Threats Feed | MuddyWater | Last Updated: 24/01/2025 | Author: Certfa Radar | Publish Date: 02/01/2023

MuddyWater APT: Iran's Cyber Espionage Across the Middle East and Beyond

  • Actor Motivations: Espionage
  • Attack Vectors: Backdoor, Malware, Spear Phishing
  • Attack Complexity: High
  • Threat Risk: High Impact/High Probability

Threat Overview

MuddyWater, an Iranian state-sponsored APT linked to the Ministry of Intelligence and Security (MOIS), focuses on cyber espionage and intellectual property theft, occasionally deploying ransomware to disguise its activities. Active since 2017, the group primarily targets the Middle East, including Turkey, Israel, the UAE and Pakistan, with attacks extending to Europe, Asia, Africa and North America. Its targets span the government, defence, healthcare, energy, financial services and education sectors. Using spear phishing, DNS tunneling and tools such as SimpleHelp, PowerShell and PowGoop, MuddyWater carries out credential dumping and lateral movement and maintains persistent remote access. Recent campaigns include phishing attacks against Turkish agencies and Israeli companies.

Detected Targets

Type     Description             Confidence
Sector   Defense                 High
Sector   High-Tech               High
Sector   Education               High
Sector   Energy                  High
Region   Armenia                 Verified
Region   Azerbaijan              Verified
Region   Egypt                   Verified
Region   Iraq                    Verified
Region   Israel                  Verified
Region   Jordan                  Verified
Region   Oman                    Verified
Region   Qatar                   Verified
Region   Tajikistan              Verified
Region   United Arab Emirates    Verified

Extracted IOCs


Tip: 51 IOCs related to this threat have been found (21 IP, 0 domain, 0 URL, 0 email, 30 file hash).

Overlaps

APT42: APT42's Multi-National Cyber Operations: A Focus on Surveillance and Espionage

Source: Cyware - October 2022

Detection (two cases): 2c92da2721466bfbdaff7fedd9f3e8334b688a88ee54d7cab491e1a9df41258f, 7649c554e87f6ea21ba86bb26ea39521d5d18151

APT42: APT42: Uncovering the Iranian Cyber Espionage Operations and Global Targets

Source: Mandiant - September 2022

Detection (two cases): 2c92da2721466bfbdaff7fedd9f3e8334b688a88ee54d7cab491e1a9df41258f, 7649c554e87f6ea21ba86bb26ea39521d5d18151

MuddyWater: MuddyWater's Strategic Cyber Campaigns Across Turkey, Armenia, and Pakistan

Source: Cisco Talos - March 2022

Detection (four cases): 5[.]199.133.149, 88[.]119.170.124, 026868713d60e6790f41dc7046deb4e6795825faa903113d2f22b644f0d21141, 4b2862a1665a62706f88304406b071a5c9a6b3093daadc073e174ac6d493f26c

MuddyWater: MuddyWater Espionage Campaign: A Deep Dive into Malware and Tactics

Source: Picus Security - March 2022

Detection (16 cases): 026868713d60e6790f41dc7046deb4e6795825faa903113d2f22b644f0d21141, 0431445d6d6e5802c207c8bc6a6402ea, 11d594f3b3cf8525682f6214acb7b7782056d282, 15fa3b32539d7453a9a85958b77d4c95, 2a6ddf89a8366a262b56a251b00aafaed5321992, 3098dd53da40947a82e59265a47059e69b2925bc49c679e6555d102d1c6cbbc8, 3765c1ad8a1d936aad88255aef5d6d4ce24f94e8, 5763530f25ed0ec08fb26a30c04009f1, 81f46998c92427032378e5dead48bdfc9128b225, a27655d14b0aabec8db70ae08a623317, a8e7659942cc19f422678181ee23297efa55fa09, b0ab12a5a4c232c902cdeba421872c37, b75208393fa17c0bcbc1a07857686b8c0d7e0471d00a167a07fd0d52e1fc9054, bf090cf7078414c9e157da7002ca727f06053b39fa4e377f9a0050f2af37d3a2, cec48bcdedebc962ce45b63e201c0624, dd7ee54b12a55bcc67da4ceaed6e636b7bd30d4db6f6c594e9510e1e605ade92

