Connect with us

Hi, what are you looking for?



U.S. Cyber Command Officially Links MuddyWater Group to Iranian Intelligence

The U.S. Cyber Command (CYBERCOM) on Wednesday officially tied the advanced persistent threat (APT) actor known as MuddyWater to Iranian intelligence.

The U.S. Cyber Command (CYBERCOM) on Wednesday officially tied the advanced persistent threat (APT) actor known as MuddyWater to Iranian intelligence.

Also tracked as MERCURY, Seedworm, and Static Kitten, MuddyWater was initially detailed in 2017. The threat actor is known for conducting espionage campaigns focused on entities in the Middle East, but has targeted entities in Europe and North America as well.

The hacking group, the military agency notes, employs various open-source tools that allow it to maintain access to compromised networks, and administrators should assume they have been compromised if they identify multiple such tools in their environment.

“These actors, known as MuddyWater in industry, are part of groups conducting Iranian intelligence activities, and have been seen using a variety of techniques to maintain access to victim networks,” CYBERCOM says.

U.S. Cyber Command believes MuddyWater is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS), which is involved in both domestic surveillance operations and the targeting of anti-regime activists abroad.

To help network defenders better protect their environments against MuddyWater attacks, CYBERCOM has uploaded 17 malware samples associated with the group’s activities to VirusTotal, including PowGoop samples and variants and a Mori backdoor sample.

First observed in 2020, PowGoop is a downloader that contains a DLL loader, along with a PowerShell-based downloader that decrypts and runs it. The malicious tool was used in attacks against a wide range of entities in the education, government, oil and gas, real estate, telecoms, and technology sectors.

Older than PowGoop and observed in numerous MuddyWater intrusions, the Mori backdoor relies on DNS tunneling for communication with the command and control (C&C) server, and is believed to be employed for espionage purposes.

Advertisement. Scroll to continue reading.

Five of the files that CYBERCOM has uploaded to VirusTotal this week aren’t detected as malicious by any of the antivirus engines in the scanning service, while six others have very low detection rates.

Related: Iranian APT Targets Middle East Telecoms Operators in Espionage Campaign

Related: USCYBERCOM Warns of Mass Exploitation of Atlassian Vulnerability Ahead of Holiday Weekend

Related: U.S. Cyber Command Shares More Russian Malware Samples

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.


People on the Move

Satellite cybersecurity company SpiderOak has named Kip Gering as its new Chief Revenue Officer.

Merlin Ventures has appointed cybersecurity executive Andrew Smeaton as the firm’s CISO-in-Residence.

Retired U.S. Army General and former NSA Director Paul M. Nakasone has joined the Board of Directors at OpenAI.

More People On The Move

Expert Insights