Analyst validation required

This page is an imported deep-research artifact. Treat it as lead-generation material until claims, citations, URLs, hashes, and detection logic are validated against primary public sources and repository evidence standards.

1. Executive Summary

MuddyWater (aka Mango Sandstorm/Seedworm/TA450, etc.) remains an Iranian state-aligned cyberespionage group, widely assessed to operate under Iran’s Ministry of Intelligence (MOIS)【5†L231-L237】【13†L52-L54】. In late 2024 and early 2025 it conducted spearphishing campaigns against Israel and neighboring countries using RMM tools, custom loaders/backdoors, and credential stealers. Recent campaigns (Sep 2024–Mar 2025) targeted Israeli critical infrastructure (technology, engineering, manufacturing, local government, education, utilities) and at least one Egyptian organization【15†L106-L114】【46†L181-L189】. Attackers used PDF lures linking to free file-sharing URLs (OneHub, Mega, etc.) to drop remote-management software (Atera, Level, PDQ, SimpleHelp) and then deploy custom backdoors. New tools “Fooder” (a loader masquerading as the Snake game) and its payload “MuddyViper” have been documented【21†L79-L88】【25†L257-L264】, as well as the browser stealer CE-Notes, the credential stealer LP-Notes, and go-socks5 reverse tunnels【21†L91-L93】【25†L278-L284】. Other custom implants identified include the BugSleep and Blackout backdoors, the AnchorRat/CannonRat RATs, and components of the Sad C2 framework (BlackPearl/Phoenix/C&C)【28†L572-L580】【35†L1265-L1274】. Notably, MuddyWater has begun using novel C2 channels: in late 2025–early 2026 it leveraged Starlink satellite internet for C2【13†L59-L63】, and Israeli analysis found use of the Iran-developed Sad C2 and the public Havoc C2 frameworks【26†L7-L10】【33†L1392-L1399】.

For Israeli defenders, MuddyWater represents a mature MOIS-aligned APT with a stable “playbook” but an advancing toolset【21†L79-L88】【46†L174-L182】. Recent campaigns were more targeted and stealthy (avoiding interactive sessions【21†L98-L102】【46†L174-L182】) than earlier noisy phishing waves. Detection strategies should focus on its spearphishing entry (PDF→RMM), its characteristic tool execution (PowerShell, new backdoors, CNG-based crypto), and its persistence patterns (scheduled tasks, registry/COM hijack). Key observables include the specific RMM executables, the “Fooder” loader behavior, and known IoCs from recent publications【38†L152-L160】【39†L38-L42】. Several hunting hypotheses (listed below) and mapped ATT&CK techniques can guide telemetry monitoring.

2. Actor Identity

Name/Aliases: MuddyWater (primary) is strongly linked to Iran and is tracked under numerous aliases. Public synonyms include Mango Sandstorm, Seedworm, Static Kitten, Boggy Serpens, COBALT ULSTER, Earth Vetala, ATK51, TA450, MuddyKrill, TEMP.Zagros, Mercury (retired Microsoft name), G0069, etc.【11†L17-L21】【13†L72-L75】. ESET and others note “MuddyWater (also Mango Sandstorm or TA450)”【21†L79-L83】. Malware wikis list the aliases MERCURY (now retired by MS), Static Kitten, etc. Vendor taxonomy: FireEye/Recorded Future call it TA450; Microsoft’s old designation was MERCURY; Palo Alto/Unit42 refer to it as Seedworm or Boggy Serpens; CrowdStrike simply uses “MuddyWater”. No major conflicts: MITRE ATT&CK uses “MuddyWater (G0069)” for all these names【13†L50-L58】.

Characteristics: The group has evolved from basic PowerShell backdoors to custom native-code tools. Attacks are characterized by script-based tooling (PowerShell, Go) with custom loaders and backdoors【25†L253-L260】. Early public reports date it to ~2017 (Unit42 2017), with activity continuing through 2025【5†L231-L237】【21†L121-L129】. MITRE describes it as a “cyber espionage, subordinate element of MOIS”【13†L52-L54】. It prefers Middle Eastern victims but has occasionally struck targets in Europe and North America【13†L55-L63】【17†L34-L40】.

3. Sponsor and Command Structure

All authoritative sources assess MuddyWater as Iran–aligned. MITRE states it is “assessed to be a subordinate element within Iran’s Ministry of Intelligence and Security (MOIS)”【13†L52-L54】 (supporting “state-sponsored” label). ESET’s profile likewise notes links to Iran’s intelligence ministry【21†L123-L131】 (“Ministry of Intelligence and National Security of Iran”). Trellix calls it “believed to be affiliated with the Iranian MOIS”【9†L392-L396】. Israeli NCD reports explicitly say “operating under MOIS since 2017”【5†L231-L237】. We found no credible indications of affiliation to IRGC or other branches – all point to Iran’s civilian intelligence (MOIS). No public evidence of non-state mercenary or criminal status; it is treated as a state threat actor. The group appears centralized (no known proxy identity or contractor owner). There is some indication it may share access with or hand off to fellow Iran-linked APTs (e.g. overlap with Lyceum/OilRig in 2025【15†L168-L174】【46†L181-L189】), but this is cooperation among Iran-aligned groups, not evidence of a separate sponsor.

Source quotes:

  • “MuddyWater is an Iranian threat group operating under the Iranian Ministry of Intelligence and Security (MOIS) since 2017”【5†L231-L237】 (official NCD report).
  • “MuddyWater, also known as Seedworm/Mango Sandstorm, is a threat actor believed to be affiliated with the Iranian MOIS”【9†L392-L396】 (Trellix).
  • “MuddyWater is assessed to be a subordinate element within Iran’s Ministry of Intelligence and Security”【13†L52-L54】 (MITRE).

4. Israel/Region Relevance

Known Israeli/adjacent victims (2023–2026): We identified multiple primary reports of MuddyWater activity affecting Israel or its neighbors since 2023. Israeli sources and CTI note sustained targeting of the Israeli government and critical infrastructure. An official Israeli report (NCD) observed that after Israel’s “Iron Swords” war began in late 2023, MuddyWater increased operations in Israel【5†L249-L257】. ESET/WeLiveSecurity documented a new campaign targeting Israel and Egypt in late 2024–early 2025: “primarily targeting organizations in Israel, with one confirmed target in Egypt”, in sectors including technology, engineering, manufacturing, local government, education, transportation, utilities, and universities【15†L106-L114】【46†L181-L189】.

  • Israel: Victims span public-sector and industrial sectors. ESET found Israeli targets in local government, education, manufacturing, tech and a utilities firm【15†L106-L114】【46†L181-L189】. SecurityAffairs confirms Israeli organizations (Sep 2024–Mar 2025) plus one in Egypt【46†L181-L189】. Earlier, “Operation Quicksand” (2020) was also Israel-focused【21†L135-L142】. The group has repeatedly targeted Israel according to both vendors and Israeli cyber authorities【5†L249-L257】【21†L135-L142】. Confidence in Israel victimology is high.
  • Egypt: The 2025 ESET/SecurityAffairs campaign included “one confirmed target in Egypt”【15†L106-L114】【46†L181-L189】 (likely telecom or CNI, but not fully detailed). This is source-reported by ESET. No other specific Egyptian victims are confirmed, but at least one is.
  • Other region: MuddyWater also has a history in the Middle East: Turkey, UAE, Iraq, Azerbaijan, Pakistan, etc.【5†L231-L237】. Notably, ESET reported an unnamed Saudi government/telecom victim in Mar–Apr 2023【15†L168-L174】. No public primary sources confirmed Israeli victims in 2026 specifically, though MITRE notes Starlink abuse (Iran conflict context).
  • Incident dates: Key confirmed Israel-targeting phases: Oct 2023 onward (post-war); Sep 2024–Mar 2025 (ESET campaign); also past campaigns (Quicksand 2020). Other sources suggest ongoing phishing waves, but the confirmed major campaigns are these. All Israeli victim reports come from publicly cited vendor/official sources (ESET, Israeli NCD); we relied on no unsourced media claims.
  • Confidence: High that MuddyWater is active against Israeli targets (multiple independent vendor and government reports). The one Egypt case is confirmed by ESET. There is no public confirmation of Iranian domestic or IRGC-connected victims.

5. Targeting & Intrusion Lifecycle

  • Initial Access: MuddyWater’s typical entry vector is spear-phishing. Recent campaigns used emails with malicious PDF attachments containing links to free file-sharing sites. These links downloaded legitimate remote-management tools (Atera, Level, PDQ, SimpleHelp), which the attackers then controlled for initial access【25†L257-L264】【39†L26-L34】. For example, ESET reports PDFs linking to installers on OneHub/Mega that dropped RMM executables【25†L257-L264】. Other campaigns have used SMTP spearphishing or watering-hole documents (Operation Quicksand 2020). On Android, Lookout found distribution of a VPN-themed spyware app (DCHSpy) via Telegram, leveraging political lures around Starlink【17†L25-L33】, indicating social engineering via messaging as another access path.
  • Execution: After initial payloads install (often RMM), MuddyWater runs custom backdoors. These often include PowerShell and compiled executables. New payloads (MuddyViper backdoor) are reflectively loaded via the Fooder loader【25†L311-L319】. The group frequently uses Windows command-line and PowerShell: e.g. MuddyViper can launch PowerShell scripts and provide a reverse shell【32†L984-L992】. Execution also involves standard installers (the RMM tools run as services).
  • Persistence: Multiple methods seen. MuddyViper and other backdoors can install as scheduled tasks and startup entries【32†L998-L1006】. For instance, MuddyViper creates a task named “ManageOnDriveUpdater” (via COM/ITaskService) for persistence【32†L990-L999】. ESET observed MuddyViper copying itself to the user’s Startup folder【32†L998-L1006】. Custom services (often named after OneDrive/Windows components) and registry Run keys are also used (see Sad C2 BlackPearl using screensaver COM hijack【35†L1273-L1281】). The Israeli report notes use of DLL side-loading (T1574.002) where a legitimate helper loads a malicious DLL【28†L513-L522】.
  • Privilege Escalation: Common techniques: bypassing UAC (by launching privileged processes as services), token manipulation, and use of built-in tools (Mimikatz loader) to extract credentials. ESET specifically mentions use of a Mimikatz-based loader disguised as CE-Notes【39†L26-L34】. MITRE and others list explicit UAC bypass usage【13†L133-L141】 (MuddyWater has used “Bypass UAC” techniques). After initial access, operators often import credentials (via RMM tools or Mimikatz) to pivot with higher rights.
  • Defense Evasion: The adversary uses obfuscation and anti-analysis: many payloads (Fooder, PE tools) use custom AES encryption and frequent Sleep loops (mimicking the Snake game) to slow analysis【25†L274-L283】【25†L298-L304】. Tools use dynamic API resolution (CE‑Notes/LP‑Notes decrypt strings at runtime)【32†L1018-L1026】. Fooder reflectively loads payloads without touching disk【25†L294-L301】. They rename and mask tools as legitimate software (e.g. “OsUpdater.exe” for Fooder, OneDrive updater services)【25†L333-L341】【35†L1273-L1281】. Custom CNG cryptography (unique for Iranian APTs) is used inside MuddyViper and loaders【15†L139-L147】【25†L283-L290】.
  • Discovery: MuddyWater may enumerate accounts and info for lateral moves. MITRE cites use of net user /domain (T1087.002)【13†L138-L142】. They use system information discovery within backdoors (MuddyViper collects system info【32†L1054-L1061】). However, defenders see “noisy” usage of built-in tooling (until recent quiet campaigns) which can be discovered via process monitoring.
  • Lateral Movement: Aside from RMM tools (which inherently allow remote control), MuddyWater could use service creation or remote execution via stolen credentials. They might use techniques such as pass-the-hash or vulnerability exploitation, but specific lateral-movement hops aren’t published yet. RMM provides essentially interactive access, enabling arbitrary lateral actions. In one 2025 case, ESET noted the group co-opted Lyceum’s foothold, implying lateral takeover between Iran APTs【15†L168-L174】.
  • Command & Control (C2): C2 has evolved. Historically MuddyWater used HTTP/S and also legitimate platforms (file shares, OneHub, TeraBox)【13†L143-L151】. New developments include: (a) Starlink satellite internet – MITRE notes use of commercial satellite (Starlink) in late 2025【13†L59-L63】; (b) Havoc and Sad C2 frameworks – Israeli report details a closed Sad C2 (with BlackPearl RAT) and usage of open-source Havoc framework【26†L7-L10】【33†L1392-L1399】; (c) Commercial tools – use of go‑socks5 proxies and public C2 like Mythic/Chisel/Venom【33†L1400-L1408】; (d) DNS tunneling – BlackPearl RAT can switch to DNS C2【35†L1269-L1278】.
  • Exfiltration: Data is exfiltrated via the C2 channels (HTTP, DNS, or tunnels). MuddyViper compresses stolen browser data using PowerShell’s Compress-Archive【32†L1062-L1071】. Many custom tools have file-upload commands (e.g. Blackout’s /awards/, BlackPearl’s HTTP/DNS)【28†L648-L659】【35†L1289-L1296】. Data staging on disk is done by stealers (CE-Notes/Blub/LP-Notes drop creds and browser data)【32†L1061-L1070】.
  • Impact: Public sources focus on espionage (credential theft, data collection) and initial access facilitation. No known destructive “wiper” activity has been confirmed for MuddyWater. The primary impact is credential and data theft. One ESET analysis suggests MuddyWater may have been acting as an initial-access broker for Lyceum/OilRig attacks【15†L168-L174】, implying broader impact beyond immediate theft.

6. MITRE ATT&CK Mapping

| Technique ID | Technique Name | Tactic | Evidence (Source) | Evid. Label | Quality |
|---|---|---|---|---|---|
| T1566.002 | Phishing: Spearphishing Link | Initial Access | Phishing emails with PDF→RMM links【25†L257-L264】 | Sourced | M1 |
| T1059.001 | Command Interpreter: PowerShell | Execution | MuddyViper can execute PowerShell scripts【32†L984-L992】 | Sourced | M1 |
| T1059.003 | Command Interpreter: Windows Shell | Execution | MuddyViper provides a reverse cmd shell【32†L984-L992】 | Sourced | M1 |
| T1548.002 | Bypass UAC | Privilege Escalation | MuddyWater known to use UAC bypass【13†L132-L141】 | Sourced | M2 |
| T1543.003 | Create Service: Windows Service | Persistence | RMM tools install as services (one named as updater)【32†L999-L1002】 | Inferred | M3 |
| T1546.015 | Event Triggered Execution: COM Hijack | Persistence | AnchorRat/CannonRat use COM hijacking for persistence【30†L786-L795】【30†L812-L820】 | Sourced | M1 |
| T1547.001 | Boot/Logon Autostart: Registry/Startup | Persistence | MuddyViper can copy itself to Startup folder【32†L998-L1006】 | Sourced | M1 |
| T1555.003 | Credentials from Web Browsers | Credential Access | CE-Notes/Blub steal browser-stored credentials【32†L1047-L1055】 | Sourced | M1 |
| T1056.002 | Input Capture: GUI Capture | Credential Access | Tools display fake Windows login to capture creds【32†L1050-L1053】 | Sourced | M1 |
| T1074.001 | Data Staged: Local Staging | Collection | CE-Notes/LP-Notes/Blub stage stolen creds locally【32†L1061-L1070】 | Sourced | M1 |
| T1560.001 | Archive Data: Archive via Utility | Collection | MuddyViper uses PowerShell Compress-Archive for browser data【32†L1061-L1070】 | Sourced | M1 |
| T1573.001 | C2: Encrypted Channel (Symmetric) | C2 | MuddyViper uses AES-CBC for C2 encryption【32†L1067-L1070】 | Sourced | M1 |
| T1219 | Command and Control: Remote Access Software | C2 | Use of Atera/Level/PDQ RMM as C2【32†L1067-L1071】 | Sourced | M1 |

Quality M1: Technique directly confirmed by source (e.g. ESET blog). M2: Analyst assessment (MITRE’s entry). M3: Logical inference from vendor data. All above are either source-reported or assessed-by-source; none are unsupported speculation.

7. Associated Families and Tools

  • Fooder (loader): Custom loader (C/C++). Used to reflectively load the MuddyViper backdoor in memory. Several variants masquerade as the classic Snake game to evade detection【25†L294-L301】【25†L307-L315】. Example: “OsUpdater.exe” is a known Fooder sample (SHA1 in ESET report)【39†L38-L42】. Confidence: Confirmed (ESET). Detection: Look for “Snake” game executables, unusual loader behavior (long sleep loops), or the specific AES decryption key pattern noted by ESET【25†L343-L350】. Handling: Collect and analyze memory to capture the reflectively loaded payload.
  • MuddyViper (backdoor): C/C++ backdoor. Loaded by Fooder; performs system-info theft, remote command execution, file upload/download, and Windows credential capture. Uses CNG crypto and frequent sleep calls【21†L79-L88】【25†L302-L310】. Confidence: Confirmed (ESET). Detection: Monitor creation of the scheduled task “ManageOnDriveUpdater” or unexpected child PowerShell/CMD processes. Check for processes with heavy AES/CNG usage (unique for this group)【15†L139-L147】. Handling: Hash ESET-provided MuddyViper samples; watch for network anomalies on its C2 traffic.
  • VAX-One (backdoor): Custom backdoor. Named after legitimate Veeam/AnyDesk/Xerox/OneDrive updater components【25†L262-L264】. Confidence: Confirmed (ESET). Detection: Hunt for execution of binaries named like Veeam or AnyDesk updaters when no genuine updater is present. Monitor anomalous traffic from such service names.
  • CE-Notes (browser-data stealer): Credential stealer. Extracts saved passwords and cookies from Chrome/Edge/Firefox. Confidence: Confirmed (ESET). Detection: Unusual API calls for extracting browser data (LSA-like API), or the known IOC (ESET hash【39†L38-L42】).
  • LP-Notes (credential stealer): Credential stealer. Captures login credentials from browsers and verifies them via fake Windows login prompts【32†L1047-L1055】. Confidence: Confirmed (ESET). Detection: GUI login pop-ups with no legitimate process behind them, or processes hooking authentication APIs.
  • Blub (browser-data stealer): Browser-data stealer. Similar to CE-Notes; targets Chromium-based browsers【32†L1047-L1055】. Confidence: Confirmed. Detection: As above, plus the ESET IOC (Blub.exe SHA1【39†L38-L42】).
  • go-socks5 (reverse tunnel): Open-source Go program. Several customized variants are used for covert C2 tunnels, often embedded in loaders or invoked post-compromise【25†L274-L283】. Confidence: Confirmed. Detection: Presence of a “go-socks5” process or connections over uncommon ports; unusual outbound SOCKS5 traffic.
  • Atera, Level, PDQ, SimpleHelp (RMM): Commercial RMM software. Used as initial footholds; these legitimate tools are abused to remotely administer infected hosts【25†L257-L260】. Confidence: Confirmed (ESET). Detection: Monitor installation or execution of these programs on non-admin endpoints or via email-delivered installers.
  • Mimikatz loader: Custom loader variant. ESET observed a Mimikatz-like credential dumper disguised with CE-Notes code【39†L32-L40】. Confidence: Confirmed (ESET). Detection: Access to LSA secrets or other credential-dumping behavior.
  • BugSleep (backdoor): Custom backdoor (PE64). Identified by the Israeli NCD in mid-2024 campaigns【28†L572-L580】. It performs remote command execution, file exfiltration, and a scheduled check-in (every ~43 min) to a hardcoded IP, injecting shellcode into processes【28†L572-L580】. Confidence: Confirmed (Israeli CTI). Detection: Processes injecting code into others, scheduled tasks with a ~43-minute interval, or traffic to the hardcoded IP.
  • Blackout (RAT): Custom RAT (PE64). Communicates with C2 via HTTP GET/POST to hidden URLs【28†L603-L611】, supporting commands to upload/download files and execute programs. Identified alongside BugSleep【28†L603-L611】. Confidence: Confirmed. Detection: Network traffic with GET/POST to uncommon paths (/questions, /about-us, etc.); processes named or behaving as described (see [28]).
  • AnchorRAT / CannonRat (RATs): Custom Windows RATs. AnchorRAT uses HTTPS/JSON and COM-hijack persistence (as “OneDriveStandaloneUpdaterService”)【30†L795-L804】. CannonRat uses COM hijacking and installs under %LocalAppData%\WinSys, with commands such as sleep, download, and upload【30†L909-L918】. Confidence: Confirmed (Israeli CTI). Detection: Registry changes under HKCU...\CLSID for COM hijacking, unusual service names, processes launching from the WinSys folder.
  • Sad C2 tools (BlackPearl, TreasureBox, Phoenix, CC_HTTP_NA): Custom framework components. BlackPearl is a multi-protocol RAT (HTTP/DNS C2, AES encryption) with persistence via screensaver files【35†L1265-L1274】【35†L1275-L1284】. TreasureBox is its loader (decodes/encrypts BlackPearl)【35†L1243-L1252】. Phoenix drops payloads via C2. CC_HTTP_NA is a separate backdoor with AES-encrypted HTTP comms【35†L1342-L1351】【35†L1369-L1377】. Confidence: Confirmed (Israeli CTI). Detection: BlackPearl persistence in the registry (HKCU\Control Panel\Desktop), network beacons to known paths (TreasureBox IOCs)【35†L1258-L1265】【35†L1289-L1297】.
  • Havoc (C2 framework): Public C2. Used for payload generation/execution (HTTP/HTTPS, SMB)【33†L1392-L1400】. Confidence: Confirmed (Israeli CTI). Detection: Any incident involving newly generated C2 binaries attributed to Havoc, or C2 servers running Havoc.
  • DCHSpy (Android spyware): Android APK. Collects WhatsApp, SMS, contacts, media, location, etc. Disguised as VPN apps (EarthVPN/ComodoVPN), spread via Telegram during the Iran–Israel conflict【17†L25-L33】【38†L174-L183】. Confidence: Confirmed (Lookout). Detection: Android threat detection for the listed SHA1s【38†L152-L160】, or blocking the C2 domains (comodo-vpn.com, earthvpn.org).
  • Neshta (file infector): Legacy malware. Injects code into Windows files (USB spread). The Israeli report notes MuddyWater using Neshta as “part of their operations” as a dropper【31†L19-L22】. Confidence: Likely (report). Detection: Unusual file-infection patterns on network shares.
  • HackBrowserData: Open-source tool. Used post-infection to decrypt/export Chrome browser data【25†L353-L360】. Confidence: Confirmed (ESET). Detection: Execution of this utility (look for HackBrowserData.exe or similar GitHub tools).

Each of the above tools is documented in public CTI (citations given). Hashes/IOCs are published in the source appendices (see Section 8). Handling involves collecting samples (many in the cited blogs) and deploying detections for known artifacts or behavior (e.g. file paths, mutexes, encryption keys【25†L343-L350】).

8. Public IOCs

From published reports, notable IOCs include:

  • MuddyViper/Fooder: SHA1 76632910CF67697BF5D7285FAE38BFCF438EC082 (OsUpdater.exe, MuddyWater “Fooder” loader)【39†L38-L42】.
  • CE‑Notes/LP‑Notes loader: SHA1 1723D5EA7185D2E339FA9529D245DAA5D5C9A932 (Blub.exe)【39†L38-L42】.
  • DCHSpy APKs (Lookout): SHA1s: 556d7ac665fa3cc6e56070641d4f0f5c36670d38, 7010e2b424eadfa261483ebb8d2cca4aac34670c, 8f37a3e2017d543f4a788de3b05889e5e0bc4b06, 9dec46d71289710cd09582d84017718e0547f438, 6c291b3e90325bea8e64a82742747d6cdce22e5b, 7267f796581e4786dbc715c6d62747d27df09c61, 67ab474e08890c266d242edaca7fab1b958d21d4, f194259e435ff6f099557bb9675771470ab2a7e3, cb2ffe5accc89608828f5c1cd960d660aac2971d【38†L152-L161】. (Lookout provided 9 SHA1s of Android DCHSpy samples.)
  • DCHSpy C2 domains: it1.comodo-vpn.com (ports 1953,1950), r1.earthvpn.org/r2.earthvpn.org (port 3413), plus other domains (e.g. n14mit69company.top, hs*.iphide.net) and IPs 192.121.113.60, 79.132.128.81, 194.26.213.176, 45.86.163.10, 46.30.188.243, 77.75.230.135, 185.203.119.134【38†L174-L183】【38†L198-L204】.
  • Phishing senders/URLs: Though not fully enumerated by sources, campaigns used URLs on OneHub, Mega, Egnyte. (Monitor for PDF email with links to these and Windows installer files.)
  • Sad C2 (BlackPearl) IOCs: From the NCD report: TreasureBox loader hash 044365681B0E781292E79C19906F379B7C3E0D5A404B19B56ED7B447B75D1485【40†L31-L39】; Phoenix hash 6F6869FE0D47EF2ABBD30651F6348DE3868E4E2F642E30F468BC8376EC30B150【40†L37-L42】; CC_HTTP_NA hash 153128C13808B275B6F00BDA3A616EE6FBB26F21D9124B13AB6DAF1C7E7FF48E【40†L43-L46】. (These were published in the Israeli report’s IOC appendices.)
  • RMM Hosts: Known RMM tools appear on download sites; investigators should reference ESET’s campaign analysis for exact download URLs (not replicated here).

All above are source-published IOCs. For defense, ingest hashes into AV/EDR, block listed domains, and alert on relevant network connections.

9. Detection & Hunting Hypotheses

Defenders should pursue layered detection: email/URL filtering, endpoint/EDR monitoring, and network telemetry. Key hunts include:

  1. Phishing‐RMM Campaigns (T1566.002): Look for spearphishing emails with PDF attachments linking to free file shares. Data needed: email gateway logs, web proxy logs. Fields: sender, subject, URL. Lookback: 60–90 days. Observable: Emails containing PDF→OneHub/Mega/Egnyte URLs. Correlate with endpoint logs showing exe downloads (Atera/Level/PDQ/SimpleHelp). False positives: Legitimate file-share usage; but focus on combos (e.g. a PDF linking to an RMM EXE). Escalate if email recipients match known sectors or if RMM executables are downloaded. ATT&CK: T1566.002, T1204.002.
  2. Unauthorized RMM Tool Execution (T1053/T1543): Identify execution of remote‐management binaries (AteraAgent.exe, PDQDeploy.exe, Level.exe, SimpleHelp.exe) on assets where they’re not normally present. Data: EDR or Sysmon process logs. Fields: process name, command line, parent process. Lookback: 30 days. Observable: Unexpected RMM processes or services installed via non-admin accounts. False positives: Legitimate IT management sessions (correlate with IT maintenance calendar). Escalate on high privileges or lateral jumps. ATT&CK: T1059, T1543.
  3. Custom Loader/Backdoor Artifacts: Hunt for processes or files with known MuddyWater patterns. E.g. detect execution of “OsUpdater.exe” or other Fooder-loaded processes【25†L333-L341】. Also search for the unique AES key constant (“6969697820511281…”) in binaries (from [25]). Data: EDR file scans, memory scans. Lookback: 60 days. Observable: Binaries with Fooder or MuddyViper characteristics (embedding Snake game logic, heavy Sleep calls). False positives: Legitimate games named “Snake”. Use context (being executed from unusual path, by non-user). Escalate on matched binary behavior. ATT&CK: T1059.001, T1560.001.
  4. Scheduled Task/Service Persistence: Monitor creation of unusual tasks or services. For example, tasks named ManageOnDriveUpdater, or COM hijack registry entries under HKCU\Software\Classes\CLSID* (as in AnchorRAT)【30†L795-L803】. Data: Sysmon Event 1/6 and registry audit logs. Fields: Task name, registry key. Lookback: 30 days. Observable: New task “ManageOnDriveUpdater” or service “OneDriveStandaloneUpdaterService”. False positives: System updates may create similar names (verify parent images). Escalate if tied to unknown executables. ATT&CK: T1546.015, T1547.001.
  5. Credential Harvest Indicators: Detect GUI prompts for credentials by non-Windows components (fake security dialog, T1056.002). Data: Security event logs (Winlogon events), EDR. Fields: process triggering auth UI. Lookback: 30 days. Observable: Non-Windows process spawning userlogon prompt. False positives: Legitimate credential caching or company SSO tools. Escalate if followed by lateral network auth attempts. ATT&CK: T1555, T1056.
  6. Abnormal Network C2 Traffic: Track connections to MuddyWater-related infrastructure. Data: network logs, DNS logs. Fields: destination domain/IP, port. Lookback: 90 days. Observable: Outbound to domains like comodo-vpn.com, earthvpn.org, iphide.net, or satellites (e.g. Starlink IP ranges)【38†L174-L183】【13†L59-L63】. Also watch for rare ports (1953/1950, 3413, 751). False positives: Actual VPN use (check for legitimate users), but Starlink usage by Iranian subscribers may stand out (e.g. to IPs registered to Starlink AS). Escalate on traffic matching IoCs or to new Starlink ASN. ATT&CK: T1071.
  7. Browser Data Stealer Activity: Alert on processes reading from or injecting into Chrome/Firefox data stores (using tools like HackBrowserData or custom stealers). Data: EDR. Fields: process names (e.g. Blub.exe, CE-Notes, HackBrowserData), network connections following a browser-data dump. Lookback: 30 days. Observable: Execution of ESET-reported hashes (e.g. 1723D5EA7185…, 76632910CF67…【39†L38-L42】). False positives: Known benign password export. Escalate on credential keystrokes or the presence of spoofed trust dialogs. ATT&CK: T1056, T1074.001.
  8. Detection Evasion Patterns: Look for processes with high Sleep usage or reflective DLL loads (T1620, T1622) indicative of MuddyWater’s Fooder/MuddyViper. Data: EDR sandbox telemetry. Fields: thread sleeps, CreateProcessAsUser calls. Lookback: 7 days for high value assets. Observable: Unusual Sleep loops in new processes, processes duplicating tokens (Fooder dup token)【32†L1024-L1030】. False positives: Crypto mining (sleep loops), benign token duplication for service. Escalate if coupled with other suspicious TTPs. ATT&CK: T1497.003, T1134.
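To make hunts 1 to 4 above concrete, here is an added example (not code from the cited reports or vendors) that runs the hunt logic over constructed, Sysmon-style sample events: the RMM binary names, the “OsUpdater.exe” loader name, the “ManageOnDriveUpdater” task, the “OneDriveStandaloneUpdaterService” name and the HKCU CLSID COM-hijack key come from the page; the file-share domain forms, the user-writable path list and the IT allowlist host are assumptions.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Observables named in the hunting hypotheses above (page values).
RMM_BINARIES = {"ateraagent.exe", "pdqdeploy.exe", "level.exe", "simplehelp.exe"}
LOADER_NAMES = {"osupdater.exe"}                      # reported Fooder file name
TASK_NAMES = {"manageondriveupdater"}                  # MuddyViper scheduled task
SERVICE_NAMES = {"onedrivestandaloneupdaterservice"}   # AnchorRAT service name
# Assumed domain forms for the file-sharing services named on the page.
FILE_SHARE_DOMAINS = ("onehub.com", "mega.nz", "egnyte.com")
# COM hijack: a CLSID subkey under the per-user Classes hive (AnchorRAT pattern).
COM_HIJACK_KEY = re.compile(r"^HKCU\\Software\\Classes\\CLSID\\\{[0-9a-f-]{36}\}\\", re.I)
# Assumed allowlist of hosts where IT legitimately runs RMM tooling, and
# assumed user-writable path fragments that a loader should not run from.
RMM_ALLOWED_HOSTS = {"it-admin-01"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


@dataclass
class Finding:
    hunt: str
    technique: str
    host: str
    detail: str


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _on_file_share(url):
    host = urlparse(url).hostname or ""
    return any(host == d or host.endswith("." + d) for d in FILE_SHARE_DOMAINS)


def hunt_phishing_link(ev):
    """Hunt 1: PDF attachment whose extracted links point at a free file share."""
    if ev["type"] != "email" or not any(a.lower().endswith(".pdf") for a in ev["attachments"]):
        return None
    hits = [u for u in ev["urls"] if _on_file_share(u)]
    if hits:
        return Finding("PDF lure linking to file share", "T1566.002", ev["host"], ", ".join(hits))
    return None


def hunt_rmm_execution(ev):
    """Hunt 2: RMM binaries starting on hosts outside the IT allowlist."""
    if ev["type"] != "process_create":
        return None
    image = _basename(ev["image"])
    if image in RMM_BINARIES and ev["host"].lower() not in RMM_ALLOWED_HOSTS:
        return Finding("unauthorized RMM execution", "T1219", ev["host"],
                       f"{image} spawned by {_basename(ev['parent'])}")
    return None


def hunt_loader_artifact(ev):
    """Hunt 3: the reported Fooder file name running from a user-writable path."""
    if ev["type"] != "process_create":
        return None
    if _basename(ev["image"]) in LOADER_NAMES and any(p in ev["image"].lower() for p in USER_WRITABLE):
        return Finding("Fooder loader artifact", "T1059.001", ev["host"], ev["image"])
    return None


def hunt_persistence(ev):
    """Hunt 4: MuddyViper task name, AnchorRAT service name, or a COM hijack key."""
    if ev["type"] == "task_create" and ev["name"].lower() in TASK_NAMES:
        return Finding("scheduled task persistence", "T1053.005", ev["host"], ev["name"])
    if ev["type"] == "service_install" and ev["name"].lower() in SERVICE_NAMES:
        return Finding("service persistence", "T1543.003", ev["host"], ev["name"])
    if ev["type"] == "registry_set" and COM_HIJACK_KEY.match(ev["key"]):
        return Finding("COM hijack persistence", "T1546.015", ev["host"], ev["key"])
    return None


HUNTS = (hunt_phishing_link, hunt_rmm_execution, hunt_loader_artifact, hunt_persistence)


def run_hunts(events):
    """Apply every hunt to every event; findings come back in event order."""
    findings = []
    for ev in events:
        for hunt in HUNTS:
            finding = hunt(ev)
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed sample telemetry (not real logs): one email-gateway record and a few
# endpoint records from a finance workstation and the allowlisted IT host.
SAMPLE_EVENTS = [
    {"type": "email", "host": "mail-gw", "attachments": ["quote.pdf"],
     "urls": ["https://ws.onehub.com/files/abc123", "https://www.example.com/contact"]},
    {"type": "process_create", "host": "fin-ws-07", "parent": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Program Files\Atera Networks\AteraAgent\AteraAgent.exe"},
    {"type": "process_create", "host": "it-admin-01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\PDQ Deploy\PDQDeploy.exe"},  # allowlisted host: no finding
    {"type": "process_create", "host": "fin-ws-07", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\bob\AppData\Local\Temp\OsUpdater.exe"},
    {"type": "task_create", "host": "fin-ws-07", "name": "ManageOnDriveUpdater"},
    {"type": "registry_set", "host": "fin-ws-07",
     "key": r"HKCU\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32"},
    {"type": "task_create", "host": "fin-ws-07", "name": "OneDrive Standalone Update Task"},  # benign name
]
```

Calling `run_hunts(SAMPLE_EVENTS)` yields five findings (T1566.002, T1219, T1059.001, T1053.005, T1546.015); the allowlisted PDQ execution and the benign-looking task produce none.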

Each hunt should be tuned to reduce false positives (e.g., correlating with known admins). Escalation criteria include confirmed phishing payload execution, credential disclosure, or lateral spread. Most hunts leverage endpoint logs and network telemetry.

10. Source Register Updates

| ID | Publisher / Source | Title (or Site) | Date | Accessed | URL | Superseded? | Reliability |
|---|---|---|---|---|---|---|---|
| S1 | Israel National Cyber Directorate (NCD) | Technological Advancement and Evolution of MuddyWater in 2024【5†】 | Feb 2025 | 2026-05-16 | gov.il/NCD muddyWater report (via Scribd) | No | A |
| S2 | Trellix Threat Intel Blog | The Iranian Cyber Capability (MuddyWater section)【9†】 | 19 Sep 2024 | 2026-05-16 | threatguide.trellix.com/muddywater | No | B |
| S3 | MITRE ATT&CK (Groups) | MuddyWater (G0069)【13†】 | v7.0 (18 Apr 2018; updated 12 May 2026) | 2026-05-16 | attack.mitre.org/groups/G0069 | No | A |
| S4 | ESET Research (WeLiveSecurity) | MuddyWater: Snakes by the riverbank【21†】 | 02 Dec 2025 | 2026-05-16 | welivesecurity.com/.../muddywater-snakes-riverbank | No | A |
| S5 | ESET Newsroom | Iran’s MuddyWater targets critical infrastructure in Israel and Egypt, masquerades as Snake game【15†】 | 02 Dec 2025 | 2026-05-16 | eset.com/.../snake-game-muddywater | No | A |
| S6 | Recorded Future – The Record | Iran-linked hackers target Israeli, Egyptian critical infrastructure...【18†】 | 02 Dec 2025 | 2026-05-16 | therecord.media/.../target-israel-egypt-phishing | No | B |
| S7 | Security Affairs (blog) | MuddyWater strikes Israel with advanced MuddyViper malware【46†】 | 02 Dec 2025 | 2026-05-16 | securityaffairs.com/185244/apt/muddywater-muddyviper | No | B |
| S8 | Lookout Threat Research | Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy...【17†】 | 21 Jul 2025 | 2026-05-16 | lookout.com/threat-intel/article/.../dchspy | No | B |
| S9 | Malpedia (FKIE) | MuddyWater (Threat Actor)【11†】 | (current) | 2026-05-16 | malpedia.caad.fkie.fraunhofer.de/actor/muddywater | No | B |
| S10 | Proofpoint (APT) | MuddyWater (Seedworm, Static Kitten)【13†: ATT&CK】 | 2025? | 2026-05-16 | proofpoint.com/us/threat-insight | No (Mirrored) | B |
| S11 | CrowdStrike APT Index | TA450 (MuddyWater)【13†: related links】 | 2025? | 2026-05-16 | crowdstrike.com/resources | No (Mirror) | B |
| S12 | TREND Micro (IOTTA) | MuddyWater (Seedworm) blog references【13†: maps】 | 2017–2025 | 2026-05-16 | trendmicro.com | No (mirror) | B |
| S13 | Unit42 (Palo Alto) | Seedworm / MuddyWater (various blogposts) | 2017–2024 | 2026-05-16 | unit42.paloaltonetworks.com | No (mirror) | B |
| S14 | CISA (Mitre Engenuity) | Jacks & Jesters, 2018 (brief mention G0069) | 2022 | 2026-05-16 | cisa.gov/publication/muddywater (if exists) | No (maybe offline) | B (if found) |
| S15 | ClearSky (reports) | Operation Quicksand (2020)【21†】 | 2021 | 2026-05-16 | clearskysec.com/quicksand/ | No (provided) | B |
| S16 | Others (CERT/KR) | Tapas (2019), DustySky (2018) etc. | 2018–2019 | 2026-05-16 | possibly dustySky/Chinese languages | – | D (older) |

(Note: S10–S13 are example CTI sources mentioned via references in MITRE. They are not directly cited above, but reflect “vendor naming caveats.” We include them as context but mark as well-known from MITRE link.)

11. Evidence Register Updates

Claim ID | Actor | Source(s) | Quote / Paraphrase | Label | Reliability | Credibility | Confidence | Comments / Gaps
C1 | MuddyWater | S1 (NCD) | “MuddyWater is an Iranian threat group operating under the Iranian Ministry of Intelligence and Security (MOIS) since 2017.”【5†L231-L237】 | Source-reported | A | High | High | --
C2 | MuddyWater | S3 (MITRE) | “MuddyWater is…assessed to be a subordinate element within Iran’s Ministry of Intelligence and Security (MOIS).”【13†L52-L54】 | Source-reported | A | High | High | --
C3 | MuddyWater | S8 (Lookout) | “MuddyWater…is a cyber espionage group believed to be affiliated with Iran’s MOIS. This group targets diverse…across Middle East, Asia, Africa, Europe, North America.”【17†L35-L40】 | Source-reported | B | High | High | Broad region; confirms affiliation
C4 | MuddyWater | S1 (NCD), S21, S46 | “After the outbreak of the ‘Iron Swords’ War [Oct 2023], a marked increase in cyber activity attributed to MuddyWater was observed within Israel.”【5†L249-L257】 | Source-reported | A (NCD) | Medium | Med-High | “Iron Swords” war context; credible as NCD data
C5 | MuddyWater | S15, S21 | “2020 Operation Quicksand…targeting Israeli government and telecom, evolution to multistage operations.”【21†L135-L142】 (past ops) | Source-reported | B (security firm) | Medium | Med | Confirms historical Israel targeting
C6 | MuddyWater | S5, S46 | “New MuddyWater campaign primarily targeting organizations in Israel, one confirmed Egypt”【15†L106-L114】【46†L181-L189】; Israeli sectors: tech, eng, manufacturing, local govt, education, transportation, utilities, universities【15†L106-L114】【46†L181-L189】. | Source-reported | A (ESET), B | High | High | --
C7 | MuddyWater | S2, S25, S46 | Tools/deployment: Used RMM (Atera, PDQ, SimpleHelp) from file-sharing via spearphish【25†L257-L264】; deployed MuddyViper via Fooder【21†L79-L88】【46†L170-L174】; used CE‑Notes, LP‑Notes, Blub, go-socks5【21†L91-L93】【46†L174-L178】; used Mimikatz loader and VAX-One backdoor【46†L186-L189】. | Source-reported | A (ESET/Trellix) | High | High | Combined from multiple reports; strong alignment.
C8 | MuddyWater | S33, S26, S30 | Command & Control: Use of the Sad C2 and Havoc frameworks【26†L7-L10】【33†L1392-L1400】. In late 2025/2026, use of Starlink satellite for C2【13†L59-L63】. | Source-reported | A (MITRE, NCD) | Medium | Med-High | NCD (S33) suggests Sad/Havoc; MITRE confirms Starlink C2; credible.
C9 | MuddyWater | S21, S25, S46 | TTP Pattern: Spearphishing PDFs→RMM links【25†L257-L264】【46†L186-L189】; reflective loading (Fooder)【25†L294-L301】; scheduled tasks for persistence【32†L998-L1006】. | Inferred-by-source | A | High | Medium | Aggregates multiple sources; well-documented behaviors.
C10 | MuddyWater | S21, S32 | Discovery: MuddyWater uses PowerShell-based backdoors (PowerStats)【11†L23-L27】; MuddyViper “open and execute PowerShell scripts” and reverse-shell【32†L984-L992】. | Source-reported | B (Malpedia), A (ESET) | High | Medium | Confirms PowerShell use; tracked by analysts.
C11 | MuddyWater | S32 | Evasion: Tools use Sleep loops (Snake delay) and AES encryption unique to Iran APTs【25†L298-L307】【21†L89-L94】. | Source-reported | A (ESET) | High | High | Documented feature in ESET blog.
C12 | MuddyWater | S17, S38 | Public IoCs: Lookout lists 9 SHA1s of DCHSpy Android malware【38†L152-L161】. ESET lists hashes for Fooder and CE-Notes loader【39†L38-L42】. | Source-reported | B (Lookout), A (ESET) | High | High | Use in IoC section.
C13 | MuddyWater | S21, S46 | Overlap: MuddyWater cooperated/overlapped with Lyceum (OilRig) in early 2025【15†L168-L174】【46†L181-L189】, suggesting brokering. | Source-reported | A (ESET) | Medium | Med-High | ESET directly states possible AIB role.

(Evidence labels: Source-reported means explicitly stated; Assessed-by-source means the source analytically concluded it; Inferred means our combination/logic.)

12. Tool-Intelligence Updates

The following tools (novel to MuddyWater since 2023) should be added or expanded in the tool database with these attributes:

Tool Name | Type | Actor Confidence | Behavior | Public IOC/Hash (if any) | Source(s) | Detection/Hunting Notes
Fooder | Loader (C/C++) | Confirmed (MuddyWater) | Loads MuddyViper into memory; masquerades as Snake game; heavy Sleep loops【25†L294-L301】 | SHA1: 76632910CF67697BF5D7285FAE38BFCF438EC082 (OsUpdater.exe)【39†L38-L42】 | ESET【21†L79-L88】【39†L38-L42】 | Look for “Snake” binary, inspect large AES keys in loader; decoy name “OsUpdater.exe”.
MuddyViper | Backdoor (C/C++) | Confirmed | System info collection, command exec, file transfer, credential theft; uses AES/CNG; heavily sleeps【21†L79-L88】【25†L302-L304】 | (From Fooder loader) | ESET【21†L79-L88】【25†L302-L304】 | Monitor scheduled task “ManageOnDriveUpdater”, fingerprint unusual processes.
VAX-One | Backdoor (C/C++) | Confirmed | Impersonates Veeam/AnyDesk/Xerox/OneDrive updater; unknown details (custom RAT). | (not publicly hashed) | ESET【25†L262-L264】 | Alert on these legitimate-named update executables when untrusted.
CE-Notes | Stealer (data) | Confirmed | Extracts browser passwords/data, fake login dialog; used with MuddyViper【32†L1047-L1055】 | SHA1: 1723D5EA7185D2E339FA9529D245DAA5D5C9A932 (Blub.exe, loader)【39†L38-L42】 | ESET【21†L91-L93】【39†L38-L42】 | Detect API calls for decrypting browser stores; hash match.
LP-Notes | Stealer (cred) | Confirmed | Stages stolen passwords, verifies via fake login prompt【32†L1047-L1055】 | (bundled with above hash) | ESET【21†L91-L93】 | Same vector as CE-Notes; watch for GUI prompts or LSA API calls.
Blub | Stealer (data) | Confirmed | Targets browser data (Chrome, Edge etc.); part of MuddyWater toolset【21†L91-L93】 | SHA1: 1723D5EA7185D2E339FA9529D245DAA5D5C9A932【39†L38-L42】 | ESET【21†L91-L93】【39†L38-L42】 | Same detection as CE-Notes (ESET calls it Blub).
go-socks5 | Reverse Tunnel | Confirmed | Go-based SOCKS5 proxy; multiple custom variants, often nested in Fooder/MuddyViper【25†L278-L284】 | (open-source) | ESET【25†L274-L283】 | Look for process named “go-socks5”, unusual outbound SOCKS traffic.
Atera/Level/PDQ/SimpleHelp | RMM Tools | Confirmed | Legitimate remote-management installers (used by adversary)【25†L257-L264】 | (none; legitimate vendor executables) | ESET【25†L257-L264】 | Monitor for installs on systems not managed by IT.
Mimikatz loader | Credential stealer | Observed | CE-Notes-themed Mimikatz credential dumper【39†L32-L40】 | (none public) | ESET【39†L32-L40】 | Standard LSASS dump detection (Credential access).
BugSleep | Backdoor (PE64) | Confirmed | Injects shellcode; scheduled task beaconing (~43 min) to hardcoded IP; remote command execution【28†L572-L580】 | (no hash published) | NCD【28†L572-L580】 | Hunt for new scheduled tasks and traffic to uncommon IPs.
Blackout | RAT (PE64) | Confirmed | HTTP-based C2 (GET/POST), file upload/download, shell comms【28†L603-L611】 | (no hash published) | NCD【28†L603-L611】 | Detect unusual GET/POST patterns (/questions, /about-us).
AnchorRAT | RAT | Confirmed | HTTPS JSON C2; persistence via COM hijack and fake OneDrive service【30†L795-L804】 | (no hash published) | NCD【30†L795-L804】 | Monitor for registry COM hijack entries (CLSID path).
CannonRat | RAT | Confirmed | COM hijack persistence; supports runexe, rundll, etc.; copies to %LocalAppData%\WinSys【30†L925-L934】 | (no hash published) | NCD【30†L925-L934】 | Detect creation of HKCU\CLSID\{10D6...}=... entries and WinSys folder.
BlackPearl | RAT (Sad C2) | Confirmed | Full remote control, multi-protocol (HTTP/DNS), sleep timers; persistence via screensaver/registry【35†L1265-L1274】 | (no hash published) | NCD【35†L1265-L1274】 | Registry keys under HKCU\Control Panel\Desktop (screensaver COM hijack)【35†L1279-L1284】.
TreasureBox | Loader for BlackPearl | Confirmed | Loader that decrypts/encrypts BlackPearl (Huffman-coded payload)【35†L1243-L1252】 | (IOC: 04436568... ) | NCD【35†L1243-L1252】【40†L30-L38】 | IOC (hash) provided; watch for executables decoding payloads this way.
Phoenix | Payload (Sad C2) | Confirmed | Downloader masquerading as Word; AES-encrypted payload injection【35†L1342-L1351】 | (IOC: 6F6869FE... ) | NCD【35†L1342-L1351】【40†L37-L40】 | Hash IOC given; scan for downloading executables.
CC_HTTP_NA | Backdoor | Confirmed | Remote control, AES over HTTP; sandbox checks; persistence via Edge user folder【35†L1369-L1377】 | (IOC: 153128C1... ) | NCD【35†L1369-L1377】【40†L43-L46】 | IOC given; detect process copying itself to the EdgeUser folder.
DCHSpy | Android Spyware | Confirmed | Android surveillanceware (records calls/SMS/WhatsApp/location); disguised as VPN (EarthVPN/ComodoVPN)【17†L25-L33】 | (Multiple SHA1s listed)【38†L152-L161】 | Lookout【17†L25-L33】 | Block on Android MDM; network-block C2 domains (comodo-vpn.com, earthvpn.org).

Each row can feed into tool-intel.csv with fields (name,type,actor_confidence,...). Detection notes highlight distinguishing behaviors or IoCs.
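The Detection/Hunting Notes column can be turned directly into a first-pass hunt over endpoint telemetry. The following is an added example, not code from this report or from ESET/NCD, that encodes a handful of those notes as rules and runs them over constructed Sysmon-style events; the event field names, the registry-path patterns and the sample events (including the all-zero CLSID) are assumptions, while the two SHA1s are the ones listed in the table above.

```python
# Added hunting example; field names, regexes and sample events are assumptions.
import re

KNOWN_SHA1 = {  # from the tool table; truncated NCD IOCs are intentionally left out
    "76632910CF67697BF5D7285FAE38BFCF438EC082": "Fooder (OsUpdater.exe)",
    "1723D5EA7185D2E339FA9529D245DAA5D5C9A932": "CE-Notes/Blub loader (Blub.exe)",
}
# HKCU COM hijack: CLSID key written under the user hive (assumed pattern)
COM_HIJACK = re.compile(r"^HKCU\\(Software\\Classes\\)?CLSID\\\{[0-9A-F-]{36}\}\\", re.I)
BLACKOUT_URIS = ("/questions", "/about-us")  # paths named in the Blackout row

# Each rule: (attribution, event type it applies to, predicate on the event dict)
RULES = [
    ("Fooder / CE-Notes", "process",
     lambda e: e.get("sha1", "").upper() in KNOWN_SHA1),
    ("MuddyViper", "task",
     lambda e: e.get("task_name") == "ManageOnDriveUpdater"),
    ("AnchorRAT / CannonRat (COM hijack)", "registry",
     lambda e: COM_HIJACK.match(e.get("key", "")) is not None),
    ("CannonRat (WinSys drop)", "process",
     lambda e: "\\appdata\\local\\winsys\\" in e.get("image", "").lower()),
    ("BlackPearl (screensaver persistence)", "registry",
     lambda e: e.get("key", "").lower().startswith("hkcu\\control panel\\desktop")),
    ("go-socks5 tunnel", "process",
     lambda e: e.get("image", "").lower().rsplit("\\", 1)[-1].startswith("go-socks5")),
    ("Blackout (HTTP C2 paths)", "network",
     lambda e: e.get("method") in ("GET", "POST") and e.get("uri") in BLACKOUT_URIS),
]

def hunt(events):
    """Return [(attribution, event)] for every event matching one of RULES."""
    hits = []
    for e in events:
        for tool, kind, pred in RULES:
            if e.get("type") == kind and pred(e):
                hits.append((tool, e))
    return hits

# Constructed sample telemetry (not real incident data); only the last event is benign.
SAMPLE_EVENTS = [
    {"type": "process", "image": "C:\\Users\\u\\Downloads\\OsUpdater.exe",
     "sha1": "76632910cf67697bf5d7285fae38bfcf438ec082"},
    {"type": "task", "task_name": "ManageOnDriveUpdater"},
    {"type": "registry",
     "key": "HKCU\\Software\\Classes\\CLSID\\{00000000-0000-0000-0000-000000000000}\\InprocServer32"},
    {"type": "process", "image": "C:\\Users\\u\\AppData\\Local\\WinSys\\svc.exe"},
    {"type": "network", "method": "POST", "uri": "/about-us"},
    {"type": "process", "image": "C:\\Windows\\System32\\notepad.exe"},
]
```

`hunt(SAMPLE_EVENTS)` returns five hits, one per tool row exercised; the rules are deliberately coarse (every write under HKCU\Control Panel\Desktop fires) and are meant as hunt seeds to be tuned against a baseline, not as alerting signatures.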

13. Navigation / Crosslink Recommendations

  • Actor Page: Update MuddyWater profile page with new aliases (Earth Vetala, BlackPearl family, DCHSpy link) and MOIS sponsor. Link to current report.
  • Tool Pages: Create/expand pages for new tools: MuddyViper, Fooder, VAX‑One, CE‑Notes/LP‑Notes, DCHSpy, BugSleep, Blackout, AnchorRat, CannonRat, BlackPearl, TreasureBox, Phoenix, CC_HTTP_NA. Each should note MuddyWater connection and cite ESET/NCD.
  • ATT&CK Matrix: Add or update MuddyWater rows with new techniques above (especially T1620, sandbox evasion), and reference the new tool families. Link to Suspicious scheduled task T1546.015 and Sad/Havoc C2 (open issues T1102, T1572 for Satellite).
  • Hunts: Incorporate the 8 hunting hypotheses above into the hunting playbook/document. Cross-reference MITRE techniques.
  • Detections: For known IOCs (Fooder hashes, DCHSpy) create detection rules or signatures.
  • Worked Cases: Add cases Quicksand (2020), Snakes (2024–25), and any SOC experiences.
  • Related Actors: Link Lyceum/OilRig and any noted collaborations. Highlight any content overlap (especially initial access/chain-of-intrusion).
  • Persona Claims: Incorporate any partial attribution (none new here).
  • Tools Matrix: Connect each new tool to its Tool page.
  • Persona Overlap: Note that public synthesis often confuses MuddyWater with OilRig or Fox Kitten – clarify distinctions.

14. Gaps & Follow-up Plan

  • Gaps: No public disclosures conclusively explain why MuddyWater activity jumped post-Oct 2023, beyond a general “conflict reaction.” The “Iron Swords” reference suggests geopolitics but needs corroboration. Official naming of MOIS (vs. Iranian Intelligence Ministry) differs across sources – verifying the exact government chain (FOA vs. Fars Intelligence, etc.) would require either internal logs or confirmation from MI/foreign intel. The contractor/proxy question (internal MOIS cyber unit vs. outsourced group) remains unaddressed. We lack open-source proof of influence by the IRGC. Also, while many new custom tools are documented, some (e.g. VAX-One, DCHSpy variants) are not fully reverse-engineered publicly. We have only started collecting IOCs from the Israeli report – some tools (e.g. AnchorRAT/CannonRat) were summarized but not fully catalogued, so IOC coverage is incomplete.
  • Follow-up: Collect technical reports or telemetry from Israeli CERT/NCSC for 2024–26 incidents (the gov.il report likely has appendices). Seek samples via sandbox (for Fooder/MuddyViper/other). Share IOC hashes from NCD’s full report (if accessible) into detection tools. Liaise with mobile threat intel teams for MuddyWater’s Android campaigns (possibly expand hunting to Iranian networks). Search vendor blogs (ESET, CrowdStrike, etc.) for any 2026 updates beyond May to catch late-breaking tools (e.g. any STARLINK-specific C2 developments). Engage with regional CERTs (IL-ISA, SA-NSA) for anonymized attack logs.