MuddyWater

Search IOCs, vulnerabilities, APT…

216.73.217.80

← Back to intrusion sets

· Published 16/12/2025 19:39 · Modified 04/05/2026 16:33 · Source: The MITRE Corporation

Essential information

Confidence: 100/100
Published: 16/12/2025 19:39
Modified: 04/05/2026 16:33
Updated at: 04/05/2026 16:33
Revoked: No
Author / Source: The MITRE Corporation
Resource level: —
Primary motivation: —
Related entities: 18 reports, 105 attack patterns (mitre), 39 malware, 13 sectors, 25 countries, 100 indicators, 18 vulnerabilities (cve), 5 tool

Aliases

Earth Vetala Static Kitten TEMP.Zagros Mango Sandstorm MERCURY TA450 Seedworm

Description

[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at least 2017, [MuddyWater](https://attack.mitre.org/groups/G0069) has targeted a range of government and private organizations across sectors, including telecommunications, local government, defense, and oil and natural gas organizations, in the Middle East, Asia, Africa, Europe, and North America.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Talos MuddyWater Jan 2022)

Marking (TLP)

External references

Trend Micro Muddy Water March 2021
Cloudflare 2026 Threat Report New Threat Actors March 2026
CYBERCOM Iranian Intel Cyber January 2022
Talos MuddyWater Jan 2022
Microsoft Threat Actor Naming July 2023
FalconFeeds_Iran_Mar2026
Anomali Static Kitten February 2021
Symantec MuddyWater Dec 2018
FireEye MuddyWater Mar 2018
ClearSky MuddyWater June 2019
Unit 42 MuddyWater Nov 2017
ClearSky MuddyWater Nov 2018
mitre-attack (G0069)
Reaqta MuddyWater November 2017
AlienVault
AlienVault
AlienVault
Proofpoint TA450 Phishing March 2024
DHS CISA AA22-055A MuddyWater February 2022
AlienVault

Related entities

Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.

Reports (18)

Iran-Linked Hackers Breached Korean Electronics Maker in Global …

AlienVault Confidence 100 24 MITREs 1 Malware 13 IOCs 13 Observables 1 APT
DinDoor Backdoor: Deno Runtime Abuse and 20 Active …

18 MITREs 5 Malwares 20 Observables 1 APT
Iranian APT Seedworm Targets Global Organizations via Microsoft …

19 MITREs 2 Malwares 28 Observables 1 APT
Unmasking an Attack Chain of MuddyWater

9 MITREs 1 Malware 5 Observables 1 APT
Iranian APT on Networks of U.S. Bank, Airport, …

2 CVEs 8 Malwares 25 Observables 1 APT
MuddyWater Exposed: Inside an Iranian APT operation

13 CVEs 4 Malwares 14 Observables 1 APT
Iranian APT Infrastructure in Focus: Mapping State-Aligned Clusters …

19 MITREs 6 Malwares 5 Observables 1 APT
Operation Olalampo: Inside MuddyWater's Latest Campaign

17 MITREs 4 Malwares 14 Observables 1 APT
Chronology of MuddyWater APT Attacks Targeting the Middle …

14 MITREs 6 Malwares 20 Observables 1 APT
Reborn in Rust: MuddyWater Evolves Tooling with RustyWater …

3 Malwares 12 Observables 1 APT
MuddyWater: Snakes by the riverbank

7 MITREs 6 Malwares 9 Observables 1 APT
UDPGangster Campaigns Target Multiple Countries

17 MITREs 2 Malwares 15 Observables 1 APT

← Previous

Page / 2

1–12 of 18

T1534 uses

Internal Spearphishing MITRE
T1555 uses

Credentials from Password Stores MITRE
T1085 uses

MITRE
TA0037 uses

MITRE
T1589 uses

Gather Victim Identity Information MITRE
Multi-Stage Channels uses

T1104 MITRE
T1566 uses

Phishing MITRE
T1574 uses

Hijack Execution Flow MITRE
T1003 uses

OS Credential Dumping MITRE
T1003.002 uses

Security Account Manager MITRE
T1102 uses

Web Service MITRE
T1587.001 uses

Malware MITRE

← Previous

Page / 9

13–24 of 105

Phoenix uses

Family
NetBird uses

Family
UDPGangster uses

Family
SHARPSTATS uses
LP-Notes uses

AlienVault Confidence 100

[LP-Notes](https://attack.mitre.org/software/S9036) is a C/C++ Windows credential stealer used by [MuddyWater](https://attack.mitre.org/groups/G0069). [LP-Notes](https://attack.mitre.org/software/S9036) was named after the `lp-notes.txt` file that is used to store stolen credentials.(Citation: ESET_MuddyWater_Dec2025)

First seen 01/01/1970 · Last seen 16/11/5138 ·
PersianC2 uses

Family
PhonyC2 uses

Family
Archer RAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Phoenix Backdoor uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Atera Agent uses

