MuddyWater · G0069 · state
🇮🇷 IR · MOIS
aka MuddyWater, Earth Vetala, MERCURY, Static Kitten, Seedworm, TEMP.Zagros, Mango Sandstorm, TA450, MuddyKrill, COBALT ULSTER, G0069, ATK51, Boggy Serpens
Last updated: 2026-07-03
About this actor
[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at least 2017, [MuddyWater](https://attack.mitre.org/groups/G0069) has targeted a range of government and private organizations across sectors, including telecommunications, local government, finance, defense, and oil and natural gas organizations, in the Middle East (specifically the UAE and Saudi Arabia), Asia, Africa, Europe, and North America. [MuddyWater](https://attack.mitre.org/groups/G0069) has reused domains dating back to October 2025, and has a preference for NameCheap and Hosterdaddy Private Limited (AS136557). In late 2025 and early 2026, [MuddyWater](https://attack.mitre.org/groups/G0069) used commercial satellite internet (i.e., Starlink) for command and control (C2) communication. (Citation: FalconFeeds_Iran_Mar2026)(Citation: Huntio_IranInfra_Mar2026)(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Talos MuddyWater Jan 2022)(Citation: NaumaanProofpoint_GlobalClickFix_April2025)(Citation: ESET_MuddyWater_Dec2025)(Citation: SymantecCarbonBlack_Seedworm_Mar2026)
Source: MITRE ATT&CK
Activity timeline
- 2026 — 1 CVE published
Profile
| CVE | Risk | CVSS | EPSS | Published | Products |
|---|---|---|---|---|---|
| CVE-2026-22813 | 3.5 | 6.1 | 0.0091 | 2026-01-12 | see CVE |
| CVE-2017-01995 | 0.0 | 0.0 | 0.0000 | | see CVE |

T1003, T1003.001, T1003.004, T1003.005, T1016, T1027, T1027.003, T1027.004, T1027.010, T1033, T1036, T1036.005, T1041, T1047, T1049, T1053, T1053.005, T1057, T1059, T1059.001, T1059.003, T1059.005, T1059.006, T1059.007, T1071, T1071.001, T1074, T1074.001, T1082, T1083, T1087, T1087.002, T1090, T1090.002, T1102, T1102.002, T1104, T1105, T1113, T1132, T1132.001, T1137, T1137.001, T1140, T1190, T1203, T1204, T1204.001, T1204.002, T1204.004, T1210, T1218, T1218.003, T1218.005, T1218.011, T1219, T1219.002, T1518, T1518.001, T1534, T1547, T1547.001, T1548, T1548.002, T1552, T1552.001, T1555, T1555.003, T1559, T1559.001, T1559.002, T1560, T1560.001, T1566, T1566.001, T1566.002, T1567, T1567.002, T1571, T1573, T1573.001, T1574, T1574.001, T1583, T1583.001, T1583.006, T1588, T1588.001, T1588.002, T1590, T1590.004, T1684, T1684.001, T1685
Mitigating controls (NIST 800-53)
| Control | Techniques covered | Coverage |
|---|---|---|
| SI-4 | 62 / 94 | 66% |
| CM-6 | 56 / 94 | 60% |
| CM-2 | 54 / 94 | 57% |
| SI-3 | 54 / 94 | 57% |
| CA-7 | 42 / 94 | 45% |
| CM-7 | 41 / 94 | 44% |
| AC-4 | 36 / 94 | 38% |
| SC-7 | 34 / 94 | 36% |
| AC-6 | 33 / 94 | 35% |
| AC-3 | 31 / 94 | 33% |
| AC-2 | 29 / 94 | 31% |
| RA-5 | 26 / 94 | 28% |
| SI-7 | 26 / 94 | 28% |
| SI-2 | 24 / 94 | 26% |
| SI-10 | 21 / 94 | 22% |
Co-occurring actors
- Mustang Panda: 1 shared CVE
- Gamaredon Group: 1 shared CVE
- Kimsuky: 1 shared CVE
- Volt Typhoon: 1 shared CVE
Similar actors
Similar TTPs
- BRONZE BUTLER 0.39
- Earth Lusca 0.39
- Gamaredon Group 0.36
- Mustang Panda 0.36
- Patchwork 0.35
Overlapping CVEs
- Gamaredon Group 0.50
- Mustang Panda 0.33
- Kimsuky 0.25
- Volt Typhoon 0.20
Active in same years
- Operation Dream Job 1.00
- SolarWinds Compromise 1.00
- C0027 1.00
- SharePoint ToolShell Exploitation 1.00
- Ke3chang 1.00
Same nation-state
- HomeLand Justice 1.00
- Outer Space 1.00
- Juicy Mix 1.00
- Cleaver 1.00
- OilRig 1.00
Same category
- Night Dragon 1.00
- FunnyDream 1.00
- C0011 1.00
- Operation Wocao 1.00
- Operation Dream Job 1.00