Security Experts:

Connect with us

Hi, what are you looking for?



U.S. Cyber Command Officially Links MuddyWater Group to Iranian Intelligence

The U.S. Cyber Command (CYBERCOM) on Wednesday officially tied the advanced persistent threat (APT) actor known as MuddyWater to Iranian intelligence.

The U.S. Cyber Command (CYBERCOM) on Wednesday officially tied the advanced persistent threat (APT) actor known as MuddyWater to Iranian intelligence.

Also tracked as MERCURY, Seedworm, and Static Kitten, MuddyWater was initially detailed in 2017. The threat actor is known for conducting espionage campaigns focused on entities in the Middle East, but has targeted entities in Europe and North America as well.

The hacking group, the military agency notes, employs various open-source tools that allow it to maintain access to compromised networks, and administrators should assume they have been compromised if they identify multiple such tools in their environment.

“These actors, known as MuddyWater in industry, are part of groups conducting Iranian intelligence activities, and have been seen using a variety of techniques to maintain access to victim networks,” CYBERCOM says.

U.S. Cyber Command believes MuddyWater is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS), which is involved in both domestic surveillance operations and the targeting of anti-regime activists abroad.

To help network defenders better protect their environments against MuddyWater attacks, CYBERCOM has uploaded 17 malware samples associated with the group’s activities to VirusTotal, including PowGoop samples and variants and a Mori backdoor sample.

First observed in 2020, PowGoop is a downloader that contains a DLL loader, along with a PowerShell-based downloader that decrypts and runs it. The malicious tool was used in attacks against a wide range of entities in the education, government, oil and gas, real estate, telecoms, and technology sectors.

Older than PowGoop and observed in numerous MuddyWater intrusions, the Mori backdoor relies on DNS tunneling for communication with the command and control (C&C) server, and is believed to be employed for espionage purposes.

Five of the files that CYBERCOM has uploaded to VirusTotal this week aren’t detected as malicious by any of the antivirus engines in the scanning service, while six others have very low detection rates.

Related: Iranian APT Targets Middle East Telecoms Operators in Espionage Campaign

Related: USCYBERCOM Warns of Mass Exploitation of Atlassian Vulnerability Ahead of Holiday Weekend

Related: U.S. Cyber Command Shares More Russian Malware Samples

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.