MuddyWater: Analysis of MuddyWater Malware Targeting Diverse International Sectors

Source: CISA - February 2022

Detection (seven cases): 5[.]199.133.149, 88[.]119.170.124, 026868713d60e6790f41dc7046deb4e6795825faa903113d2f22b644f0d21141, 3098dd53da40947a82e59265a47059e69b2925bc49c679e6555d102d1c6cbbc8, 4b2862a1665a62706f88304406b071a5c9a6b3093daadc073e174ac6d493f26c, 9d50fcb2c4df4c502db0cac84bef96c2a36d33ef98c454165808ecace4dd2051, dd7ee54b12a55bcc67da4ceaed6e636b7bd30d4db6f6c594e9510e1e605ade92

UNC3313: The Rise of GRAMDOOR and STARWHALE in the Middle East: UNC3313 Suspected

Source: Mandiant - February 2022

Detection (three cases): 5[.]199.133.149, 15fa3b32539d7453a9a85958b77d4c95, 5763530f25ed0ec08fb26a30c04009f1

MuddyWater: MuddyWater: Iranian APT Group Targets Global Networks Across Multiple Sectors

Source: CISA - February 2022

Detection (nine cases): 5[.]199.133.149, 88[.]119.170.124, 11d594f3b3cf8525682f6214acb7b7782056d282, 15fa3b32539d7453a9a85958b77d4c95, 2a6ddf89a8366a262b56a251b00aafaed5321992, 5763530f25ed0ec08fb26a30c04009f1, a27655d14b0aabec8db70ae08a623317, b75208393fa17c0bcbc1a07857686b8c0d7e0471d00a167a07fd0d52e1fc9054, bf090cf7078414c9e157da7002ca727f06053b39fa4e377f9a0050f2af37d3a2

MuddyWater: Unveiling Small Sieve: A Python Backdoor with Advanced Evasion Techniques

Source: NCSC - February 2022

Detection (six cases): 11d594f3b3cf8525682f6214acb7b7782056d282, 15fa3b32539d7453a9a85958b77d4c95, 2a6ddf89a8366a262b56a251b00aafaed5321992, 5763530f25ed0ec08fb26a30c04009f1, b75208393fa17c0bcbc1a07857686b8c0d7e0471d00a167a07fd0d52e1fc9054, bf090cf7078414c9e157da7002ca727f06053b39fa4e377f9a0050f2af37d3a2

MuddyWater: Evolving Threat: MuddyWater APT's Multi-National Cyber Espionage Activities

Source: Cisco Talos - January 2022

Detection (two cases): 5[.]199.133.149, 88[.]119.170.124

MuddyWater: Evolution of MuddyWater: Targeting Governmental and Telecom Sectors in the Middle East

Source: Sentinel Labs - January 2022

Detection (three cases): 81f46998c92427032378e5dead48bdfc9128b225, cec48bcdedebc962ce45b63e201c0624, dd7ee54b12a55bcc67da4ceaed6e636b7bd30d4db6f6c594e9510e1e605ade92

Seedworm: SeedWorm Malware Campaign: Unveiling the LisfonService Backdoor Variants

Source: Rewterz - February 2019

Detection (two cases): 6f8226d890350943a9ef4cc81598e0e953d8ba9746694c0b7e3d99e418701b39, c514c3f293f0cb4c23662a5ab962b158cb97580b03a22b82e21fa3b26d64809c

Seedworm: Seedworm's Persistent Cyber Campaigns: Intelligence Gathering Across Multiple Sectors

Source: Symantec - December 2018

Detection (two cases): e75443a5e825f69c75380b6dc76c6b50, f5dee1f9cd47dc7bae468da9732c862e

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.