A malware campaign linked to Iran-backed hackers targeted various sectors globally, using obfuscated scripts and malicious documents to compromise systems and steal information.

Who is behind the attack?

The threat actors are from MuddyWater, a cyber-espionage group sponsored by the Iranian government and known for targeting strategic sectors worldwide.

What was the goal of the attack?

The primary goals were surveillance, data theft, and maintaining persistent access to victim networks for espionage purposes.

Organizations in telecommunications, defense, local government, and oil and gas sectors across Asia, Africa, Europe, and North America.

How did the attackers operate?

They used a mix of renamed DLLs, malicious Excel files, JavaScript droppers, and PowerShell scripts to run commands remotely and exfiltrate data silently.

Why are these sectors attractive to attackers?

These sectors hold valuable strategic, political, and economic data that can support intelligence gathering and geopolitical objectives.

What can organizations do to protect themselves?

Improve detection of script-based threats, limit macro execution, monitor for suspicious network behavior, and block communication with known malicious IPs.

Is this a widespread issue or a targeted one?

The campaign shows signs of being targeted toward specific sectors and regions, though the tools and infrastructure could be reused for broader campaigns.

Threats Feed|MuddyWater|Last Updated 23/06/2025|AuthorCertfa Radar|Publish Date24/02/2022

Analysis of MuddyWater Malware Targeting Diverse International Sectors

Actor Motivations: Espionage,Exfiltration
Attack Vectors: Backdoor,Fileless malware,Malicious Macro,Trojan
Attack Complexity: Medium
Threat Risk: High Impact/High Probability

Threat Overview

The analysis by multiple cybersecurity agencies, including the FBI and NSA, reveals MuddyWater's extensive use of the POWGOOP malware family among other malicious tools in cyber espionage activities. Targeting sectors such as telecommunications, defense, local government, and oil and natural gas, MuddyWater has impacted organizations across Asia, Africa, Europe, and North America. The analyzed malware employed techniques like DLL side-loading, PowerShell scripts for command execution, and data exfiltration via encrypted channels to C2 servers. These actions are part of a broader Iranian government-sponsored initiative, indicating a significant threat to global security infrastructure.

Reference and Credit: CISA - February 2022

MAR–10369127–1.v1 – MuddyWater

Detected Targets

Type	Description	Confidence
Sector	Defense	Verified
Sector	Government Agencies and Services	Verified
Sector	Oil and Gas	Verified
Sector	Telecommunication	Verified
Region	United States	High
Region	European Countries	Verified

Extracted IOCs

026868713d60e6790f41dc7046deb4e6795825faa903113d2f22b644f0d21141
12db8bcee090521ecf852bf215ce3878737517a22ef1f2ff9bdec7cba8d0d3aa
2471a039cb1ddeb826f3a11f89b193624d89052afcbee01205dc92610723eb82
255e53af8b079c8319ce52583293723551da9affe547da45e2c1d4257cff625a
3098dd53da40947a82e59265a47059e69b2925bc49c679e6555d102d1c6cbbc8
42ca7d3fcd6d220cd380f34f9aa728b3bb68908b49f04d04f685631ee1f78986
4b2862a1665a62706f88304406b071a5c9a6b3093daadc073e174ac6d493f26c
5bcdd422089ed96d6711fa251544e2e863b113973db328590cfe0457bfeb564f
7e7545d14df7b618b3b1bc24321780c164a0a14d3600dbac0f91afbce1a2f9f4
9cb79736302999a7ec4151a43e93cd51c97ede879194cece5e46b4ff471a7af7
9d50fcb2c4df4c502db0cac84bef96c2a36d33ef98c454165808ecace4dd2051
9ec8319e278d1b3fa1ccf87b5ce7dd6802dac76881e4e4e16e240c5a98f107e2
b1e30cce6df16d83b82b751edca57aa17795d8d0cdd960ecee7d90832b0ee76c
b5b1e26312e0574464ddef92c51d5f597e07dba90617c0528ec9f494af7e8504
b6133e04a0a1deb8faf944dd79c46c62f725a72ea9f26dd911d6f6e1e4433f1a
c2badcdfa9b7ece00f245990bb85fb6645c05b155b77deaf2bb7a2a0aacbe49e
ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9
d77e268b746cf1547e7ed662598f8515948562e1d188a7f9ddb8e00f4fd94ef0
dd7ee54b12a55bcc67da4ceaed6e636b7bd30d4db6f6c594e9510e1e605ade92
e7baf353aa12ff2571fc5c45184631dc2692e2f0a61b799e29a1525969bf2d13
e7f6c7b91c482c12fc905b84dbaa9001ef78dc6a771773e1de4b8eade5431eca
ed988768f50f1bb4cc7fb69f9633d6185714a99ecfd18b7b1b88a42a162b0418
f10471e15c6b971092377c524a0622edf4525acee42f4b61e732f342ea7c0df0
185[.]117.75.34
185[.]118.164.21
185[.]183.96.44
185[.]183.96.7
192[.]210.191.188
5[.]199.133.149
88[.]119.170.124

download

Tip: 30 related IOCs (7 IP, 0 domain, 0 URL, 0 email, 23 file hash) to this threat have been found.

FAQs

Understanding the MuddyWater Malware Campaign

: A malware campaign linked to Iran-backed hackers targeted various sectors globally, using obfuscated scripts and malicious documents to compromise systems and steal information.
: The threat actors are from MuddyWater, a cyber-espionage group sponsored by the Iranian government and known for targeting strategic sectors worldwide.
: The primary goals were surveillance, data theft, and maintaining persistent access to victim networks for espionage purposes.
: Organizations in telecommunications, defense, local government, and oil and gas sectors across Asia, Africa, Europe, and North America.
: They used a mix of renamed DLLs, malicious Excel files, JavaScript droppers, and PowerShell scripts to run commands remotely and exfiltrate data silently.
: These sectors hold valuable strategic, political, and economic data that can support intelligence gathering and geopolitical objectives.
: Improve detection of script-based threats, limit macro execution, monitor for suspicious network behavior, and block communication with known malicious IPs.
: The campaign shows signs of being targeted toward specific sectors and regions, though the tools and infrastructure could be reused for broader campaigns.

About Affiliation

MuddyWater

Associate threats