
MuddyWater Exposed: Inside an Iranian APT operation

Published 05/03/2026 15:18 · Modified 05/03/2026 15:50


Essential information

Tags
2026-03-05, CVE-2022-42475, CVE-2024-23113, CVE-2024-55591, CVE-2025-34291, CVE-2025-52691, CVE-2025-54068, CVE-2025-55182, CVE-2025-5777, CVE-2025-68613, CVE-2025-9316, CVE-2026-1281, CVE-2026-1731, arenac2, command and control, cyber espionage, exfiltration, geopolitical conflict, iranian apt, keyc2, mois, persianc2, reconnaissance, tsundere botnet, vulnerability exploitation
Related entities
13 vulnerabilities (CVE), 14 observables, 1 intrusion set (APT), 4 malware, 12 others

Description

Researchers identified and analyzed exposed infrastructure belonging to MuddyWater, an Iranian group linked to the Ministry of Intelligence and Security (MOIS). The investigation revealed the group's methods, its exploitation of vulnerabilities, its custom frameworks, and its techniques. Targets included organizations in Israel, Jordan, Egypt, the UAE, Portugal, and the US. Notable findings include the use of Ethereum smart contracts for C2 communication, multiple custom C2 frameworks, and the exploitation of various CVEs. The group showed a pattern of rapidly adopting public exploits and developing custom tools, while also exhibiting the operational security failures that made this research possible.

External references