Deep Dive | high | Government | Critical Infrastructure | Communications

MuddyWater: Iran's MOIS Cyber Arm and the Blurred Line Between Espionage and Disruption

Iran’s MOIS doesn’t need to be your most sophisticated adversary to be your most persistent one. MuddyWater has operated without interruption since at least 2017, targeting governments, telecoms, defence contractors, and critical infrastructure across a geography that spans the Middle East, Turkey, Pakistan, Europe, and the United States. Their tooling is not always cutting-edge. Their operational discipline is not always perfect. But they show up, repeatedly, across the same sectors and the same geographies, because they have a standing mandate to collect against Iran’s strategic intelligence priorities and they execute against it continuously.

The introduction of ransomware as a false flag — using Chaos ransomware and similar tools not for financial gain but to complicate attribution and mask the underlying intelligence collection — represents an escalation that defenders need to account for. What looks like a financially motivated ransomware attack may be an Iranian espionage operation that chose to leave noise on the way out.

Group Overview

Common names: MuddyWater, Seedworm, Static Kitten, TEMP.Zagros, Cobalt Ulster, Earth Vetala, Yellow Nix, Boggy Serpens
Attribution: Iran’s Ministry of Intelligence and Security (MOIS)
Confidence: High. Attributed by US Cyber Command (publicly), CISA, UK NCSC, and multiple Five Eyes partners in joint advisory AA22-055A
Active since: At least 2017; continuous documented operations
Primary mission: Espionage in support of Iranian foreign and security policy; supplementary disruptive operations against adversaries
Primary targets: Government, defence, telecoms, oil and gas, financial services
Geographic focus: Middle East and North Africa (Turkey, Saudi Arabia, UAE, Israel, Iraq, Jordan), Pakistan, India, Europe, US
Distinguishing characteristic: High operational tempo; rapid adoption of new initial access techniques; false flag ransomware to obscure intelligence collection

MuddyWater is believed to operate as a subordinate element within MOIS, Iran’s civilian intelligence ministry, distinct from the IRGC-affiliated groups (like Charming Kitten) that operate under military intelligence direction. The practical implication: tasking reflects civilian intelligence collection priorities — foreign government networks, diplomatic activity, dissidents and opposition movements — rather than purely military targets.

Operational History

Initial Targeting: Middle East Government Networks (2017-2019)

MuddyWater emerged as a distinct cluster in 2017 with documented targeting of Saudi Arabian and Iraqi government networks. Early operations relied heavily on spearphishing with macro-enabled Office documents delivering custom PowerShell-based backdoors. The group was characterised by relatively simple tooling but high operational persistence — returning to the same targets repeatedly, adapting delivery when previous attempts were blocked.

Targets in this period included foreign affairs ministries, intelligence-adjacent organisations, and telecoms providers across the Gulf. The geographic and sectoral focus directly reflects MOIS collection requirements for Iranian foreign policy: understanding Saudi and Emirati positions on Iran, monitoring Iraqi political developments, and tracking regional opposition activity.

Expansion to European and South Asian Targets (2020-2021)

By 2020, MuddyWater targeting had expanded substantially, with documented intrusions against government and defence organisations in Turkey, Pakistan, Afghanistan, and multiple European countries. Symantec’s Seedworm research documented the expansion of custom tooling in this period, with the group deploying multiple backdoor variants and increasingly using legitimate remote administration tools (specifically Secure Socket Funneling and SimpleHelp remote support software) as C2 infrastructure — a technique that blends with legitimate IT activity.

The expansion into European targets reflects the evolution of MOIS collection priorities toward monitoring Iranian diaspora communities, opposition groups operating in Europe, and bilateral diplomatic intelligence.

Microsoft Teams Abuse for Initial Access (2023)

MuddyWater adopted Microsoft Teams as an initial access vector in 2023, using compromised or fraudulently created Microsoft 365 tenants to send Teams messages impersonating IT support staff. Messages instructed targets to install remote management software (ScreenConnect, AnyDesk) under the guise of legitimate IT assistance. Once remote access was established, operators used it to deploy backdoors, dump credentials, and conduct reconnaissance.

The Teams-based initial access vector is significant because it bypasses email security controls, exploits the implicit trust many users place in internal-looking messaging platforms, and is considerably harder to detect and block than traditional phishing emails. Multiple organisations across government and defence sectors in Europe, the Middle East, and the US were targeted using this technique.

Chaos Ransomware False Flag (2025-2026)

The most significant recent evolution in MuddyWater operations: deployment of Chaos ransomware not for financial gain but as a false flag to mask the underlying intelligence collection mission. Multiple incidents have been attributed to MuddyWater where Chaos ransomware was deployed on victim networks after extended collection periods, with the ransomware apparently intended to: destroy evidence of the collection operation, create a ransomware narrative that displaces APT attribution, and degrade the victim’s ability to conduct incident response and forensic investigation.

This technique requires defenders and incident responders to consider whether a ransomware incident may be the visible endpoint of a longer, quieter collection operation. The presence of ransomware does not rule out state-sponsored espionage motivation.

Tooling

MuddyWater’s custom capability programme has evolved substantially since 2017. Core tools in the current repertoire:

BugSleep (also known as MuddyRot) is the group’s current primary implant: a .NET backdoor supporting file transfer, command execution, screenshot capture, and keylogging. It communicates via HTTP/S with domain-fronting to obscure C2 infrastructure and uses multiple layers of obfuscation to complicate static analysis. BugSleep variants have been deployed extensively across 2024-2026 operations.

MuddyC3 is a Python-based web shell and C2 framework used to maintain persistent access to compromised web servers. It is publicly available in obfuscated form, which complicates attribution to some extent — the tooling can be copied by other actors. However, operational patterns and targeting tie MuddyC3 deployments consistently to MuddyWater.

Ligolo is an open-source network tunnelling tool repurposed by MuddyWater for establishing persistent tunnel infrastructure through victim networks. Using legitimate tools for tunnelling is a consistent evasion technique — traffic over Ligolo is harder to distinguish from legitimate network activity than traffic to custom C2 domains.

PhonyC2 is a custom post-compromise C2 framework. It is less commonly deployed than BugSleep but appears in higher-value intrusions where a more capable and harder-to-detect platform is warranted.

Beyond custom tooling, MuddyWater extensively abuses legitimate remote management software. ScreenConnect, AnyDesk, SimpleHelp, and Atera have all been observed deployed by MuddyWater operators in active intrusions. This approach makes detection harder and incident response more ambiguous — the presence of remote management software on a system is not inherently suspicious.

Current TTPs

Initial Access — Microsoft Teams social engineering. The Teams-based impersonation technique documented in 2023 remains active in MuddyWater operations. Defenders should treat unsolicited Teams messages requesting software installation as high-risk, regardless of apparent sender identity.

Spearphishing with macro-enabled documents. Traditional delivery remains in use, particularly for initial targeting of organisations without mature endpoint security. MuddyWater adapts delivery format to what the target environment will execute.

Credential theft via remote management tools. Once remote access is established, operators systematically dump credentials from memory using Mimikatz variants and from browser stores, enabling lateral movement and persistence beyond the initially compromised system.

Living-off-the-land post-compromise. After credential access, MuddyWater operators rely heavily on native Windows tools (PowerShell, WMI, Task Scheduler) for lateral movement and persistence, generating the same artefacts as legitimate administrative activity.

Targeting Priorities

The most consistent targets across the documented operational history:

  • Middle Eastern government and foreign affairs ministries. Saudi Arabia, UAE, Turkey, Iraq, and Jordan feature repeatedly. MOIS requires continuous intelligence on the foreign policy positions and internal deliberations of Iran’s regional adversaries and partners.
  • Telecoms providers across the Middle East and South Asia. Telecom access provides passive visibility into communications metadata and sometimes content. Multiple MuddyWater intrusions have been identified in telecom infrastructure.
  • Defence contractors and defence-adjacent organisations. Particularly those involved in weapons programmes, military training, or bilateral defence arrangements that affect Iran’s security environment.
  • Iranian diaspora and opposition organisations. Monitoring of Iranian opposition movements and dissident communities operating in Europe and North America is a standing MOIS collection requirement.
  • Oil and gas sector. Particularly in Gulf states. Energy intelligence is a consistent Iranian priority.

The False Flag Complication

The Chaos ransomware false flag represents the most challenging aspect of defending against MuddyWater in the current period. A ransomware incident that is actually a state-sponsored espionage operation triggers different response procedures, different legal obligations, different remediation strategies, and different threat intelligence conclusions than a financially motivated criminal attack.

Indicators that a ransomware incident may be state-sponsored espionage with a false flag component:

  • Extended dwell time prior to ransomware deployment, with evidence of systematic data collection from specific categories of sensitive files
  • Ransomware deployed after what appears to be deliberate credential destruction or log wiping
  • Ransom note with no active negotiation channel or very low engagement when contacted
  • Targeting that does not fit typical criminal ransomware victim selection (government, intelligence-adjacent organisations)
  • Technical indicators that overlap with known MOIS infrastructure or tooling

When those indicators are present, treating the incident purely as ransomware is an analytical error. The appropriate response includes counterintelligence consideration of what was accessed, not just remediation of the ransomware deployment.

Defensive Recommendations

Control remote management software deployment. Maintain an approved list of remote management tools. Alert on any deployment of unapproved tools (AnyDesk, ScreenConnect, SimpleHelp) and treat installation of unlisted remote management software as a high-priority investigation trigger.
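An added example, not part of the original article, of how that allowlist check can be run over process-creation telemetry. The records are constructed Sysmon-style events, the binary catalogue is illustrative, and the approved set (Atera only) is an assumption made for the example.

```python
import re

# Illustrative catalogue of remote management binaries keyed by PE OriginalFileName
# (lowercase). Maintain it from your own telemetry; these entries are examples.
RMM_BY_ORIGINAL_NAME = {
    "anydesk.exe": "AnyDesk",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "ateraagent.exe": "Atera",
}
# Sanctioned tools (assumption for this example: the organisation approved Atera only).
APPROVED_TOOLS = {"Atera"}

# Constructed Sysmon Event ID 1 (process creation) records, one "Key: value" per line.
SAMPLE_EVENTS = """\
Image: C:\\Program Files\\Atera Networks\\AteraAgent\\AteraAgent.exe
OriginalFileName: AteraAgent.exe
User: NT AUTHORITY\\SYSTEM
---
Image: C:\\Users\\jdoe\\Downloads\\AnyDesk.exe
OriginalFileName: AnyDesk.exe
User: CORP\\jdoe
---
Image: C:\\Users\\jdoe\\AppData\\Local\\Temp\\svchost.exe
OriginalFileName: ScreenConnect.ClientService.exe
User: CORP\\jdoe
"""

def parse_events(text):
    """Split the record block on '---' separators into dicts of field -> value."""
    events = []
    for chunk in text.split("---"):
        fields = dict(re.findall(r"^(\w+): (.*)$", chunk, re.M))
        if fields:
            events.append(fields)
    return events

def find_unapproved_rmm(events):
    """Return one alert per process whose tool is known RMM but not in APPROVED_TOOLS."""
    # OriginalFileName comes from the PE version resource, so it still identifies a
    # client that was renamed on disk to blend in (here: dropped as svchost.exe).
    alerts = []
    for ev in events:
        original = ev.get("OriginalFileName", "").lower()
        tool = RMM_BY_ORIGINAL_NAME.get(original)
        if tool and tool not in APPROVED_TOOLS:
            on_disk = ev["Image"].rsplit("\\", 1)[-1].lower()
            alerts.append({"tool": tool, "image": ev["Image"], "user": ev["User"],
                           "renamed": on_disk != original})
    return alerts
```

The renamed flag separates an ordinary user-installed tool from one dropped under a system binary's name, which is the higher-priority case for investigation.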

MFA on all communication platforms. Teams-based social engineering succeeds because users trust the platform and actors can exploit weaknesses in tenant verification. Require phishing-resistant MFA for all M365 access. Alert on logins from unexpected locations or devices.

PowerShell logging and command-line monitoring. MuddyWater’s post-compromise activity is heavily PowerShell-based. Full script block logging and transcript logging for PowerShell, combined with alerting on obfuscated and encoded commands, provides detection coverage for the lateral movement phase.
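An added example, not from the original article, of triaging process command lines for the encoded and obfuscated PowerShell this recommendation refers to. The sample lines are constructed, and the marker list and scoring are illustrative choices rather than any vendor's rule set.

```python
import base64
import re

def _prefixes(switch):
    """Alternation of every prefix of a switch, longest first: powershell.exe
    accepts any unambiguous abbreviation, so -enc, -ec and -e all mean -EncodedCommand."""
    return "|".join(switch[:i] for i in range(len(switch), 0, -1))

ENCODED_RE = re.compile(
    rf"(?i)(?:^|\s)[-/](?:{_prefixes('encodedcommand')})\s+([A-Za-z0-9+/=]{{16,}})")
HIDDEN_RE = re.compile(rf"(?i)(?:^|\s)[-/]w(?:{_prefixes('indowstyle')})?\s+hidden")

# Markers that rarely appear in routine administrative scripting.
MARKERS = {
    "invoke_expression": re.compile(r"(?i)\b(?:iex|invoke-expression)\b"),
    "from_base64": re.compile(r"(?i)frombase64string"),
    "string_concat": re.compile(r"'\s*\+\s*'"),   # 'Get-'+'Proc'+'ess' style splitting
    "char_cast": re.compile(r"(?i)\[char\]"),
    "hidden_window": HIDDEN_RE,
}

def decode_encoded_command(cmdline):
    """Return the -EncodedCommand payload as text, or None when absent or invalid."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:  # PowerShell encodes the script as base64 over UTF-16LE
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyse_command_line(cmdline):
    """Score one process command line; returns (score, matched markers, decoded payload)."""
    decoded = decode_encoded_command(cmdline)
    matched = ["encoded_command"] if decoded is not None else []
    # Scan the decoded payload as well, so encoding cannot hide the other markers.
    haystack = cmdline if decoded is None else cmdline + "\n" + decoded
    matched += [name for name, rx in MARKERS.items() if rx.search(haystack)]
    return len(matched), matched, decoded

# Constructed sample command lines (Event ID 4688 / Sysmon 1 style); the first is benign.
SAMPLE_B64 = base64.b64encode("Get-Process".encode("utf-16le")).decode()
SAMPLE_LINES = [
    'powershell.exe -NoProfile -Command "Get-ChildItem C:\\Temp"',
    f"powershell.exe -NoP -W Hidden -Enc {SAMPLE_B64}",
    'powershell.exe -nop -w hidden -c "$a=\'Get-\'+\'Proc\'+\'ess\'; IEX $a"',
]
```

Run analyse_command_line over each line of a 4688 or Sysmon feed and alert at a score of two or more; the decoded payload is what the analyst reviews, since the raw line alone says nothing about what was executed.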

Treat ransomware as potentially not-ransomware. When a ransomware incident occurs in government, defence, or energy sectors, the initial response should include an explicit assessment of whether state-sponsored collection preceded the ransomware deployment. The forensic investigation should not stop at ransomware identification.