splunk · nasbench · Mar 12, 2026 · Mar 10, 2026 · Mar 12, 2026 · Mar 12, 2026
@@ -58,6 +58,7 @@ tags:
         - DarkCrystal RAT
         - 0bj3ctivity Stealer
         - APT37 Rustonotto and FadeStealer
+        - MuddyWater
     asset_type: Endpoint
     mitre_attack_id:
         - T1059.001

@@ -1,7 +1,7 @@
 name: PowerShell 4104 Hunting
 id: d6f2b006-0041-11ec-8885-acde48001122
-version: 22
-date: '2026-02-25'
+version: 23
+date: '2026-03-10'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
@@ -237,6 +237,7 @@ tags:
         - GhostRedirector IIS Module and Rungan Backdoor
         - Hellcat Ransomware
         - Microsoft WSUS CVE-2025-59287
+        - MuddyWater
     asset_type: Endpoint
     mitre_attack_id:
         - T1059.001

@@ -61,6 +61,7 @@ tags:
         - Hellcat Ransomware
         - Microsoft WSUS CVE-2025-59287
         - NetSupport RMM Tool Abuse
+        - MuddyWater
     mitre_attack_id:
         - T1027
         - T1059.001

@@ -62,6 +62,7 @@ tags:
         - IcedID
         - XWorm
         - MoonPeak
+        - MuddyWater
     asset_type: Endpoint
     mitre_attack_id:
         - T1059.001

@@ -76,6 +76,7 @@ tags:
         - Lokibot
         - ValleyRAT
         - Castle RAT
+        - MuddyWater
     asset_type: Endpoint
     mitre_attack_id:
         - T1547.001

@@ -57,6 +57,7 @@ tags:
         - Suspicious MSHTA Activity
         - Living Off The Land
         - Lumma Stealer
+        - MuddyWater
     asset_type: Endpoint
     mitre_attack_id:
         - T1218.005

@@ -39,6 +39,7 @@ tags:
         - Spearphishing Attachments
         - Microsoft MSHTML Remote Code Execution CVE-2021-40444
         - CVE-2023-36884 Office and Windows HTML RCE Vulnerability
+        - MuddyWater
     asset_type: Endpoint
     cve:
         - CVE-2021-40444

@@ -46,6 +46,7 @@ tags:
         - Remcos
         - PlugX
         - NjRAT
+        - MuddyWater
     asset_type: Endpoint
     mitre_attack_id:
         - T1566.001

@@ -110,6 +110,7 @@ tags:
         - Trickbot
         - Warzone RAT
         - APT37 Rustonotto and FadeStealer
+        - MuddyWater
     asset_type: Endpoint
     mitre_attack_id:
         - T1566.001

@@ -48,6 +48,7 @@ tags:
     analytic_story:
         - Spearphishing Attachments
         - Snake Keylogger
+        - MuddyWater
     asset_type: Endpoint
     mitre_attack_id:
         - T1566.001

@@ -59,6 +59,7 @@ tags:
         - DarkCrystal RAT
         - MoonPeak
         - Scattered Lapsus$ Hunters
+        - MuddyWater
     asset_type: Endpoint
     mitre_attack_id:
         - T1529

@@ -43,6 +43,7 @@ tags:
         - MoonPeak
         - Scattered Lapsus$ Hunters
         - ZOVWiper
+        - MuddyWater
     asset_type: Endpoint
     mitre_attack_id:
         - T1529

@@ -59,6 +59,7 @@ tags:
         - Unusual Processes
         - ShrinkLocker
         - 0bj3ctivity Stealer
+        - MuddyWater
     asset_type: Endpoint
     mitre_attack_id:
         - T1055

@@ -1,7 +1,7 @@
 name: Windows Spearphishing Attachment Connect To None MS Office Domain
 id: 1cb40e15-cffa-45cc-abbd-e35884a49766
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2026-03-10'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
@@ -18,6 +18,7 @@ tags:
     analytic_story:
         - Spearphishing Attachments
         - AsyncRAT
+        - MuddyWater
     asset_type: Endpoint
     mitre_attack_id:
         - T1566.001

@@ -0,0 +1,24 @@
+name: MuddyWater
+id: 6e912210-02ec-488a-aafb-06e7d531886a
+version: 1
+date: '2026-03-10'
+author: Teoderick Contreras, Splunk
+status: production
+description: |
+    MuddyWater is an Iranian-linked APT group (also tracked as MERCURY, Static Kitten) attributed to Iran's Ministry of Intelligence and Security. It has been active since at least 2017 and uses script-based malware (PowerShell, VBScript, JavaScript), malicious documents (PDF, Word, Excel), living-off-the-land binaries, and RATs such as SloughRAT. Campaigns employ obfuscation, anti-sandbox techniques, and have leveraged Log4j exploits against SysAid Server. Targets include government, military, and private sector organizations across the Middle East, Turkey, South Asia, and elsewhere. Detection focuses on document-based initial access, script execution patterns, and post-exploitation behavior consistent with Talos and industry reporting.
+narrative: |
+    MuddyWater operates as a conglomerate of sub-groups with regionally focused campaigns rather than a single monolithic actor. The group conducts espionage, intellectual property theft, and at times ransomware or destructive operations. Recent activity includes the BlackWater campaign with new anti-detection methods and canary tokens to track infections and evade sandboxes. Initial access has shifted from phishing documents to exploitation of vulnerable internet-facing services (e.g., SysAid). Analysts should correlate document lures, script-based payloads, and RAT indicators with geographic and sector targeting to distinguish MuddyWater from other Iranian or regional threat activity.
+references:
+    - https://blog.talosintelligence.com/talos-developing-situation-in-the-middle-east/
+    - https://blog.talosintelligence.com/iranian-supergroup-muddywater
+    - https://blog.talosintelligence.com/recent-muddywater-associated-blackwater
+    - https://blog.talosintelligence.com/iranian-apt-muddywater-targets-turkey/
+    - https://unit42.paloaltonetworks.com/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/
+tags:
+    category:
+        - Malware
+    product:
+        - Splunk Enterprise
+        - Splunk Enterprise Security
+        - Splunk Cloud
+    usecase: Advanced Threat Detection