MuddyWater

Search IOCs, vulnerabilities, APT…

216.73.216.233

← Back to intrusion sets

· Published 16/12/2025 19:39 · Modified 04/05/2026 16:33 · Source: The MITRE Corporation

Essential information

Confidence: 100/100
Published: 16/12/2025 19:39
Modified: 04/05/2026 16:33
Updated at: 04/05/2026 16:33
Revoked: No
Author / Source: The MITRE Corporation
Resource level: —
Primary motivation: —
Related entities: 18 reports, 105 attack patterns (mitre), 39 malware, 13 sectors, 25 countries, 100 indicators, 18 vulnerabilities (cve), 5 tool

Aliases

Earth Vetala Static Kitten TEMP.Zagros Mango Sandstorm MERCURY TA450 Seedworm

Description

[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at least 2017, [MuddyWater](https://attack.mitre.org/groups/G0069) has targeted a range of government and private organizations across sectors, including telecommunications, local government, defense, and oil and natural gas organizations, in the Middle East, Asia, Africa, Europe, and North America.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Talos MuddyWater Jan 2022)

Marking (TLP)

External references

Trend Micro Muddy Water March 2021
Cloudflare 2026 Threat Report New Threat Actors March 2026
CYBERCOM Iranian Intel Cyber January 2022
Talos MuddyWater Jan 2022
Microsoft Threat Actor Naming July 2023
FalconFeeds_Iran_Mar2026
Anomali Static Kitten February 2021
Symantec MuddyWater Dec 2018
FireEye MuddyWater Mar 2018
ClearSky MuddyWater June 2019
Unit 42 MuddyWater Nov 2017
ClearSky MuddyWater Nov 2018
mitre-attack (G0069)
Reaqta MuddyWater November 2017
AlienVault
AlienVault
AlienVault
Proofpoint TA450 Phishing March 2024
DHS CISA AA22-055A MuddyWater February 2022
AlienVault

Related entities

Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.

Reports (18)

Iran-Linked Hackers Breached Korean Electronics Maker in Global …

AlienVault Confidence 100 24 MITREs 1 Malware 13 IOCs 13 Observables 1 APT
DinDoor Backdoor: Deno Runtime Abuse and 20 Active …

18 MITREs 5 Malwares 20 Observables 1 APT
Iranian APT Seedworm Targets Global Organizations via Microsoft …

19 MITREs 2 Malwares 28 Observables 1 APT
Unmasking an Attack Chain of MuddyWater

9 MITREs 1 Malware 5 Observables 1 APT
Iranian APT on Networks of U.S. Bank, Airport, …

2 CVEs 8 Malwares 25 Observables 1 APT
MuddyWater Exposed: Inside an Iranian APT operation

13 CVEs 4 Malwares 14 Observables 1 APT
Iranian APT Infrastructure in Focus: Mapping State-Aligned Clusters …

19 MITREs 6 Malwares 5 Observables 1 APT
Operation Olalampo: Inside MuddyWater's Latest Campaign

17 MITREs 4 Malwares 14 Observables 1 APT
Chronology of MuddyWater APT Attacks Targeting the Middle …

14 MITREs 6 Malwares 20 Observables 1 APT
Reborn in Rust: MuddyWater Evolves Tooling with RustyWater …

3 Malwares 12 Observables 1 APT
MuddyWater: Snakes by the riverbank

7 MITREs 6 Malwares 9 Observables 1 APT
UDPGangster Campaigns Target Multiple Countries

17 MITREs 2 Malwares 15 Observables 1 APT

← Previous

Page / 2

1–12 of 18

T1518 uses

Software Discovery MITRE
T1059 uses

Command and Scripting Interpreter MITRE
T1134 uses

Access Token Manipulation MITRE
T1218.003 uses

CMSTP MITRE
T1567.002 uses

Exfiltration to Cloud Storage MITRE
T1132.001 uses

Standard Encoding MITRE
T1132 uses

Data Encoding MITRE
T1592 uses

Gather Victim Host Information MITRE
T1199 uses

Trusted Relationship MITRE
T1071.002 uses

File Transfer Protocols MITRE
T1027.002 uses

Software Packing MITRE
T1021.001 uses

Remote Desktop Protocol MITRE

← Previous

Page / 9

1–12 of 105

Phoenix uses

Family
NetBird uses

Family
UDPGangster uses

Family
SHARPSTATS uses
LP-Notes uses

Family
PersianC2 uses

Family
PhonyC2 uses

Family
Archer RAT uses

Family
Phoenix Backdoor uses

Family
Atera Agent uses

Family
Mori uses
MuddyWater uses

← Previous

Page / 4

1–12 of 39

Hospitality targets
Media targets
High-tech targets
Employment targets
Defense targets
Energy targets
Pharmacy and drugs manufacturing targets
Government targets
Transportation targets
Engineering consulting targets
Education targets
Aerospace targets

← Previous

Page / 2

1–12 of 13

Pakistan targets
Colombia targets
Algeria targets
Italy targets
Russian Federation targets
Philippines targets
Chile targets
Argentina targets
Qatar targets
Central African Republic targets
Iraq targets
Azerbaijan targets

