Analytics Story: MuddyWater

Description

MuddyWater is an Iranian-linked APT group (also tracked as MERCURY and Static Kitten) attributed to Iran's Ministry of Intelligence and Security. It has been active since at least 2017 and uses script-based malware (PowerShell, VBScript, JavaScript), malicious documents (PDF, Word, Excel), living-off-the-land binaries, and RATs such as SloughRAT. Its campaigns employ obfuscation and anti-sandbox techniques, and have leveraged Log4j exploits against SysAid Server. Targets include government, military, and private sector organizations across the Middle East, Turkey, South Asia, and elsewhere. Detection focuses on document-based initial access, script execution patterns, and post-exploitation behavior consistent with Talos and industry reporting.

Why it matters

MuddyWater operates as a conglomerate of sub-groups with regionally focused campaigns rather than as a single monolithic actor. The group conducts espionage and intellectual property theft, and at times ransomware or destructive operations. Recent activity includes the BlackWater campaign, which introduced new anti-detection methods and used canary tokens to track infections and evade sandboxes. Initial access has shifted from phishing documents to exploitation of vulnerable internet-facing services (e.g., SysAid). Analysts should correlate document lures, script-based payloads, and RAT indicators with geographic and sector targeting to distinguish MuddyWater from other Iranian or regional threat activity.

Detections

| Name | Technique | Type |
|---|---|---|
| Malicious PowerShell Process - Execution Policy Bypass | PowerShell | Anomaly |
| PowerShell 4104 Hunting | PowerShell | Hunting |
| Powershell Fileless Script Contains Base64 Encoded Content | Obfuscated Files or Information, PowerShell | TTP |
| Powershell Processing Stream Of Data | PowerShell | TTP |
| Registry Keys Used For Persistence | Registry Run Keys / Startup Folder | TTP |
| Suspicious mshta child process | Mshta | TTP |
| Windows Office Product Loaded MSHTML Module | Spearphishing Attachment | Anomaly |
| Windows Office Product Loading VBE7 DLL | Spearphishing Attachment | Anomaly |
| Windows Office Product Spawned Uncommon Process | Spearphishing Attachment | TTP |
| Windows Phishing PDF File Executes URL Link | Spearphishing Attachment | Anomaly |
| Windows System Reboot CommandLine | System Shutdown/Reboot | Anomaly |
| Windows System Shutdown CommandLine | System Shutdown/Reboot | Anomaly |
| Wscript Or Cscript Suspicious Child Process | Process Injection, Parent PID Spoofing, Create or Modify System Process | TTP |
| Windows Spearphishing Attachment Connect To None MS Office Domain | Spearphishing Attachment | Hunting |
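To show how several of the process-based detections in this table combine at story level, the following Python is an added example (not part of the original page and not the Splunk searches themselves): it applies simplified approximations, named after the listed detections, to constructed Sysmon Event ID 1 records. The Office application list, suspicious child list, regexes and sample events are assumptions made for the illustration.

```python
import re
from typing import Dict, List

# Constructed Sysmon Event ID 1 (process creation) records; not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Users\Public\invoice.hta"},
    {"ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ep Bypass -w hidden -f C:\Users\Public\s.ps1"},
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c shutdown /r /t 0"},
    {"ParentImage": r"C:\Windows\explorer.exe",   # benign user activity
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r"EXCEL.EXE C:\Users\alice\budget.xlsx"},
]

# Assumed process sets; tune to your environment's baseline.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
                       "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
EXEC_POLICY_BYPASS = re.compile(r"-(?:ep|ex\w*|executionpolicy)\s+bypass", re.I)
SHUTDOWN_CMD = re.compile(r"\bshutdown(?:\.exe)?\s+/[rs]\b", re.I)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of the (approximated) detections that fire on one event."""
    parent, image, cmd = basename(event["ParentImage"]), basename(event["Image"]), event["CommandLine"]
    hits = []
    if parent in OFFICE_APPS and image in SUSPICIOUS_CHILDREN:
        hits.append("Windows Office Product Spawned Uncommon Process")
    if parent == "mshta.exe" and image in SUSPICIOUS_CHILDREN:
        hits.append("Suspicious mshta child process")
    if parent in SCRIPT_HOSTS and image in SUSPICIOUS_CHILDREN:
        hits.append("Wscript Or Cscript Suspicious Child Process")
    if image in {"powershell.exe", "pwsh.exe"} and EXEC_POLICY_BYPASS.search(cmd):
        hits.append("Malicious PowerShell Process - Execution Policy Bypass")
    if SHUTDOWN_CMD.search(cmd):
        hits.append("Windows System Reboot CommandLine" if "/r" in cmd.lower()
                    else "Windows System Shutdown CommandLine")
    return hits

def triage(events: List[Dict[str, str]]) -> Dict[str, List[int]]:
    """Story-level view: map each detection name to the indices of events that fired it."""
    by_rule: Dict[str, List[int]] = {}
    for i, ev in enumerate(events):
        for name in evaluate(ev):
            by_rule.setdefault(name, []).append(i)
    return by_rule
```

Several distinct detections firing on one host within a short window is the correlation the story relies on; a single hit on any one rule is weak evidence on its own.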

Data Sources

| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike |
| Powershell Script Block Logging 4104 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
| Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 13 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 22 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 7 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security |


Source: GitHub | Version: 1