Iran · Formally attributed · Active · MITRE G0069

MuddyWater

MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS). Since at least 2017, MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, finance, defense, and oil and natural gas, in the Middle East (specifically the UAE and Saudi Arabia), Asia, Africa, Europe, and North America. MuddyWater has reused domains dating back to October 2025, and has a preference for NameCheap and Hosterdaddy Private Limited (AS136557). In late 2025 and early 2026, MuddyWater used commercial satellite internet (i.e., Starlink) for command and control (C2) communication.

Attribution signal

Score = mentions × confidence weight, summed across all attributed sources. Higher source diversity increases the score. Thresholds: ≥ 10 High · ≥ 3 Moderate · < 3 Low
Score: 12.6 (High signal strength)
Mentions: 20
Sources: 3
High conf.: 9
Last seen: May 2026
First observed: 2018-04-18
Last active: Active
Origin: Iran — attributed by US CYBERCOM and multiple Western governments to MOIS (high confidence)
Aliases: 13
Techniques: 68
Campaigns: 6
Targets: Government · Telecommunications · Defence · Oil & Gas
Regions: Middle East · EU · US · TR · PK

Attribution signals

20 mentions · 3 sources
#1 · "attributed with high confidence" · high confidence
Evidence: Infrastructure · TTP match · Malware
Source: groupib · May 2026

"a new cyber campaign attributed with high confidence to the Iranian threat actor known as MuddyWater"

Campaign: Operation Olalampo
#2 · "attributed to" · high confidence
Evidence: Unspecified
Source: eset · May 2026

"ESET has documented multiple campaigns attributed to MuddyWater"

#3 · "documented" · high confidence
Evidence: Unspecified
Source: security-affairs · May 2026

"In March 2026, Ctrl-Alt-Intel published a report documenting active exploitation of CVE-2025-34291 by MuddyWater, an Iran-nexus APT group, which used the vulnerability to gain initial access to target networks."

#4 · "orchestrated by" · high confidence
Evidence: TTP match
Source: eset · May 2026

"The campaign was orchestrated by the MuddyWater cyberespionage group"

#5 · "linked" · high confidence
Evidence: Malware · TTP match
Source: checkpoint · May 2026

"Researchers linked Iran's MuddyWater to using the Chaos ransomware as cover for espionage and data theft."

#6 · "identified" · high confidence
Evidence: Infrastructure
Source: eset · May 2026

"MuddyWater remains very much active in 2026 – last month, security researchers at Broadcom's Symantec and Carbon Black identified the group in the networks of multiple US entities, including an airport, a bank, and a software firm with ties to Israel"

#7 · "impersonates" · high confidence
Evidence: TTP match · Malware · Geopolitical
Source: wechat-qax-ti · May 2026

"APT group MuddyWater impersonates Chaos ransomware, conducts social engineering through Microsoft Teams and screen sharing"

#8 · "Iran-aligned" · high confidence
Evidence: TTP match
Source: eset · May 2026

"We observed a continued increase in spearphishing activities of the Iran-aligned MuddyWater."

#9 · "has links to" · moderate confidence
Evidence: Geopolitical
Source: eset · May 2026

"It is one of the most active Iran-aligned APT groups tracked by ESET researchers and has links to the Ministry of Intelligence and National Security of Iran"

#10 · "linking" · moderate confidence
Evidence: TTP match · Malware
Source: checkpoint · May 2026

"Researchers have published a threat assessment of MuddyWater, linking the Iranian APT group to spear-phishing and LampoRAT."

#11 · "align with" · moderate confidence
Evidence: TTP match
Source: groupib · May 2026

"These attacks follow similar patterns and align with the killchains previously observed in MuddyWater attacks"

Campaign: Operation Olalampo
#12 · "probably" · moderate confidence
Evidence: TTP match
Source: eset · May 2026

"MuddyWater has worked closely with Lyceum, a subgroup of OilRig, as well as probably acted as an initial access broker (IAB) for other Iran-aligned groups"

Hedge terms observed

align with · attributed to · attributed with high confidence · consistent with · documented · exhibiting tactical and technical overlap · has links to · identified · impersonates · Iran-aligned · is · linked · linking · orchestrated by · probably · suggest with moderate confidence · suggests · unspecified