The sub-techniques beta is now live! Read the release blog post for more info.


MuddyWater is an Iranian threat group that has primarily targeted Middle Eastern nations, and has also targeted European and North American nations. The group's victims are mainly in the telecommunications, government (IT services), and oil sectors. Activity from this group was previously linked to FIN7, but the group is believed to be a distinct group possibly motivated by espionage.[1][2][3]

ID: G0069
Associated Groups: Seedworm, TEMP.Zagros
Version: 2.1
Created: 18 April 2018
Last Modified: 28 June 2019

Associated Group Descriptions

Name Description
Seedworm [2]
TEMP.Zagros [4]

Techniques Used

Domain ID Name Use
Enterprise T1088 Bypass User Account Control

MuddyWater uses various techniques to bypass UAC.[3]

Enterprise T1191 CMSTP

MuddyWater has used CMSTP.exe and a malicious INF to execute its POWERSTATS payload.[4]

Enterprise T1059 Command-Line Interface

MuddyWater has used a custom tool for creating reverse shells.[2]

Enterprise T1500 Compile After Delivery

MuddyWater has used the .NET csc.exe tool to compile executables from downloaded C# code.[3]

Enterprise T1175 Component Object Model and Distributed COM

MuddyWater has used malware that has the capability to execute malware via COM and Outlook.[6]

Enterprise T1090 Connection Proxy

MuddyWater has controlled POWERSTATS from behind a proxy network to obfuscate the C2 location.[2]

Enterprise T1003 Credential Dumping

MuddyWater has performed credential dumping with Mimikatz, LaZagne, and other tools, including by dumping passwords saved in victim web browsers and email.[1][2]

Enterprise T1503 Credentials from Web Browsers

MuddyWater has run a tool that steals passwords saved in victim web browsers.[2]

Enterprise T1081 Credentials in Files

MuddyWater has run a tool that steals passwords saved in victim email.[2]

Enterprise T1002 Data Compressed

MuddyWater has used the native Windows cabinet creation tool, makecab.exe, likely to compress stolen data to be uploaded.[2]

Enterprise T1140 Deobfuscate/Decode Files or Information

MuddyWater decoded base64-encoded PowerShell commands using a VBS file.[4][7][3]

Enterprise T1173 Dynamic Data Exchange

MuddyWater has used malware that can execute PowerShell scripts via DDE.[6]

Enterprise T1083 File and Directory Discovery

MuddyWater has used malware that checked if the ProgramData folder had folders or files with the keywords "Kasper," "Panda," or "ESET."[6]

Enterprise T1036 Masquerading

MuddyWater has used filenames and Registry key names associated with Windows Defender. The group has also stored obfuscated JavaScript code in an image file named temp.jpg.[4][5][3]

Enterprise T1170 Mshta

MuddyWater has used mshta.exe to execute its POWERSTATS payload and to pass a PowerShell one-liner for execution.[4][6]

Enterprise T1104 Multi-Stage Channels

MuddyWater has used one C2 to obtain enumeration scripts and monitor web logs, but a different C2 to send data back. [5]

Enterprise T1027 Obfuscated Files or Information

MuddyWater has used Daniel Bohannon’s Invoke-Obfuscation framework. The group has also used other obfuscation methods, including Base64 obfuscation of VBScripts and PowerShell commands.[1][8][1][4][6][5]

Enterprise T1086 PowerShell

MuddyWater has used PowerShell for execution.[4][7][6][2][3][5]

Enterprise T1057 Process Discovery

MuddyWater has used malware to obtain a list of running processes on the system.[6]

Enterprise T1060 Registry Run Keys / Startup Folder

MuddyWater has added Registry Run key KCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemTextEncoding to establish persistence.[4][6][5]

Enterprise T1105 Remote File Copy

MuddyWater has used malware that can upload additional files to the victim’s machine.[6][3]

Enterprise T1085 Rundll32

MuddyWater has used malware that leveraged rundll32.exe in a Registry Run key to execute a .dll.[6]

Enterprise T1113 Screen Capture

MuddyWater has used malware that can capture screenshots of the victim’s machine.[6]

Enterprise T1064 Scripting

MuddyWater has used VBScript and JavaScript files to execute its POWERSTATS payload. MuddyWater has also used Microsoft scriptlets, macros, and PowerShell scripts.[[4][7][6][2][3]

Enterprise T1063 Security Software Discovery

MuddyWater has used malware to check running processes against a hard-coded list of security tools often used by malware researchers.[6]

Enterprise T1193 Spearphishing Attachment

MuddyWater has compromised third parties and used compromised accounts to send spearphishing emails with targeted attachments to recipients.[1][4][6]

Enterprise T1082 System Information Discovery

MuddyWater has used malware that can collect the victim’s OS version and machine name.[6][5]

Enterprise T1016 System Network Configuration Discovery

MuddyWater has used malware to collect the victim’s IP address and domain name.[6]

Enterprise T1033 System Owner/User Discovery

MuddyWater has used malware that can collect the victim’s username.[6]

Enterprise T1204 User Execution

MuddyWater has attempted to get users to enable macros and launch malicious Microsoft Word documents delivered via spearphishing emails.[1][4][6][5]

Enterprise T1047 Windows Management Instrumentation

MuddyWater has used malware that leveraged WMI for execution and querying host information.[6][3][5]


ID Name References Techniques
S0349 LaZagne [2] Credential Dumping, Credentials from Web Browsers, Credentials in Files
S0002 Mimikatz [1] Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0223 POWERSTATS [1] [4] [3] [2] Account Discovery, Commonly Used Port, Component Object Model and Distributed COM, Connection Proxy, Data Encoding, Data from Local System, Deobfuscate/Decode Files or Information, Disabling Security Tools, Dynamic Data Exchange, File Deletion, Masquerading, Mshta, Obfuscated Files or Information, PowerShell, Remote File Copy, Scheduled Task, Scheduled Transfer, Screen Capture, Scripting, Security Software Discovery, Standard Cryptographic Protocol, System Information Discovery, System Network Configuration Discovery, Uncommonly Used Port, Windows Management Instrumentation