MuddyWater
Essential information
- Confidence: 100/100
- Published: 16/12/2025 19:39
- Modified: 04/05/2026 16:33
- Updated at: 04/05/2026 16:33
- Revoked: No
- Author / Source: The MITRE Corporation
- Resource level: —
- Primary motivation: —
- Related entities: 18 reports, 105 attack patterns (MITRE), 39 malware, 13 sectors, 25 countries, 100 indicators, 18 vulnerabilities (CVE), 5 tools
Aliases
- Earth Vetala
- Static Kitten
- TEMP.Zagros
- Mango Sandstorm
- MERCURY
- TA450
- Seedworm
Description
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
- Trend Micro Muddy Water March 2021
- Cloudflare 2026 Threat Report New Threat Actors March 2026
- CYBERCOM Iranian Intel Cyber January 2022
- Talos MuddyWater Jan 2022
- Microsoft Threat Actor Naming July 2023
- FalconFeeds_Iran_Mar2026
- Anomali Static Kitten February 2021
- Symantec MuddyWater Dec 2018
- FireEye MuddyWater Mar 2018
- ClearSky MuddyWater June 2019
- Unit 42 MuddyWater Nov 2017
- ClearSky MuddyWater Nov 2018
- mitre-attack (G0069)
- Reaqta MuddyWater November 2017
- AlienVault
- AlienVault
- AlienVault
- Proofpoint TA450 Phishing March 2024
- DHS CISA AA22-055A MuddyWater February 2022
- AlienVault
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Reports (18)
- AlienVault, Confidence 100: 24 MITREs, 1 Malware, 13 IOCs, 13 Observables, 1 APT
- 18 MITREs, 5 Malwares, 20 Observables, 1 APT
- 19 MITREs, 2 Malwares, 28 Observables, 1 APT
- 9 MITREs, 1 Malware, 5 Observables, 1 APT
- 2 CVEs, 8 Malwares, 25 Observables, 1 APT
- 13 CVEs, 4 Malwares, 14 Observables, 1 APT
- 19 MITREs, 6 Malwares, 5 Observables, 1 APT
- 17 MITREs, 4 Malwares, 14 Observables, 1 APT
- 14 MITREs, 6 Malwares, 20 Observables, 1 APT
- 3 Malwares, 12 Observables, 1 APT
- 7 MITREs, 6 Malwares, 9 Observables, 1 APT
- 17 MITREs, 2 Malwares, 15 Observables, 1 APT
Attack patterns (MITRE) (105)
- T1059.003 Windows Command Shell (uses) · MITRE
- T1585.002 Email Accounts (uses) · MITRE
- T1497 Virtualization/Sandbox Evasion (uses) · MITRE
- T1552.001 Credentials In Files (uses) · MITRE
- T1078 Valid Accounts (uses) · MITRE
- T1049 System Network Connections Discovery (uses) · MITRE
- T1596 · MITRE
- T1036.004 Masquerade Task or Service (uses) · MITRE
- T1547.001 Registry Run Keys / Startup Folder (uses) · MITRE
- T1598.002 Spearphishing Attachment (uses) · MITRE
- T1584 Compromise Infrastructure (uses) · MITRE
- T1110 Brute Force (uses) · MITRE
Malware (39)
- Phoenix (uses) · Family
- NetBird (uses) · Family
- UDPGangster (uses) · Family
- SHARPSTATS (uses)
- LP-Notes (uses) · AlienVault, Confidence 100
  [LP-Notes](https://attack.mitre.org/software/S9036) is a C/C++ Windows credential stealer used by [MuddyWater](https://attack.mitre.org/groups/G0069). [LP-Notes](https://attack.mitre.org/software/S9036) was named after the `lp-notes.txt` file that is used to store stolen credentials.(Citation: ESET_MuddyWater_Dec2025)
- PersianC2 (uses) · Family
- PhonyC2 (uses) · Family
- Archer RAT (uses) · AlienVault, Confidence 100
- Phoenix Backdoor (uses) · AlienVault, Confidence 100
- Atera Agent (uses) · Family
- Mori (uses)
- MuddyWater (uses)
Sectors (13)
- Hospitality (targets)
- Media (targets)
- High-tech (targets)
- Employment (targets)
- Defense (targets)
- Energy (targets)
- Pharmacy and drugs manufacturing (targets)
- Government (targets)
- Transportation (targets)
- Engineering consulting (targets)
- Education (targets)
- Aerospace (targets)
Countries (25)
- Pakistan (targets)
- Colombia (targets)
- Algeria (targets)
- Italy (targets)
- Russian Federation (targets)
- Philippines (targets)
- Chile (targets)
- Argentina (targets)
- Qatar (targets)
- Central African Republic (targets)
- Iraq (targets)
- Azerbaijan (targets)
Indicators (100)
- 424a9c85f97aa1aece9480bd658266c366a60ff1d62c31b87ddc15a1913c10e4 (related)
- https://timetrakr.cloud/sp.ps1' (related) · stix 100/100 · Revoked · Valid until 10/06/2026 · Source: AlienVault
- 25325dc4b8dcf3711e628d08854e97c49cfb904c0816129ed1d432c6bfff576b (related)
- 694b72f8eb7d5c37deb3493e74fb973df20359111d0d96076d3da50dbcb5d9d8 (related)
- 5.196.249.162 (related) · stix 100/100 · Valid until 13/03/2027 · Source: AlienVault
- stix 100/100 · Valid until 08/05/2027 · Source: AlienVault
- stix 100/100 · Valid until 06/12/2026 · Source: AlienVault
- https://dd3.filedwnl.top (related)
- 91.121.240.106 (related)
Vulnerabilities (CVE) (18)
Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution. An overly permissive …
- Attack vector: Network
- Complexity: Low
- EPSS: 0.0246 (P84.8%)
- Published: 06/12/2025
- Modified: 23/05/2026