← Previous

Page / 3

1–12 of 25

424a9c85f97aa1aece9480bd658266c366a60ff1d62c31b87ddc15a1913c10e4 related
209.99.189.170 related
cside.site related
https://timetrakr.cloud/sp.ps1' related

stix 100/100 Revoked

· Valid until 10/06/2026 · Source: AlienVault
25325dc4b8dcf3711e628d08854e97c49cfb904c0816129ed1d432c6bfff576b related
694b72f8eb7d5c37deb3493e74fb973df20359111d0d96076d3da50dbcb5d9d8 related
5.196.249.162 related
0be499354dc498248d27f6d186eb3bb75a607ae4a2c0a6734c76f1a1b7b1d316 related
d587959841a763669279ad831b8f0379f6a7b037dffc19deab5d41f37f8b5ffc related

stix 100/100

· Valid until 08/05/2027 · Source: AlienVault
fc4a7eed5cb18c52265622ac39a5cef31eec101c898b4016874458d2722ec430 related
https://dd3.filedwnl.top related
91.121.240.106 related

← Previous

Page / 9

1–12 of 100

Vulnerabilities (CVE) (18)

CVE-2025-34291 KEV targets

9.4 Critical

Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution. An overly permissive …

Attack vector: Network
Complexity: Low
EPSS: 0.0246 (P84.8%)
Published: 06/12/2025
Modified: 23/05/2026

CWE-346 Awaiting Analysis

CVE-2024-23113 KEV targets

9.8 Critical

Fortinet FortiOS, FortiPAM, FortiProxy, and FortiWeb contain a format string vulnerability that allows a remote, unauthenticated attacker to execute arbitrary code or …

Attack vector: Network
Published: 09/10/2024
Modified: 05/03/2026

CVE-2025-55182 KEV targets

10.0 Critical

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …

Attack vector: Network
Published: 05/12/2025
Modified: 29/05/2026

Analyzed

CVE-2026-1281 KEV targets

9.8 Critical

Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.

Attack vector: NETWORK
Published: 29/01/2026
Modified: 27/03/2026

Analyzed

CVE-2025-4609 targets

9.6 Critical

Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 136.0.7103.113 allowed a remote attacker to potentially …

Attack vector: NETWORK
Published: 22/08/2025
Modified: 21/12/2025

CVE-2017-7921 KEV targets

9.8 Critical

Multiple Hikvision products contain an improper authentication vulnerability that could allow a malicious user to escalate privileges on the system and gain …

Attack vector: NETWORK
Complexity: LOW
EPSS: 0.9410 (P99.9%)
Published: 06/05/2017
Modified: 22/04/2026

CWE-287

CVE-2024-5559 targets

6.1 Medium

CWE-327: Use of a Broken or Risky Cryptographic Algorithm vulnerability exists that could cause denial of service, device reboot, or an attacker …

Attack vector: PHYSICAL
Published: 12/06/2024
Modified: 05/03/2026

Received

CVE-2022-42475 KEV targets

9.8 Critical

Multiple versions of Fortinet FortiOS SSL-VPN contain a heap-based buffer overflow vulnerability which can allow an unauthenticated, remote attacker to execute arbitrary …

Attack vector: Network
Published: 13/12/2022
Modified: 20/12/2025

CVE-2024-55591 KEV targets

9.8 Critical

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through …

Attack vector: Network
Published: 14/01/2025
Modified: 27/05/2026

Analyzed

CVE-2021-45046 KEV related

Apache Log4j2 contains a deserialization of untrusted data vulnerability due to the incomplete fix of CVE-2021-44228, where the Thread Context Lookup Pattern …

Published: 01/05/2023
Modified: 20/12/2025

CVE-2025-9316 related

6.9 Medium

N-central < 2025.4 can generate sessionIDs for unauthenticated users This issue affects N-central: before 2025.4.

Published: 05/03/2026
Modified: 05/03/2026

Awaiting Analysis

CVE-2026-1731 KEV related

9.9 Critical

BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA)contain an OS command injection vulnerability. Successful exploitation could allow an unauthenticated remote attacker …

Attack vector: Network
Published: 13/02/2026
Modified: 20/02/2026

Received

← Previous

Page / 2

1–12 of 18

LaZagne uses

The MITRE Corporation Confidence 100

[LaZagne](https://attack.mitre.org/software/S0349) is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows…
RemoteUtilities uses

The MITRE Corporation Confidence 100

[RemoteUtilities](https://attack.mitre.org/software/S0592) is a legitimate remote administration tool that has been used by [MuddyWater](https://attack.mitre.org/groups/G0069) since at least 2021 for execution on target machines.(Citation: Trend Micro Muddy Water March 2021)
ConnectWise uses

The MITRE Corporation Confidence 100

[ConnectWise](https://attack.mitre.org/software/S0591) is a legitimate remote administration tool that has been used since at least 2016 by threat actors including [MuddyWater](https://attack.mitre.org/groups/G0069) and [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) to connect to and conduct…
Out1 uses

The MITRE Corporation Confidence 100

[Out1](https://attack.mitre.org/software/S0594) is a remote access tool written in python and used by [MuddyWater](https://attack.mitre.org/groups/G0069) since at least 2021.(Citation: Trend Micro Muddy Water March 2021)
CrackMapExec uses

The MITRE Corporation Confidence 100

[CrackMapExec](https://attack.mitre.org/software/S0488), or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. [CrackMapExec](https://attack.mitre.org/software/S0488) collects Active Directory information to conduct lateral movement through targeted…

Contact About Legal notice Privacy policy Terms of use

MuddyWater

Essential information

Aliases

Description

Marking (TLP)

External references

Related entities

Reports (18)

Attack patterns (MITRE) (105)

Malware (39)

Sectors (13)

Countries (25)

Indicators (100)

Vulnerabilities (CVE) (18)

Tool (5)