MuddyWater Exposed: Inside an Iranian APT operation
March 5, 2026, 3:50 p.m.
Description
Researchers identified and analyzed exposed infrastructure of MuddyWater, an Iranian cyber espionage group linked to the Ministry of Intelligence and Security. The investigation revealed their reconnaissance methods, exploitation of vulnerabilities, custom command and control frameworks, and exfiltration techniques. Targets included organizations in Israel, Jordan, Egypt, UAE, Portugal, and the US. Notable findings include the use of Ethereum smart contracts for C2 communication, multiple custom C2 frameworks, and exploitation of various CVEs. The group showed a pattern of rapid adoption of public exploits and development of custom tools, while also exhibiting operational security failures that enabled this research.
Tags
Date
- Created: March 5, 2026, 3:18 p.m.
- Published: March 5, 2026, 3:18 p.m.
- Modified: March 5, 2026, 3:50 p.m.
Indicators
- bedb882c6e2cf896e14ecf12c90aaa6638f780017d1b8687a40b4a81956e230f
- c8589ca999526f247db4d3902ade8a85619f8f82338c6230d1b935f413ddcb3d
- 7ab597ff0b1a5e6916cad1662b49f58231867a1d4fa91a4edf7ecb73c3ec7fe6
- 209.74.87.100
- 157.20.182.49
- 209.74.87.67
- 194.11.246.101
- 185.236.25.119
- 84.110.105.214
- 193.17.183.126
- 162.0.230.185
- http://157.20.182.49:10443/success
- www.xt24.com
- http://194.11.246.101:1338
Attack Patterns
- KeyC2
- ArenaC2
- Tsundere Botnet
- PersianC2
- MuddyWater
Additional Informations
- Finance
- Health
- Transport
- Government and administrations
- Defense
- Technologies
- United Arab Emirates
- Egypt
- Israel
- Jordan
- United States of America
- Portugal