diff --git a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml index 9c60b80ece..52cef222b8 100644 --- a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml +++ b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml @@ -58,6 +58,7 @@ tags: - DarkCrystal RAT - 0bj3ctivity Stealer - APT37 Rustonotto and FadeStealer + - MuddyWater asset_type: Endpoint mitre_attack_id: - T1059.001 diff --git a/detections/endpoint/powershell_4104_hunting.yml b/detections/endpoint/powershell_4104_hunting.yml index 6247821b89..efd8ad0758 100644 --- a/detections/endpoint/powershell_4104_hunting.yml +++ b/detections/endpoint/powershell_4104_hunting.yml @@ -1,7 +1,7 @@ name: PowerShell 4104 Hunting id: d6f2b006-0041-11ec-8885-acde48001122 -version: 22 -date: '2026-02-25' +version: 23 +date: '2026-03-10' author: Michael Haag, Splunk status: production type: Hunting @@ -237,6 +237,7 @@ tags: - GhostRedirector IIS Module and Rungan Backdoor - Hellcat Ransomware - Microsoft WSUS CVE-2025-59287 + - MuddyWater asset_type: Endpoint mitre_attack_id: - T1059.001 diff --git a/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml b/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml index 3a05cd5255..f149652fee 100644 --- a/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml +++ b/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml @@ -61,6 +61,7 @@ tags: - Hellcat Ransomware - Microsoft WSUS CVE-2025-59287 - NetSupport RMM Tool Abuse + - MuddyWater mitre_attack_id: - T1027 - T1059.001 diff --git a/detections/endpoint/powershell_processing_stream_of_data.yml b/detections/endpoint/powershell_processing_stream_of_data.yml index cae060d340..eab377ac4d 100644 --- a/detections/endpoint/powershell_processing_stream_of_data.yml 
+++ b/detections/endpoint/powershell_processing_stream_of_data.yml @@ -62,6 +62,7 @@ tags: - IcedID - XWorm - MoonPeak + - MuddyWater asset_type: Endpoint mitre_attack_id: - T1059.001 diff --git a/detections/endpoint/registry_keys_used_for_persistence.yml b/detections/endpoint/registry_keys_used_for_persistence.yml index 7deb59acb4..b7678a75a1 100644 --- a/detections/endpoint/registry_keys_used_for_persistence.yml +++ b/detections/endpoint/registry_keys_used_for_persistence.yml @@ -76,6 +76,7 @@ tags: - Lokibot - ValleyRAT - Castle RAT + - MuddyWater asset_type: Endpoint mitre_attack_id: - T1547.001 diff --git a/detections/endpoint/suspicious_mshta_child_process.yml b/detections/endpoint/suspicious_mshta_child_process.yml index d75d032205..d510613aad 100644 --- a/detections/endpoint/suspicious_mshta_child_process.yml +++ b/detections/endpoint/suspicious_mshta_child_process.yml @@ -57,6 +57,7 @@ tags: - Suspicious MSHTA Activity - Living Off The Land - Lumma Stealer + - MuddyWater asset_type: Endpoint mitre_attack_id: - T1218.005 diff --git a/detections/endpoint/windows_office_product_loaded_mshtml_module.yml b/detections/endpoint/windows_office_product_loaded_mshtml_module.yml index 913c45beb5..700d2aef7d 100644 --- a/detections/endpoint/windows_office_product_loaded_mshtml_module.yml +++ b/detections/endpoint/windows_office_product_loaded_mshtml_module.yml @@ -39,6 +39,7 @@ tags: - Spearphishing Attachments - Microsoft MSHTML Remote Code Execution CVE-2021-40444 - CVE-2023-36884 Office and Windows HTML RCE Vulnerability + - MuddyWater asset_type: Endpoint cve: - CVE-2021-40444 diff --git a/detections/endpoint/windows_office_product_loading_vbe7_dll.yml b/detections/endpoint/windows_office_product_loading_vbe7_dll.yml index bd39c5a18b..0ec71d35b3 100644 --- a/detections/endpoint/windows_office_product_loading_vbe7_dll.yml +++ b/detections/endpoint/windows_office_product_loading_vbe7_dll.yml 
@@ -46,6 +46,7 @@ tags: - Remcos - PlugX - NjRAT + - MuddyWater asset_type: Endpoint mitre_attack_id: - T1566.001 diff --git a/detections/endpoint/windows_office_product_spawned_uncommon_process.yml b/detections/endpoint/windows_office_product_spawned_uncommon_process.yml index 59cd836f86..859e68e949 100644 --- a/detections/endpoint/windows_office_product_spawned_uncommon_process.yml +++ b/detections/endpoint/windows_office_product_spawned_uncommon_process.yml @@ -110,6 +110,7 @@ tags: - Trickbot - Warzone RAT - APT37 Rustonotto and FadeStealer + - MuddyWater asset_type: Endpoint mitre_attack_id: - T1566.001 diff --git a/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml b/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml index 99c4784caf..39735a6a4d 100644 --- a/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml +++ b/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml @@ -48,6 +48,7 @@ tags: analytic_story: - Spearphishing Attachments - Snake Keylogger + - MuddyWater asset_type: Endpoint mitre_attack_id: - T1566.001 diff --git a/detections/endpoint/windows_system_reboot_commandline.yml b/detections/endpoint/windows_system_reboot_commandline.yml index 01f3a39281..a460d62962 100644 --- a/detections/endpoint/windows_system_reboot_commandline.yml +++ b/detections/endpoint/windows_system_reboot_commandline.yml @@ -59,6 +59,7 @@ tags: - DarkCrystal RAT - MoonPeak - Scattered Lapsus$ Hunters + - MuddyWater asset_type: Endpoint mitre_attack_id: - T1529 diff --git a/detections/endpoint/windows_system_shutdown_commandline.yml b/detections/endpoint/windows_system_shutdown_commandline.yml index a1b5df237c..9cd3da353d 100644 --- a/detections/endpoint/windows_system_shutdown_commandline.yml +++ b/detections/endpoint/windows_system_shutdown_commandline.yml @@ -43,6 +43,7 @@ tags: - MoonPeak - Scattered Lapsus$ Hunters - ZOVWiper + - MuddyWater asset_type: Endpoint mitre_attack_id: - T1529 
diff --git a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml b/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml index 7b588d6f6b..a952339f70 100644 --- a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml +++ b/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml @@ -59,6 +59,7 @@ tags: - Unusual Processes - ShrinkLocker - 0bj3ctivity Stealer + - MuddyWater asset_type: Endpoint mitre_attack_id: - T1055 diff --git a/detections/network/windows_spearphishing_attachment_connect_to_none_ms_office_domain.yml b/detections/network/windows_spearphishing_attachment_connect_to_none_ms_office_domain.yml index bc9c1a5439..912f9c9fa2 100644 --- a/detections/network/windows_spearphishing_attachment_connect_to_none_ms_office_domain.yml +++ b/detections/network/windows_spearphishing_attachment_connect_to_none_ms_office_domain.yml @@ -1,7 +1,7 @@ name: Windows Spearphishing Attachment Connect To None MS Office Domain id: 1cb40e15-cffa-45cc-abbd-e35884a49766 -version: 8 -date: '2025-05-02' +version: 9 +date: '2026-03-10' author: Teoderick Contreras, Splunk status: production type: Hunting @@ -18,6 +18,7 @@ tags: analytic_story: - Spearphishing Attachments - AsyncRAT + - MuddyWater asset_type: Endpoint mitre_attack_id: - T1566.001 diff --git a/stories/muddywater.yml b/stories/muddywater.yml new file mode 100644 index 0000000000..c2c2e01a03 --- /dev/null +++ b/stories/muddywater.yml 
@@ -0,0 +1,24 @@ +name: MuddyWater +id: 6e912210-02ec-488a-aafb-06e7d531886a +version: 1 +date: '2026-03-10' +author: Teoderick Contreras, Splunk +status: production +description: | + MuddyWater is an Iranian-linked APT group (also tracked as MERCURY, Static Kitten) attributed to Iran's Ministry of Intelligence and Security. It has been active since at least 2017 and uses script-based malware (PowerShell, VBScript, JavaScript), malicious documents (PDF, Word, Excel), living-off-the-land binaries, and RATs such as SloughRAT. Campaigns employ obfuscation, anti-sandbox techniques, and have leveraged Log4j exploits against SysAid Server. Targets include government, military, and private sector organizations across the Middle East, Turkey, South Asia, and elsewhere. Detection focuses on document-based initial access, script execution patterns, and post-exploitation behavior consistent with Talos and industry reporting. +narrative: | + MuddyWater operates as a conglomerate of sub-groups with regionally focused campaigns rather than a single monolithic actor. The group conducts espionage, intellectual property theft, and at times ransomware or destructive operations. Recent activity includes the BlackWater campaign with new anti-detection methods and canary tokens to track infections and evade sandboxes. Initial access has shifted from phishing documents to exploitation of vulnerable internet-facing services (e.g., SysAid). Analysts should correlate document lures, script-based payloads, and RAT indicators with geographic and sector targeting to distinguish MuddyWater from other Iranian or regional threat activity. 
+references: + - https://blog.talosintelligence.com/talos-developing-situation-in-the-middle-east/ + - https://blog.talosintelligence.com/iranian-supergroup-muddywater + - https://blog.talosintelligence.com/recent-muddywater-associated-blackwater + - https://blog.talosintelligence.com/iranian-apt-muddywater-targets-turkey/ + - https://unit42.paloaltonetworks.com/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/ +tags: + category: + - Malware + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection
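Review bot: the analytic_story additions in malicious_powershell_process___execution_policy_bypass.yml, powershell_fileless_script_contains_base64_encoded_content.yml, powershell_processing_stream_of_data.yml, registry_keys_used_for_persistence.yml, suspicious_mshta_child_process.yml, windows_office_product_loaded_mshtml_module.yml, windows_office_product_loading_vbe7_dll.yml, windows_office_product_spawned_uncommon_process.yml, windows_phishing_pdf_file_executes_url_link.yml, windows_system_reboot_commandline.yml, windows_system_shutdown_commandline.yml and wscript_or_cscript_suspicious_child_process.yml each consist of a single `+ - MuddyWater` hunk with no accompanying version/date hunk, while powershell_4104_hunting.yml (`-version: 22` / `+version: 23`, date moved to '2026-03-10') and windows_spearphishing_attachment_connect_to_none_ms_office_domain.yml (`-version: 8` / `+version: 9`) bump both. Apply the same version and date bump to every touched detection, or state in the PR why analytic_story-only edits are exempt, so the change is tracked consistently across the fourteen files.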
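Review bot: in the new stories/muddywater.yml, `category: - Malware` does not match a description that frames MuddyWater as an Iranian-linked APT group with script-based tooling, malicious documents, LOLBins and RATs rather than one malware family; check whether the repository's story schema offers a threat-actor category and use it, or keep Malware deliberately and say so in the description. The description and narrative also state that the group has leveraged Log4j exploits against SysAid Server and that initial access has shifted to exploitation of internet-facing services, yet every detection mapped to this story in the patch is document, script, mshta/wscript, registry persistence or shutdown/reboot based, so the SysAid exploitation path has no coverage; either add a detection for that vector or narrow the narrative so analysts are not led to expect coverage the story does not provide. Minor: the reference list mixes trailing-slash and non-trailing-slash URLs (the first and fourth Talos entries end in `/`, the second and third do not), worth normalising before merge.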