Family
Mori uses
MuddyWater uses

← Previous

Page / 4

1–12 of 39

Technology targets

← Previous

Page / 2

13–13 of 13

Pakistan targets
Colombia targets
Algeria targets
Italy targets
Russian Federation targets
Philippines targets
Chile targets
Argentina targets
Qatar targets
Central African Republic targets
Iraq targets
Azerbaijan targets

← Previous

Page / 3

1–12 of 25

424a9c85f97aa1aece9480bd658266c366a60ff1d62c31b87ddc15a1913c10e4 related
209.99.189.170 related

stix 100/100 Revoked

· Valid until 17/05/2026 · Source: AlienVault
cside.site related

stix 100/100

· Valid until 30/07/2026 · Source: AlienVault
https://timetrakr.cloud/sp.ps1' related

stix 100/100 Revoked

· Valid until 10/06/2026 · Source: AlienVault
25325dc4b8dcf3711e628d08854e97c49cfb904c0816129ed1d432c6bfff576b related
694b72f8eb7d5c37deb3493e74fb973df20359111d0d96076d3da50dbcb5d9d8 related
5.196.249.162 related
0be499354dc498248d27f6d186eb3bb75a607ae4a2c0a6734c76f1a1b7b1d316 related

stix 100/100

· Valid until 13/03/2027 · Source: AlienVault
d587959841a763669279ad831b8f0379f6a7b037dffc19deab5d41f37f8b5ffc related

stix 100/100

· Valid until 08/05/2027 · Source: AlienVault
fc4a7eed5cb18c52265622ac39a5cef31eec101c898b4016874458d2722ec430 related

stix 100/100

· Valid until 06/12/2026 · Source: AlienVault
https://dd3.filedwnl.top related
91.121.240.106 related

← Previous

Page / 9

1–12 of 100

Vulnerabilities (CVE) (18)

CVE-2023-6895 related

6.3 Medium

A vulnerability was found in Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE(HIK). It has been declared as critical. This vulnerability affects unknown code of …

Attack vector: ADJACENT_NETWORK
Published: 17/12/2023
Modified: 06/03/2026

CVE-2021-44228 KEV related

10.0 Critical

Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.

Attack vector: Network
Published: 10/12/2021
Modified: 27/05/2026

CVE-2025-54068 KEV related

9.2 Critical

Livewire is a full-stack framework for Laravel. In Livewire v3 up to and including v3.6.3, a vulnerability allows unauthenticated attackers to achieve …

Attack vector: NETWORK
Complexity: LOW
Published: 17/07/2025
Modified: 27/03/2026

CWE-94 Awaiting Analysis

CVE-2025-5777 KEV related

9.3 Critical

Citrix NetScaler ADC and Gateway contain an out-of-bounds read vulnerability due to insufficient input validation. This vulnerability can lead to memory overread …

Attack vector: Network
Published: 10/07/2025
Modified: 21/12/2025

Received

CVE-2025-52691 KEV related

10.0 Critical

SmarterTools SmarterMail contains an unrestricted upload of file with dangerous type vulnerability that could allow an unauthenticated attacker to upload arbitrary files …

Attack vector: NETWORK
Published: 29/12/2025
Modified: 05/03/2026

Awaiting Analysis

CVE-2025-68613 KEV related

9.9 Critical

n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical …

Attack vector: Network
Published: 20/12/2025
Modified: 12/03/2026

Awaiting Analysis

← Previous

Page / 2

13–18 of 18

LaZagne uses

The MITRE Corporation Confidence 100

[LaZagne](https://attack.mitre.org/software/S0349) is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows…
RemoteUtilities uses

The MITRE Corporation Confidence 100

[RemoteUtilities](https://attack.mitre.org/software/S0592) is a legitimate remote administration tool that has been used by [MuddyWater](https://attack.mitre.org/groups/G0069) since at least 2021 for execution on target machines.(Citation: Trend Micro Muddy Water March 2021)
ConnectWise uses

The MITRE Corporation Confidence 100

[ConnectWise](https://attack.mitre.org/software/S0591) is a legitimate remote administration tool that has been used since at least 2016 by threat actors including [MuddyWater](https://attack.mitre.org/groups/G0069) and [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) to connect to and conduct…
Out1 uses

The MITRE Corporation Confidence 100

[Out1](https://attack.mitre.org/software/S0594) is a remote access tool written in python and used by [MuddyWater](https://attack.mitre.org/groups/G0069) since at least 2021.(Citation: Trend Micro Muddy Water March 2021)
CrackMapExec uses

The MITRE Corporation Confidence 100

[CrackMapExec](https://attack.mitre.org/software/S0488), or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. [CrackMapExec](https://attack.mitre.org/software/S0488) collects Active Directory information to conduct lateral movement through targeted…

Contact About Legal notice Privacy policy Terms of use

MuddyWater

Essential information

Aliases

Description

Marking (TLP)

External references

Related entities

Reports (18)

Attack patterns (MITRE) (105)

Malware (39)

Sectors (13)

Countries (25)

Indicators (100)

Vulnerabilities (CVE) (18)

Tool (5)