Connect with us

Hi, what are you looking for?



U.S. Cyber Command Officially Links MuddyWater Group to Iranian Intelligence

The U.S. Cyber Command (CYBERCOM) on Wednesday officially tied the advanced persistent threat (APT) actor known as MuddyWater to Iranian intelligence.

The U.S. Cyber Command (CYBERCOM) on Wednesday officially tied the advanced persistent threat (APT) actor known as MuddyWater to Iranian intelligence.

Also tracked as MERCURY, Seedworm, and Static Kitten, MuddyWater was initially detailed in 2017. The threat actor is known for conducting espionage campaigns focused on entities in the Middle East, but has targeted entities in Europe and North America as well.

The hacking group, the military agency notes, employs various open-source tools that allow it to maintain access to compromised networks, and administrators should assume they have been compromised if they identify multiple such tools in their environment.

“These actors, known as MuddyWater in industry, are part of groups conducting Iranian intelligence activities, and have been seen using a variety of techniques to maintain access to victim networks,” CYBERCOM says.

U.S. Cyber Command believes MuddyWater is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS), which is involved in both domestic surveillance operations and the targeting of anti-regime activists abroad.

To help network defenders better protect their environments against MuddyWater attacks, CYBERCOM has uploaded 17 malware samples associated with the group’s activities to VirusTotal, including PowGoop samples and variants and a Mori backdoor sample.

First observed in 2020, PowGoop is a downloader that contains a DLL loader, along with a PowerShell-based downloader that decrypts and runs it. The malicious tool was used in attacks against a wide range of entities in the education, government, oil and gas, real estate, telecoms, and technology sectors.

Advertisement. Scroll to continue reading.

Older than PowGoop and observed in numerous MuddyWater intrusions, the Mori backdoor relies on DNS tunneling for communication with the command and control (C&C) server, and is believed to be employed for espionage purposes.

Five of the files that CYBERCOM has uploaded to VirusTotal this week aren’t detected as malicious by any of the antivirus engines in the scanning service, while six others have very low detection rates.

Related: Iranian APT Targets Middle East Telecoms Operators in Espionage Campaign

Related: USCYBERCOM Warns of Mass Exploitation of Atlassian Vulnerability Ahead of Holiday Weekend

Related: U.S. Cyber Command Shares More Russian Malware Samples

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.