Fortinet FortiOS, FortiPAM, FortiProxy, and FortiWeb contain a format string vulnerability that allows a remote, unauthenticated attacker to execute arbitrary code or …
- Attack vector: Network
- Published: 09/10/2024
- Modified: 05/03/2026

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …
- Attack vector: Network
- Published: 05/12/2025
- Modified: 29/05/2026

Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.
- Attack vector: Network
- Published: 29/01/2026
- Modified: 27/03/2026

Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 136.0.7103.113 allowed a remote attacker to potentially …
- Attack vector: Network
- Published: 22/08/2025
- Modified: 21/12/2025

Multiple Hikvision products contain an improper authentication vulnerability that could allow a malicious user to escalate privileges on the system and gain …
- Attack vector: Network
- Complexity: Low
- EPSS: 0.9410 (P99.9%)
- Published: 06/05/2017
- Modified: 22/04/2026

CWE-327: Use of a Broken or Risky Cryptographic Algorithm vulnerability exists that could cause denial of service, device reboot, or an attacker …
- Attack vector: Physical
- Published: 12/06/2024
- Modified: 05/03/2026

Multiple versions of Fortinet FortiOS SSL-VPN contain a heap-based buffer overflow vulnerability which can allow an unauthenticated, remote attacker to execute arbitrary …
- Attack vector: Network
- Published: 13/12/2022
- Modified: 20/12/2025

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through …
- Attack vector: Network
- Published: 14/01/2025
- Modified: 27/05/2026

Apache Log4j2 contains a deserialization of untrusted data vulnerability due to the incomplete fix of CVE-2021-44228, where the Thread Context Lookup Pattern …
- Published: 01/05/2023
- Modified: 20/12/2025

N-central < 2025.4 can generate sessionIDs for unauthenticated users. This issue affects N-central: before 2025.4.
- Published: 05/03/2026
- Modified: 05/03/2026

BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) contain an OS command injection vulnerability. Successful exploitation could allow an unauthenticated remote attacker …
- Attack vector: Network
- Published: 13/02/2026
- Modified: 20/02/2026
Tool (5)
- LaZagne (uses) · The MITRE Corporation, Confidence 100
  [LaZagne](https://attack.mitre.org/software/S0349) is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows…
- RemoteUtilities (uses) · The MITRE Corporation, Confidence 100
  [RemoteUtilities](https://attack.mitre.org/software/S0592) is a legitimate remote administration tool that has been used by [MuddyWater](https://attack.mitre.org/groups/G0069) since at least 2021 for execution on target machines.(Citation: Trend Micro Muddy Water March 2021)
- ConnectWise (uses) · The MITRE Corporation, Confidence 100
  [ConnectWise](https://attack.mitre.org/software/S0591) is a legitimate remote administration tool that has been used since at least 2016 by threat actors including [MuddyWater](https://attack.mitre.org/groups/G0069) and [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) to connect to and conduct…
- Out1 (uses) · The MITRE Corporation, Confidence 100
  [Out1](https://attack.mitre.org/software/S0594) is a remote access tool written in Python and used by [MuddyWater](https://attack.mitre.org/groups/G0069) since at least 2021.(Citation: Trend Micro Muddy Water March 2021)
- CrackMapExec (uses) · The MITRE Corporation, Confidence 100
  [CrackMapExec](https://attack.mitre.org/software/S0488), or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. [CrackMapExec](https://attack.mitre.org/software/S0488) collects Active Directory information to conduct lateral movement through targeted…