MuddyWater: Iranian APT Group Targets Global Networks Across Multiple Sectors
- Actor Motivations: Espionage, Extortion
- Attack Vectors: Vulnerability Exploitation, Backdoor, Malware, Spear Phishing
- Attack Complexity: High
- Threat Risk: High Impact/High Probability
Threat Overview
MuddyWater, an Iranian government-sponsored APT group, has been conducting cyber operations against government and private-sector organizations across Asia, Africa, Europe, and North America. Targeted sectors include telecommunications, defense, local government, and oil and natural gas. MuddyWater's campaigns combine the exploitation of publicly known vulnerabilities, the use of open-source tools, spear phishing, and the deployment of several malware families, including PowGoop, Small Sieve, Canopy/Starwhale, Mori, and POWERSTATS. The group has been active since 2018 and is known for maintaining persistence on victim networks and for obfuscating its PowerShell scripts to hide their C2 functionality.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Sector | Defense | Verified |
| Sector | Government Agencies and Services | Verified |
| Sector | Oil and Gas | Verified |
| Sector | Telecommunication | Verified |
| Region | Middle East Countries | High |
| Region | United States | High |
| Region | European Countries | High |
Extracted IOCs
Tip: 41 related IOCs (23 IP, 0 domain, 0 URL, 0 email, 18 file hash) to this threat have been found.
Overlaps
Source: Deep Instinct - November 2023
Detection (one case): 164[.]132.237.65
Source: Deep Instinct - June 2023
Detection (one case): 87[.]236.212.22
Source: Group-IB - April 2023
Detection (one case): 164[.]132.237.65
Source: NTT Security - May 2022
Detection (nine cases): 164[.]132.237.65, 185[.]141.27.143, 185[.]141.27.248, 185[.]183.96.44, 185[.]183.96.7, 185[.]45.192.228, 192[.]210.191.188, 192[.]210.226.128, 80[.]85.158.49
Source: Cisco Talos - March 2022
Detection (two cases): 5[.]199.133.149, 88[.]119.170.124
Source: Picussecurity - March 2022
Detection (12 cases): 11d594f3b3cf8525682f6214acb7b7782056d282, 12db8bcee090521ecf852bf215ce3878737517a22ef1f2ff9bdec7cba8d0d3aa, 15fa3b32539d7453a9a85958b77d4c95, 218d4151b39e4ece13d3bf5ff4d1121b, 2471a039cb1ddeb826f3a11f89b193624d89052afcbee01205dc92610723eb82, 28e799d9769bb7e936d1768d498a0d2c7a0d53fb, 2a6ddf89a8366a262b56a251b00aafaed5321992, 5763530f25ed0ec08fb26a30c04009f1, 8344f2c1096687ed83c2bbad0e6e549a71b0c0b1, a27655d14b0aabec8db70ae08a623317, b75208393fa17c0bcbc1a07857686b8c0d7e0471d00a167a07fd0d52e1fc9054, bf090cf7078414c9e157da7002ca727f06053b39fa4e377f9a0050f2af37d3a2
Source: CISA - February 2022
Detection (10 cases): 185[.]117.75.34, 185[.]118.164.21, 185[.]183.96.44, 185[.]183.96.7, 192[.]210.191.188, 5[.]199.133.149, 88[.]119.170.124, 12db8bcee090521ecf852bf215ce3878737517a22ef1f2ff9bdec7cba8d0d3aa, 2471a039cb1ddeb826f3a11f89b193624d89052afcbee01205dc92610723eb82, ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9
Source: Mandiant - February 2022
Detection (six cases): 45[.]142.213.17, 45[.]153.231.104, 5[.]199.133.149, 95[.]181.161.50, 15fa3b32539d7453a9a85958b77d4c95, 5763530f25ed0ec08fb26a30c04009f1
Source: NCSC - February 2022
Detection (six cases): 11d594f3b3cf8525682f6214acb7b7782056d282, 15fa3b32539d7453a9a85958b77d4c95, 2a6ddf89a8366a262b56a251b00aafaed5321992, 5763530f25ed0ec08fb26a30c04009f1, b75208393fa17c0bcbc1a07857686b8c0d7e0471d00a167a07fd0d52e1fc9054, bf090cf7078414c9e157da7002ca727f06053b39fa4e377f9a0050f2af37d3a2
Source: Cisco Talos - January 2022
Detection (two cases): 5[.]199.133.149, 88[.]119.170.124
Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.