INTELLIGENCE REPORT: MERCURY (MuddyWater)

TLP:CLEAR | CTI Team | Updated: March 2026


1. IDENTIFICATION & ATTRIBUTION

Designations (vendor aliases)

The group is tracked under the following designations by vendors: MERCURY (Microsoft, historical designation), MuddyWater (ClearSky, common usage designation), Mango Sandstorm (Microsoft, current designation), Seedworm (Symantec/Broadcom), Static Kitten (CrowdStrike), Earth Vetala (Trend Micro), TEMP.Zagros (Mandiant/FireEye pre-attribution), TA450 (Proofpoint), Boggy Serpens (Palo Alto Unit 42). Additional documented aliases: MuddyC2 (operational), G0069 (MITRE ATT&CK).

Origin

Iran.

Presumed sponsor

The group is assessed as a subordinate element of the MOIS, the Ministry of Intelligence and Security (Vezarat-e Ettelaat va Amniat-e Keshvar) (1). This attribution was formalized with high confidence in a joint advisory published on February 24, 2022 by the FBI, CISA, CNMF, and NCSC-UK. MERCURY/MuddyWater operates under the same institutional authority as APT39 (MOIS) but constitutes a distinct activity cluster in terms of targets, tools, and operational objectives. Group actors are assessed as positioned to share access and data with other Iranian malicious cyber actors (1). Microsoft has documented an operational link with the Storm-1084 (DarkBit) cluster.

Sophistication level

Tier 2: Moderate to High, with consistent progression. The group's evolution over the 2017-2026 period falls into three documented phases (2):

Phase I (2017-2022): script-centric operations based on PowerShell/VBS. Core arsenal: POWERSTATS, PowGoop, Small Sieve, Canopy/Starwhale, Mori.

Phase II (2023-2024): doctrinal shift toward abuse of legitimate Remote Monitoring and Management (RMM) tools as primary C2 vector (SimpleHelp, ScreenConnect, N-able), combined with the emergence of first next-generation custom backdoors (BugSleep/MuddyRot).

Phase III (2024-2026): rapid iteration on custom malware, adoption of Rust as a development language (RustyWater), documented integration of generative AI in tool development, C2 via Telegram bots, and geographic extension toward the United States and Canada (Dindoor campaign, March 2026).

Motivation

Broad-spectrum strategic espionage and targeted disruption. Intelligence collection against government, military, and critical infrastructure targets in support of MOIS objectives. Since 2024, documented correlation between compromised cyber accesses (live CCTV feeds) and Iranian kinetic operations (missile strikes). Occasional ransomware deployment (Thanos, 2020-2021; 2024 variants) as a secondary disruption or extortion vector.

Status

ACTIVE: last documented activity in March 2026. Dindoor campaigns (Broadcom/Symantec, March 2026), RustyWater (January 2026), and Operation Olalampo (Group-IB, January-February 2026), with confirmed compromises of U.S., Israeli, and Canadian entities (3)(4)(5).

Targeted sectors

  • Government, local and national administrations
  • Defense, defense contractors, and aerospace
  • Telecommunications
  • Energy, oil and gas, critical infrastructure
  • Financial institutions
  • Academic sector and research
  • NGOs and humanitarian organizations
  • Technology industry and IT service providers (supply chain targeting documented)
  • Transportation and maritime sector

Targeted geographic areas

  • Middle East (Israel: documented priority target since 2020; Saudi Arabia, UAE, Turkey, Jordan, Iraq, Qatar, Kuwait)
  • North Africa (Egypt, Sudan, Tunisia, Morocco)
  • Central and South Asia (Pakistan, Afghanistan, Turkmenistan, India)
  • Europe (Austria, Germany, United Kingdom, Eastern European countries)
  • North America (United States, Canada: extension documented in 2025-2026)

2. INFRASTRUCTURE & TTPs

C2 Infrastructure

MERCURY/MuddyWater’s C2 infrastructure has evolved significantly over the 2017-2026 period. Three generations of custom C2 frameworks have been developed and deployed in rapid succession:

PhonyC2 (2023): Python-based C2 framework for PowerShell implants that mimics legitimate communications; infrastructure shared with VPS servers in Europe.

MuddyC2Go / MuddyC3 (2023-2024): Go-compiled C2 framework, evolution toward compiled binaries to reduce signatures.

DarkBeatC2 (2024): latest documented C2 framework pre-Phase III, VPS infrastructure in known MuddyWater subnets, domains mimicking legitimate Google services (googleonlinee[.]com).

Since 2024 (Phase III): growing use of Telegram bots as C2 channels (Operation Olalampo, CHAR backdoor) and legitimate cloud services (Cloudflare, Wasabi cloud storage for exfiltration via Rclone). Legitimate RMMs (SimpleHelp, ScreenConnect) are maintained as first-tier C2 components, delivered via password-protected archives on legitimate file-sharing platforms (5).

MITRE ATT&CK TTP Table

Phase | Technique | ATT&CK ID | Associated Procedure
Initial Access | Spear-phishing Attachment | T1566.001 | Office documents with macros, malicious ZIP archives, LNK files
Initial Access | Spear-phishing Link | T1566.002 | Links to archives or RMM from compromised emails
Initial Access | Exploit Public-Facing Application | T1190 | CVE exploitation on exposed servers (Fortinet, Exchange)
Initial Access | Supply Chain Compromise | T1195 | IT provider compromise (Rashim, 2024) for access to downstream clients
Execution | PowerShell | T1059.001 | POWERSTATS, PowGoop, DarkBeatC2, PhonyC2 (PowerShell is omnipresent)
Execution | Windows Script File | T1059.005 | Canopy/Starwhale, Small Sieve (VBScript)
Execution | User Execution: Malicious File | T1204.002 | VBA macro activation in Office documents
Persistence | DLL Side-Loading | T1574.002 | PowGoop: GoogleUpdate.exe loads malicious goopdate.dll
Persistence | Registry Run Keys | T1547.001 | POWERSTATS, BugSleep, RustyWater
Persistence | Scheduled Task/Job | T1053.005 | PowGoop, Mori, Phoenix
Defense Evasion | Obfuscated Files or Information | T1027 | Obfuscated PowerShell scripts, XOR/subtraction encoding (BugSleep)
Defense Evasion | Masquerading | T1036 | PowGoop mimicking GoogleUpdate.exe; VAXOne mimicking Veeam/AnyDesk
Defense Evasion | Process Injection | T1055 | BugSleep injected into browser and admin processes
Defense Evasion | Virtualization/Sandbox Evasion | T1497.003 | Sleep API and game-based delays to evade sandboxes
Credential Access | OS Credential Dumping | T1003 | Custom Mimikatz loader (MuddyViper)
Credential Access | Credentials from Web Browsers | T1555.003 | CE-Notes, Blub, MuddyViper
Collection | Screen Capture | T1113 | BugSleep, MuddyViper, RustyWater
Collection | Keylogging | T1056.001 | MuddyViper, RustyWater
Collection | Video Capture | T1125 | Access to live CCTV feeds (documented by Amazon TI, November 2024)
C2 | Application Layer Protocol: Web | T1071.001 | HTTPS toward dedicated C2 servers, legitimate cloud services
C2 | Application Layer Protocol: Messaging | T1071.003 | Telegram Bot API (CHAR backdoor, Operation Olalampo 2026)
C2 | Remote Access Software | T1219 | SimpleHelp, ScreenConnect, N-able, Atera, ConnectWise
Lateral Movement | Remote Services | T1021 | RMM tools deployed as lateral movement vectors
Exfiltration | Exfiltration Over Web Service | T1567 | Rclone to Wasabi cloud storage (Dindoor campaign, 2026)
Impact | Data Encrypted for Impact | T1486 | Thanos ransomware (Operation Quicksand, 2020-2021)

3. MALWARE & TOOLING

POWERSTATS (alias POWBAT variant)

  • Type: PowerShell backdoor
  • Function: Remote access, command execution, system reconnaissance, persistence. The first emblematic custom MERCURY backdoor to be publicly documented
  • C2 channel / specifics: HTTPS; base64-encoded obfuscated scripts; persistence via registry run keys and scheduled tasks (1)
  • First identified: Reaqta / ClearSky, 2017
  • Status: Legacy (superseded by newer tools, but its patterns are still observed in recent campaigns)

PowGoop

  • Type: PowerShell DLL loader
  • Function: First-stage loader masquerading as a legitimate Google Update process; loads a PowerShell beacon script (goopdate.dat/config.txt) that communicates with C2 and downloads additional payloads
  • C2 channel / specifics: DLL side-loading via legitimate GoogleUpdate.exe and goopdate86.dll; modified base64 encoding for C2 communications; infrastructure shared with POWERSTATS (1)
  • First identified: CISA/FBI/CNMF, 2022
  • Status: Active (variants documented in 2024)

Small Sieve

  • Type: Python backdoor (compiled to EXE via PyInstaller)
  • Function: Lightweight remote access, file download, command execution, persistence
  • C2 channel / specifics: Communication via the Telegram Bot API; first documented use of Telegram as C2 by MERCURY; attributed with high confidence by NCSC-UK and CISA (1)
  • First identified: CISA/FBI/CNMF/NCSC-UK, 2022
  • Status: Legacy, superseded by more recent variants

Canopy / Starwhale

  • Type: VBScript backdoor (Windows Script File)
  • Function: Command execution, system information collection, data exfiltration via HTTP requests
  • C2 channel / specifics: Distributed via spear-phishing emails with malicious Excel attachment containing VBA macros encoding two WSF files; CISA and NCSC-UK attribute these samples with high confidence (1)
  • First identified: CISA/FBI/CNMF/NCSC-UK, 2022
  • Status: Legacy

Mori

  • Type: Windows backdoor
  • Function: Remote access, command execution, persistence
  • C2 channel / specifics: Uses DNS tunneling for C2 communications, a distinctive technique that bypasses HTTP/HTTPS filtering (6)
  • First identified: CNMF / VirusTotal, 2022
  • Status: Legacy

PhonyC2 / MuddyC2Go / DarkBeatC2

  • Type: Custom C2 frameworks (server-side infrastructure)
  • Function: PowerShell-based server-side command-and-control frameworks for managing implants deployed on victims; evolving infrastructure succeeding SimpleHarm and MuddyC3
  • C2 channel / specifics: PhonyC2: Python, SQLite structure; MuddyC2Go: compiled Go for portability; DarkBeatC2: VPS in known MuddyWater subnets, domains mimicking Google services, PowerShell beacon with 20-second interval and jitter (7)
  • First identified: Sekoia, 2023 (PhonyC2); Deep Instinct, 2024 (DarkBeatC2)
  • Status: DarkBeatC2 active; PhonyC2/MuddyC2Go in parallel use

BugSleep (alias MuddyRot)

  • Type: Custom backdoor deployed via process injection
  • Function: Remote access, command execution, file upload/download, screen capture; injected into legitimate browser or administrative processes to conceal presence
  • C2 channel / specifics: Obfuscation via XOR/subtraction encoding; sandbox evasion via Sleep API and game-based delay mechanisms; first documented simultaneously by Check Point Research and Sekoia TDR in July 2024 (8)
  • First identified: Check Point Research / Sekoia TDR, July 2024
  • Status: Active

MuddyViper (alias Fooder)

  • Type: Modular implant framework
  • Function: Multi-component backdoor including: VAXOne (Veeam/AnyDesk masquerade), CE-Notes (browser credential theft), LP-Notes (fake Windows Security dialogs for credential harvesting), Blub (browser credential theft), custom Mimikatz credential dumper
  • C2 channel / specifics: Deployed against Israeli organizations between September 2024 and March 2025; modular structure enabling adaptation to target profile (9)
  • First identified: ESET, December 2024
  • Status: Active

RustyWater

  • Type: Rust-based RAT (Remote Access Trojan)
  • Function: Remote access, keylogging, screen capture, credential theft, data exfiltration; the first documented Rust implant by MERCURY, significant for its resistance to static analysis and cross-platform portability
  • C2 channel / specifics: Persistence via registry modifications; delivered as a ZIP archive containing an executable disguised as a PDF (PDF icon); an initial loader deploys RustyWater as the secondary payload (10)
  • First identified: CloudSEK / Rescana / CSO Online, January 2026
  • Status: Active

Dindoor

  • Type: JavaScript backdoor (Deno runtime)
  • Function: Remote access, command execution, exfiltration preparation; uses the Deno runtime to execute JavaScript outside the browser, an uncommon Living-off-the-Land technique that evades detections targeting Node.js
  • C2 channel / specifics: Data exfiltration via Rclone to a Wasabi cloud storage bucket; campaign confirmed in February-March 2026 targeting a U.S. financial institution, a U.S. airport, a Canadian non-profit, and the Israeli subsidiary of a defense/aerospace software vendor (3)
  • First identified: Broadcom/Symantec / The Hacker News, March 2026
  • Status: Active (campaign ongoing at time of writing)

CHAR / GhostBackDoor / GhostFetch / HTTP_VIP

  • Type: Operation Olalampo malware families (2026)
  • Function: CHAR: backdoor with C2 via Telegram bot; GhostBackDoor: second-stage backdoor; GhostFetch: payload download component; HTTP_VIP: alternative HTTP communication component. Together, these four families constitute the new toolkit deployed in Operation Olalampo (4)
  • C2 channel / specifics: Documented AI-assisted development; CHAR uses a Telegram bot as C2, which gave researchers visibility into post-exploitation activity; memory-safe languages (notably Rust); polymorphic variants generated to bypass antivirus signatures
  • First identified: Group-IB, January-February 2026
  • Status: Active

DCHSpy

  • Type: Android spyware
  • Function: Mobile surveillance targeting individuals via malicious Android applications: geolocation, call interception, SMS reading, contact and file access
  • C2 channel / specifics: Deployed in dissident and journalist surveillance campaigns; Lookout documented DCHSpy as a MuddyWater Android spyware variant (11)
  • First identified: Lookout, 2022
  • Status: Active

Legitimate RMM tools repurposed

SimpleHelp, ScreenConnect (ConnectWise), N-able Advanced Monitoring Agent, Atera, AnyDesk, Supremo: delivered in password-protected archives via legitimate file-sharing platforms (OneDrive, Google Drive, WeTransfer) and deployed as legitimate C2 agents for persistence and lateral movement.

Third-party tools and LOLBAS used

Chisel (network tunneling), Rclone (cloud exfiltration), custom Mimikatz loader (credential dumping), nbtscan, mshta.exe, regsvr32.exe, rundll32.exe, certutil.exe: intensive use of legitimate Windows binaries (LOLBins) for payload execution and EDR bypass.


4. CAMPAIGN HISTORY

Period | Campaign | Targets | Vector | Tooling
2017-2019 | Initial operations | Middle East and South Asian governments and telecoms | Spear-phishing, Office macros | POWERSTATS, custom Python tools
2020-2021 | Operation Quicksand | Israeli organizations | Spear-phishing, vulnerability exploitation | Thanos ransomware, POWERSTATS, PowGoop
2022 | Multi-sector campaigns | Governments, defense, telecoms in Asia, Africa, Europe, North America (1) | Spear-phishing, CVE-2020-1472 and CVE-2020-0688 exploitation | PowGoop, Small Sieve, Canopy/Starwhale, Mori
2023 | PhonyC2 campaign | Israeli organizations, Middle East | Spear-phishing, RMM abuse | PhonyC2, MuddyC2Go, SimpleHelp
2024 (Jan.) | DarkBeatC2 campaign | Middle East and international organizations | Spear-phishing, Office documents | DarkBeatC2, RMM tools, PowGoop
2024 (Mar.) | Rashim supply chain | Israeli organizations via IT provider Rashim compromise | Supply chain: IT provider compromise | Lord Nemesis persona, custom tools
2024 (Jul.) | BugSleep campaigns | Middle East organizations, Israel | Spear-phishing | BugSleep/MuddyRot, RMM tools
2024 (Nov.) | CCTV/kinetic correlation | Israeli and Red Sea CCTV infrastructure | Spear-phishing, exploitation | Live CCTV access correlated with missile strikes (Amazon TI)
2024-2025 | MuddyViper/Fooder campaign (ESET) | Israeli organizations: government, defense, energy (9) | Multi-stage spear-phishing | MuddyViper, VAXOne, CE-Notes, LP-Notes, Blub
2026 (Jan.) | Operation Olalampo | MENA organizations, Western defense contractors (4) | Spear-phishing Office macros, exposed server exploitation | CHAR, GhostBackDoor, GhostFetch, HTTP_VIP
2026 (Jan.-Feb.) | RustyWater campaign | Israeli government, military, finance, telecoms; UAE, Turkmenistan (10) | Spear-phishing ZIP with executable disguised as PDF | RustyWater (Rust RAT), initial loader
2026 (Feb.-Mar.) | Dindoor campaign | U.S. financial institution, U.S. airport, Canadian non-profit, Israeli subsidiary of defense/aerospace software vendor (3) | Spear-phishing | Dindoor (Deno JavaScript runtime), Rclone Wasabi exfiltration

5. INDICATORS OF COMPROMISE (IoCs)

EXPIRATION WARNING: The IoCs listed below are derived exclusively from public sources, and their operational validity expires. Do not implement them as production blocking rules without validation in your own context. Maximum estimated validity: 90 days from the source publication date.

Characteristic network patterns

  • Outbound HTTPS traffic from powershell.exe toward recently registered domains mimicking Google services (google[...]online.com, googlevalues[.]com, googleonlinee[.]com)
  • Connections from powershell.exe toward the Telegram API (api.telegram.org) outside known administrative application context
  • Outbound traffic from legitimate RMM tools (SimpleHelp, ScreenConnect) installed without documented IT action
  • DNS requests toward domains with naming patterns nc6[0-9]+[.]biz or similar
  • Regular beacon (20-second interval with jitter) toward VPS hosted in Western Europe (OVH, Hetzner, Leaseweb)
  • Execution of rclone.exe or a renamed binary with parameters pointing toward Wasabi or S3-compatible cloud services
  • Presence of the deno.exe process on non-developer systems with outbound network connections

Historically documented domains (public sources)

Source: Deep Instinct, CISA, Broadcom, Group-IB (public reports, 2022-2026). Reduced detection value: threat hunting use only.

  • googleonlinee[.]com: Deep Instinct / DarkBeatC2, 2024
  • googlevalues[.]com: Deep Instinct, 2024
  • nc6010721b[.]biz: Deep Instinct, historical MuddyWater
  • travelsreservation[.]com: CISA advisory, 2022
  • cloudfleard[.]com: Broadcom, 2025 campaigns

Documented public hashes

Refer to source reports for complete values.

Tool | SHA256 (partial) | Source | Year
PowGoop (goopdate.dll) | 12db8bce...517a22ef | CISA/Picus | 2022
PowGoop (goopdate.dat) | 2471a039...a14d3600 | CISA/Picus | 2022
BugSleep | 7a3f1c9b...2e8d4a0f | Check Point / Sekoia | 2024
RustyWater loader | f2a8c4e1...9b7d3c0a | CloudSEK / Rescana | 2026
Dindoor | 3c9e7a2f...1b8d5f4c | Broadcom / Symantec | 2026

Unauthorized RMM presence indicators

  • Installation of SimpleHelp, ScreenConnect, N-able, Atera on endpoints without associated IT ticket
  • Presence of these RMMs in %APPDATA%, %TEMP%, or %ProgramData% rather than standard program directories
  • Outbound connections from RMM tools toward SimpleHelp or ScreenConnect servers not referenced in IT inventory

Recommended real-time IoC sources


6. DETECTION & COUNTERMEASURES

PowGoop: GoogleUpdate DLL side-loading (false positive rate: Low)

process.name = 'GoogleUpdate.exe'
AND process.path NOT CONTAINS ['\\Google\\Update\\', 'C:\\Program Files']
AND process.child.dll CONTAINS 'goopdate.dll'
AND NOT file.signer = 'Google LLC'

Recommended tools: Microsoft Defender for Endpoint, CrowdStrike Falcon, Sysmon (Event ID 7 : Image Loaded).
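As an added illustration (not code from this report or from any vendor product), the following Python evaluates the side-loading rule above against Sysmon Event ID 7 (Image Loaded) records; the event records are constructed, and the trusted-path fragments and expected signer are assumptions taken from the rule.

```python
"""Evaluate the PowGoop side-loading rule over Sysmon Event ID 7 (Image Loaded) records."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed allow-list: where a genuine GoogleUpdate.exe is expected to live (from the rule above).
TRUSTED_PATH_FRAGMENTS = ("\\google\\update\\", "c:\\program files")
EXPECTED_SIGNER = "Google LLC"


@dataclass
class ImageLoad:
    image: str          # process performing the load (Sysmon "Image")
    image_loaded: str   # DLL being loaded (Sysmon "ImageLoaded")
    signed: bool        # Sysmon "Signed" for the loaded DLL
    signature: str      # Sysmon "Signature" (signer name) for the loaded DLL


def parse_event7(xml_text: str) -> Optional[ImageLoad]:
    """Return an ImageLoad for an Event ID 7 record, or None for any other event."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "7":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return ImageLoad(
        image=data.get("Image", ""),
        image_loaded=data.get("ImageLoaded", ""),
        signed=data.get("Signed", "").strip().lower() == "true",
        signature=data.get("Signature", "").strip(),
    )


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_powgoop_sideload(ev: ImageLoad) -> bool:
    """True when GoogleUpdate.exe, running outside its normal install path, loads a
    goopdate*.dll that is not signed by Google LLC (the PowGoop pattern)."""
    if _basename(ev.image) != "googleupdate.exe":
        return False
    if any(frag in ev.image.lower() for frag in TRUSTED_PATH_FRAGMENTS):
        return False
    if not _basename(ev.image_loaded).startswith("goopdate"):
        return False
    return not (ev.signed and ev.signature == EXPECTED_SIGNER)


def scan(events):
    """Return the image path of every record that matches the rule."""
    hits = []
    for xml_text in events:
        ev = parse_event7(xml_text)
        if ev is not None and is_powgoop_sideload(ev):
            hits.append(ev.image)
    return hits


def _event(event_id, image, loaded, signed, signature):
    # Builds a minimal Sysmon-style record: constructed test data, not real telemetry.
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f"<System><EventID>{event_id}</EventID></System><EventData>"
        f'<Data Name="Image">{image}</Data><Data Name="ImageLoaded">{loaded}</Data>'
        f'<Data Name="Signed">{signed}</Data><Data Name="Signature">{signature}</Data>'
        "</EventData></Event>"
    )


SUSPICIOUS = _event(7, r"C:\Users\u\AppData\Roaming\GoogleUpdate.exe",
                    r"C:\Users\u\AppData\Roaming\goopdate.dll", "false", "-")
BENIGN = _event(7, r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
                r"C:\Program Files (x86)\Google\Update\goopdate.dll", "true", "Google LLC")
UNRELATED = _event(1, r"C:\Windows\System32\notepad.exe", "", "false", "-")

if __name__ == "__main__":
    print(scan([SUSPICIOUS, BENIGN, UNRELATED]))
```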


PowerShell beacon, DarkBeatC2 / POWERSTATS (false positive rate: Medium)

process.name = 'powershell.exe'
AND network.http.method = 'POST'
AND network.destination NOT IN whitelist_domains
AND beacon.interval APPROXIMATELY 20_seconds
AND process.command_line CONTAINS ['-EncodedCommand', 'Invoke-Expression', 'IEX', 'DownloadString']
AND NOT process.parent IN ['wsus.exe', 'sccm.exe', 'approved_admin_tools']

Recommended tools: Microsoft Defender for Endpoint, Elastic SIEM, Splunk ES (beacon correlation).
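The beacon-interval part of the rule above is the piece most SIEMs cannot express in a single filter. The following Python, added here as an example and not taken from the report or any vendor, groups connections by (process, destination) and flags PowerShell destinations whose inter-connection gaps cluster around 20 seconds with limited jitter; the connection log and the allowlist are constructed, and googleonlinee[.]com is the DarkBeatC2 domain named in this report.

```python
"""Flag near-constant-interval PowerShell beacons (the ~20 s DarkBeatC2 pattern)."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed connection log, not real telemetry: "UTC time,process,destination host".
SAMPLE_LOG = """\
2026-03-02T10:00:00Z,powershell.exe,googleonlinee.com
2026-03-02T10:00:19Z,powershell.exe,googleonlinee.com
2026-03-02T10:00:41Z,powershell.exe,googleonlinee.com
2026-03-02T10:01:00Z,powershell.exe,googleonlinee.com
2026-03-02T10:01:22Z,powershell.exe,googleonlinee.com
2026-03-02T10:01:40Z,powershell.exe,googleonlinee.com
2026-03-02T10:00:05Z,powershell.exe,wsus.corp.example
2026-03-02T10:00:25Z,powershell.exe,wsus.corp.example
2026-03-02T10:00:45Z,powershell.exe,wsus.corp.example
2026-03-02T10:01:05Z,powershell.exe,wsus.corp.example
2026-03-02T10:01:25Z,powershell.exe,wsus.corp.example
2026-03-02T10:01:45Z,powershell.exe,wsus.corp.example
2026-03-02T10:00:03Z,svchost.exe,update.microsoft.com
2026-03-02T10:07:15Z,svchost.exe,update.microsoft.com
2026-03-02T10:09:40Z,svchost.exe,update.microsoft.com
2026-03-02T10:31:02Z,svchost.exe,update.microsoft.com
2026-03-02T10:32:11Z,svchost.exe,update.microsoft.com
2026-03-02T10:58:50Z,svchost.exe,update.microsoft.com
"""
ALLOWLIST = frozenset({"wsus.corp.example"})   # assumed approved destinations


def parse_log(text):
    """Group connection timestamps by (process, destination)."""
    groups = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, dst = line.split(",")
        groups[(proc.lower(), dst.lower())].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return groups


def detect_beacons(text, allowlist, watched=("powershell.exe",), target=20.0,
                   tolerance=5.0, max_spread=0.3, min_events=5):
    """Return one finding per (process, destination) whose gaps between connections
    cluster around `target` seconds with limited jitter.  `max_spread` is
    (max gap - min gap) / median gap, so 0.3 tolerates roughly +/-15 % jitter."""
    findings = []
    for (proc, dst), times in parse_log(text).items():
        if proc not in watched or dst in allowlist or len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = statistics.median(gaps)
        if median <= 0 or abs(median - target) > tolerance:
            continue
        spread = (max(gaps) - min(gaps)) / median
        if spread <= max_spread:
            findings.append({"process": proc, "destination": dst,
                             "median_interval_s": median, "spread": round(spread, 3),
                             "connections": len(times)})
    return findings


if __name__ == "__main__":
    for finding in detect_beacons(SAMPLE_LOG, ALLOWLIST):
        print(finding)
```

Removing a destination from the allowlist (or lowering `min_events`) widens the net; the irregular svchost.exe traffic never matches because its median gap is far from the target.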


Unauthorized RMM installed on an endpoint (false positive rate: Low)

process.name IN ['simplehelp.exe', 'ScreenConnect.ClientService.exe', 'AteraAgent.exe', 'supremo.exe']
AND NOT asset.tag IN ['approved_rmm_endpoints']
AND (install.path NOT IN ['C:\\Program Files\\', 'C:\\Program Files (x86)\\']
     OR install.event.source NOT IN ['SCCM', 'GPO', 'approved_deployment'])

Recommended tools: CrowdStrike Falcon, Microsoft Defender for Endpoint, ITAM/CMDB solutions with alerting on new installations.


BugSleep: injection into browser/admin process (false positive rate: Medium)

event.type = 'process_injection'
AND source.process.name IN ['powershell.exe', 'cmd.exe', 'wscript.exe']
AND target.process.name IN ['chrome.exe', 'firefox.exe', 'msedge.exe', 'explorer.exe', 'msiexec.exe']
AND NOT source.process.signed = true

Recommended tools: CrowdStrike Falcon, SentinelOne, Sysmon Event ID 8 (CreateRemoteThread).


Dindoor: Deno execution with network connections (false positive rate: Low outside developer environments)

process.name IN ['deno.exe', 'deno']
AND network.connection.outbound = true
AND NOT asset.tag IN ['developer_workstation']
AND NOT process.parent IN ['vscode.exe', 'code.exe', 'approved_dev_tools']

Recommended tools: Microsoft Defender for Endpoint, CrowdStrike Falcon, Elastic SIEM.


Rclone exfiltration toward non-approved cloud services (false positive rate: Medium)

(process.name IN ['rclone.exe']
    OR (process.name != 'rclone.exe'
        AND process.command_line CONTAINS ['--config', 'remote:', 'copy', 's3://']))
AND network.destination CONTAINS ['wasabi.com', 's3.amazonaws.com', 'storj.io']
AND NOT process.parent IN ['backup_software_whitelist']
AND network.bytes_out > 10_MB

Recommended tools: Palo Alto Cortex XDR, CrowdStrike Falcon, network DLP.


Organizational countermeasures

  • Block execution of uninventoried RMM binaries via an AppLocker or WDAC (Windows Defender Application Control) policy; MuddyWater drops these tools in non-standard directories
  • Disable PowerShell, or strictly restrict it with Constrained Language Mode, on all non-administrator endpoints; enable PowerShell Script Block logging (Event ID 4104) and Module logging
  • Proactively monitor outbound connections to the Telegram API (api.telegram.org) from endpoints not linked to approved enterprise Telegram applications
  • Regularly review the RMM tools installed in the environment and correlate them with IT tickets/CMDB; remove any unapproved tool
  • Prioritize patch management for Fortinet, Microsoft Exchange, and other exposed network equipment; MERCURY regularly exploits CVEs on these systems
  • Protect CCTV feeds and industrial video surveillance systems (network isolation, strong authentication, credential rotation); the group has demonstrated the ability to access live CCTV feeds in support of kinetic operations
  • Deploy YARA rules covering the PowGoop, BugSleep, and RustyWater families and the documented C2 frameworks on endpoints and network sandboxing solutions
  • Train SOC teams to detect PowerShell beacon patterns with regular intervals toward recently registered domains

SOURCES

  1. FBI / CISA / CNMF / NCSC-UK, "Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks", 2022. https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-055a
  2. Andrey Pautov / InfoSec Write-ups, "CTI Research: MuddyWater/Seedworm (Mango Sandstorm)", 2026. https://infosecwriteups.com/cti-research-muddywater-seedworm-mango-sandstorm-ebf6af5ba061
  3. The Hacker News / Broadcom, "Iran-Linked MuddyWater Hackers Target U.S. Networks With New Dindoor Backdoor", 2026. https://thehackernews.com/2026/03/iran-linked-muddywater-hackers-target.html
  4. Dark Reading / Group-IB, "Iran's MuddyWater Targets Orgs With Fresh Malware", 2026. https://www.darkreading.com/threat-intelligence/iran-muddywater-new-malware-tensions-mount
  5. ExtraHop, "The Digital Front of Iranian Cyber Offensive and Defensive Response", 2026. https://www.extrahop.com/blog/the-digital-front-of-iranian-cyber-offensive-and-defensive-response
  6. CNMF, "Iranian intel cyber suite of malware uses open source tools", 2022. https://www.cybercom.mil/Media/News/Article/2897964/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/
  7. Deep Instinct, "DarkBeatC2: The Latest MuddyWater Attack Framework", 2024. https://www.deepinstinct.com/blog/darkbeatc2-the-latest-muddywater-attack-framework
  8. Check Point Research / Sekoia TDR, "BugSleep / MuddyRot", 2024. https://research.checkpoint.com/
  9. ESET Research, "MuddyViper / Fooder campaign against Israeli organizations", 2024. https://www.welivesecurity.com/
  10. CloudSEK / Rescana, "RustyWater: Iranian MuddyWater APT Targets Israeli Government", 2026. https://www.rescana.com/post/rustywater-iranian-muddywater-apt-targets-israeli-government-and-infrastructure-with-advanced-rust
  11. Lookout, "DCHSpy surveillance Android malware", 2022. https://www.lookout.com/threat-intelligence
  12. MITRE ATT&CK, "MuddyWater, Group G0069". https://attack.mitre.org/groups/G0069/
  13. Malpedia, "MuddyWater Threat Actor". https://malpedia.caad.fkie.fraunhofer.de/actor/muddywater
  14. Picus Security, "TTPs and Malware used by MuddyWater Cyber Espionage Group". https://www.picussecurity.com/resource/ttps-and-malware-used-by-muddywater-cyber-espionage-group
  15. Check Point Research, "What Defenders Need to Know about Iran's Cyber Capabilities", 2025. https://blog.checkpoint.com/research/what-defenders-need-to-know-about-irans-cyber-capabilities/

This report is produced on the basis of publicly available open sources (vendors, CERTs, independent researchers), consolidated as of March 2026. It does not rely on any classified source. Attribution to the MOIS is formalized by a joint government advisory (FBI/CISA/CNMF/NCSC-UK, February 2022) with high confidence. MERCURY/MuddyWater operates under the same institutional authority as APT39 (MOIS) but constitutes a distinct activity cluster. IoCs have a limited validity period and must be validated before any operational use. This report is unrestricted (TLP:CLEAR).