the strategic motivation. In May 2023, Microsoft observed Mango Sandstorm together with Mint Sandstorm exploiting CVE-2023-27350 (PaperCut MF/NG, CVSS 9.8) for initial access. PaperCut was a high-leverage target because compromised print management infrastructure pivots quickly to identity and network primitives.
March 2024: TA450 PDF-and-RMM phishing campaign
Proofpoint's March 21, 2024 brief documented a TA450 spearphishing campaign running March 7 through 11, 2024 against "large multinational organizations" in "global manufacturing, technology, and information security companies." Phishing emails carried PDF attachments with embedded links to file-sharing platforms (Egnyte, OneHub, Sync, TeraBox); clicking the links triggered ZIP downloads containing MSI installers that deployed Atera Agent. Sender domains were compromised .il accounts pretending to be salary or HR contacts. Proofpoint's attribution language: "Iranian intel cyber suite" linked to "Iran's Ministry of Intelligence and Security" per January 2022 US Cyber Command attribution.
April-July 2024: BugSleep, MuddyRot, and the Atera-to-custom-implant shift
HarfangLab disclosed MuddyWater infection chains using SimpleHelp (2023) and Atera (2023-2024) on April 22, 2024. By May 2024, the actor introduced BugSleep, a custom backdoor designed to partially replace legitimate RMM payloads. BugSleep used heavy Sleep API calls and mutex creation for anti-sandbox evasion and decrypted its C2 IP and port at runtime; it has been documented by multiple Western threat-intel teams and is included in CrowdStrike's Static Kitten profile.
Sekoia's July 15, 2024 report described MuddyRot, a custom implant the actor used to replace Atera as a campaign validator. MuddyRot supports "Upload file, Download file, Reverse shell, Kill process, Delete Task, Create scheduled task," establishes persistence through scheduled tasks, and communicates "via raw TCP on port 443." Sekoia documented C2 IPs 91.235.234[.]202 and 146.19.143[.]14 and noted spearphishing entry via compromised email accounts and Egnyte-hosted PDFs leading to ZIP archives.
November 13-14, 2024: ClickFix campaign
Proofpoint's April 17, 2025 ClickFix analysis documents a two-day TA450 campaign on November 13 and 14, 2024 that sent phishing emails from support@microsoftonlines[.]com, an attacker-controlled domain impersonating Microsoft, to "at least 39 organizations in the Middle East." Primary targeting density was in the UAE and Saudi Arabia. Subject line: "Urgent Security Update Required, Immediate Action Needed." Infrastructure was newly registered as of January 2025 and largely hosted on compromised systems in South Korea using dynamic DNS services. This was Proofpoint's first observation of state-sponsored use of the ClickFix social-engineering pattern by an Iran-nexus actor.
September 2024 to March 2025: trojanized RMM installers and file-sharing platform abuse
A sustained campaign ran from September 30, 2024 through March 18, 2025 in which MuddyWater "heavily relied on spearphishing tactics directing victims to file-sharing platforms including OneHub, Egnyte, and Mega to download trojanized RMM installers" (corroborated across Western-vendor reporting).
October 2025: Phoenix Backdoor v4 wave
In October 2025, MuddyWater launched a phishing campaign using compromised mailboxes that targeted "more than 100 government and critical infrastructure organizations across the Middle East and North Africa," deploying a custom Phoenix Backdoor v4 along with FakeUpdate Loader and Chromium_Stealer. Phoenix has continued in subsequent waves into 2026.
December 2025: MuddyViper and the Fooder Snake-game-masquerade malware
In December 2025, ESET researchers identified a new MuddyWater campaign that introduced MuddyViper as a successor backdoor and Fooder, a dropper component that visually masquerades as the classic Snake game, hence the campaign name. Several Fooder variants implement a "custom delay function that implements the core logic of the Snake game, combined with Sleep API calls, intended to delay execution in an attempt to hide malicious behavior from automated analysis systems." MuddyViper enables the operators to "collect system information, execute files and shell commands, transfer files, and exfiltrate Windows login credentials and browser data." ESET noted that the campaign showed "increased precision, strategic targeting, and a more advanced toolset," including adoption of Microsoft's Cryptography API: Next Generation (CNG) cryptographic API. ESET also observed that the operators "deliberately avoided hands-on-keyboard interactive sessions" during the campaign, an evolution toward more automated, agent-friendly tradecraft.
August 2025 to February 2026: Four-wave Middle East maritime and energy campaign
Palo Alto Networks Unit 42's Boggy Serpens Threat Assessment, March 16, 2026, documents a four-wave campaign against a Middle East energy and maritime company:
Wave 1, August 16, 2025: Engineering-themed VBA-macro lures.
Wave 2, January 30, 2026: Financial-deception Excel files.
Wave 3, January 30, 2026: Fake Air Arabia flight reservations delivering a new GhostBackDoor.
Wave 4, February 11, 2026: Consumption-report lure delivering a Nuso HTTP_VIP payload.
Unit 42 also documents account-hijacking activity in August 2025 (Omani Ministry of Foreign Affairs mailbox compromise) and January 6, 2026 (Turkmenistan telecom internal-account compromise). Unit 42 names tooling families Phoenix, BugSleep, UDPGangster (UDP-based C2), LampoRAT (Rust-based RAT, also called Olalampo), BlackBeard (Rust backdoor), Nuso (HTTP_VIP backdoor), and GhostBackDoor (newly documented). Unit 42 characterizes the operational evolution: early campaigns were "high-volume, low-sophistication," while recent activity shows "adoption of the Rust programming language and the integration of AI-assisted techniques."
2024-2025: DCHSpy Android surveillanceware
MITRE ATT&CK Software S1243 catalogs DCHSpy as Android malware "likely developed and maintained by MuddyWater" that "uses political decoys and masquerades as legitimate applications, such as VPNs and banking applications" to distribute itself. Lookout first acquired a DCHSpy-laden "Hide VPN" sample in July 2023. New samples were observed disguised as Earth VPN and Comodo VPN in mid-2025. DCHSpy implements audio and video capture, location tracking, call-log and contact-list theft, SMS reading, and WhatsApp data theft, and exfiltrates the collected data to attacker-controlled C2. Distribution leverages malicious URLs shared over messaging platforms including Telegram. DCHSpy is the only mobile-platform tool in MuddyWater's MITRE-cataloged toolset, which extends the actor's collection surface to the mobile devices of high-value targets.
MITRE ATT&CK technique mapping
MuddyWater's documented tradecraft maps to 65-plus MITRE ATT&CK Enterprise technique IDs across all 11 ATT&CK tactics. The table below summarizes the heaviest-hit techniques per tactic; the G0069 group page carries the complete list.

Figure 3: MITRE ATT&CK tactic-to-technique matrix for MuddyWater, summarizing the highest-leverage techniques per tactic. Source: MITRE ATT&CK G0069, last modified May 12, 2026.
| Tactic | Selected technique IDs and short descriptions |
|---|---|
| Reconnaissance (TA0043) | T1590.004 (Gather Victim Network Information: Network Topology), T1684.001 (Social Engineering: Domain Impersonation) |
| Resource Development (TA0042) | T1583.001 (Acquire Infrastructure: Domain registration), T1583.006 (Web Services for tool distribution), T1588.001 (Obtain Capabilities: Malware), T1588.002 (Obtain Capabilities: Tool) |
| Initial Access (TA0001) | T1566 / T1566.001 / T1566.002 (Phishing / Spearphishing Attachment / Spearphishing Link), T1190 (Exploit Public-Facing Application; e.g., CVE-2020-0688), T1534 (Internal Spearphishing using compromised mailboxes) |
| Execution (TA0002) | T1059.001 (PowerShell), T1059.003 (Windows Command Shell), T1059.005 (Visual Basic / VBScript), T1059.006 (Python), T1059.007 (JavaScript), T1559.001 (COM / DCOM / Outlook), T1559.002 (Dynamic Data Exchange), T1203 (Exploitation for Client Execution; e.g., CVE-2017-0199), T1204.001 / T1204.002 / T1204.004 (User Execution including ClickFix), T1218.003 (CMSTP.exe), T1218.005 (Mshta.exe), T1218.011 (Rundll32.exe), T1047 (WMI) |
| Persistence (TA0003) | T1137.001 (Office Application Startup: Normal.dotm), T1547.001 (Registry Run Keys / Startup Folder), T1053.005 (Scheduled Task) |
| Privilege Escalation (TA0004) | T1548.002 (Abuse Elevation Control Mechanism: Bypass UAC), T1574.001 (DLL Side-Loading via PowGoop / Goopdate.dll into GoogleUpdate.exe) |
| Defense Evasion (TA0005) | T1027.003 (Steganography), T1027.004 (Compile After Delivery via csc.exe), T1027.010 (PowerShell obfuscation), T1036.005 (Match Legitimate Name or Location), T1132.001 (Standard Encoding: Base64), T1140 (Deobfuscate Files), T1685 (Disable or Modify Tools: proxy settings), T1685 + T1027 obfuscation chains |
| Credential Access (TA0006) | T1003.001 (LSASS Memory: Mimikatz / procdump), T1003.004 (LSA Secrets), T1003.005 (Cached Domain Credentials), T1555 / T1555.003 (Credentials from Password Stores; Browsers), T1552.001 (Unsecured Credentials: Credentials in Files), T1210 (Exploitation of Remote Services; e.g., CVE-2020-1472 Zerologon) |
| Discovery (TA0007) | T1057 (Process Discovery), T1083 (File and Directory Discovery, scanning for AV product names), T1082 (System Information Discovery), T1518.001 (Security Software Discovery), T1016 (System Network Configuration Discovery), T1049 (System Network Connections Discovery), T1033 (System Owner / User Discovery), T1087.002 (Account Discovery: Domain Account), T1518 (Software Discovery via Skype connectivity checks) |
| Lateral Movement (TA0008) | T1210 (Exploitation of Remote Services), living-off-the-land techniques layered with RMM tools |
| Collection (TA0009) | T1113 (Screen Capture), T1074.001 (Local Data Staged), T1560.001 (Archive Collected Data via makecab.exe) |
| Command and Control (TA0011) | T1071.001 (Application Layer Protocol: Web Protocols / HTTP), T1090 / T1090.002 (Proxy / External Proxy, including NordVPN abuse), T1102.002 (Bidirectional Communication via Web Service), T1104 (Multi-Stage Channels: separate command and data C2), T1571 (Non-Standard Port: 8043, 8848), T1573.001 (Encrypted Channel: AES), T1219.002 (Remote Access Tools: RMM solutions) |
| Exfiltration (TA0010) | T1041 (Exfiltration Over C2 Channel), T1567.002 (Exfiltration Over Web Service: Cloud Storage, including Wasabi) |
The takeaway for a SOC architect: the same 11 ATT&CK tactics that cover any APT cover MuddyWater. The differentiator is which techniques are heaviest. The MuddyWater signature is the dense overlap of T1059.001 PowerShell with T1574.001 DLL side-loading, T1053.005 scheduled tasks, T1219.002 RMM abuse, T1071.001 HTTP-based C2, and T1567.002 cloud-storage exfiltration. Detection coverage that fires on this stack catches most of the operational tradecraft.
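As an added example written for this profile (not code from any cited vendor, and not MuddyWater tooling), the script below correlates Sysmon-style endpoint events per host against the technique stack named above and fires only when several techniques from that stack overlap on one host. The RMM name list and C2 ports come from this profile; the PowerShell launch patterns, the "GoogleUpdate.exe outside Program Files" test, the scripting-host web-connection test and the sample events are constructed assumptions, not a vendor detection rule.

```python
"""Host-level correlation of the MuddyWater technique stack over Sysmon-style events.

Constructed example for this profile: the RMM names and ports below are taken
from the profile text; the regexes, path heuristics and sample events are
assumptions made for illustration, not any vendor's detection content.
"""
import re
from collections import defaultdict

# RMM products the profile names as MuddyWater first-stage payloads (T1219.002).
# Short names such as "level" are broad substrings; tighten them for production use.
RMM_NAMES = ("simplehelp", "screenconnect", "syncro", "remoteutilities",
             "atera", "pdq connect", "pdqconnect", "level", "splashtop", "connectwise")
# Non-standard C2 ports listed in the profile's Command and Control row (T1571).
NONSTANDARD_C2_PORTS = {8043, 8848}
# PowerShell launch patterns typical of script-based first stages (T1059.001);
# an assumed heuristic, not a quote from any advisory.
PS_SUSPICIOUS = re.compile(
    r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s|-nop\b|-w(?:indowstyle)?\s+hidden"
    r"|downloadstring|\biex\b|invoke-expression")
# Tool the profile maps to cloud-storage exfiltration (T1567.002).
EXFIL_TOOLS = ("rclone.exe",)


def classify(event):
    """Return the set of stack technique IDs that a single event matches."""
    kind = event.get("type")
    image = event.get("image", "").lower()
    base = image.rsplit("\\", 1)[-1]
    cmd = event.get("cmdline", "").lower()
    hits = set()
    if kind == "process":
        if base in ("powershell.exe", "pwsh.exe") and PS_SUSPICIOUS.search(cmd):
            hits.add("T1059.001")
        if base == "schtasks.exe" and "/create" in cmd:
            hits.add("T1053.005")
        if any(name in image or name in cmd for name in RMM_NAMES):
            hits.add("T1219.002")
        if base in EXFIL_TOOLS:
            hits.add("T1567.002")
    elif kind == "image_load":
        loaded = event.get("loaded", "").lower()
        # PowGoop pattern: Goopdate.dll side-loaded into GoogleUpdate.exe that runs
        # from outside the vendor install path (the path test is an assumed heuristic).
        if (base == "googleupdate.exe" and loaded.endswith("goopdate.dll")
                and not image.startswith("c:\\program files")):
            hits.add("T1574.001")
    elif kind == "network":
        port = event.get("dest_port")
        if port in NONSTANDARD_C2_PORTS:
            hits.add("T1571")
        elif port in (80, 443) and base in ("powershell.exe", "pwsh.exe",
                                            "mshta.exe", "rundll32.exe"):
            hits.add("T1071.001")  # web C2 from a scripting host (assumed heuristic)
    return hits


def correlate(events):
    """Union the technique hits per host, sorted for stable output."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= classify(ev)
    return {host: sorted(techs) for host, techs in per_host.items()}


def alerts(events, min_techniques=3):
    """Hosts where enough of the stack co-occurs to warrant triage.

    A lone RMM install or a single odd PowerShell launch does not fire on its
    own; the dense overlap described in the profile is what raises the alert.
    """
    return {h: t for h, t in correlate(events).items() if len(t) >= min_techniques}


# Constructed sample telemetry (not real IOCs): one host showing the overlap,
# one IT server running a sanctioned RMM, one workstation running a benign script.
SAMPLE_EVENTS = [
    {"host": "WS-FIN-07", "type": "process",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc AAAA"},
    {"host": "WS-FIN-07", "type": "image_load",
     "image": "C:\\Users\\Public\\GoogleUpdate.exe",
     "loaded": "C:\\Users\\Public\\goopdate.dll"},
    {"host": "WS-FIN-07", "type": "process",
     "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks /create /sc minute /mo 15 /tn GoogleUpdater "
                "/tr C:\\Users\\Public\\GoogleUpdate.exe"},
    {"host": "WS-FIN-07", "type": "network",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "dest_ip": "203.0.113.10", "dest_port": 8043},
    {"host": "SRV-IT-01", "type": "process",
     "image": "C:\\Program Files\\SimpleHelp\\Remote Access.exe",
     "cmdline": "\"C:\\Program Files\\SimpleHelp\\Remote Access.exe\""},
    {"host": "WS-HR-02", "type": "process",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -file C:\\Scripts\\backup.ps1"},
]

if __name__ == "__main__":
    for host, techs in alerts(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(techs)}")
```

Feed the same records from a SIEM export and the alert threshold becomes a cheap first-pass filter before an analyst pulls the full G0069 technique list.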
Custom and commodity tooling catalog
MuddyWater operates a mixed-tooling model: custom malware for high-value implants, commodity offensive frameworks for routine post-exploitation, and legitimate signed RMM binaries for stealth persistence. The MITRE ATT&CK Software pages anchor the canonical names.

Figure 4: MuddyWater tooling catalog, split between custom malware (MITRE ATT&CK Software) and commodity RMM and offensive tools. Sources: MITRE ATT&CK Software; Unit 42, March 16, 2026; Sekoia, July 15, 2024.
Custom malware (selected)
| Family | MITRE Software | Function | First documented |
|---|---|---|---|
| POWERSTATS | S0223 | PowerShell first-stage backdoor with reconnaissance and persistence | 2017 |
| SHARPSTATS | | .NET successor backdoor | 2019 |
| Small Sieve | S1035 | Telegram-API custom malware | 2022 |
| STARWHALE (aka Canopy) | S1037 | WSF / JScript backdoor | 2022 |
| PowGoop | S1046 | DLL loader plus PowerShell downloader (side-loads Goopdate.dll into GoogleUpdate.exe) | 2020-2022 |
| Mori | S1047 | DNS-tunneling backdoor | 2022 |
| BugSleep | corroborated in Western-vendor catalogs and the CrowdStrike Static Kitten profile | Anti-sandbox sleep-heavy backdoor that partially replaced RMM payloads | May 2024 |
| MuddyRot | | Custom implant replacing Atera, raw-TCP-on-443 C2 | July 2024 |
| Phoenix Backdoor v4 | corroborated across Western-vendor coverage | High-volume government and critical-infrastructure backdoor | October 2025 |
| MuddyViper | catalog and ESET WeLiveSecurity, December 2025 | CNG-cryptography-based backdoor with Snake-game-masquerade dropper Fooder | December 2025 |
| LampoRAT (Olalampo), BlackBeard, Nuso (HTTP_VIP), UDPGangster, GhostBackDoor | | Rust-based RATs and UDP / HTTP / new modular backdoors in 2025-2026 waves | Aug 2025 to Feb 2026 |
| RustyWater | catalog | Rust-based RAT supporting Starlink C2 abuse | 2026 |
| DCHSpy | S1243 | Android surveillanceware masquerading as VPN / banking apps; audio, video, location, SMS, WhatsApp data | 2023 onward |
Commodity and legitimate tooling
| Tool | Role | MITRE / Source |
|---|---|---|
| Atera Agent | Legitimate RMM, used as first-stage payload | Proofpoint TA450 brief |
| SimpleHelp | Legitimate RMM, used since June 30, 2022 | Proofpoint / corroborated |
| ScreenConnect | Legitimate RMM | Sekoia / HarfangLab |
| RemoteUtilities | Legitimate RMM | |
| ConnectWise | Legitimate RMM | |
| Level | Legitimate RMM (first observed by Proofpoint Nov 2024) | Proofpoint |
| PDQ Connect | Legitimate RMM | Proofpoint |
| Mimikatz | Credential dumping | |
| LaZagne | Credential extraction | |
| CrackMapExec | Lateral movement and credential testing | |
| PowerSploit | Offensive PowerShell framework | |
| Empire | Post-exploitation framework | |
| Koadic | C3 backdoor framework | |
| Out1 | Custom utility for living-off-the-land scripting | |
| Rclone | Cloud-storage exfiltration | |
| NordVPN, dynamic DNS, compromised file-sharing accounts (Egnyte, OneHub, Sync, TeraBox, Mega) | Infrastructure obfuscation | Proofpoint, Sekoia, multiple |
CVEs MuddyWater has exploited
The CVE shortlist below covers the documented MuddyWater exploit catalog through May 2026. Each CVE is verified at NIST NVD. Anyone running a 2026 enterprise asset inventory should treat this set as the patch-priority floor.
| CVE | Product | CVSS | Date published | Vulnerability type |
|---|---|---|---|---|
| CVE-2017-0199 | Microsoft Office and Windows (multiple versions) | 7.8 HIGH (CVSS 3.1) | Apr 12, 2017 | Remote code execution via crafted Office document |
| CVE-2017-11882 | Microsoft Office Equation Editor | 7.8 HIGH | Nov 14, 2017 | Memory corruption (CWE-119) |
| CVE-2018-20250 | WinRAR ACE format | 7.8 HIGH | Feb 5, 2019 | Absolute path traversal |
| CVE-2020-0688 | Microsoft Exchange Server 2010-2019 | 8.8 HIGH | Feb 11, 2020 | Improper authentication leading to RCE |
| CVE-2020-1472 (Zerologon) | Microsoft Netlogon | 10.0 CRITICAL | Aug 17, 2020 | Elevation of privilege to domain admin |
| CVE-2021-44228 (Log4Shell) | Apache Log4j 2.0-beta9 through 2.15.0 | 10.0 CRITICAL | Dec 10, 2021 | JNDI expression-language injection |
| CVE-2022-26134 | Atlassian Confluence Server / Data Center | 9.8 CRITICAL | Jun 3, 2022 | OGNL injection (unauthenticated RCE) |
| CVE-2023-27350 | PaperCut MF / NG 8.0 through 22.0.9 | 9.8 CRITICAL | Apr 20, 2023 | Improper access control (auth bypass to SYSTEM RCE) |
CISA AA22-055A explicitly highlighted MuddyWater's exploitation of CVE-2020-0688 (Exchange) and CVE-2020-1472 (Zerologon). Microsoft's May 2023 disclosure tied Mango Sandstorm to CVE-2023-27350 exploitation. MITRE's G0069 page maps CVE-2017-0199 to the T1203 technique entry under MuddyWater's documented usage. Western-vendor research has documented WinRAR (CVE-2018-20250) and Equation Editor (CVE-2017-11882) lure-document tradecraft. Log4Shell (CVE-2021-44228) and Confluence OGNL (CVE-2022-26134) are documented across multiple corroborating sources for 2022 exploitation activity.
The eight-CVE shortlist is the patching floor for any organization in MuddyWater's documented target sectors. None of these are zero days; all eight have public, vendor-blessed remediations. The actor has demonstrated repeatedly that legacy unpatched exposures are the path of least resistance against the target set.
Infrastructure patterns
MuddyWater's C2 and staging infrastructure mixes several recurring patterns. The dataset below comes from US Cyber Command's January 2022 disclosure, the CISA AA22-055A IOC annex, Proofpoint's TA450 briefs, Sekoia's July 2024 MuddyRot report, and Unit 42's March 2026 assessment.
Compromised legitimate email accounts as senders. Spearphishing typically originates from previously compromised mailboxes inside trusted regional organizations. Proofpoint's March 2024 brief documented compromised .il accounts used to phish multinational targets; Unit 42's March 2026 assessment documents Omani Ministry of Foreign Affairs and Turkmenistan telecom internal-account compromises.
Newly registered impersonation domains. The November 2024 ClickFix campaign used microsoftonlines[.]com (registered November 2024). Subdomains often impersonate vendor support or update endpoints.
Dynamic DNS plus compromised hosting in atypical regions. ClickFix infrastructure was "newly registered as of January 2025 and largely hosted on compromised systems in South Korea using dynamic DNS services."
File-sharing services as second-stage delivery channels. Egnyte, OneHub, Sync, TeraBox, and Mega host ZIP-packaged MSI installers, PDFs with embedded links, and trojanized RMM bundles.
Raw TCP on standard-looking ports. MuddyRot communicates "via raw TCP on port 443," not HTTPS. The port-vs-protocol mismatch is a high-value defender signal.
Non-standard ports for HTTP-style C2. CISA AA22-055A documents MuddyWater C2 on ports 8043 and 8848.
Commercial satellite internet as C2 in 2026. Reporting on 2026 activity notes "MuddyWater used commercial satellite internet (i.e., Starlink) for command and control (C2) communication" in late 2025 and early 2026. Defenders accustomed to traditional egress-IP geolocation analytics need to update playbooks for satellite-uplink AS numbers and IP ranges.
DLL side-loading to hijack legitimate signed binaries. PowGoop side-loads Goopdate.dll into GoogleUpdate.exe per MITRE's S1046 entry. The pattern repeats across the actor's loader generations.
Defender detection signals
Unit 42's March 2026 guidance: "Organizations must look beyond sender reputation and automated spam filters and focus on detecting underlying behavioral anomalies." The detection ideas below translate that guidance into specific signals across three observability layers. They are derived from public CISA, Microsoft, Cisco Talos, Unit 42, Sekoia, HarfangLab, and Proofpoint guidance; they are not novel custom detections from Stingrai.

Figure 5: Defender detection signals derived from MuddyWater's public TTP catalog, organized across identity, endpoint, and network observability layers. Sources: CISA AA22-055A; Unit 42, March 16, 2026; MITRE ATT&CK G0069; Microsoft Threat Intelligence.
Identity layer
Anomalous internal-mailbox-to-third-party-domain phishing patterns. Internal Spearphishing (T1534) from a legitimate-looking sender mailbox is the strongest single signal. Tune detection on outbound message volume spikes from individual mailboxes, especially after off-hours-only logons or password-reset events.
MFA-bypass and OAuth consent grants on Microsoft 365 or Azure AD. The DEV-1084 / MERCURY DarkBit campaign hinged on hybrid cloud compromise via stolen identity primitives.
Compromised file-sharing accounts (Egnyte, OneHub, Sync, TeraBox, Mega) used to host attacker payloads. Monitor for outbound downloads of ZIP archives or MSI installers from these services by users who do not have a documented business reason.
Endpoint layer
RMM binary installation by non-IT user accounts. The single highest-leverage MuddyWater-specific signal in 2024-2026. Maintain a tight inventory of authorized RMM products in your environment (one vendor per environment is the goal) and alert on installation, registration, or first-run of any other RMM binary. Atera, SimpleHelp, ScreenConnect, RemoteUtilities, Level, PDQ Connect, ConnectWise, and Splashtop have all been used.
PowerShell with -EncodedCommand, -NoProfile, -WindowStyle Hidden, or -ExecutionPolicy Bypass flags. Especially on hosts without a documented administrative role. Enable PowerShell Script Block Logging (Event ID 4104), Module Logging, and Transcription, plus AMSI integration with your EDR.
DLL side-loading on GoogleUpdate.exe. PowGoop loads Goopdate.dll into the legitimate signed GoogleUpdate.exe. Sysmon image-load (Event ID 7) on GoogleUpdate.exe is the primary detection vector.
Scheduled-task creation by non-administrator processes. MuddyRot and Phoenix both establish persistence via scheduled tasks. Audit Win32_ScheduledJob and Task Scheduler creations; baseline normal task names per host class.
csc.exe compilation of in-memory PowerShell artifacts. The Compile After Delivery technique (T1027.004) is a recurring MuddyWater pattern.
mshta.exe, rundll32.exe, cmstp.exe execution chains. All three are documented MuddyWater system-binary-proxy execution patterns; baseline them at the parent-process-and-command-line level.
Network layer
Raw TCP on port 443 that is not TLS. MuddyRot's signature. Inspect the first 64 bytes of each port-443 session for a TLS Client Hello; flag sessions that lack one.
Outbound HTTP-style C2 to non-standard ports (8043, 8848). Documented in CISA AA22-055A IOC annex.
Telegram-API egress (api.telegram.org) from non-marketing-or-developer endpoints. Small Sieve uses the Telegram bot API for command and control.
DNS query bursts to attacker-controlled second-level domains. Mori's DNS tunneling drives high-volume DNS-over-UDP to a small set of unfamiliar zones. Tune detection on per-host DNS query rate and unique apex-domain count.
Egress to commercial satellite-uplink IP ranges (e.g., Starlink AS numbers) from non-mobile workstations. Update your egress GeoIP and ASN allow-lists.
Egress to cloud-storage exfiltration endpoints not on your sanctioned list. Wasabi is documented; Rclone targets vary. Combine DLP egress with policy-driven cloud-storage allow-lists.
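Two of the network signals above can be checked from packet payloads and resolver logs alone. The following is an added example for this profile, not Stingrai tooling and not code from Sekoia, CISA or any other cited source. It implements the port-443 check by parsing the TLS record and handshake headers (content type 0x16, record version 3.x, handshake type 0x01, consistent lengths) rather than string-matching, flags egress to the 8043/8848 ports the advisory documents, and groups DNS queries per host and apex so that a zone receiving many distinct query names stands out from a merely busy host. The session and log formats, the minimal ClientHello bytes and the resolver log lines are all constructed for the example, and the apex-domain split is the naive last-two-labels form.

```python
from collections import Counter, defaultdict
from typing import Dict, FrozenSet, List

TLS_HANDSHAKE_RECORD = 0x16          # TLS record content type "handshake"
TLS_CLIENT_HELLO = 0x01              # handshake message type ClientHello
NONSTANDARD_C2_PORTS = {8043, 8848}  # ports documented in CISA AA22-055A


def is_tls_client_hello(first_bytes: bytes) -> bool:
    """Return True if the first bytes of a session are a TLS record carrying a ClientHello.

    Record type 0x16, record version 0x03 0x00-0x03 (TLS 1.3 keeps 0x0301 or 0x0303
    on the record layer), a 2-byte record length, handshake type 0x01 and a 3-byte
    handshake length equal to the record length minus the 4-byte handshake header.
    """
    if len(first_bytes) < 9:
        return False
    if first_bytes[0] != TLS_HANDSHAKE_RECORD or first_bytes[1] != 0x03 or first_bytes[2] > 0x03:
        return False
    record_len = int.from_bytes(first_bytes[3:5], "big")
    if first_bytes[5] != TLS_CLIENT_HELLO:
        return False
    handshake_len = int.from_bytes(first_bytes[6:9], "big")
    return handshake_len + 4 == record_len


def flag_sessions(sessions: List[Dict]) -> List[Dict]:
    """Flag port-443 sessions without a ClientHello and sessions to the documented non-standard ports."""
    flagged = []
    for s in sessions:
        if s["dst_port"] == 443 and not is_tls_client_hello(s["first_bytes"]):
            flagged.append({"id": s["id"], "reason": "non-TLS payload on port 443"})
        elif s["dst_port"] in NONSTANDARD_C2_PORTS:
            flagged.append({"id": s["id"], "reason": f"egress to non-standard port {s['dst_port']}"})
    return flagged


def apex_domain(qname: str) -> str:
    """Naive apex (last two labels). A production rule should use the Public Suffix List
    so that names under multi-label suffixes such as co.uk are grouped correctly."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def dns_tunnel_candidates(log_lines: List[str], min_unique_names: int = 50,
                          allowlist: FrozenSet[str] = frozenset()) -> List[Dict]:
    """Group queries per (host, apex) and report apexes that receive many distinct names.

    Tunneling encodes data in ever-changing subdomain labels, so the count of distinct
    names under one unfamiliar apex separates it from a host that repeats the same few
    lookups at high volume. Each log line is "ts host qname" (constructed format).
    """
    names_per_apex: Dict[tuple, set] = defaultdict(set)
    total_per_host: Counter = Counter()
    for line in log_lines:
        _ts, host, qname = line.split()
        total_per_host[host] += 1
        apex = apex_domain(qname)
        if apex in allowlist:
            continue
        names_per_apex[(host, apex)].add(qname.lower())
    return [
        {"host": host, "apex": apex, "unique_names": len(names), "total_queries": total_per_host[host]}
        for (host, apex), names in sorted(names_per_apex.items())
        if len(names) >= min_unique_names
    ]


# Constructed samples, not captured traffic. Minimal ClientHello: record header 16 03 01 00 2d,
# handshake header 01 00 00 29, then version, 32-byte random, empty session id,
# one cipher suite (TLS_AES_128_GCM_SHA256) and null compression.
SAMPLE_CLIENT_HELLO = (b"\x16\x03\x01\x00\x2d\x01\x00\x00\x29" + b"\x03\x03" + bytes(32)
                       + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00")
SAMPLE_SESSIONS = [
    {"id": "s1", "dst_port": 443, "first_bytes": SAMPLE_CLIENT_HELLO},
    {"id": "s2", "dst_port": 443, "first_bytes": b"\x00\x00\x00\x08\x01\x00\x00\x00"},  # length-prefixed binary, no TLS
    {"id": "s3", "dst_port": 8043, "first_bytes": b"POST /api HTTP/1.1\r\n"},
    {"id": "s4", "dst_port": 80, "first_bytes": b"GET / HTTP/1.1\r\n"},
]
SAMPLE_DNS_LOG = (
    [f"1700000{i:03d} 10.0.0.5 {i:08x}.d.tunnel-zone.test" for i in range(120)]  # 120 distinct labels, one zone
    + [f"1700000{i:03d} 10.0.0.9 www.example.com" for i in range(80)]           # busy but repetitive host
    + ["1700000001 10.0.0.7 login.microsoftonline.com", "1700000002 10.0.0.7 www.microsoft.com"]
)

if __name__ == "__main__":
    for f in flag_sessions(SAMPLE_SESSIONS):
        print(f)
    for c in dns_tunnel_candidates(SAMPLE_DNS_LOG, allowlist=frozenset({"microsoft.com", "microsoftonline.com"})):
        print(c)
```

On the sample, s2 (binary framing on 443) and s3 (port 8043) are flagged while the genuine ClientHello and plain port-80 HTTP pass, and only 10.0.0.5 surfaces as a tunnel candidate even though 10.0.0.9 issues nearly as many queries. The header check is deliberately strict about length consistency; a lenient rule that only tests for the 0x16 0x03 prefix is trivially satisfied by non-TLS traffic.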
Defender hardening recommendations
The list below is concrete enough that a security engineer can convert each line into a ticket. It is opinionated on which controls give the most value against this specific actor.
Patch the eight-CVE shortlist. Treat CVE-2017-0199, CVE-2017-11882, CVE-2018-20250, CVE-2020-0688, CVE-2020-1472, CVE-2021-44228, CVE-2022-26134, and CVE-2023-27350 as floor patches. None of these are zero days; all have vendor remediations.
Audit and lock down RMM inventory. Pick one sanctioned RMM product per environment. Block installation and execution of all other RMM binaries via application allowlisting (Windows Defender Application Control or AppLocker on Windows; Gatekeeper plus MDM on macOS). Audit running-binary inventory weekly. Alert on RMM-binary first-run from non-IT user accounts.
Restrict and instrument PowerShell. Enable constrained-language mode where feasible. Enable Script Block Logging (Event ID 4104), Module Logging, and Transcription. Wire AMSI to your EDR. Block PowerShell access for users without a documented administrative role via WDAC or Group Policy.
Harden Office macro execution and disable Equation Editor. Block macros from the internet for all users. Disable Equation Editor (EQNEDT32.EXE) on all endpoints (CVE-2017-11882 remediation). Block CMSTP, MSHTA, and Rundll32 execution from non-IT user contexts where business workflows permit.
MFA on every perimeter account. Including OWA, VPN, RMM admin consoles, file-sharing services (Egnyte, OneHub, Sync, TeraBox, Mega) accessed from corporate identities, and any internet-facing collaboration platform. Phishing-resistant FIDO2 or platform-bound passkeys where possible.
Identity-tier segmentation. Tier 0 domain controllers and Azure AD privileged-identity-management endpoints should live in a separate logical segment from Tier 1 servers and Tier 2 endpoints. The Zerologon (CVE-2020-1472) exploit path is mitigated by patching plus tier separation plus monitoring of Netlogon traffic patterns.
DNS and egress controls. Enforce DNS resolution through inspected resolvers. Use protective DNS (NextDNS, Cisco Umbrella, Cloudflare for Teams Gateway, Mozilla DNS-over-HTTPS via a CASB) with newly-registered-domain blocking. Alert on DNS query bursts to unfamiliar apex domains (Mori detection).
Inspect TLS on egress. Identify port-443 sessions that lack a TLS Client Hello (MuddyRot raw-TCP signature). Block non-standard ports (8043, 8848) outbound by default.
Update egress GeoIP and ASN allow-lists to reflect 2026 reality. Add satellite-uplink AS numbers (Starlink) and dynamic DNS provider ASNs to your monitoring set. Reset assumptions that adversary C2 originates from "suspicious" geographies; in 2026 it may originate from a Starlink hop.
Mobile-device hygiene for high-value-target users. Block sideloading of Android applications. Enforce MDM-managed app stores. Tag users with diplomatic, energy, or maritime portfolios as high-priority device-attestation candidates given the DCHSpy Android-surveillanceware risk surface.
Continuous offensive validation against the documented TTP set. Run quarterly purple-team exercises that explicitly exercise MuddyWater's heaviest techniques: T1566 phishing simulation, T1219.002 RMM-installation attempts from non-IT contexts, T1574.001 DLL side-loading on GoogleUpdate.exe, T1003.001 LSASS-dump attempts. This is where Stingrai's penetration-testing services and the PTaaS engagement model add direct defender value: continuous validation rather than annual point-in-time testing.
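The RMM-inventory recommendation above ("one sanctioned product, alert on first-run of anything else") is the kind of control that fails quietly when the alert logic keys on file names, since agent and installer binary names change between versions. The following is an added example for this profile, not Stingrai tooling and not any vendor's rule: it matches process-creation events on the Company / Product / Description metadata fields that Sysmon Event 1 records, keeps per-host state so that only the first execution of a non-sanctioned RMM raises an alert, and escalates when the account is outside the IT group. The keyword catalog is derived from the products named in this profile, while the sanctioned product, the IT accounts, the field names and the sample events are constructed assumptions.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Keyword catalog from the RMM products this profile names (assumed spellings for the
# metadata fields). Short generic names such as "level" will need per-environment
# tightening, for instance matching them only in the Company field.
RMM_KEYWORDS = ("atera", "simplehelp", "screenconnect", "remote utilities", "connectwise",
                "level", "pdq connect", "splashtop", "syncro")
# Constructed policy: the single sanctioned RMM and the accounts allowed to run RMM at all.
SANCTIONED_RMM = {"screenconnect"}
IT_ACCOUNTS = {"CORP\\it-admin", "CORP\\helpdesk-svc"}


def rmm_vendor(event: Dict) -> str:
    """Return the RMM keyword matched in the event's metadata fields, or '' if none."""
    haystack = " ".join(event.get(k, "") for k in ("company", "product", "description", "image")).lower()
    for kw in RMM_KEYWORDS:
        if re.search(r"\b" + re.escape(kw) + r"\b", haystack):
            return kw
    return ""


class RmmFirstRunMonitor:
    """Stateful check: alert once per (host, vendor) on the first run of a non-sanctioned RMM."""

    def __init__(self) -> None:
        self.seen: Set[Tuple[str, str]] = set()
        self.repeats: Dict[Tuple[str, str], int] = {}

    def process(self, event: Dict) -> Optional[Dict]:
        vendor = rmm_vendor(event)
        if not vendor or vendor in SANCTIONED_RMM:
            return None
        key = (event["host"], vendor)
        if key in self.seen:                      # already alerted; just count for later review
            self.repeats[key] = self.repeats.get(key, 0) + 1
            return None
        self.seen.add(key)
        severity = "high" if event["user"] not in IT_ACCOUNTS else "medium"
        return {"host": event["host"], "user": event["user"], "vendor": vendor,
                "image": event.get("image", ""), "severity": severity}


# Constructed Sysmon-style process-creation events (metadata values are illustrative).
SAMPLE_EVENTS = [
    {"host": "WS-0412", "user": "CORP\\jdoe", "company": "Atera Networks Ltd.", "product": "AteraAgent",
     "description": "Atera Agent", "image": r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"},
    {"host": "WS-0412", "user": "CORP\\jdoe", "company": "Atera Networks Ltd.", "product": "AteraAgent",
     "description": "Atera Agent", "image": r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"},
    {"host": "WS-0099", "user": "CORP\\helpdesk-svc", "company": "ScreenConnect Software", "product": "ScreenConnect",
     "description": "ScreenConnect Client", "image": r"C:\Program Files (x86)\ScreenConnect Client\client.exe"},
    {"host": "SRV-FS1", "user": "CORP\\it-admin", "company": "SimpleHelp Ltd", "product": "SimpleHelp",
     "description": "Remote Access", "image": r"C:\ProgramData\JWrapper-Remote Access\remote.exe"},
    {"host": "WS-0200", "user": "CORP\\asmith", "company": "Microsoft Corporation", "product": "Microsoft Office",
     "description": "Microsoft Word", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
]


def run_sample() -> List[Optional[Dict]]:
    monitor = RmmFirstRunMonitor()
    return [monitor.process(ev) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for alert in run_sample():
        if alert:
            print(alert)
```

On the sample, the Atera agent on WS-0412 fires once at high severity (the second execution is counted but not re-alerted), the sanctioned ScreenConnect client is ignored, SimpleHelp run by an IT account fires at medium severity because it is still outside the sanctioned set, and Office never matches. Metadata fields are attacker-controllable, so treat this as a high-recall first pass and pair it with the application-allowlisting block the recommendation calls for.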
Forward outlook 2026
Three signals are visible in the named primary-source data published between January and May 2026 that should shape defender planning for the rest of the year.
First, Rust adoption and AI-assisted tradecraft. Unit 42's March 16, 2026 assessment characterizes the operational evolution: "adoption of the Rust programming language and the integration of AI-assisted techniques." That tracks with ESET's December 2025 observation that operators "deliberately avoided hands-on-keyboard interactive sessions," a tell-tale of more automated execution. RustyWater, LampoRAT (Olalampo), and BlackBeard are the three named Rust-based families in the catalog. Defenders should expect the actor's malware corpus to drift toward Rust binaries with smaller statically-linked footprints and reduced telemetry surface, and toward more agent-friendly operational tradecraft.
Second, Starlink and satellite-uplink C2. The pattern of "commercial satellite internet (i.e., Starlink) for command and control" creates a new defender blind spot. Egress GeoIP and ASN allow-lists tuned to legacy threat geographies will miss this. Update playbooks and threat-hunting queries to include satellite-uplink AS numbers.
Third, agent-friendly operational pacing. The shift away from "hands-on-keyboard interactive sessions" is a structural change that aligns MuddyWater with the broader operational pacing of AI-assisted attacker workflows seen across Anthropic's GTG-1002 disclosure of November 13, 2025 and Mandiant's M-Trends 2026 finding that the median initial-access-to-secondary-handoff time collapsed to 22 seconds in 2025. The MuddyWater operational tempo is not yet at the GTG-1002 multi-target machine-speed scale, but the trajectory points in that direction. Stingrai covers this broader trend in detail in our analysis of the AI cyber-attack landscape in 2026 and our defender analysis of the Anthropic Mythos / GTG-1002 disclosure.
The 2026 defender response is not novel. It is fundamentals tuned to the right tempo: patch the documented exploit shortlist, tighten RMM-tool inventory, restrict PowerShell, instrument identity-tier separation, and run continuous offensive validation that exercises the documented technique set. Telemetry that is tuned for human-paced or scanner-paced behavior misses agent-paced behavior; this profile is the input list for what your detection rules should look for.
What this means for Stingrai's clients
Stingrai operates on the defender side of MuddyWater's tradecraft, not the threat-intel reporting side. Three of our service offerings map directly to the MuddyWater technique catalog summarized above:
Network penetration testing. Quarterly external and internal pentests exercise the same initial-access and lateral-movement primitives MuddyWater relies on (T1190, T1003.001, T1574.001, T1219.002). Continuous validation against the documented TTP set is the cheapest way to find your gaps before the actor does.
PTaaS engagements. Continuous, scoped attacker simulation under a managed service model. PTaaS is the right model for organizations in the documented MuddyWater target sectors (telecom, government, defense, oil and gas, finance, education, maritime, aviation), where threat-actor-specific testing should happen more often than annually.
Social-engineering and phishing simulation. MuddyWater's most-used initial-access technique is T1566 phishing, often via compromised legitimate mailboxes (T1534 internal spearphishing). Phishing-simulation exercises that replicate the actor's lure styles and RMM-payload patterns harden users and detection rules together.
We also cover related material in our compromised-credential statistics 2026, phishing statistics 2026, and top industries targeted by hackers 2026 research posts. The MuddyWater target set overlaps heavily with the top-industries list.
Frequently Asked Questions
Who is MuddyWater?
MuddyWater (MITRE ATT&CK G0069) is a state-sponsored cyber-espionage group attributed by US Cyber Command (January 12, 2022) and the five-agency CISA-led joint advisory AA22-055A (February 24, 2022) to Iran's Ministry of Intelligence and Security (MOIS). The same actor is tracked across the threat-intel industry as Earth Vetala, MERCURY, Mango Sandstorm, Static Kitten, Seedworm, TEMP.Zagros, TA450, MuddyKrill, Boggy Serpens, and GreenGolf. The group has been active since at least 2017 and continues to operate as of May 2026.
Who attributed MuddyWater to Iran?
The formal Western-coalition attribution arrived in two steps in early 2022. On January 12, 2022, US Cyber Command tied MuddyWater to Iran's Ministry of Intelligence and Security and posted more than a dozen malware samples to VirusTotal. On February 24, 2022, the CISA-led joint advisory AA22-055A co-authored by FBI, CISA, NSA, US Cyber Command Cyber National Mission Force, and UK NCSC formalized the attribution. On September 9, 2022, US Treasury OFAC sanctioned MOIS itself for cyber-enabled activities.
What sectors does MuddyWater target?
The CISA-led joint advisory documents "telecommunications, defense, local government, and oil and natural gas" sectors. Corroborating Microsoft, Mandiant, Cisco Talos, Proofpoint, and Unit 42 coverage extends the documented set to include finance, education, NGOs, maritime, aviation, government broadly, and critical infrastructure. Regional targeting per CISA covers Asia, Africa, Europe, and North America; Microsoft and Unit 42 (March 16, 2026) add the Middle East (specifically the UAE and Saudi Arabia).
What is the most common MuddyWater initial-access vector?
Spearphishing (MITRE T1566) is the documented primary initial-access vector, often via compromised legitimate mailboxes inside trusted regional organizations (T1534 internal spearphishing). The second documented vector is exploitation of public-facing applications (T1190), including the eight CVEs in the MuddyWater exploit catalog (CVE-2017-0199, CVE-2017-11882, CVE-2018-20250, CVE-2020-0688, CVE-2020-1472, CVE-2021-44228, CVE-2022-26134, and CVE-2023-27350).
What custom malware does MuddyWater use?
MITRE ATT&CK Software catalogs at least 12 named custom families for the group: POWERSTATS, SHARPSTATS, Small Sieve, STARWHALE (Canopy), PowGoop, Mori, MuddyViper, Fooder, Tsundere Botnet, LP-Notes, RustyWater, and the Android-platform DCHSpy. Western-vendor research has also documented BugSleep (2024), MuddyRot (2024), Phoenix Backdoor v4 (2025), and the new LampoRAT, BlackBeard, Nuso, UDPGangster, and GhostBackDoor families per Unit 42's March 16, 2026 assessment.
What CVEs has MuddyWater exploited?
Eight CVEs verified at NIST NVD form the documented exploit catalog: CVE-2017-0199 (Office RCE), CVE-2017-11882 (Equation Editor memory corruption), CVE-2018-20250 (WinRAR path traversal), CVE-2020-0688 (Exchange RCE), CVE-2020-1472 (Zerologon, Netlogon EoP), CVE-2021-44228 (Log4Shell), CVE-2022-26134 (Confluence OGNL injection), and CVE-2023-27350 (PaperCut auth bypass to SYSTEM RCE). All eight have vendor remediations and should sit on every defender's patch-priority floor.
How does MuddyWater abuse RMM tools?
MuddyWater first deployed SimpleHelp on June 30, 2022 and has since cycled through ScreenConnect, Syncro, RemoteUtilities, Atera Agent, ConnectWise, Level, PDQ Connect, and Splashtop as first-stage payloads. Trojanized RMM installers are distributed via spearphishing with PDF attachments containing embedded links to file-sharing platforms (Egnyte, OneHub, Sync, TeraBox, Mega). Defenders should treat any RMM binary outside the sanctioned organizational standard as a hard alert.
What is the MuddyRot implant?
Sekoia documented MuddyRot in July 2024 as a custom backdoor that replaced Atera as MuddyWater's first-stage validator. MuddyRot supports "Upload file, Download file, Reverse shell, Kill process, Delete Task, Create scheduled task," establishes persistence through scheduled tasks, and communicates "via raw TCP on port 443" (not TLS). Defenders should flag port-443 sessions without a TLS Client Hello as a possible MuddyRot signal.
How do defenders detect MuddyWater activity?
Five high-leverage detection signals: (1) RMM binary installation by non-IT user accounts; (2) PowerShell with -EncodedCommand, -NoProfile, -WindowStyle Hidden, or -ExecutionPolicy Bypass flags from non-administrative contexts; (3) DLL side-loading on GoogleUpdate.exe (PowGoop indicator); (4) raw TCP on port 443 lacking a TLS Client Hello (MuddyRot indicator); (5) scheduled-task creation by non-administrator processes (Phoenix and MuddyRot persistence). Unit 42's March 2026 guidance emphasizes detecting "underlying behavioral anomalies" rather than relying on sender reputation or static IOCs.
What recent MuddyWater activity should defenders watch for in 2026?
Unit 42's Boggy Serpens Threat Assessment (March 16, 2026) documents a four-wave campaign against Middle East energy and maritime targets running August 16, 2025 through February 11, 2026, plus the introduction of Rust-based RustyWater and Starlink-based command-and-control communications. The operational signature drift is toward (a) Rust binaries with smaller statically-linked footprints, (b) commercial satellite-uplink egress that bypasses legacy GeoIP and ASN allow-lists, and (c) AI-assisted and agent-friendly operational pacing that aligns with the broader trend documented in Anthropic's GTG-1002 disclosure of November 13, 2025 and Mandiant's M-Trends 2026.
References
CISA, FBI, NSA, US Cyber Command CNMF, UK NCSC. Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks (Advisory AA22-055A). February 24, 2022. https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-055a. The foundational five-agency joint advisory naming MuddyWater as a MOIS-subordinate element and enumerating malware variants and target sectors.
US Cyber Command (via The Record / Recorded Future News). Cyber Command ties hacking group to Iranian intelligence. January 12, 2022. https://therecord.media/cyber-command-ties-hacking-group-to-iranian-intelligence. The first US-government public attribution and the VirusTotal malware-sample release.
US Department of the Treasury. Treasury Sanctions Iranian Ministry of Intelligence and Minister for Malign Cyber Activities (Press Release JY0941). September 9, 2022. https://home.treasury.gov/news/press-releases/jy0941. OFAC designation of MOIS and the Minister of Intelligence for cyber-enabled activities.
MITRE Corporation. MITRE ATT&CK Group G0069 MuddyWater. Last modified May 12, 2026. https://attack.mitre.org/groups/G0069/. The canonical technique-and-software dossier for the group.
MITRE Corporation. MITRE ATT&CK Software entries for POWERSTATS (S0223), SHARPSTATS (S0450), Small Sieve (S1035), STARWHALE (S1037), PowGoop (S1046), Mori (S1047), DCHSpy (S1243), Mimikatz (S0002), PowerSploit (S0194), Koadic (S0250), Empire (S0363), LaZagne (S0349), CrackMapExec (S0488), ConnectWise (S0591), RemoteUtilities (S0592), Out1 (S0594), and Rclone (S1040). https://attack.mitre.org/software/. Canonical software-catalog entries.
Microsoft Threat Intelligence. MERCURY and DEV-1084: Destructive attack on hybrid environment and related Mango Sandstorm reporting. 2023. Coverage of MERCURY / Mango Sandstorm activity tied to CVE-2023-27350 exploitation and destructive-wiper campaigns under the DarkBit persona. https://www.microsoft.com/en-us/security/blog/threat-intelligence/.
Cisco Talos. Iranian linked conglomerate MuddyWater comprised of regionally focused subgroups. March 10, 2022, Malhotra, Ventura, Zobec. https://blog.talosintelligence.com/iranian-supergroup-muddywater/. Primary write-up of MuddyWater as a conglomerate of regional subgroups.
Palo Alto Networks Unit 42. Boggy Serpens Threat Assessment. March 16, 2026. https://unit42.paloaltonetworks.com/boggy-serpens-threat-assessment/. Most recent comprehensive Unit 42 assessment, documenting the August 2025 to February 2026 four-wave Middle East energy and maritime campaign, the Rust-based tooling generation, and Starlink C2 abuse.
Proofpoint. Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign. March 21, 2024. https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta450-uses-embedded-links-pdf-attachments-latest-campaign. Documents the March 2024 PDF-and-AteraAgent phishing campaign and the actor's RMM-tooling history.
Proofpoint. Around the World in 90 Days: State-Sponsored Actors Try ClickFix. April 17, 2025. https://www.proofpoint.com/us/blog/threat-insight/around-world-90-days-state-sponsored-actors-try-clickfix. Documents the November 13-14, 2024 TA450 ClickFix campaign against at least 39 Middle East organizations and the actor's first observed SimpleHelp use on June 30, 2022.
Sekoia.io. MuddyWater replaces Atera by custom MuddyRot implant in a recent campaign. July 15, 2024 (originally published June 20, 2024). https://blog.sekoia.io/muddywater-replaces-atera-by-custom-muddyrot-implant-in-a-recent-campaign/. Primary MuddyRot disclosure with C2 IOCs and capability list.
HarfangLab. MuddyWater campaign abusing Atera Agents. April 22, 2024. https://harfanglab.io/insidethelab/muddywater-rmm-campaign/. Documents SimpleHelp (2023) and Atera (2023-2024) infection-chain telemetry.
Recorded Future, Insikt Group. Iranian Threat Actor Amasses Large Cyber Operations Infrastructure Network to Target Saudi Organizations. Original research on Iran-nexus APT infrastructure overlaps. https://www.recordedfuture.com/research/iranian-cyber-operations-infrastructure.
CrowdStrike. Static Kitten Adversary Profile. https://www.crowdstrike.com/adversaries/static-kitten/. CrowdStrike's profile naming Static Kitten with primary tooling list (POWERSTATS, NTSTATS, DCHSpy, BugSleep, MuddyRot).
National Institute of Standards and Technology, National Vulnerability Database. Verified CVE entries for CVE-2017-0199, CVE-2017-11882, CVE-2018-20250, CVE-2020-0688, CVE-2020-1472, CVE-2021-44228, CVE-2022-26134, and CVE-2023-27350. https://nvd.nist.gov/.
Cisco Talos. Talos IR trends Q4 2024: Web shell usage and exploitation of public-facing applications spike. January 30, 2025. https://blog.talosintelligence.com/talos-ir-trends-q4-2024/. Quarterly IR-engagement statistics on RMM-tool abuse (Splashtop in 75 percent of ransomware engagements; AteraAgent in roughly 40 percent of engagements) used as defender-context corroboration.
Fortinet FortiGuard Labs. MuddyWater Threat Actor profile. https://fortiguard.fortinet.com/threat-actor/5571/muddy-water. Vendor-aggregated profile referenced for 2025-2026 commodity-tool chronology and the Starlink C2 observation.
Stingrai. AI Cyber Attack Statistics 2026. https://www.stingrai.io/blog/ai-cyber-attack-statistics-2026. Stingrai's research post on the AI cyber-attack landscape in 2026, used for cross-context on AI-assisted operational tradecraft.
Stingrai. Anthropic Mythos / GTG-1002 Disclosure: A Defender's Analysis for 2026. https://www.stingrai.io/blog/anthropic-mythos-gtg1002-defender-analysis. Stingrai's defender analysis of the GTG-1002 disclosure, used for the 2026 forward-outlook discussion of agent-paced tradecraft.
Anthropic. Disrupting AI espionage (GTG-1002 disclosure). November 13, 2025. https://www.anthropic.com/news/disrupting-AI-espionage. Cited for the 2026 forward outlook on AI-assisted operational pacing.
Mandiant (Google Cloud Threat Intelligence). M-Trends 2026. March 2026. https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2026. Cited for the 22-second median initial-access-to-handoff time in 2025 referenced in the 2026 forward outlook.