
MuddyWater, which Microsoft tracks as Mango Sandstorm and Proofpoint identifies as TA450, operates under Iran’s Ministry of Intelligence and Security, according to the US cybersecurity agency CISA. The group has been active since at least 2017, targeting government agencies, telecommunications providers, and critical infrastructure across the Middle East, Asia, and Europe, according to security firms.
The research comes amid continued activity by MuddyWater throughout 2024 and into early 2025. ESET researchers published findings in December 2024 showing the group deployed the MuddyViper backdoor against Israeli organizations between September 2024 and March 2025. Security firms have also documented MuddyWater deploying BugSleep implants and using legitimate remote monitoring and management tools in recent campaigns.
Spear-phishing delivery
The attack chain begins with spear-phishing emails containing malicious ZIP archives, according to the blog post. Each archive holds a legitimate PDF document alongside a disguised executable that bears a PDF icon. When a victim runs that file, it opens the decoy PDF while the malware executes, the researchers wrote.
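As an added illustration that is not from the blog post or the researchers, the following defender-side triage check looks for the archive layout described here: a decoy PDF bundled with executable content whose name does not announce it. It classifies entries by leading bytes rather than by file name, and the sample archive and all function names are my own constructions.

```python
import io
import zipfile

# Hypothetical triage helper for the delivery pattern described above: a ZIP
# carrying a decoy PDF next to an executable dressed up as a document.
# The archive built below is constructed inline for the example; it is not a real lure.

PE_MAGIC = b"MZ"
PDF_MAGIC = b"%PDF"
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")

def content_type(head: bytes) -> str:
    """Classify a file by its leading bytes rather than by its name."""
    if head.startswith(PE_MAGIC):
        return "pe"
    if head.startswith(PDF_MAGIC):
        return "pdf"
    return "other"

def inspect_archive(data: bytes) -> list[tuple[str, str]]:
    """Return (entry, reason) findings for a ZIP archive held in memory."""
    findings = []
    kinds = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                kind = content_type(fh.read(8))
            kinds[info.filename] = kind
            name = info.filename.lower()
            # PE content is suspicious when its name hides the executable type
            # (no executable extension) or borrows a document one ("report.pdf.exe").
            if kind == "pe" and (not name.endswith(EXEC_EXT) or ".pdf" in name):
                findings.append((info.filename, "PE content masquerading as a document"))
    # The decoy-plus-payload pairing itself is a signal, whatever the names are.
    if "pdf" in kinds.values() and "pe" in kinds.values():
        findings.append(("<archive>", "decoy PDF bundled with an executable"))
    return findings

def build_sample_archive(with_payload: bool = True) -> bytes:
    """Constructed sample: a stub PDF header and, optionally, a stub PE (not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4\n%decoy\n")
        if with_payload:
            zf.writestr("report.pdf.exe", b"MZ" + b"\x00" * 62)
    return buf.getvalue()
```

Because the check keys on the `MZ` header, a PE file that merely carries a PDF icon in its resources is still caught, since the icon does not change the leading bytes.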
