MuddyWater

About

MuddyWater is another cyber-espionage group. Believed to operate as a subset of Iran’s Ministry of Intelligence and Security (MOIS), these Masked Actors target government entities and enterprises across many sectors. In 2019, MuddyWater made an operational mistake that allowed Group-IB experts to identify the threat actor’s real IP address, located in Tehran. Nevertheless, the group remains active.

Known aliases: TEMP.Zagros, Seedworm, Static Kitten, SectorD02, TA450, Boggy Serpens, MERCURY, Mango Sandstorm, Earth Vetala, Mercury, Cobalt Ulster, ATK51, T-APT-14, Yellow Nix
Active since: 2017
Primary targets: Intelligence gathering and cyberespionage
Motivation: Cyber espionage, stealing intelligence that’s in Iran’s national interest via phishing campaigns.
Heritage: Also known by the aliases TA450 and Seedworm
Victims

A range of government and private organizations across sectors, including finance, education, transport, government, military, IT, and healthcare. Typically, these victims are in the Middle East, Asia, and NATO-affiliated countries, with notable victims in Turkey, Afghanistan, Iraq, and Azerbaijan.

What we know about MuddyWater members

No known identities. Like OilRig above, MuddyWater is an APT group affiliated with the Iranian government.