MuddyWater (CHKP), Mango Sandstorm (MS), Mercury (MS)
MuddyWater, also known as MERCURY, Static Kitten, Seedworm, and TEMP.Zagros, is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS). Active since at least 2017, MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, defense, and oil and natural gas organizations, in the Middle East, Asia, Africa, Europe, and North America.
The group employs a range of tactics, techniques, and procedures (TTPs) to gain access to and persist within target networks. These include exploiting publicly reported vulnerabilities, using open-source tools, and deploying malware such as PowGoop, Small Sieve, Canopy (also known as Starwhale), Mori, and POWERSTATS. MuddyWater actors have been observed maintaining persistence on victim networks through techniques such as side-loading dynamic link libraries (DLLs), so that a legitimate program loads and executes malicious code, and obfuscating PowerShell scripts to conceal their command-and-control (C2) functionality.
In addition to cyber espionage, MuddyWater has been linked to ransomware deployments, indicating a multifaceted threat profile. The group's activities underscore the importance of robust cybersecurity measures, including timely patching of vulnerabilities, user training to recognize phishing attempts, and the implementation of multi-factor authentication.