🇮🇷
MuddyWater
APT Group
Information theft and espionage
33 zero-day CVEs
ETDA ✓
Also Known As (11 names)
ATK51
Boggy Serpens
COBALT ULSTER
Earth Vetala
G0069
MERCURY
Mango Sandstorm
Seedworm
Static Kitten
TA450
TEMP.Zagros
Target Countries (34)
United Arab Emirates
Afghanistan
Armenia
Austria
Azerbaijan
Bahrain
Belarus
China
Germany
Egypt
United Kingdom
Georgia
Israel
India
Iraq
Islamic Republic of Iran
Jordan
Kuwait
Lebanon
Mali
Netherlands
Oman
Pakistan
Portugal
Qatar
Saudi Arabia
Sudan
Thailand
Tajikistan
Tunisia
Turkey
United Republic of Tanzania
Ukraine
United States
Sectors Targeted
Colleges, Universities, and Professional Schools (NAICS 6113)
NGOs
Oil and gas
Healthcare
Data Processing, Hosting, and Related Services (NAICS 51821)
Grantmaking and Giving Services (NAICS 8132)
Employment Placement Agencies and Executive Search Services (NAICS 56131)
Computer Systems Design Services (NAICS 541512)
Gaming
High-Tech
Education
Telecommunications
IT
Energy
Defense
Financial
Human Resources Consulting Services (NAICS 541612)
Food and Agriculture
Commercial Banking (NAICS 52211)
Transportation
National Security and International Affairs (NAICS 9281)
National Security and International Affairs (NAICS 928110)
Shipping and Logistics
Media
Aviation
Government
Details
Origin
🇮🇷 IR
Last Updated
27 Oct 2025
Malware Families (25)
gramdoor
equationgroup
evilquest
TeamViewer
ascentloader
METASPLOIT
dreambot
phoenix_locker
snifula
agent_tesla
zhmimikatz
ldr4
apk.rat_on
moriagent
pas
phoenix_keylogger
covicli
eternal_petya
saigon
vawtrak
PhantomCard
dbatloader
win.castleloader
agendacrypt
gozi
MITRE ATT&CK (199)
T1001 - Data Obfuscation
T1003 - OS Credential Dumping
T1003.001
T1003.004
T1003.005
T1005 - Data from Local System
T1007
T1008
T1011
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1021 - Remote Services
T1021.001 - Remote Desktop Protocol
T1027 - Obfuscated Files or Information
T1027.002 - Software Packing
T1027.003
T1027.004
T1027.010
T1033 - System Owner/User Discovery
T1036 - Masquerading
T1036.005
T1041 - Exfiltration Over C2 Channel
T1046 - Network Service Scanning
T1047 - Windows Management Instrumentation
T1048 - Exfiltration Over Alternative Protocol
T1049 - System Network Connections Discovery
T1053 - Scheduled Task/Job
T1053.005
T1055 - Process Injection
T1056 - Input Capture
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - PowerShell
T1059.003
T1059.005 - Visual Basic
T1059.006 - Python
T1059.007 - JavaScript
T1060
T1068 - Exploitation for Privilege Escalation
T1070 - Indicator Removal on Host
T1070.001 - Clear Windows Event Logs
T1070.004 - File Deletion
T1071 - Application Layer Protocol
T1071.001 - Web Protocols
T1074
T1074.001
T1076
T1078 - Valid Accounts
T1078.003 - Local Accounts
T1078.004 - Cloud Accounts
T1081
T1082 - System Information Discovery
T1083 - File and Directory Discovery
T1085
T1087 - Account Discovery
T1087.002
T1089
T1090 - Proxy
T1090.002
T1095 - Non-Application Layer Protocol
T1102 - Web Service
T1102.002
T1102.003 - One-Way Communication
T1104
T1105 - Ingress Tool Transfer
T1106 - Native API
T1107
T1110
T1112 - Modify Registry
T1113 - Screen Capture
T1114 - Email Collection
T1114.001
T1115
T1119
T1120
T1124
T1125 - Video Capture
T1127
T1130
T1132 - Data Encoding
T1132.001 - Standard Encoding
T1133 - External Remote Services
T1134 - Access Token Manipulation
T1136
T1136.001 - Local Account
T1137
T1137.001
T1140 - Deobfuscate/Decode Files or Information
T1170
T1176 - Browser Extensions
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1192 - Spearphishing Link
T1193
T1195 - Supply Chain Compromise
T1199 - Trusted Relationship
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.001
T1204.002 - Malicious File
T1204.004
T1210
T1213 - Data from Information Repositories
T1217
T1218 - Signed Binary Proxy Execution
T1218.003
T1218.005
T1218.011
T1219 - Remote Access Software
T1219.002
T1220
T1444
T1480
T1485
T1486
T1489
T1490 - Inhibit System Recovery
T1496 - Resource Hijacking
T1497
T1497.003
T1498 - Network Denial of Service
T1499
T1503
T1505.003
T1514
T1518
T1518.001
T1529
T1530
T1531
T1534
T1539 - Steal Web Session Cookie
T1543
T1547 - Boot or Logon Autostart Execution
T1547.001 - Registry Run Keys / Startup Folder
T1548 - Abuse Elevation Control Mechanism
T1548.002
T1550 - Use Alternate Authentication Material
T1552 - Unsecured Credentials
T1552.001
T1553 - Subvert Trust Controls
T1553.002 - Code Signing
T1555
T1555.003 - Credentials from Web Browsers
T1559
T1559.001
T1559.002
T1560 - Archive Collected Data
T1560.001
T1561
T1562 - Impair Defenses
T1562.001
T1564 - Hide Artifacts
T1566 - Phishing
T1566.001 - Spearphishing Attachment
T1566.002
T1567
T1567.002 - Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1569 - System Services
T1569.002 - Service Execution
T1571 - Non-Standard Port
T1572
T1573 - Encrypted Channel
T1573.001 - Symmetric Cryptography
T1574 - Hijack Execution Flow
T1574.001
T1574.002 - DLL Side-Loading
T1578.003
T1583 - Acquire Infrastructure
T1583.001 - Domains
T1583.004 - Server
T1583.006
T1584 - Compromise Infrastructure
T1584.004 - Server
T1585.001 - Social Media Accounts
T1585.002 - Email Accounts
T1587 - Develop Capabilities
T1587.001 - Malware
T1588 - Obtain Capabilities
T1588.001 - Malware
T1588.002 - Tool
T1589 - Gather Victim Identity Information
T1590
T1590.004
T1591 - Gather Victim Org Information
T1592 - Gather Victim Host Information
T1595 - Active Scanning
T1596 - Search Open Technical Databases
T1598.002
T1608 - Stage Capabilities
T1608.001 - Upload Malware
T1684
T1684.001
T1685
TA0003
TA0010
TA0037
Related Zero-Days (33)
CVE-2017-0199
CVE-2017-5638
CVE-2018-8174
CVE-2019-0708
CVE-2019-11510
CVE-2020-1472
CVE-2021-26855
CVE-2021-40444
CVE-2021-44228
CVE-2022-3236
CVE-2022-42475
CVE-2023-20109
CVE-2023-20198
CVE-2023-22515
CVE-2023-27350
CVE-2023-36884
CVE-2023-38831
CVE-2023-46604
CVE-2023-4966
CVE-2024-21412
CVE-2024-23222
CVE-2024-38112
CVE-2024-38193
CVE-2024-4040
CVE-2024-43093
CVE-2024-43461
CVE-2024-47575
CVE-2025-1316
CVE-2025-22457
CVE-2025-27363
CVE-2025-52691
CVE-2025-6218
CVE-2025-8088