Iran · Formally attributed · Active · MITRE G0069

MuddyWater

MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS). Since at least 2017, MuddyWater has targeted government and private organizations across sectors including telecommunications, local government, finance, defense, and oil and natural gas, in the Middle East (specifically the UAE and Saudi Arabia), Asia, Africa, Europe, and North America. The group reuses infrastructure: domains seen in its recent activity date back to October 2025, and it favours NameCheap and Hosterdaddy Private Limited (AS136557) as infrastructure providers. In late 2025 and early 2026, MuddyWater used commercial satellite internet (Starlink) for command and control (C2) communication.

Attribution signal

Score = mentions × confidence weight, summed across all attributed sources. Higher source diversity increases the score. Thresholds: ≥ 10 high, ≥ 3 moderate, < 3 low.

Score: 13.4 (high signal strength)
Mentions: 21
Sources: 3
High-confidence mentions: 10
Last seen: Jun 2026
First observed: 2018-04-18
Last active: Active
Origin: Iran (attributed by US CYBERCOM and multiple Western governments to MOIS; high confidence)
Aliases: 13
Techniques: 68
Campaigns: 6
Targets: Government, Telecommunications, Defence, Oil & Gas
Regions: Middle East, Europe, United States, Turkey, Pakistan

Attribution signals

21 mentions · 3 sources
#1 · hedge term: "attributed with high confidence" · confidence: high
Evidence: Infrastructure, TTP match, Malware
Source: groupib, May 2026

"a new cyber campaign attributed with high confidence to the Iranian threat actor known as MuddyWater"

Campaign: Operation Olalampo

#2 · hedge term: "attributed to" · confidence: high
Evidence: Unspecified
Source: eset, May 2026

"ESET has documented multiple campaigns attributed to MuddyWater"

#3 · hedge term: "Iran-aligned" · confidence: high
Evidence: TTP match
Source: eset, May 2026

"We observed a continued increase in spearphishing activities of the Iran-aligned MuddyWater."

#4 · hedge term: "impersonates" · confidence: high
Evidence: TTP match, Malware, Geopolitical
Source: wechat-qax-ti, May 2026

"APT group MuddyWater impersonates Chaos ransomware, conducts social engineering through Microsoft Teams and screen sharing"

#5 · hedge term: "orchestrated by" · confidence: high
Evidence: TTP match
Source: eset, May 2026

"The campaign was orchestrated by the MuddyWater cyberespionage group"

#6 · hedge term: "linked" · confidence: high
Evidence: Malware, TTP match
Source: checkpoint, May 2026

"Researchers linked Iran's MuddyWater to using the Chaos ransomware as cover for espionage and data theft."

#7 · hedge term: "identified" · confidence: high
Evidence: Infrastructure
Source: eset, May 2026

"MuddyWater remains very much active in 2026 – last month, security researchers at Broadcom's Symantec and Carbon Black identified the group in the networks of multiple US entities, including an airport, a bank, and a software firm with ties to Israel"

#8 · hedge term: "used" · confidence: high
Evidence: Infrastructure
Source: checkpoint, Jun 2026

"MuddyWater, Agrius, and Nimbus Manticore used this infrastructure for attacks that enabled remote access, credential theft, and scanning"

#9 · hedge term: "documented" · confidence: high
Evidence: Unspecified
Source: security-affairs, May 2026

"In March 2026, Ctrl-Alt-Intel published a report documenting active exploitation of CVE-2025-34291 by MuddyWater, an Iran-nexus APT group, which used the vulnerability to gain initial access to target networks."

#10 · hedge term: "linking" · confidence: moderate
Evidence: Infrastructure
Source: groupib, May 2026

"Infrastructure overlap linking the campaign to historical MuddyWater operations dating back to October 2025"

Campaign: Operation Olalampo

#11 · hedge term: "probably" · confidence: moderate
Evidence: TTP match
Source: eset, May 2026

"MuddyWater has worked closely with Lyceum, a subgroup of OilRig, as well as probably acted as an initial access broker (IAB) for other Iran-aligned groups"

#12 · hedge term: "linking" · confidence: moderate
Evidence: TTP match, Malware
Source: checkpoint, May 2026

"Researchers have published a threat assessment of MuddyWater, linking the Iranian APT group to spear-phishing and LampoRAT."

Hedge terms observed

align with; attributed to; attributed with high confidence; consistent with; documented; exhibiting tactical and technical overlap; has links to; identified; impersonates; Iran-aligned; is; linked; linking; orchestrated by; probably; suggest with moderate confidence; suggests; unspecified; used