MuddyWater
Aliases: Earth Vetala, MERCURY, Static Kitten, Seedworm, TEMP.Zagros, Mango Sandstorm, TA450
MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS). Since at least 2017, MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, defense, and oil and natural gas organizations, in the Middle East, Asia, Africa, Europe, and North America.
ATT&CK techniques
T1566.002 Spearphishing Link
T1137.001 Office Template Macros
T1574.002 DLL Side-Loading
T1588.002 Tool
T1218.005 Mshta
T1047 Windows Management Instrumentation
T1003.004 LSA Secrets
T1566.001 Spearphishing Attachment
T1559.001 Component Object Model
T1059.003 Windows Command Shell
T1218.003 CMSTP
T1036.005 Match Legitimate Name or Location
T1562.001 Disable or Modify Tools
T1087.002 Domain Account
T1059.007 JavaScript
T1583.006 Web Services
T1059.005 Visual Basic
T1016 System Network Configuration Discovery
T1547.001 Registry Run Keys / Startup Folder
T1140 Deobfuscate/Decode Files or Information
T1559.002 Dynamic Data Exchange
T1027.010 Command Obfuscation
T1027.004 Compile After Delivery
T1518.001 Security Software Discovery
T1074.001 Local Data Staging
T1113 Screen Capture
T1071.001 Web Protocols
T1518 Software Discovery
T1083 File and Directory Discovery
T1548.002 Bypass User Account Control
T1105 Ingress Tool Transfer
T1573.001 Symmetric Cryptography
T1555.003 Credentials from Web Browsers
T1560.001 Archive via Utility
T1059.006 Python
T1049 System Network Connections Discovery
T1082 System Information Discovery
T1555 Credentials from Password Stores
T1057 Process Discovery
T1132.001 Standard Encoding
T1104 Multi-Stage Channels
T1204.001 Malicious Link
T1027.003 Steganography
T1003.001 LSASS Memory
T1053.005 Scheduled Task
T1090.002 External Proxy
T1204.002 Malicious File
T1033 System Owner/User Discovery
T1219 Remote Access Software
T1041 Exfiltration Over C2 Channel
T1059.001 PowerShell
T1102.002 Bidirectional Communication
T1218.011 Rundll32
T1552.001 Credentials In Files
T1190 Exploit Public-Facing Application
T1210 Exploitation of Remote Services
T1203 Exploitation for Client Execution
T1003.005 Cached Domain Credentials
T1589.002 Email Addresses
Correlated CTI and IR reports
MuddyWater G0069 (MITRE ATT&CK · direct source mapping)
Stryker Handala MOIS and MuddyWater: Full Kill Chain and Unified Detection Pack v3 (ThreatHunter.ai · direct source mapping)
MuddyWater: Snakes by the riverbank (ESET Research · actor reference)
New BugSleep Backdoor Deployed in Recent MuddyWater Campaigns (Check Point Research · actor reference)
Overview of Recent Phishing (Israel National Cyber Directorate · actor reference)
Unmasking: Technological Advancement and Evolution of MuddyWater in 2024 (Israel National Cyber Directorate · actor reference)
CTI Research: MuddyWater/Seedworm Mango Sandstorm (Andrey Pautov · actor reference)
1. Executive Summary (Israel Threat Actors CTI · explicit report mention)
Actor Deep Research Prompts (Israel Threat Actors CTI · explicit report mention)
Andrey Pautov Medium Articles (Israel Threat Actors CTI · explicit report mention)
Blue-Team IOC Tables — Consolidated (1200km CTI repository · explicit report mention)
CTI (1200km CTI repository · explicit report mention)
CTI Research Template (1200km CTI repository · explicit report mention)
CTI Research: MuddyWater / Seedworm (Mango Sandstorm) (1200km CTI repository · explicit report mention)
CTI Research: MuddyWater / Seedworm (Mango Sandstorm) (1200km CTI repository · explicit report mention)
CTI Research: MuddyWater / Seedworm (Mango Sandstorm) (1200km CTI repository · explicit report mention)
Cyber Threat Intelligence Dossier: Iranian and Hamas-Aligned Operations Targeting Israeli and Allied Ecosystems (2023-2026) (Israel Threat Actors CTI · explicit report mention)
Defensive CTI Research on Threats to Israeli Government and Public-Sector Environments (Israel Threat Actors CTI · explicit report mention)
Defensive Cyber Threat Intelligence Report: Israeli Critical Infrastructure and Geopolitical Escalation (2024-2026) (Israel Threat Actors CTI · explicit report mention)
IOC Tables — MuddyWater / Seedworm (Mango Sandstorm) (1200km CTI repository · explicit report mention)
Israel Government Threat Actors CTI: Evidentiary Foundation Intake (Israel Threat Actors CTI · explicit report mention)
MuddyWater / Seedworm (CTI Analyst Field Manual · explicit report mention)
Release Notes (Israel Threat Actors CTI · explicit report mention)
Report Index (Israel Threat Actors CTI · explicit report mention)
Research Intake Upgrade Summary (Israel Threat Actors CTI · explicit report mention)
Worked Cases (Israel Threat Actors CTI · explicit report mention)
CTI Analyst Field Manual Complete Reference (1200km Medium · authored report mention)
CTI Led Defensive Strategy for a Cellular Provider Case Study (1200km Medium · authored report mention)
CTI Research MuddyWater Seedworm Mango Sandstorm (1200km Medium · authored report mention)
Boggy Serpens Threat Assessment (Unit 42 · actor context)
Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks (CISA · actor context)
Iranian Government-Sponsored Threat Actor MuddyWater (Israel National Cyber Directorate · actor context)
Iranian MOIS Actors and the Cyber Crime Connection (Check Point Research · actor context)
MERCURY and DEV-1084: Destructive attack on hybrid environment (Microsoft Security · actor context)
APT and financial attacks on industrial organizations in Q4 2025 (Kaspersky ICS CERT · actor context)
MuddyWater APT 2025 (Brandefense · actor context)