Threats Feed | MuddyWater | Last Updated: 28/01/2026 | Author: Certfa Radar | Publish Date: 24/02/2022

Analysis of MuddyWater Malware Targeting Diverse International Sectors

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Backdoor, Fileless malware, Malicious Macro, Trojan
  • Attack Complexity: Medium
  • Threat Risk: High Impact / High Probability

Threat Overview

Joint analysis by several government cybersecurity agencies, including the FBI, NSA and CISA, documents MuddyWater's extensive use of the POWGOOP malware family alongside other tooling in cyber-espionage operations. The group has targeted the telecommunications, defense, local government, and oil and natural gas sectors, affecting organizations across Asia, Africa, Europe, and North America. The analyzed samples rely on DLL side-loading to execute the loader, PowerShell scripts for remote command execution, and encrypted channels to the command-and-control (C2) servers listed below for data exfiltration. The activity is attributed to an Iranian government-sponsored group and represents a significant threat to critical infrastructure in the affected regions.

Detected Targets

Type     Description                         Confidence
Sector   Defense                             Verified
Sector   Government Agencies and Services    Verified
Sector   Oil and Gas                         Verified
Sector   Telecommunication                   Verified
Region   United States                       High
Region   European Countries                  Verified

Extracted IOCs

  • 026868713d60e6790f41dc7046deb4e6795825faa903113d2f22b644f0d21141
  • 12db8bcee090521ecf852bf215ce3878737517a22ef1f2ff9bdec7cba8d0d3aa
  • 2471a039cb1ddeb826f3a11f89b193624d89052afcbee01205dc92610723eb82
  • 255e53af8b079c8319ce52583293723551da9affe547da45e2c1d4257cff625a
  • 3098dd53da40947a82e59265a47059e69b2925bc49c679e6555d102d1c6cbbc8
  • 42ca7d3fcd6d220cd380f34f9aa728b3bb68908b49f04d04f685631ee1f78986
  • 4b2862a1665a62706f88304406b071a5c9a6b3093daadc073e174ac6d493f26c
  • 5bcdd422089ed96d6711fa251544e2e863b113973db328590cfe0457bfeb564f
  • 7e7545d14df7b618b3b1bc24321780c164a0a14d3600dbac0f91afbce1a2f9f4
  • 9cb79736302999a7ec4151a43e93cd51c97ede879194cece5e46b4ff471a7af7
  • 9d50fcb2c4df4c502db0cac84bef96c2a36d33ef98c454165808ecace4dd2051
  • 9ec8319e278d1b3fa1ccf87b5ce7dd6802dac76881e4e4e16e240c5a98f107e2
  • b1e30cce6df16d83b82b751edca57aa17795d8d0cdd960ecee7d90832b0ee76c
  • b5b1e26312e0574464ddef92c51d5f597e07dba90617c0528ec9f494af7e8504
  • b6133e04a0a1deb8faf944dd79c46c62f725a72ea9f26dd911d6f6e1e4433f1a
  • c2badcdfa9b7ece00f245990bb85fb6645c05b155b77deaf2bb7a2a0aacbe49e
  • ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9
  • d77e268b746cf1547e7ed662598f8515948562e1d188a7f9ddb8e00f4fd94ef0
  • dd7ee54b12a55bcc67da4ceaed6e636b7bd30d4db6f6c594e9510e1e605ade92
  • e7baf353aa12ff2571fc5c45184631dc2692e2f0a61b799e29a1525969bf2d13
  • e7f6c7b91c482c12fc905b84dbaa9001ef78dc6a771773e1de4b8eade5431eca
  • ed988768f50f1bb4cc7fb69f9633d6185714a99ecfd18b7b1b88a42a162b0418
  • f10471e15c6b971092377c524a0622edf4525acee42f4b61e732f342ea7c0df0
  • 185[.]117.75.34
  • 185[.]118.164.21
  • 185[.]183.96.44
  • 185[.]183.96.7
  • 192[.]210.191.188
  • 5[.]199.133.149
  • 88[.]119.170.124

Tip: 30 related IOCs (7 IP, 0 domain, 0 URL, 0 email, 23 file hash) to this threat have been found.

Overlaps

MuddyWater | MuddyWater APT: Iran's Cyber Espionage Across the Middle East and Beyond

Source: SOCRadar - January 2023

Detection (seven cases): 5[.]199.133.149, 88[.]119.170.124, 026868713d60e6790f41dc7046deb4e6795825faa903113d2f22b644f0d21141, 3098dd53da40947a82e59265a47059e69b2925bc49c679e6555d102d1c6cbbc8, 4b2862a1665a62706f88304406b071a5c9a6b3093daadc073e174ac6d493f26c, 9d50fcb2c4df4c502db0cac84bef96c2a36d33ef98c454165808ecace4dd2051, dd7ee54b12a55bcc67da4ceaed6e636b7bd30d4db6f6c594e9510e1e605ade92

ENT-11 | ENT-11: Iranian APT Group's PowGoop Attacks Uncovered

Source: NTT Security - May 2022

Detection (four cases): 185[.]183.96.44, 185[.]183.96.7, 192[.]210.191.188, 9cb79736302999a7ec4151a43e93cd51c97ede879194cece5e46b4ff471a7af7

MuddyWater | MuddyWater's Strategic Cyber Campaigns Across Turkey, Armenia, and Pakistan

Source: Cisco Talos - March 2022

Detection (eight cases): 5[.]199.133.149, 88[.]119.170.124, 026868713d60e6790f41dc7046deb4e6795825faa903113d2f22b644f0d21141, 4b2862a1665a62706f88304406b071a5c9a6b3093daadc073e174ac6d493f26c, c2badcdfa9b7ece00f245990bb85fb6645c05b155b77deaf2bb7a2a0aacbe49e, d77e268b746cf1547e7ed662598f8515948562e1d188a7f9ddb8e00f4fd94ef0, ed988768f50f1bb4cc7fb69f9633d6185714a99ecfd18b7b1b88a42a162b0418, f10471e15c6b971092377c524a0622edf4525acee42f4b61e732f342ea7c0df0

MuddyWater | MuddyWater Espionage Campaign: A Deep Dive into Malware and Tactics

Source: Picussecurity - March 2022

Detection (11 cases): 026868713d60e6790f41dc7046deb4e6795825faa903113d2f22b644f0d21141, 12db8bcee090521ecf852bf215ce3878737517a22ef1f2ff9bdec7cba8d0d3aa, 2471a039cb1ddeb826f3a11f89b193624d89052afcbee01205dc92610723eb82, 3098dd53da40947a82e59265a47059e69b2925bc49c679e6555d102d1c6cbbc8, 42ca7d3fcd6d220cd380f34f9aa728b3bb68908b49f04d04f685631ee1f78986, b1e30cce6df16d83b82b751edca57aa17795d8d0cdd960ecee7d90832b0ee76c, b5b1e26312e0574464ddef92c51d5f597e07dba90617c0528ec9f494af7e8504, c2badcdfa9b7ece00f245990bb85fb6645c05b155b77deaf2bb7a2a0aacbe49e, d77e268b746cf1547e7ed662598f8515948562e1d188a7f9ddb8e00f4fd94ef0, dd7ee54b12a55bcc67da4ceaed6e636b7bd30d4db6f6c594e9510e1e605ade92, ed988768f50f1bb4cc7fb69f9633d6185714a99ecfd18b7b1b88a42a162b0418

UNC3313 | The Rise Of GRAMDOOR And STARWHALE In The Middle East: UNC3313 Suspected

Source: Mandiant - February 2022

Detection (one case): 5[.]199.133.149

MuddyWater | MuddyWater: Iranian APT Group Targets Global Networks Across Multiple Sectors

Source: CISA - February 2022

Detection (10 cases): 185[.]117.75.34, 185[.]118.164.21, 185[.]183.96.44, 185[.]183.96.7, 192[.]210.191.188, 5[.]199.133.149, 88[.]119.170.124, 12db8bcee090521ecf852bf215ce3878737517a22ef1f2ff9bdec7cba8d0d3aa, 2471a039cb1ddeb826f3a11f89b193624d89052afcbee01205dc92610723eb82, ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9

MuddyWater | Evolving Threat: MuddyWater APT's Multi-National Cyber Espionage Activities

Source: Cisco Talos - January 2022

Detection (three cases): 5[.]199.133.149, 88[.]119.170.124, b1e30cce6df16d83b82b751edca57aa17795d8d0cdd960ecee7d90832b0ee76c

MuddyWater | Evolution of MuddyWater: Targeting Governmental and Telecom Sectors in the Middle East

Source: Sentinel Labs - January 2022

Detection (three cases): 7e7545d14df7b618b3b1bc24321780c164a0a14d3600dbac0f91afbce1a2f9f4, b5b1e26312e0574464ddef92c51d5f597e07dba90617c0528ec9f494af7e8504, dd7ee54b12a55bcc67da4ceaed6e636b7bd30d4db6f6c594e9510e1e605ade92

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.

FAQs

Understanding the MuddyWater Malware Campaign

What was this campaign?
A malware campaign linked to Iran-backed hackers targeted various sectors globally, using obfuscated scripts and malicious documents to compromise systems and steal information.

Who is behind it?
The threat actors belong to MuddyWater, a cyber-espionage group sponsored by the Iranian government and known for targeting strategic sectors worldwide.

What were the attackers' goals?
The primary goals were surveillance, data theft, and maintaining persistent access to victim networks for espionage purposes.

Who was targeted?
Organizations in the telecommunications, defense, local government, and oil and gas sectors across Asia, Africa, Europe, and North America.

What tools and techniques were used?
A mix of renamed DLLs loaded by side-loading, malicious Excel files, JavaScript droppers, and PowerShell scripts used to run commands remotely and exfiltrate data over encrypted channels.

Why these sectors?
These sectors hold valuable strategic, political, and economic data that can support intelligence gathering and geopolitical objectives.

How can organizations defend against it?
Improve detection of script-based threats (PowerShell and JavaScript execution from user-writable paths), restrict or disable Office macro execution, monitor for anomalous outbound connections, and block communication with the IP addresses listed in the IOC section at the perimeter.

Is the campaign targeted or opportunistic?
The campaign shows signs of being targeted toward specific sectors and regions, though the tools and infrastructure could be reused for broader campaigns.
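The IOC list above is published defanged, and the FAQ recommends blocking the listed IPs and hunting for the file hashes. The script below is an added example (it is not Certfa Radar's tooling and is not taken from any of the overlapping reports): it refangs the indicators as pasted from this page, sorts them into IP and SHA-256 sets, and sweeps them against firewall/proxy log lines and a file-hash inventory. The IOC subset embedded in it is copied from the feed above (the full list can be pasted in the same way); the log lines, file paths and the non-matching hash are constructed for illustration and do not come from any real incident.

```python
"""Sweep the feed's defanged IOCs against sample telemetry (added example).

The indicators in IOC_TEXT are copied from the Certfa Radar page above (IPv4
addresses defanged with "[.]" plus SHA-256 hashes). SAMPLE_LOG and
SAMPLE_INVENTORY are constructed for this example only.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Subset of the feed's indicators, pasted verbatim (bullets included) to show
# that the parser copes with the page's formatting. Extend with the full list.
IOC_TEXT = """
  • 026868713d60e6790f41dc7046deb4e6795825faa903113d2f22b644f0d21141
  • 9cb79736302999a7ec4151a43e93cd51c97ede879194cece5e46b4ff471a7af7
  • ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9
  • 185[.]117.75.34
  • 185[.]118.164.21
  • 185[.]183.96.44
  • 185[.]183.96.7
  • 192[.]210.191.188
  • 5[.]199.133.149
  • 88[.]119.170.124
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(indicator: str) -> str:
    """Undo common defanging so feed values compare equal to raw telemetry."""
    return (indicator.strip()
            .replace("[.]", ".").replace("(.)", ".")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


@dataclass
class IocSet:
    ips: set[str] = field(default_factory=set)
    hashes: set[str] = field(default_factory=set)
    unknown: list[str] = field(default_factory=list)   # anything we could not classify


def parse_iocs(text: str) -> IocSet:
    """Split pasted feed text into validated IPv4 and SHA-256 sets."""
    iocs = IocSet()
    for raw in text.splitlines():
        token = refang(raw.strip().lstrip("• ")).lower()
        if not token:
            continue
        if SHA256_RE.match(token):
            iocs.hashes.add(token)
            continue
        try:
            iocs.ips.add(str(ipaddress.ip_address(token)))  # rejects malformed IPs
        except ValueError:
            iocs.unknown.append(token)
    return iocs


def find_ip_hits(iocs: IocSet, log_lines: list[str]) -> list[tuple[int, str, str]]:
    """Return (line number, matched IP, line) for every log line touching a C2 IP."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        # dict.fromkeys de-duplicates an IP that appears twice in one line
        for ip in dict.fromkeys(IPV4_RE.findall(line)):
            if ip in iocs.ips:
                hits.append((lineno, ip, line))
    return hits


def find_hash_hits(iocs: IocSet, inventory: dict[str, str]) -> dict[str, str]:
    """Return {path: sha256} for inventory entries whose hash is in the feed."""
    return {path: h for path, h in inventory.items() if h.lower() in iocs.hashes}


# Constructed firewall/proxy lines: internal hosts talking to two feed IPs.
SAMPLE_LOG = [
    "2022-02-24T10:01:02Z fw src=10.0.0.5 dst=5.199.133.149 dport=443 action=allow",
    "2022-02-24T10:01:09Z fw src=10.0.0.5 dst=142.250.74.46 dport=443 action=allow",
    "2022-02-24T10:02:31Z proxy client=10.0.0.7 dst=185.117.75.34 url=http://185.117.75.34/update",
    "2022-02-24T10:03:00Z fw src=10.0.0.9 dst=185.183.96.7 dport=80 action=allow",
]

# Constructed EDR hash inventory: one feed hash under a hypothetical path and
# one benign entry (SHA-256 of the empty file, clearly not an IOC).
SAMPLE_INVENTORY = {
    r"C:\ProgramData\update\sample.dll":
        "026868713d60e6790f41dc7046deb4e6795825faa903113d2f22b644f0d21141",
    r"C:\ProgramData\update\empty.bin":
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}

if __name__ == "__main__":
    iocs = parse_iocs(IOC_TEXT)
    print(f"{len(iocs.ips)} IPs, {len(iocs.hashes)} hashes, unknown={iocs.unknown}")
    for lineno, ip, line in find_ip_hits(iocs, SAMPLE_LOG):
        print(f"C2 contact line {lineno} ({ip}): {line}")
    for path, h in find_hash_hits(iocs, SAMPLE_INVENTORY).items():
        print(f"known-bad file {path}: {h}")
```

Network hits are the higher-value signal here: a hash match confirms a dropped sample, but a connection to one of these IPs from a host that never matched a hash may indicate a recompiled loader the hash list does not cover, so the IP sweep should run over historical proxy and firewall data, not just current inventory.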