SOCRadar® Cyber Intelligence Inc. | Dark Web Profile: MuddyWater APT Group


Jan 02, 2023
16 Mins Read

Dark Web Profile: MuddyWater APT Group

[Update] April 19, 2023: Added subheading: “MuddyWater Uses SimpleHelp Tool for Persistence on Victim Devices”

Security concerns grow day by day with the rise of cyberattacks. Among these threats, cyber espionage is one of the most prominent activities. It is used to obtain sensitive or classified data, such as intellectual property, government secrets, or trade secrets. The threat actors' goals may be financial gain, reputational harm, political interests, or cyberwarfare. Today, we review a high-profile cyber espionage group, MuddyWater.

Who is MuddyWater?

Stuxnet was a major blow to Iran's nuclear program in 2010. Iran took it as a wake-up call and began investing in and improving its cyberwarfare capabilities. In 2011, Iranian threat actors began to be involved in sophisticated attacks. One area they focused on was cyber espionage campaigns. The first major campaign, called the Madi campaign, was observed in 2012.

Operation categories of MuddyWater

MuddyWater, also known as Static Kitten, UNC3313, or MERCURY, is an Iranian state-sponsored APT group. According to the FBI and other US and UK-based agencies, they operate as a subordinate element of the Iranian Ministry of Intelligence and Security (MOIS). It is believed that they have been active since late 2017 and have been in close contact with MOIS since 2018. 

MuddyWater has been observed conducting malicious activities across Europe, Asia, Africa, and North America. However, like other Iranian threat actors, its main focus is the Middle East. The group targets private and government organizations in the sectors listed below:

  • Defense 
  • Education 
  • Energy 
  • Financial Services
  • Government and administration agencies 
  • Healthcare
  • High-Tech 
  • International Organizations 
  • Media

Countries affected by MuddyWater

They primarily conduct cyber espionage and intellectual property (IP) theft, but on some occasions they have deployed ransomware on their targets. However, it is believed the ransomware was deployed to cover their tracks.

How does MuddyWater Attack?

MuddyWater’s arsenal is vast. The group exploits various known vulnerabilities and uses a wide range of tools.

For initial access, the group commonly leverages spear phishing and tries to trick victims into opening malicious documents hosted on commercial file-sharing services. After obtaining initial access, they usually drop a web shell and gain local administrator access on the infected machine. On the compromised machine, they use tools such as Mimikatz to dump credentials. To broaden the compromise, they move laterally by leveraging built-in or deployed tools within the network.

MuddyWater generally uses DNS to communicate with its C2 servers, while relying on tools such as PowerShell, vpnui[.]exe (a unique version of Ligolo), and remote monitoring software such as ScreenConnect, Remote Utilities, and eHorus.
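Because the group's C2 traffic (and Mori's tunnelling, described below) rides over DNS, resolver logs are a practical place for a SOC to hunt. The following Python is an added example, not SOCRadar's or any vendor's code: it runs a simple tunnelling heuristic over constructed log lines (the names and addresses are made up, not MuddyWater indicators) and flags clients whose queries to one domain consistently use long, high-entropy, never-repeated subdomains. The "last two labels" domain grouping is an assumption that ignores public-suffix rules.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed "client qname rtype" log lines for illustration only; the
# names and addresses are made up and are not MuddyWater indicators.
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com A
10.0.0.5 cdn.example.com A
10.0.0.7 mfrggzdfmztwq2lknnwg23tpobyxe43u.upd.example.net TXT
10.0.0.7 nbswy3dpfqqho33snrscc2lnmuqhg5dt.upd.example.net TXT
10.0.0.7 kbwgk3dtmvsxg5djmf2gkidtnfthi2lu.upd.example.net TXT
10.0.0.7 ijwgc3dtmfzwmzlvn5xhi3lmmv4c4ltu.upd.example.net TXT
10.0.0.9 web-analytics-collector-prod.telemetry.example.org A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def shannon_entropy(label: str) -> float:
    """Bits per character; base32/base64 payload labels score well above words."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0

def find_tunnel_candidates(log_text, min_queries=3, min_label_len=20, min_entropy=3.5):
    """Return (client, domain, query_count) for pairs whose queries look like
    data encoded in subdomains: steady volume, never-repeated labels, and
    long high-entropy leftmost labels all occurring together."""
    stats = defaultdict(lambda: {"queries": 0, "encoded": 0, "labels": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        client, qname, _rtype = m.groups()
        labels = qname.rstrip(".").lower().split(".")
        # Last two labels approximate the registered domain (assumption: no public-suffix list).
        domain = ".".join(labels[-2:])
        first = labels[0] if len(labels) > 2 else ""  # leftmost label carries tunnel chunks
        s = stats[(client, domain)]
        s["queries"] += 1
        s["labels"].add(first)
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            s["encoded"] += 1
    hits = []
    for (client, domain), s in stats.items():
        unique = len(s["labels"]) == s["queries"]  # no cached re-lookups: each query is new data
        if s["queries"] >= min_queries and unique and s["encoded"] / s["queries"] >= 0.8:
            hits.append((client, domain, s["queries"]))
    return sorted(hits)
```

Tune the thresholds against your own baseline; legitimate CDN and telemetry hostnames can be long, so volume and label uniqueness matter as much as entropy.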

The figure below shows an instance of the MuddyWater attack chain observed by Microsoft.

MuddyWater attack chain (Source: Microsoft)

Which Tools and Vulnerabilities Does MuddyWater Use?

  • PowGoop DLL Loader: PowGoop malware is a malicious DLL loader. It disguises itself as a legitimate Google Update executable. 
  • Small Sieve: Small Sieve is a simple Python backdoor used to distribute Nullsoft Scriptable Install System (NSIS) installer. 
  • Canopy: Canopy is spyware. It collects the victim's username, computer name, and IP address and sends them to the MuddyWater group. Canopy malware is also known as Starwhale malware.
  • Mori: Mori is a backdoor that uses Domain Name System tunneling to communicate with the group’s C2 infrastructure. 
  • POWERSTATS: POWERSTATS is a backdoor that runs PowerShell scripts to maintain persistent access on the victim systems.

MuddyWater Uses SimpleHelp Tool for Persistence on Victim Devices

Researchers found that MuddyWater is using the legitimate SimpleHelp remote support tool to establish persistence on victim devices. While using remote access tools is not a new method for MuddyWater, the SimpleHelp tool expands its toolkit.

The tool itself is not compromised; the threat actors simply download it from the official website to use in their attacks. The SimpleHelp client can be run as a system service on victim devices, enabling attackers to access it at any time, including after a reboot.

Furthermore, SimpleHelp operators can execute commands on the victim’s device, including those that require administrator privileges. They can secretly gain control of the target device using the “Connect in Terminal Mode” command.

The initial method of infection is currently unknown but is suspected to be phishing. Researchers also discovered novel infrastructure and publicly known IP addresses used by the attackers during their latest analysis of MuddyWater. Security experts advise companies to use corporate email security tools to block email as an attack vector.

MuddyWater-associated tools & vulnerabilities provided by SOCRadar

Who Did MuddyWater Target in Their Campaigns?

MuddyWater campaign timeline

MuddyWater's targets are mostly Iran's neighbors in the Middle East region. If we analyze the graphic below, we can see that Turkey, Israel, Iraq, the UAE, and Pakistan are among MuddyWater's top targets. Observations suggest that MuddyWater acts according to the political interests of the Iranian state through its connection to MOIS. So, countries in which Iran has political interests should be aware of MuddyWater's cyber espionage campaigns.

Countries targeted by MuddyWater

Motivations Behind MuddyWater's Attacks in the Last 2 Years

In September 2020, a series of agreements called the Abraham Accords were signed between Israel, the United Arab Emirates, and Bahrain. These countries signed the agreements intending to normalize diplomatic relations in the region. The US brokered the agreements, a major diplomatic breakthrough in the Middle East.

The Abraham Accords can be an improvement in the region from a neutral point of view, but some may feel uneasy about these agreements. In particular, Iran may have felt concerned about the Abraham Accords because they could lead to closer ties between Israel and other countries in the region, potentially undermining Iran’s influence. 

With these developments in mind, we may deduce that the cyber espionage activities carried out by MuddyWater between September 2020 and March 2021 were a reaction to these agreements. As far as is known, MuddyWater primarily conducted campaigns in the Middle East and its neighboring regions in late 2020 and early 2021.

  • September 2020 – Operation Quicksand – Israel: According to ClearSky, MuddyWater targeted many prominent Israeli organizations. In this specific campaign, security researchers observed that the threat actor used a variant of Shamoon to encrypt data. However, it is believed that the intent of using Shamoon was not to deploy ransomware but to disrupt operations.
Operation Quicksand (Source: SOCRadar)
  • March 2021 – Earth Vetala Campaign: According to Trend Micro, Azerbaijan, Bahrain, Israel, Saudi Arabia, and the United Arab Emirates were the targets of the campaign. Government agencies, academia, and tourism were some of the targeted sectors. 

Latest Attacks of the Threat Actor 

In January 2022, cybersecurity researchers reported that MuddyWater targeted Turkish private organizations and governmental agencies. They used multiple malicious PDFs and MS Office documents during the campaign. With the spear phishing technique, the threat actors tried to convince the victims that the documents were from the Turkish Health and Internal Affairs Ministries.

Malicious PDF used in Turkey campaign (Source: Cisco Talos)

In another incident in December 2022, Deep Instinct reported that MuddyWater again conducted malicious activities using spear phishing emails. Israeli insurance companies were the targets of the attacks. As an evolving threat actor, they added a new remote access tool, Syncro, to their arsenal.

Email from MuddyWater's Israel attack (Source: Deep Instinct)

Observations of MuddyWater's cyber espionage activities lead to the conclusion that they act according to Iran's political strategies through MOIS. Whether because of political implications or another reason, Israel and Turkey appear to be significant targets for MuddyWater.

If your organization resides in the Middle East, you may be a target of MuddyWater. What can you do to defend against them? Beyond the technical mitigations, keeping up with the political climate of the Middle East region may give you a heads-up when tensions rise. On the technical side, MuddyWater evolves with each attack it performs, but it still relies on similar techniques. You can apply the following recommendations according to your needs.

Security Recommendations Against MuddyWater 

  • MuddyWater leverages spear phishing. Provide your employees with the necessary security awareness training.
  • Gain visibility into external-facing digital assets with an Attack Surface Management solution. 
  • Regularly apply security patches and software updates. 
  • Apply the least privilege principle across the network, especially to critical systems and services.
  • Secure domain controllers (DC) using best practices. 
  • Enable multifactor authentication (MFA) to prevent lateral movement. 
  • Refer to IOCs and take necessary actions toward mitigation. 

SOCRadar’s Attack Surface Management provides visibility into external-facing digital assets. SOCRadar has a predictive, preventive, and proactive approach toward security at its core. With SOCRadar’s Attack Surface Management, security teams can track which CVEs are present in the environment. Knowing which CVEs are present in the organization can give the organization an advantage in defending against MuddyWater.

SOCRadar Attack Surface Management

Most threat actors specializing in cyber espionage widely leverage spear phishing, just as MuddyWater does. If you receive any suspicious email, you can use free SOC Tools on SOCRadar Labs to analyze it.

SOCRadar SOC Tools provided by SOCRadar Labs

MITRE ATT&CK Techniques

Reconnaissance
  • Gather Victim Identity Information: Email Addresses

Resource Development
  • Acquire Infrastructure: Web Services
  • Obtain Capabilities: Tool

Initial Access
  • Phishing: Spearphishing Attachment
  • Phishing: Spearphishing Link

Execution
  • Windows Management Instrumentation
  • Command and Scripting Interpreter: PowerShell
  • Command and Scripting Interpreter: Windows Command Shell
  • Command and Scripting Interpreter: Visual Basic
  • Command and Scripting Interpreter: Python
  • Command and Scripting Interpreter: JavaScript
  • Exploitation for Client Execution
  • User Execution: Malicious Link
  • User Execution: Malicious File
  • Inter-Process Communication: Component Object Model
  • Inter-Process Communication: Dynamic Data Exchange

Persistence
  • Scheduled Task/Job: Scheduled Task
  • Office Application Startup: Office Template Macros
  • Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Privilege Escalation
  • Abuse Elevation Control Mechanism: Bypass User Account Control
  • Credentials from Password Stores
  • Credentials from Web Browsers

Defense Evasion
  • Obfuscated Files or Information
  • Compile After Delivery
  • Masquerading: Match Legitimate Name or Location
  • Deobfuscate/Decode Files or Information
  • Signed Binary Proxy Execution: CMSTP
  • Signed Binary Proxy Execution: Mshta
  • Signed Binary Proxy Execution: Rundll32
  • Execution Guardrails
  • Impair Defenses: Disable or Modify Tools

Credential Access
  • OS Credential Dumping: LSASS Memory
  • OS Credential Dumping: LSA Secrets
  • OS Credential Dumping: Cached Domain Credentials
  • Unsecured Credentials: Credentials In Files

Discovery
  • System Network Configuration Discovery
  • System Owner/User Discovery
  • System Network Connections Discovery
  • Process Discovery
  • System Information Discovery
  • File and Directory Discovery
  • Account Discovery: Domain Account
  • Software Discovery
  • Security Software Discovery

Collection
  • Screen Capture
  • Archive Collected Data: Archive via Utility

Command and Control
  • Application Layer Protocol: Web Protocols
  • Proxy: External Proxy
  • Web Service: Bidirectional Communication
  • Multi-Stage Channels
  • Ingress Tool Transfer
  • Data Encoding: Standard Encoding
  • Data Encoding: Non-Standard Encoding
  • Remote Access Software

Exfiltration
  • Exfiltration Over C2 Channel

Appendix 1: IOCs of PowGoop

Appendix 2: IOCs of Small Sieve

Appendix 3: IOCs of Canopy


Appendix 4: IOCs of Mori


Appendix 5: IOCs of POWERSTATS
