Who is MuddyWater?
MuddyWater is a cyberespionage group linked to Iran’s Ministry of Intelligence and Security (MOIS). Active since at least 2017, the group’s main goal is intelligence gathering. They support Iranian state interests by targeting strategic sectors.
Their campaigns focus on government and private organizations in the Middle East, Europe, and North America. MuddyWater is known for its continuous activity and for updating its tools to evade detection.
Common Tactics and Tools
MuddyWater’s main entry points are spear-phishing and exploiting public-facing applications. They use malicious documents or exploit known software bugs to gain initial access.
The group uses a mix of custom scripts and legitimate software to blend in with normal network traffic.
- POWERSTATS: The group’s signature PowerShell-based backdoor. It is used to establish a foothold, execute commands, and download additional tools.
- Living off the Land: MuddyWater heavily uses legitimate tools already on a system, like PowerShell, to carry out its attacks. This makes their activity difficult to spot.
- Remote Monitoring and Management (RMM) tools: The group often abuses legitimate RMM software, like ConnectWise Control, to maintain persistent access and control over compromised systems.
How to Defend Against MuddyWater
Defense against MuddyWater requires strong email security and a focus on detecting abuse of legitimate tools.
- Enhance email security: Use advanced email gateways to scan for and block malicious attachments. Train users to spot and report spear-phishing attempts.
- Prioritize software patching: Keep all internet-facing applications, like Microsoft Exchange, fully patched to close the security holes MuddyWater uses.
- Restrict malicious scripts: Use application control to block or monitor the use of PowerShell and other scripting languages that attackers abuse.
- Adopt an Assume Breach mindset: Attackers are becoming adept at bypassing endpoint security. Strong network security is vital. Use Network Detection and Response (NDR), like Lumu, to monitor traffic and detect the abuse of legitimate tools and C2 communications.
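For the "restrict malicious scripts" and "detect abuse of legitimate tools" points above, here is an added Python example (not from the original page or any vendor product) that triages process-creation events for the PowerShell switches and RMM-client behaviour described in the tactics section. The ConnectWise Control process names, the allowlisted host, and the sample events are assumptions constructed for the demonstration.

```python
import base64
import re

# Assumed allowlist: hosts where the ConnectWise Control client is sanctioned.
RMM_ALLOWED_HOSTS = {"helpdesk01"}
# Assumed process names for the ConnectWise Control (ScreenConnect) client.
RMM_BINARIES = {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SUSPICIOUS_SWITCHES = {
    "encoded": re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\b"),
    "hidden window": re.compile(r"(?i)(?:^|\s)-(?:w|win|windowstyle)\s+hidden\b"),
    "execution policy bypass": re.compile(r"(?i)(?:^|\s)-(?:ep|ex|exec|executionpolicy)\s+bypass\b"),
    "no profile": re.compile(r"(?i)(?:^|\s)-(?:nop|noprofile)\b"),
}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def analyze(event):
    """Return the reasons one process-creation event looks like PowerShell
    or RMM abuse; an empty list means nothing matched."""
    image, parent = basename(event["image"]), basename(event["parent"])
    reasons = []
    if image in ("powershell.exe", "pwsh.exe"):
        reasons += [f"powershell {name} switch" for name, rx in SUSPICIOUS_SWITCHES.items()
                    if rx.search(event["cmdline"])]
        if parent in OFFICE_APPS:  # malicious-document lure spawning a shell
            reasons.append(f"powershell spawned by office app {parent}")
    if image in RMM_BINARIES and event["host"] not in RMM_ALLOWED_HOSTS:
        reasons.append(f"rmm client {image} on unapproved host {event['host']}")
    return reasons

def triage(events):
    """(host, reason) pairs across a batch of events."""
    return [(e["host"], r) for e in events for r in analyze(e)]

# Constructed sample events (not real telemetry), reduced to the fields of a
# Windows 4688 / Sysmon Event ID 1 record. The encoded payload is harmless
# ("Get-Date"), built the way -EncodedCommand expects: UTF-16LE, base64.
ENCODED = base64.b64encode("Get-Date".encode("utf-16le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SC = r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"
SAMPLE_EVENTS = [
    {"host": "ws01", "image": PS, "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": f"powershell.exe -nop -w hidden -ep bypass -enc {ENCODED}"},
    {"host": "ws02", "image": SC, "parent": r"C:\Windows\System32\services.exe", "cmdline": "ScreenConnect.ClientService.exe"},
    {"host": "helpdesk01", "image": SC, "parent": r"C:\Windows\System32\services.exe", "cmdline": "ScreenConnect.ClientService.exe"},
    {"host": "ws03", "image": PS, "parent": r"C:\Windows\explorer.exe", "cmdline": r"powershell.exe -File C:\scripts\inventory.ps1"},
]
```

Feed `triage()` your own 4688 or Sysmon exports in the same shape; the allowlist is what keeps the sanctioned help-desk RMM install from paging anyone.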