Request a Demo Contact Us
Bugcrowd Acquires Informer to Enhance Offerings Across Attack Surface Management and Penetration Testing
Learn More


MuddyWater is a threat actor group believed to be closely aligned and part of Iran’s Ministry of Intelligence and Security (MOIS).

MuddyWater is a threat actor group believed to be closely aligned and part of Iran’s Ministry of Intelligence and Security (MOIS). Threat researchers believe that MuddyWater has targeted a broad mix of government and private enterprises since approximately 2017. For example, on a wide scale, MuddyWater has attacked the telecommunications industry, local and municipal governments, the oil and gas industry, and the defense industry. Further, these attacks have happened across the Middle East, Africa, Asia, North America, and Europe.

MITRE ATT&CK notes that MuddyWater is the same or closely aligned with Earth Vetala, Mercury, Static Kitten, Seedworm, and Temp.Zagros as of November 2022. MuddyWater has been observed by threat researchers within the FBI, CISA, The US Cyber Command Cyber National Mission Force (CNMF), and the NCSK-UK conducting the malicious cyber activity and cyber espionage. These government agencies view MuddyWater as an Iranian government-sponsored advanced persistent threat.

It should be noted that MOIS is a threat actor group reporting to MOIS. In support of their mission, MuddyWater has provided a wide variety of stolen data to the Iranian government and likely shares it with other threat actors. In addition, MuddyWater tends to move quickly to exploit publicly reported vulnerabilities that are still not remediated by the targeted organizations. MuddyWater also uses open-source tools to gain access to the targeted victim’s systems. They then exfiltrate sensitive data and apply the coup de grâce, the deployment of ransomware for extortion funds.

MuddyWater has used various tactics, techniques, and procedures (TTPs) on its targeted networks. These include maintaining persistence on the targeted networks by side-loading dynamic link libraries and obfuscating PowerShell scripts to hide command and control activity.

FBI, CISA, CNMF, and NCSC-UK have documented, at high probability, MuddyWater actors recently malware such as PowGoop, Small Sieve, Canopy (also known as Starwhale), Mori, and POWERSTATS as part of their ongoing threat activity. Additionally, MuddyWater has also been observed utilizing spear phishing. During a spear phishing campaign, the MuddyWater threat actors lure their targeted victim into downloading ZIP files containing malicious code.


Want to learn more? Check out our FREE Bugcrowd University to sharpen your hacking skills.

Organizations the world over need your help! Join our researcher community to connect with hundreds of organization programs focused on finding their security vulnerabilities. Our vast directory includes programs for all skill levels across many industries and from around the world.

Get started with Bugcrowd

Hackers aren’t waiting, so why should you? See how Bugcrowd can quickly improve your security posture.