Subscribe To Our Newsletter!

Stay up to date on the top trending threats as well as the top stories in Security, Networks, Cloud, IT Ops & AIOps.

Muddywater – Do You KNOW This Threat Actor?

This Iran-based threat actor specifically targets Middle Eastern government and defense entities.

Post by Rajarshi Mitra In Security on Oct 14, 2020

Today, we are going to be focusing on a threat actor named “Muddywater.” As per KNOW’s threat intel dashboard, Muddywater was one of the most trending threat actors in the last 60 days.


What is Muddywater?

Aliases: Static Kitten, COBALT ULSTER, Temp.Zagros, and Seedworm.

Muddywater is an Iran-based threat actor active since 2017. It primarily targets government and defense entities in the Middle East by distributing macro-based, spearphishing emails. Researchers noted that they are using wscipt or CMSTP to execute powershell payloads. This indirect execution is employed via sophisticated techniques such as the Applocker bypass.

Why is Muddywater trending?

Microsoft sent out a warning that Muddywater is currently exploiting the CVE-2020-1472 vulnerability, aka the Zerologon vulnerability. This particular vulnerability is located in the core authentication component of Active Directory within the Windows Server OS and the Microsoft Windows Netlogon Remote Protocol (MS-NRPC).

Reactions from Twitter


Iranian threat actor Mercury/MuddyWater targeting the zerologin vulnerability on windows domain controllers.


The Iran-linked threat actor known as MuddyWater is actively targeting the Zerologon vulnerability in Windows Server, Microsoft warns

References from KNOW

  • Total references counted: 1,371
  • References in the last 60 days: 10
  • References in the last 7 days: 0

Context from KNOW


  • Risk rules triggered: 6 out of 48
  • Industries affected: Telecommunications, Energy & Natural Resources, Aerospace, and Defense Education.
  • Most recent reference: Hybrid Analysis result for ‘plink.exe’
  • Intrusion methods: Phishing, Obfuscation, Phishing Campaign, Pass the Hash, Infection chain, Spear Phishing, and Social Engineering.
  • Malware used: POWERSTATS and Koadic.
  • Related hashes: 69
  • Campaign: Blackwater

What is KNOW?

KNOW is Netenrich’s threat intel platform that provides you with the latest and hottest cybersecurity news. Read and receive relevant context surrounding the article, picked up by KNOW.

Want to know how else you can use our platform? Read this article to know how you can investigate the most trending malware. In the meantime, if you want to know how we are combining threat intel with attack surface intelligence, then read this.


About Author

Rajarshi is a creative and accomplished writer who made his mark in the blockchain space before stepping into cybersecurity. When he is not working, he is busy chilling with his wife and cat, catching up on the latest Netflix docu-series.....or watching Harry Potter for the 5781241516th time.