From 61a0fee2b106ae1e99d6bde9def6dc9df5e04ee6 Mon Sep 17 00:00:00 2001
From: Teoderick Contreras
Date: Tue, 10 Mar 2026 12:01:15 +0100
Subject: [PATCH 1/2] muddy_water

---
 ...hell_process___execution_policy_bypass.yml | 3 ++-
 .../endpoint/powershell_4104_hunting.yml | 5 +++--
 ...script_contains_base64_encoded_content.yml | 3 ++-
 .../powershell_processing_stream_of_data.yml | 3 ++-
 .../registry_keys_used_for_persistence.yml | 3 ++-
 .../suspicious_mshta_child_process.yml | 3 ++-
 ...ws_office_product_loaded_mshtml_module.yml | 3 ++-
 ...indows_office_product_loading_vbe7_dll.yml | 3 ++-
 ...ffice_product_spawned_uncommon_process.yml | 3 ++-
 ...ws_phishing_pdf_file_executes_url_link.yml | 3 ++-
 .../windows_system_reboot_commandline.yml | 3 ++-
 .../windows_system_shutdown_commandline.yml | 3 ++-
 ...pt_or_cscript_suspicious_child_process.yml | 3 ++-
 ...hment_connect_to_none_ms_office_domain.yml | 5 +++--
 stories/muddywater.yml | 22 +++++++++++++++++++
 15 files changed, 52 insertions(+), 16 deletions(-)
 create mode 100644 stories/muddywater.yml

diff --git a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml
index 9c60b80ece..9a61ffd3e0 100644
--- a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml
+++ b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml
@@ -1,6 +1,6 @@
 name: Malicious PowerShell Process - Execution Policy Bypass
 id: 9be56c82-b1cc-4318-87eb-d138afaaca39
-version: 18
+version: 19
 date: '2026-03-10'
 author: Rico Valdez, Mauricio Velazco, Splunk
 status: production
@@ -58,6 +58,7 @@ tags:
 - DarkCrystal RAT
 - 0bj3ctivity Stealer
 - APT37 Rustonotto and FadeStealer
+ - MuddyWater
 asset_type: Endpoint
 mitre_attack_id:
 - T1059.001
diff --git a/detections/endpoint/powershell_4104_hunting.yml b/detections/endpoint/powershell_4104_hunting.yml
index 6247821b89..efd8ad0758 100644
--- a/detections/endpoint/powershell_4104_hunting.yml
+++ b/detections/endpoint/powershell_4104_hunting.yml
@@ -1,7 +1,7 @@
 name: PowerShell 4104 Hunting
 id: d6f2b006-0041-11ec-8885-acde48001122
-version: 22
-date: '2026-02-25'
+version: 23
+date: '2026-03-10'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
@@ -237,6 +237,7 @@ tags:
 - GhostRedirector IIS Module and Rungan Backdoor
 - Hellcat Ransomware
 - Microsoft WSUS CVE-2025-59287
+ - MuddyWater
 asset_type: Endpoint
 mitre_attack_id:
 - T1059.001
diff --git a/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml b/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml
index 3a05cd5255..85659ab704 100644
--- a/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml
+++ b/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml
@@ -1,6 +1,6 @@
 name: Powershell Fileless Script Contains Base64 Encoded Content
 id: 8acbc04c-c882-11eb-b060-acde48001122
-version: 17
+version: 18
 date: '2026-03-10'
 author: Michael Haag, Splunk
 status: production
@@ -61,6 +61,7 @@ tags:
 - Hellcat Ransomware
 - Microsoft WSUS CVE-2025-59287
 - NetSupport RMM Tool Abuse
+ - MuddyWater
 mitre_attack_id:
 - T1027
 - T1059.001
diff --git a/detections/endpoint/powershell_processing_stream_of_data.yml b/detections/endpoint/powershell_processing_stream_of_data.yml
index cae060d340..3401654426 100644
--- a/detections/endpoint/powershell_processing_stream_of_data.yml
+++ b/detections/endpoint/powershell_processing_stream_of_data.yml
@@ -1,6 +1,6 @@
 name: Powershell Processing Stream Of Data
 id: 0d718b52-c9f1-11eb-bc61-acde48001122
-version: 15
+version: 16
 date: '2026-03-10'
 author: Teoderick Contreras, Splunk
 status: production
@@ -62,6 +62,7 @@ tags:
 - IcedID
 - XWorm
 - MoonPeak
+ - MuddyWater
 asset_type: Endpoint
 mitre_attack_id:
 - T1059.001
diff --git a/detections/endpoint/registry_keys_used_for_persistence.yml b/detections/endpoint/registry_keys_used_for_persistence.yml
index 7deb59acb4..c4ca79699c 100644
--- a/detections/endpoint/registry_keys_used_for_persistence.yml
+++ b/detections/endpoint/registry_keys_used_for_persistence.yml
@@ -1,6 +1,6 @@
 name: Registry Keys Used For Persistence
 id: f5f6af30-7aa7-4295-bfe9-07fe87c01a4b
-version: 29
+version: 30
 date: '2026-03-10'
 author: Jose Hernandez, David Dorsey, Teoderick Contreras, Rod Soto, Splunk
 status: production
@@ -76,6 +76,7 @@ tags:
 - Lokibot
 - ValleyRAT
 - Castle RAT
+ - MuddyWater
 asset_type: Endpoint
 mitre_attack_id:
 - T1547.001
diff --git a/detections/endpoint/suspicious_mshta_child_process.yml b/detections/endpoint/suspicious_mshta_child_process.yml
index d75d032205..dfb04182ad 100644
--- a/detections/endpoint/suspicious_mshta_child_process.yml
+++ b/detections/endpoint/suspicious_mshta_child_process.yml
@@ -1,6 +1,6 @@
 name: Suspicious mshta child process
 id: 60023bb6-5500-11eb-ae93-0242ac130002
-version: 13
+version: 14
 date: '2026-03-10'
 author: Michael Haag, Teoderick Contreras Splunk
 status: production
@@ -57,6 +57,7 @@ tags:
 - Suspicious MSHTA Activity
 - Living Off The Land
 - Lumma Stealer
+ - MuddyWater
 asset_type: Endpoint
 mitre_attack_id:
 - T1218.005
diff --git a/detections/endpoint/windows_office_product_loaded_mshtml_module.yml b/detections/endpoint/windows_office_product_loaded_mshtml_module.yml
index 913c45beb5..241cbda4e5 100644
--- a/detections/endpoint/windows_office_product_loaded_mshtml_module.yml
+++ b/detections/endpoint/windows_office_product_loaded_mshtml_module.yml
@@ -1,6 +1,6 @@
 name: Windows Office Product Loaded MSHTML Module
 id: 4cc015c9-687c-40d2-adcc-46350f66e10c
-version: 5
+version: 6
 date: '2026-03-10'
 author: Michael Haag, Mauricio Velazco, Splunk
 status: production
@@ -39,6 +39,7 @@ tags:
 - Spearphishing Attachments
 - Microsoft MSHTML Remote Code Execution CVE-2021-40444
 - CVE-2023-36884 Office and Windows HTML RCE Vulnerability
+ - MuddyWater
 asset_type: Endpoint
 cve:
 - CVE-2021-40444
diff --git a/detections/endpoint/windows_office_product_loading_vbe7_dll.yml b/detections/endpoint/windows_office_product_loading_vbe7_dll.yml
index bd39c5a18b..be2545ab0e 100644
--- a/detections/endpoint/windows_office_product_loading_vbe7_dll.yml
+++ b/detections/endpoint/windows_office_product_loading_vbe7_dll.yml
@@ -1,6 +1,6 @@
 name: Windows Office Product Loading VBE7 DLL
 id: 7cfec906-2697-43f7-898b-83634a051d9a
-version: 5
+version: 6
 date: '2026-03-10'
 author: Teoderick Contreras, Splunk
 status: production
@@ -46,6 +46,7 @@ tags:
 - Remcos
 - PlugX
 - NjRAT
+ - MuddyWater
 asset_type: Endpoint
 mitre_attack_id:
 - T1566.001
diff --git a/detections/endpoint/windows_office_product_spawned_uncommon_process.yml b/detections/endpoint/windows_office_product_spawned_uncommon_process.yml
index 59cd836f86..a484ceebe4 100644
--- a/detections/endpoint/windows_office_product_spawned_uncommon_process.yml
+++ b/detections/endpoint/windows_office_product_spawned_uncommon_process.yml
@@ -1,6 +1,6 @@
 name: Windows Office Product Spawned Uncommon Process
 id: 55d8741c-fa32-4692-8109-410304961eb8
-version: 7
+version: 8
 date: '2026-03-10'
 author: Michael Haag, Teoderick Contreras, Splunk
 status: production
@@ -110,6 +110,7 @@ tags:
 - Trickbot
 - Warzone RAT
 - APT37 Rustonotto and FadeStealer
+ - MuddyWater
 asset_type: Endpoint
 mitre_attack_id:
 - T1566.001
diff --git a/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml b/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml
index 99c4784caf..688812afa0 100644
--- a/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml
+++ b/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml
@@ -1,6 +1,6 @@
 name: Windows Phishing PDF File Executes URL Link
 id: 2fa9dec8-9d8e-46d3-96c1-202c06f0e6e1
-version: 9
+version: 10
 date: '2026-03-10'
 author: Teoderick Contreras, Splunk
 status: production
@@ -48,6 +48,7 @@ tags:
 analytic_story:
 - Spearphishing Attachments
 - Snake Keylogger
+ - MuddyWater
 asset_type: Endpoint
 mitre_attack_id:
 - T1566.001
diff --git a/detections/endpoint/windows_system_reboot_commandline.yml b/detections/endpoint/windows_system_reboot_commandline.yml
index 01f3a39281..3c4c9706dd 100644
--- a/detections/endpoint/windows_system_reboot_commandline.yml
+++ b/detections/endpoint/windows_system_reboot_commandline.yml
@@ -1,6 +1,6 @@
 name: Windows System Reboot CommandLine
 id: 97fc2b60-c8eb-4711-93f7-d26fade3686f
-version: 11
+version: 12
 date: '2026-03-10'
 author: Teoderick Contreras, Splunk
 status: production
@@ -59,6 +59,7 @@ tags:
 - DarkCrystal RAT
 - MoonPeak
 - Scattered Lapsus$ Hunters
+ - MuddyWater
 asset_type: Endpoint
 mitre_attack_id:
 - T1529
diff --git a/detections/endpoint/windows_system_shutdown_commandline.yml b/detections/endpoint/windows_system_shutdown_commandline.yml
index a1b5df237c..ff75de395a 100644
--- a/detections/endpoint/windows_system_shutdown_commandline.yml
+++ b/detections/endpoint/windows_system_shutdown_commandline.yml
@@ -1,6 +1,6 @@
 name: Windows System Shutdown CommandLine
 id: 4fee57b8-d825-4bf3-9ea8-bf405cdb614c
-version: 12
+version: 13
 date: '2026-03-10'
 author: Teoderick Contreras, Splunk
 status: production
@@ -43,6 +43,7 @@ tags:
 - MoonPeak
 - Scattered Lapsus$ Hunters
 - ZOVWiper
+ - MuddyWater
 asset_type: Endpoint
 mitre_attack_id:
 - T1529
diff --git a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml b/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml
index 7b588d6f6b..4ba41f034a 100644
--- a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml
+++ b/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml
@@ -1,6 +1,6 @@
 name: Wscript Or Cscript Suspicious Child Process
 id: 1f35e1da-267b-11ec-90a9-acde48001122
-version: 12
+version: 13
 date: '2026-03-10'
 author: Teoderick Contreras, Splunk
 status: production
@@ -59,6 +59,7 @@ tags:
 - Unusual Processes
 - ShrinkLocker
 - 0bj3ctivity Stealer
+ - MuddyWater
 asset_type: Endpoint
 mitre_attack_id:
 - T1055
diff --git a/detections/network/windows_spearphishing_attachment_connect_to_none_ms_office_domain.yml b/detections/network/windows_spearphishing_attachment_connect_to_none_ms_office_domain.yml
index bc9c1a5439..912f9c9fa2 100644
--- a/detections/network/windows_spearphishing_attachment_connect_to_none_ms_office_domain.yml
+++ b/detections/network/windows_spearphishing_attachment_connect_to_none_ms_office_domain.yml
@@ -1,7 +1,7 @@
 name: Windows Spearphishing Attachment Connect To None MS Office Domain
 id: 1cb40e15-cffa-45cc-abbd-e35884a49766
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2026-03-10'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
@@ -18,6 +18,7 @@ tags:
 analytic_story:
 - Spearphishing Attachments
 - AsyncRAT
+ - MuddyWater
 asset_type: Endpoint
 mitre_attack_id:
 - T1566.001
diff --git a/stories/muddywater.yml b/stories/muddywater.yml
new file mode 100644
index 0000000000..bc927cd50c
--- /dev/null
+++ b/stories/muddywater.yml
@@ -0,0 +1,22 @@
+name: MuddyWater
+id: 6e912210-02ec-488a-aafb-06e7d531886a
+version: 1
+date: '2026-03-10'
+author: Teoderick Contreras, Splunk
+status: production
+description: MuddyWater is an Iranian-linked APT group (also tracked as MERCURY, Static Kitten) attributed to Iran's Ministry of Intelligence and Security. It has been active since at least 2017 and uses script-based malware (PowerShell, VBScript, JavaScript), malicious documents (PDF, Word, Excel), living-off-the-land binaries, and RATs such as SloughRAT. Campaigns employ obfuscation, anti-sandbox techniques, and have leveraged Log4j exploits against SysAid Server. Targets include government, military, and private sector organizations across the Middle East, Turkey, South Asia, and elsewhere. Detection focuses on document-based initial access, script execution patterns, and post-exploitation behavior consistent with Talos and industry reporting.
+narrative: MuddyWater operates as a conglomerate of sub-groups with regionally focused campaigns rather than a single monolithic actor. The group conducts espionage, intellectual property theft, and at times ransomware or destructive operations. Recent activity includes the BlackWater campaign with new anti-detection methods and canary tokens to track infections and evade sandboxes. Initial access has shifted from phishing documents to exploitation of vulnerable internet-facing services (e.g., SysAid). Analysts should correlate document lures, script-based payloads, and RAT indicators with geographic and sector targeting to distinguish MuddyWater from other Iranian or regional threat activity.
+references:
+- https://blog.talosintelligence.com/talos-developing-situation-in-the-middle-east/
+- https://blog.talosintelligence.com/iranian-supergroup-muddywater
+- https://blog.talosintelligence.com/recent-muddywater-associated-blackwater
+- https://blog.talosintelligence.com/iranian-apt-muddywater-targets-turkey/
+- https://unit42.paloaltonetworks.com/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/
+tags:
+ category:
+ - Malware
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ usecase: Advanced Threat Detection
\ No newline at end of file

From 17b981623d4168bb3e86c80b7f3fd3d73f6e4c3e Mon Sep 17 00:00:00 2001
From: nasbench <8741929+nasbench@users.noreply.github.com>
Date: Thu, 12 Mar 2026 16:13:16 +0100
Subject: [PATCH 2/2] reduce ver num

---
 ...hell_process___execution_policy_bypass.yml | 2 +-
 ...script_contains_base64_encoded_content.yml | 2 +-
 .../powershell_processing_stream_of_data.yml | 2 +-
 .../registry_keys_used_for_persistence.yml | 2 +-
 .../suspicious_mshta_child_process.yml | 2 +-
 ...ws_office_product_loaded_mshtml_module.yml | 2 +-
 ...indows_office_product_loading_vbe7_dll.yml | 2 +-
 ...ffice_product_spawned_uncommon_process.yml | 2 +-
 ...ws_phishing_pdf_file_executes_url_link.yml | 2 +-
 .../windows_system_reboot_commandline.yml | 2 +-
 .../windows_system_shutdown_commandline.yml | 2 +-
 ...pt_or_cscript_suspicious_child_process.yml | 2 +-
 stories/muddywater.yml | 30 ++++++++++---------
 13 files changed, 28 insertions(+), 26 deletions(-)

diff --git a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml
index 9a61ffd3e0..52cef222b8 100644
--- a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml
+++ b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml
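Review bot: The story's `description` and `narrative` both present exploitation of internet-facing services (the Log4j/SysAid path) as a MuddyWater initial-access vector, yet every detection this series attaches to the story is document-, script-, LOLBin-, persistence- or shutdown-based, so a reader would reasonably assume that vector is covered when nothing here detects it. A one-sentence coverage statement at the end of `narrative` would close that gap, e.g. `Detections in this story cover document lures, script and LOLBin execution, registry persistence and system shutdown behavior; exploitation of internet-facing services such as SysAid is not covered by this content.` The `description` also closes with "consistent with Talos and industry reporting" while only Talos and Unit 42 posts are listed under `references`; naming the sources the claims rest on, or dropping "industry", keeps the attribution traceable.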
@@ -1,6 +1,6 @@
 name: Malicious PowerShell Process - Execution Policy Bypass
 id: 9be56c82-b1cc-4318-87eb-d138afaaca39
-version: 19
+version: 18
 date: '2026-03-10'
 author: Rico Valdez, Mauricio Velazco, Splunk
 status: production
diff --git a/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml b/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml
index 85659ab704..f149652fee 100644
--- a/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml
+++ b/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml
@@ -1,6 +1,6 @@
 name: Powershell Fileless Script Contains Base64 Encoded Content
 id: 8acbc04c-c882-11eb-b060-acde48001122
-version: 18
+version: 17
 date: '2026-03-10'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/powershell_processing_stream_of_data.yml b/detections/endpoint/powershell_processing_stream_of_data.yml
index 3401654426..eab377ac4d 100644
--- a/detections/endpoint/powershell_processing_stream_of_data.yml
+++ b/detections/endpoint/powershell_processing_stream_of_data.yml
@@ -1,6 +1,6 @@
 name: Powershell Processing Stream Of Data
 id: 0d718b52-c9f1-11eb-bc61-acde48001122
-version: 16
+version: 15
 date: '2026-03-10'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/registry_keys_used_for_persistence.yml b/detections/endpoint/registry_keys_used_for_persistence.yml
index c4ca79699c..b7678a75a1 100644
--- a/detections/endpoint/registry_keys_used_for_persistence.yml
+++ b/detections/endpoint/registry_keys_used_for_persistence.yml
@@ -1,6 +1,6 @@
 name: Registry Keys Used For Persistence
 id: f5f6af30-7aa7-4295-bfe9-07fe87c01a4b
-version: 30
+version: 29
 date: '2026-03-10'
 author: Jose Hernandez, David Dorsey, Teoderick Contreras, Rod Soto, Splunk
 status: production
diff --git a/detections/endpoint/suspicious_mshta_child_process.yml b/detections/endpoint/suspicious_mshta_child_process.yml
index dfb04182ad..d510613aad 100644
--- a/detections/endpoint/suspicious_mshta_child_process.yml
+++ b/detections/endpoint/suspicious_mshta_child_process.yml
@@ -1,6 +1,6 @@
 name: Suspicious mshta child process
 id: 60023bb6-5500-11eb-ae93-0242ac130002
-version: 14
+version: 13
 date: '2026-03-10'
 author: Michael Haag, Teoderick Contreras Splunk
 status: production
diff --git a/detections/endpoint/windows_office_product_loaded_mshtml_module.yml b/detections/endpoint/windows_office_product_loaded_mshtml_module.yml
index 241cbda4e5..700d2aef7d 100644
--- a/detections/endpoint/windows_office_product_loaded_mshtml_module.yml
+++ b/detections/endpoint/windows_office_product_loaded_mshtml_module.yml
@@ -1,6 +1,6 @@
 name: Windows Office Product Loaded MSHTML Module
 id: 4cc015c9-687c-40d2-adcc-46350f66e10c
-version: 6
+version: 5
 date: '2026-03-10'
 author: Michael Haag, Mauricio Velazco, Splunk
 status: production
diff --git a/detections/endpoint/windows_office_product_loading_vbe7_dll.yml b/detections/endpoint/windows_office_product_loading_vbe7_dll.yml
index be2545ab0e..0ec71d35b3 100644
--- a/detections/endpoint/windows_office_product_loading_vbe7_dll.yml
+++ b/detections/endpoint/windows_office_product_loading_vbe7_dll.yml
@@ -1,6 +1,6 @@
 name: Windows Office Product Loading VBE7 DLL
 id: 7cfec906-2697-43f7-898b-83634a051d9a
-version: 6
+version: 5
 date: '2026-03-10'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/windows_office_product_spawned_uncommon_process.yml b/detections/endpoint/windows_office_product_spawned_uncommon_process.yml
index a484ceebe4..859e68e949 100644
--- a/detections/endpoint/windows_office_product_spawned_uncommon_process.yml
+++ b/detections/endpoint/windows_office_product_spawned_uncommon_process.yml
@@ -1,6 +1,6 @@
 name: Windows Office Product Spawned Uncommon Process
 id: 55d8741c-fa32-4692-8109-410304961eb8
-version: 8
+version: 7
 date: '2026-03-10'
 author: Michael Haag, Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml b/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml
index 688812afa0..39735a6a4d 100644
--- a/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml
+++ b/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml
@@ -1,6 +1,6 @@
 name: Windows Phishing PDF File Executes URL Link
 id: 2fa9dec8-9d8e-46d3-96c1-202c06f0e6e1
-version: 10
+version: 9
 date: '2026-03-10'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/windows_system_reboot_commandline.yml b/detections/endpoint/windows_system_reboot_commandline.yml
index 3c4c9706dd..a460d62962 100644
--- a/detections/endpoint/windows_system_reboot_commandline.yml
+++ b/detections/endpoint/windows_system_reboot_commandline.yml
@@ -1,6 +1,6 @@
 name: Windows System Reboot CommandLine
 id: 97fc2b60-c8eb-4711-93f7-d26fade3686f
-version: 12
+version: 11
 date: '2026-03-10'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/windows_system_shutdown_commandline.yml b/detections/endpoint/windows_system_shutdown_commandline.yml
index ff75de395a..9cd3da353d 100644
--- a/detections/endpoint/windows_system_shutdown_commandline.yml
+++ b/detections/endpoint/windows_system_shutdown_commandline.yml
@@ -1,6 +1,6 @@
 name: Windows System Shutdown CommandLine
 id: 4fee57b8-d825-4bf3-9ea8-bf405cdb614c
-version: 13
+version: 12
 date: '2026-03-10'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml b/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml
index 4ba41f034a..a952339f70 100644
--- a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml
+++ b/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml
@@ -1,6 +1,6 @@
 name: Wscript Or Cscript Suspicious Child Process
 id: 1f35e1da-267b-11ec-90a9-acde48001122
-version: 13
+version: 12
 date: '2026-03-10'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/stories/muddywater.yml b/stories/muddywater.yml
index bc927cd50c..c2c2e01a03 100644
--- a/stories/muddywater.yml
+++ b/stories/muddywater.yml
@@ -4,19 +4,21 @@ version: 1
 date: '2026-03-10'
 author: Teoderick Contreras, Splunk
 status: production
-description: MuddyWater is an Iranian-linked APT group (also tracked as MERCURY, Static Kitten) attributed to Iran's Ministry of Intelligence and Security. It has been active since at least 2017 and uses script-based malware (PowerShell, VBScript, JavaScript), malicious documents (PDF, Word, Excel), living-off-the-land binaries, and RATs such as SloughRAT. Campaigns employ obfuscation, anti-sandbox techniques, and have leveraged Log4j exploits against SysAid Server. Targets include government, military, and private sector organizations across the Middle East, Turkey, South Asia, and elsewhere. Detection focuses on document-based initial access, script execution patterns, and post-exploitation behavior consistent with Talos and industry reporting.
-narrative: MuddyWater operates as a conglomerate of sub-groups with regionally focused campaigns rather than a single monolithic actor. The group conducts espionage, intellectual property theft, and at times ransomware or destructive operations. Recent activity includes the BlackWater campaign with new anti-detection methods and canary tokens to track infections and evade sandboxes. Initial access has shifted from phishing documents to exploitation of vulnerable internet-facing services (e.g., SysAid). Analysts should correlate document lures, script-based payloads, and RAT indicators with geographic and sector targeting to distinguish MuddyWater from other Iranian or regional threat activity.
+description: |
+ MuddyWater is an Iranian-linked APT group (also tracked as MERCURY, Static Kitten) attributed to Iran's Ministry of Intelligence and Security. It has been active since at least 2017 and uses script-based malware (PowerShell, VBScript, JavaScript), malicious documents (PDF, Word, Excel), living-off-the-land binaries, and RATs such as SloughRAT. Campaigns employ obfuscation, anti-sandbox techniques, and have leveraged Log4j exploits against SysAid Server. Targets include government, military, and private sector organizations across the Middle East, Turkey, South Asia, and elsewhere. Detection focuses on document-based initial access, script execution patterns, and post-exploitation behavior consistent with Talos and industry reporting.
+narrative: |
+ MuddyWater operates as a conglomerate of sub-groups with regionally focused campaigns rather than a single monolithic actor. The group conducts espionage, intellectual property theft, and at times ransomware or destructive operations. Recent activity includes the BlackWater campaign with new anti-detection methods and canary tokens to track infections and evade sandboxes. Initial access has shifted from phishing documents to exploitation of vulnerable internet-facing services (e.g., SysAid). Analysts should correlate document lures, script-based payloads, and RAT indicators with geographic and sector targeting to distinguish MuddyWater from other Iranian or regional threat activity.
 references:
-- https://blog.talosintelligence.com/talos-developing-situation-in-the-middle-east/
-- https://blog.talosintelligence.com/iranian-supergroup-muddywater
-- https://blog.talosintelligence.com/recent-muddywater-associated-blackwater
-- https://blog.talosintelligence.com/iranian-apt-muddywater-targets-turkey/
-- https://unit42.paloaltonetworks.com/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/
+ - https://blog.talosintelligence.com/talos-developing-situation-in-the-middle-east/
+ - https://blog.talosintelligence.com/iranian-supergroup-muddywater
+ - https://blog.talosintelligence.com/recent-muddywater-associated-blackwater
+ - https://blog.talosintelligence.com/iranian-apt-muddywater-targets-turkey/
+ - https://unit42.paloaltonetworks.com/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/
 tags:
- category:
- - Malware
- product:
- - Splunk Enterprise
- - Splunk Enterprise Security
- - Splunk Cloud
- usecase: Advanced Threat Detection
\ No newline at end of file
+ category:
+ - Malware
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ usecase: Advanced Threat Detection
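Review bot: Switching `description` and `narrative` to a clipped literal block (`|`) changes the parsed value, not only the layout: the removed plain scalars carried no trailing newline, while `|` keeps one, so any consumer that compares, hashes or renders the text verbatim now sees a trailing `\n`. `description: |-` and `narrative: |-` give the same multi-line source with the previous value. If other stories in the repository already use `|` and the tooling strips the newline, keeping `|` for consistency is fine, but that is not visible from this hunk.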