Threat-actor profile

← Back to main site

Home/ Threat Actors/ MuddyWater

🇮🇷MuddyWater

🇮🇷 MuddyWater is a tracked threat actor in the Clankerusecase corpus. Attributed to IR. Primary motivation: State. We map 26 detection use cases to this actor across 85 MITRE ATT&CK techniques, with 4 threat-intel articles citing them. Active in our corpus from 2025-10-27 to 2026-03-12.

crit 2high 1med 1

View full actor card → All threat actors MITRE ATT&CK group spec (G0069) ↗

26Use cases

4Articles

85Techniques

0IOCs

Known aliases

MuddyWaterEarth VetalaMERCURYStatic KittenMango SandstormTEMP.ZagrosSeedwormTA450MuddyKrill

Top techniques

T1190 · Exploit Public-Facing Application T1059.001 · PowerShell T1204.002 · Malicious File

All other tracked techniques

T1003 · OS Credential Dumping T1003.001 · LSASS Memory T1003.004 · LSA Secrets T1003.005 · Cached Domain Credentials T1016 · System Network Configuration Discovery T1021.002 · SMB/Windows Admin Shares T1027.003 · Steganography T1027.004 · Compile After Delivery T1027.010 · Command Obfuscation T1033 · System Owner/User Discovery T1036.005 · Match Legitimate Resource Name or Location T1041 · Exfiltration Over C2 Channel T1047 · Windows Management Instrumentation T1049 · System Network Connections Discovery T1053.005 · Scheduled Task T1057 · Process Discovery T1059.003 · Windows Command Shell T1059.005 · Visual Basic T1059.006 · Python T1059.007 · JavaScript T1071.001 · Web Protocols T1074.001 · Local Data Staging T1082 · System Information Discovery T1083 · File and Directory Discovery T1087 · Account Discovery T1087.002 · Domain Account T1090 · Proxy T1090.002 · External Proxy T1098.005 · Device Registration T1102.002 · Bidirectional Communication T1104 · Multi-Stage Channels T1105 · Ingress Tool Transfer T1110.003 · Password Spraying T1112 · Modify Registry T1113 · Screen Capture T1132.001 · Standard Encoding T1134.001 · Token Impersonation/Theft T1137.001 · Office Template Macros T1140 · Deobfuscate/Decode Files or Information T1195.002 · Compromise Software Supply Chain T1199 · Trusted Relationship T1203 · Exploitation for Client Execution T1204.001 · Malicious Link T1204.004 · Malicious Copy and Paste T1210 · Exploitation of Remote Services T1218 · System Binary Proxy Execution T1218.003 · CMSTP T1218.005 · Mshta T1218.011 · Rundll32 T1219 · Remote Access Tools T1219.002 · Remote Desktop Software T1486 · Data Encrypted for Impact T1518 · Software Discovery T1518.001 · Security Software Discovery T1534 · Internal Spearphishing T1547.001 · Registry Run Keys / Startup Folder T1548.002 · Bypass User Account Control T1552.001 · Credentials In Files T1555 · Credentials from Password Stores T1555.003 · Credentials from Web Browsers T1556.006 · Multi-Factor Authentication T1559.001 · Component Object Model T1559.002 · Dynamic Data Exchange T1560.001 · Archive via Utility T1566 · Phishing T1566.001 · Spearphishing Attachment T1566.002 · Spearphishing Link T1567.002 · Exfiltration to Cloud Storage T1569.002 · Service Execution T1571 · Non-Standard Port T1573.001 · Symmetric Cryptography T1574.001 · DLL T1574.002 · T1574.002 T1583.001 · Domains T1583.006 · Web Services T1588.001 · Malware T1588.002 · Tool T1590.004 · Network Topology T1620 · Reflective Code Loading T1621 · Multi-Factor Authentication Request Generation T1684.001 · Impersonation T1685 · Disable or Modify Tools

Detection use cases (26)

MuddyWater (Mango Sandstorm / TA450) RMM-installer delivery: cloud-hosted Atera/ScreenConnect/SimpleHelp/RemoteUtilities executed after emai AI · profile SDD MuddyWater PowerShell loader chain: Office/HTA → encoded PowerShell → MuddyC2Go/PHONYC2/POWERSTATS beacon AI · profile SΣDD MuddyWater SimpleHelp RMM client spawning shell or recon LOLBin Bespoke Iran-aligned MFA push-bombing followed by new auth method registered (AA24-290A) Bespoke Phishing-link click correlated to endpoint execution Internal Email attachment opened from external sender Internal Office app spawning script/LOLBin child process Internal Fake CAPTCHA / clipboard-injected PowerShell (ClickFix / FakeCaptcha) Internal Ransomware-style mass file rename / extension change Internal LSASS process access / dump (credential theft) Internal Remote service execution — PsExec / SMB lateral movement Internal RMM tool installed by non-IT user — remote-access utility for hands-on-keyboard Internal Trusted vendor binary / installer launching unusual children Internal MuddyWater Fooder loader (OsUpdater.exe) execution from Downloads Bespoke 1Password item exfiltration attempt MITRE match 1Password vault export attempted MITRE match Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer interpreter / package-manager process exfiltrating tokens to public code-hosting / worker domains MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Linux LPE chain — anomalous algif_aead/esp4/esp6/rxrpc kernel-module load followed by same-user root transition MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match

Threat-intel articles (4)

crit Cyber fallout from the Iran war: What to have on your radar · 2026-03-12

med MuddyWater: Snakes by the riverbank · 2025-12-02

crit ESET APT Activity Report Q2 2025–Q3 2025 · 2025-11-06

high How MDR can give MSPs the edge in a competitive market · 2025-10-27

Tracked indicators

CVEs (2)

CVE-2024-42009 CVE-2025-8088