MuddyWater
G00694 reportsAnalyst assessment — key judgments
- Signature techniques: T1588.006 (Vulnerabilities), T1589.001 (Credentials), T1069.001 (Local Groups).
- Primary targeting: IR, US, KP, KR.
- Activity accelerating: 3 report(s) in last 30d vs 1 prior (+200%).
- Recent movement: 3 new technique(s), 26 new infrastructure indicator(s) in the last 30 days.
- Hunt coverage 78% of 9 observed techniques (2 gap(s)).
- Assessment confidence: medium (60).
Activity & trend
Movement — last 30 days
Vulnerabilities in this actor's reporting · 4
- CVE-2025-48595KEV1 rpt
- CVE-2026-20230KEV1 rpt
- CVE-2026-28318KEV1 rpt
- CVE-2026-410891 rpt
Overview
MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at least 2017, MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, finance, defense, and oil and natural gas organizations, in the Middle East (specifically the UAE and Saudi Arabia), Asia, Africa, Europe, and North America. MuddyWater has reused domains dating back to October 2025, and has a preference for NameCheap and Hosterdaddy Private Limited (AS136557). In late 2025 and early 2026, MuddyWater used commercial satellite internet (i.e., Starlink) for command and control (C2) communication. (Citation: FalconFeeds_Iran_Mar2026)(Citation: Huntio_IranInfra_Mar2026)(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Talos MuddyWater Jan 2022)(Citation: NaumaanProofpoint_GlobalClickFix_April2025)(Citation: ESET_MuddyWater_Dec2025)(Citation: SymantecCarbonBlack_Seedworm_Mar2026)
ATT&CK technique matrix
- T1588.006 · Vulnerabilitiesconf 602
- T1589.001 · Credentialsconf 602
- T1069.001 · Local Groupsconf 601
- T1027.003 · Steganographyconf 601
- T1001.002 · Steganographyconf 601
- T1543.003 · Windows Serviceconf 601evidence: 8th June – Threat Intelligence Report
- T1195 · Supply Chain Compromiseconf 601evidence: 8th June – Threat Intelligence Report
- T1684.001 · Impersonationconf 601evidence: 8th June – Threat Intelligence Report
- AML.T0073 · Impersonationconf 601evidence: 8th June – Threat Intelligence Report
Threat catalogue · engineering roadmap
Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.
Infrastructure
Relationships
Activity
| Title | Source | Severity | Collected |
|---|