

MuddyWater is an Iranian threat group. Researchers at Cisco Talos believe MuddyWater is “a group of multiple teams working independently rather than a single group of threat actors,” primarily targeting Middle Eastern countries but also European and North American countries, followed by Turkey and other Asian countries. The researchers describe the group as aggressors that carry out campaigns against various sectors, including national and local governments and ministries, universities, and private organizations such as telecommunications providers.

In November 2021, Cisco Talos observed a campaign targeting Turkish government institutions, including Tübitak.


MuddyWater has three purposes when performing its attacks:

Cyber Espionage: This occurs when a threat actor attacks an organization for political reasons. In MuddyWater's case, the group supports the nation-state's political dominance in the Middle East and is motivated in part by nation-state interests.

Intellectual Property Theft: This occurs when threat actors aim to capture the inventions, patents, and trade secrets of companies or specific individuals. MuddyWater achieves this by running aggressive campaigns against government-affiliated institutions such as research companies and universities.

Ransomware Attacks: Typically, ransomware attacks occur when a threat actor seeks a ransom in exchange for stolen data. In MuddyWater's case, the group tried to insert ransomware such as Thanos into networks to do two things:

  1. Destroying evidence of their presence on the network or system
  2. Disrupting the operations of private entities.

MuddyWater hosts malicious documents that are downloaded through malicious PDFs. The PDFs are distributed via email and are designed to trick targets into downloading and opening them. Research shows that MuddyWater uses malicious PDFs as entry points for its attacks.

The group tries to get the victim to open the PDF file it sends, and uses some convincing tactics to do so.


Additionally, a number of malicious Excel spreadsheet files were found distributed with Turkish names, some of which appeared to be legitimate documents obtained from the Turkish Ministries of Health and Internal Affairs.


The purpose of the value written to the registry here is to ensure that it is executed at every system startup, that is, to establish persistence on the system.


The initial distribution mechanism of the infection chains consists of malicious PDF files. The URLs behind the download button in the PDF files often point to malicious XLS files containing macros that deploy subsequent VBS and PS1 scripts.

However, this infection chain has recently changed. In the second variation, the PDF points to a URL that serves an EXE instead of a malicious XLS file.
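A triage check for the two chain variants described above, added here as an example and not taken from the research the article cites: it pulls link targets from a PDF attachment's /URI actions and flags those that serve an XLS or EXE file. The sample PDF bytes, the example.test hosts and the `.xlsm` entry are constructed assumptions.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Extension -> chain variant from the text. ".xlsm" is an added assumption.
RISKY_EXT = {".xls": "xls-macro-chain", ".xlsm": "xls-macro-chain",
             ".exe": "exe-chain"}

# /URI value as a literal string "(...)" or a hex string "<...>".
# Only uncompressed annotation dictionaries are covered; links stored in
# compressed object streams need a full PDF parser.
URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\()])*)\)|<([0-9A-Fa-f\s]+)>)")


def extract_uris(pdf_bytes):
    """Return every link target found in /URI actions, in file order."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        if m.group(1) is not None:
            raw = re.sub(rb"\\(.)", rb"\1", m.group(1))  # undo \( \) \\
        else:
            digits = re.sub(rb"\s", b"", m.group(2)).decode("ascii")
            if len(digits) % 2:          # PDF pads an odd hex string with 0
                digits += "0"
            raw = bytes.fromhex(digits)
        uris.append(raw.decode("latin-1"))
    return uris


def triage(pdf_bytes):
    """Return (uri, variant) for links that serve an XLS or EXE payload."""
    findings = []
    for uri in extract_uris(pdf_bytes):
        path = unquote(urlsplit(uri).path).lower()
        variant = RISKY_EXT.get(posixpath.splitext(path)[1])
        if variant:
            findings.append((uri, variant))
    return findings


# Constructed sample: three link annotations on a reserved test domain.
_LINK = b"%d 0 obj << /Subtype /Link /A << /S /URI /URI %s >> >> endobj\n"
SAMPLE_PDF = b"%PDF-1.4\n" + b"".join(_LINK % (i, v) for i, v in enumerate([
    b"(http://files.example.test/docs/rapor\\(2021\\).xls?dl=1)",
    b"<" + b"http://files.example.test/update.exe".hex().encode() + b">",
    b"(https://www.example.test/about.html)",
], start=1))

if __name__ == "__main__":
    for uri, variant in triage(SAMPLE_PDF):
        print(variant, uri)
```
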

Some of the precautions that can be taken against MuddyWater threats:

  • Using Multi-Factor Authentication.
  • Enabling anti-malware and anti-virus software.
  • Regularly installing updates and patches for the operating system and software as they are released.
  • Training users to recognize and report social engineering and phishing attempts.
  • Avoiding clicking on hyperlinks or attachments in emails or messages from unknown or untrusted sources.


| TTP ID | Technique |
|---|---|
| T1059 | Command and Scripting Interpreter: PowerShell |
| T1027 | Obfuscated Files or Information |
| T1574.002 | Hijack Execution Flow: DLL Side-Loading |
| T1132 | Data Encoding |
| T1572 | Protocol Tunneling |


| TTP ID | Technique |
|---|---|
| T1566.001 | Spearphishing Attachment |
| T1204 | User Execution |
| T1059.001 | Command and Scripting Interpreter: PowerShell |
| T1547.001 | Registry Run Keys/Startup Folder |
| T1027 | Obfuscated Files or Information |
| T1053.005 | Scheduled Task/Job: Scheduled Task |
| T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
| T1047 | Windows Management Instrumentation |
| T1071 | Application Layer Protocol |