MuddyWater

Repository Navigation

• Actor workbench: MuddyWater
• TTP-to-detection matrix: all mapped techniques
• Surface and capability routes: Endpoint RMM, Scripting, And User-Path Execution; Email, Cloud-Service, IMAP, And DNS C2
• Detection status: dashboard
• Hunt workflow: hunt workflow
• ATT&CK mappings: T1566 Phishing (M2); T1059.001 PowerShell (M2); T1219 Remote Access Software (M3); T1567.002 Exfiltration to Cloud Storage (M2)
• Mapped detections: DET-002 Suspicious RMM Installer Download From User Context (Pilot, DRL-6); DET-004 Mail Click To Execution Correlation (Hunt, DRL-4)
• Mapped hunts: HUNT-002 If MuddyWater-style RMM abuse is active then unauthorized RMM execution will appear from user-controlled paths; HUNT-004 If VIP phishing is active then mail click events will correlate to risky sign-in or execution
• IOC reference sources: SRC-MITRE-G0069 Technique references; SRC-AP-MUDDYWATER Malware/tool references; ATT&CK mappings; campaign IOCs; SRC-THREAT-HUNTER-V3 Domains; IPs; Rclone destinations; Dindoor/Fakeset references; SRC-INCD-MUDDYWATER-2024 Domains; hashes; tools; infrastructure; TTPs
• Tool detail pages: Remote Monitoring and Management tools; Dindoor; Fakeset; BugSleep; BlackBeard; Fooder / MuddyViper; ConnectWise; CrackMapExec; DCHSpy; Empire; Koadic; LaZagne; LP-Notes; Mimikatz; Mori; Out1; PowerSploit; POWERSTATS; PowGoop; Rclone; RemoteUtilities; RustyWater; SHARPSTATS; Small Sieve; STARWHALE; Tsundere Botnet
• Tool matrix: all actor-linked tools (26 mapped tool row(s))
• Evidence records: EVD-004 / CLM-MUDDYWATER-001
• Imported research intakes: MuddyWater Deep Research Intake (High, Needs source validation)
• Intel update candidates: 1 current candidate(s)
• Source IDs in structured data: SRC-AP-MUDDYWATER, SRC-CP-BUGSLEEP, SRC-ESET-MUDDYWATER-SNAKES, SRC-INCD-MUDDYWATER-2024, SRC-INCD-MUDDYWATER-PHISHING, SRC-MITRE-G0069, SRC-THREAT-HUNTER-V3

Aliases: Mango Sandstorm, Boggy Serpens (Microsoft, current), Static Kitten, Seedworm, MERCURY (Microsoft, retired April 2023), TEMP.Zagros, TA450 (Proofpoint), Earth Vetala (Trend Micro).

Assessed sponsor: Iran MOIS-aligned in public reporting.

Relevance

MuddyWater is high priority for Israeli government and regional public-sector defense because MITRE records targeting of government, local government, telecommunications, defense, and oil and gas organizations across the Middle East and other regions.

Defensive Focus

• Spearphishing and malicious document delivery.
• PowerShell execution and script-based collection.
• Legitimate remote access tool abuse.
• Credential collection and lateral movement preparation.

Field Manual Cross-Reference

Full public-source case study with PIR/SIR decomposition, alias table, sponsor assessment, ATT&CK mapping with quality levels, telemetry requirements, and DRL-1 hunt hypotheses: CTI Analyst Field Manual — MuddyWater Worked Example.

Detection Ideas

• RMM execution from user download folders.
• PowerShell encoded commands launched by Office, browser, archive, or script-host processes.
• New persistence from suspicious scheduled tasks or registry run keys.

Sources: SRC-MITRE-G0069, SRC-CISA-AA22-055A, SRC-INCD-MUDDYWATER-2024, SRC-INCD-MUDDYWATER-PHISHING, SRC-ESET-MUDDYWATER-SNAKES, SRC-CP-BUGSLEEP, SRC-KASPERSKY-ICS-Q4-2025, SRC-BRANDEFENSE-MUDDYWATER-2025, SRC-AP-MUDDYWATER.

Source note: Kaspersky ICS and Brandefense are Score B synthesis sources in this repository. Use them for collection planning and cross-checking, then anchor high-impact claims to ESET, INCD, CISA, MITRE, or Check Point.