06 MuddyWater

Region: Middle East and Africa
Industries: Financial Services, Government, Healthcare, Logistics & Transportation, Science & Engineering, Software & IT
First seen: 2017
Cybercrime: Intelligence gathering and cyberespionage
Heritage: Also known by the aliases TA450 and Seedworm
Categorizations: Nation-state adversary
Aliases: TEMP.Zagros, Seedworm, Static Kitten, SectorD02, TA450, Boggy Serpens, MERCURY, Mango Sandstorm, Earth Vetala, Mercury, Cobalt Ulster, ATK51, T-APT-14, Yellow Nix

About

MuddyWater is another hacker group of cyber spies. Believed to be a subset of Iran’s Ministry of Intelligence and Security (MOIS), these Masked Actors target government entities and various enterprises. MuddyWater made a mistake in 2019, allowing Group-IB experts to identify the threat actor’s real IP address — located in Tehran. Nevertheless, they’re still at large.

Victims

A range of government and private organizations across sectors, including finance, education, transport, government, military, IT, and healthcare. Typically, these victims are in the Middle East, Asia, and NATO-affiliated countries, with notable victims in Turkey, Afghanistan, Iraq, and Azerbaijan.

What we know about MuddyWater members

No known identities. Like OilRig above, MuddyWater is an APT group affiliated with the Iranian government.

Motivations

Cyber espionage, stealing intelligence that’s in Iran’s national interest via phishing campaigns.

Top 10 Masked Actors for 2025

#1 RansomHub
#2 GoldFactory
#3 Lazarus
#4 DragonForce
#5 OilRig
#6 MuddyWater
#7 Brain Cipher
#8 Boolka
#9 Ajina
#10 Team TNT