
As geopolitical tensions in the Middle East continue to escalate, related activity has also increased in cyberspace. In particular, following recent military actions by the United States and Israel, movements linked to Iranian cyber operations have been observed, prompting warnings from multiple security organizations. Among the groups frequently mentioned in this context is MuddyWater, one of the most consistently reported Iran-linked APT groups.
In this environment, the activities of MuddyWater have once again drawn attention. Recent research indicates that MuddyWater activity has been detected within the networks of several organizations in the United States, with targets reportedly including banks, airports, non-profit organizations, and software companies associated with the defense and aviation industries.
This article reviews the newly reported MuddyWater campaign and analyzes activity traces and patterns observed over the past three months. Through this analysis, we examine the characteristics of MuddyWater’s recent operations and the security implications they present.
MuddyWater Overview

MuddyWater is an APT group believed to be linked to Iran’s MOIS (Ministry of Intelligence and Security) and is also tracked under names such as Seedworm, TEMP.Zagros, and Static Kitten. The group first emerged in 2017 and has primarily targeted government organizations, the telecommunications sector, IT services, and the defense and aviation industries. While its early operations focused mainly on the Middle East, its activities later expanded to Europe and North America. These remain its primary target sectors.
One characteristic of Iran’s cyber strategy is the preference for repeatable and scalable techniques, such as credential theft and the abuse of cloud or authentication infrastructure, rather than relying on highly complex zero-day exploits. This approach allows attackers to maintain long-term, covert access within targeted networks.
Recent MuddyWater Campaign
Security research organizations have identified evidence that MuddyWater has been conducting a new attack campaign since early February 2026. This activity was observed following recent military operations involving the United States and Israel, and security experts have noted that it may represent either a response to geopolitical tensions or part of a broader intelligence-gathering effort. According to researchers, the activity continued to be detected for several weeks after it began in early February 2026. In some organizations, there are indications that attackers may have already gained access to internal systems or remained dormant within networks for extended periods.
The primary targets of this campaign include:
- U.S. financial institutions (banks)
- U.S. airport infrastructure
- Non-profit organizations in the United States and Canada
- Israeli branches of U.S. companies supplying software to the defense and aviation industries
The inclusion of software companies connected to the defense and aviation sectors suggests that this campaign may represent a targeted intelligence-gathering operation rather than indiscriminate attacks. Additionally, new malicious tools and attack techniques distinct from previous MuddyWater activity have been observed, drawing significant attention from the security community.
Researchers identified several notable behaviors during this campaign:
- Use of a new backdoor named Dindoor
- Attempts to exfiltrate data through cloud storage services
- Distribution of malware using code-signing certificates
- Deployment of Python-based backdoors
Some security experts view this campaign as an example of modern cyber operations conducted alongside real-world military tensions. In particular, the possibility that attackers had already established a presence inside targeted networks suggests that these activities may not represent simple intrusion attempts, but rather part of a long-prepared access strategy. Considering these factors, MuddyWater’s recent operations may be better understood as part of a long-term cyber campaign aimed at intelligence collection and network control, rather than a single isolated attack event.
MuddyWater Activity and Infrastructure Analysis
Criminal IP Analysis-Based Insights
Based on Criminal IP threat intelligence data, infrastructure associated with MuddyWater observed in the months leading up to March 2026 was analyzed. The indicators detected during this period provide visibility into multiple operational nodes linked to the group’s attack infrastructure environment.


Recent indicator analysis shows that infrastructure associated with MuddyWater is distributed across multiple regions, including:
- United States
- Netherlands
- Israel
- Other regions across Europe and Asia
Distributing infrastructure across multiple geographic locations such as North America and Europe is a common operational strategy observed among advanced threat groups. By placing servers in diverse hosting environments, attackers can disperse their infrastructure and route communications through the global internet backbone. This distributed architecture helps obscure the true origin of attack operations and complicates attribution, while also allowing malicious traffic to blend with legitimate internet traffic.
An analysis of MuddyWater-related activity artifacts observed over the past three months using Criminal IP threat intelligence indicates that the group tends to focus less on exploiting a single specific vulnerability and more on identifying exposed management interfaces and service access points within operational environments. This pattern suggests a strategy aimed at locating initial entry points within an organization’s external attack surface and expanding access into internal environments.
Several notable activity characteristics were observed:
- Web-based operational interface activity: A significant portion of the identified artifacts were associated with web-based management interfaces and service access points. These include administrative authentication portals, operational management consoles, and service APIs. When such components are exposed to the internet, they can become valuable initial access points for attackers.
- Network and device management interfaces: Some artifacts also indicated access attempts related to network equipment and operational infrastructure management systems. These systems are commonly used to manage network devices, IoT platforms, and embedded device environments. If exposed externally, they can serve as entry points for attackers attempting to explore internal network environments.
- MuddyWater-related malware artifacts: Recent activity data also revealed executable malware artifacts believed to be associated with MuddyWater. These files may be used after initial access to perform remote command execution, deploy additional malware, or conduct internal reconnaissance.
These findings suggest that MuddyWater’s recent campaigns appear to focus less on single-vulnerability exploitation and more on identifying exposed operational infrastructure and leveraging those access points to establish long-term footholds.
MuddyWater Attack Infrastructure Structure

Criminal IP intelligence analysis indicates that MuddyWater infrastructure frequently relies on direct IP-based communication endpoints rather than domain-centric structures. Many indicators were identified in the form of IP:port combinations, suggesting that attackers operate servers exposing specific network services to the internet.
These servers may serve several operational roles, including:
- Command and Control (C2) communication
- Remote access for attackers
- Malicious file delivery
Additionally, MuddyWater infrastructure shows patterns in which the same infrastructure nodes are repeatedly detected across different time periods. While some threat groups rapidly rotate infrastructure, MuddyWater tends to maintain stable infrastructure nodes for extended periods and reuse them across multiple stages of operations. This approach allows attackers to quickly launch new campaigns, reduce infrastructure setup costs, and maintain operational consistency. At the same time, such infrastructure reuse patterns provide valuable clues for security analysts attempting to correlate activity and identify infrastructure linked to the same threat group.
Analyzing which network services are actually running on this infrastructure reveals further characteristics of MuddyWater’s operational model.
Command-and-Control Services and Port Usage Patterns
Analysis of exposed services suggests that MuddyWater infrastructure tends to concentrate on a limited set of specific network services. The most frequently observed services include Remote Desktop Protocol (RDP), HTTPS-based communication, alternative web service ports, and custom application ports. The presence of RDP services indicates that attackers configure infrastructure servers to allow direct remote access, enabling them to operate these systems. Such servers can function as staging servers or intermediate operational nodes during attacks. Meanwhile, HTTPS-based communication is likely used for command-and-control traffic, malware delivery, and data exfiltration. By leveraging encrypted web traffic, attackers can blend malicious communications with legitimate traffic, making detection more difficult.
These service patterns are also consistent with MuddyWater’s previously documented attack methods, which frequently utilize PowerShell-based backdoors and encrypted web protocols.
Another characteristic observed within MuddyWater infrastructure is the repeated appearance of specific network ports. The following ports were most commonly identified:
- 443 (HTTPS)
- 3389 (Remote Desktop Protocol)
- 8080 / 8085 (alternative web service ports)
- 8443 (secure web services)
- 3000 / 7070 / 1022 (custom application ports)
Frequent use of ports 443 and 3389 suggests that attackers are simultaneously leveraging encrypted communication channels and administrative remote access capabilities. Alternative web ports such as 8080 or 8443 may also be used to operate web-based C2 interfaces or to route malicious traffic through non-standard ports.
Security Implications
MuddyWater’s recent activities demonstrate how modern cyber operations are shifting from single-vulnerability exploitation toward long-term access and continuous intelligence collection. The activity patterns observed in this analysis also suggest a strategy focused on identifying exposed operational infrastructure and management interfaces on the internet in order to secure initial access points, rather than directly targeting specific vulnerabilities.
Even relatively simple techniques can lead to successful compromise if an organization’s external attack surface is not properly managed. Administrative authentication portals, operational management consoles, and network device management interfaces are frequently exposed to the internet for operational convenience. However, once these services are exposed externally, attackers can attempt to access them directly or use them to map internal network structures.
The presence of malware artifacts in some observed activities further suggests that attackers may be preparing for additional malicious operations within compromised environments rather than merely attempting access. This indicates that attackers may be pursuing gradual infiltration strategies aimed at maintaining long-term presence within targeted networks.
For this reason, organizations should not focus solely on individual vulnerability remediation. Instead, they should adopt security strategies from an Attack Surface Management (ASM) perspective, continuously managing externally exposed assets and services. Key security practices include:
- Minimizing externally exposed administrative interfaces and management ports
- Maintaining continuous monitoring and visibility of externally exposed assets
- Implementing strong authentication and access controls for network equipment and operational systems
- Strengthening threat intelligence–based detection for communications with suspicious external infrastructure
By implementing such management practices, organizations can detect and respond to threats at an early stage, specifically when groups such as MuddyWater attempt to gain initial access through the external attack surface.
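As an added example (not part of the original report, and using constructed placeholder addresses rather than real indicators), the following Python correlates sample firewall log lines against an IP:port watchlist, grades hits by whether the port is an administrative service such as RDP, and reports nodes contacted in several distinct months, which is the infrastructure-reuse pattern and threat-intelligence-based detection described above.

```python
"""Correlate outbound connection logs with an IP:port indicator watchlist."""
from collections import defaultdict
from datetime import datetime

# Constructed placeholder watchlist (documentation-range IPs, not real indicators):
# each entry maps an IP to the ports on which it was reported as an operational node.
WATCHLIST = {
    "203.0.113.10": {443, 3389},
    "198.51.100.25": {8080, 8443},
    "192.0.2.77": {7070},
}
ADMIN_PORTS = {3389}  # remote-access services: a hit here is graded high

# Constructed firewall log lines: "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>"
SAMPLE_LOG = """\
2026-01-14T09:12:01Z 10.0.5.21 -> 203.0.113.10:443 ALLOW
2026-01-14T09:12:07Z 10.0.5.21 -> 93.184.216.34:443 ALLOW
2026-02-03T22:41:55Z 10.0.5.40 -> 203.0.113.10:3389 ALLOW
2026-02-19T03:02:10Z 10.0.7.9 -> 198.51.100.25:8443 ALLOW
2026-03-08T11:30:44Z 10.0.5.21 -> 203.0.113.10:443 ALLOW
2026-03-08T11:31:02Z 10.0.5.21 -> 192.0.2.77:80 ALLOW
"""

def parse_line(line):
    """Split one log line into (timestamp, src_ip, dst_ip, dst_port, action)."""
    ts, src, _arrow, dst, action = line.split()
    ip, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), src, ip, int(port), action

def match_indicators(log_text, watchlist=WATCHLIST):
    """Return (hits, months_seen). An exact IP:port match is medium (high on an
    admin port); a match on the IP alone, on an unlisted port, is a low-confidence hit."""
    hits, months_seen = [], defaultdict(set)
    for line in log_text.splitlines():
        ts, src, ip, port, _ = parse_line(line)
        if ip not in watchlist:
            continue
        if port in watchlist[ip]:
            severity = "high" if port in ADMIN_PORTS else "medium"
        else:
            severity = "low"
        hits.append({"time": ts.isoformat(), "src": src,
                     "node": f"{ip}:{port}", "severity": severity})
        months_seen[ip].add(ts.strftime("%Y-%m"))  # track reuse across periods
    return hits, months_seen

def reused_nodes(months_seen, min_months=2):
    """Nodes contacted in at least min_months distinct months: stable, reused infrastructure."""
    return {ip: sorted(m) for ip, m in months_seen.items() if len(m) >= min_months}
```

Feeding real proxy or firewall exports through `match_indicators` and reviewing `reused_nodes` first gives analysts the long-lived nodes that merit correlation across campaigns.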
Related to this, you can refer to Israel–Iran Digital Warfare: National Cyber Attack Surface Analysis Using Criminal IP.
FAQ
Q1. What type of threat group is MuddyWater?
MuddyWater is an Advanced Persistent Threat (APT) group believed to be linked to Iran’s intelligence services, with activity first observed around 2017. The group is known for conducting intelligence-gathering operations targeting organizations of strategic value, including government agencies, telecommunications providers, energy companies, and defense sector organizations. MuddyWater typically relies on repeatable techniques such as spear phishing, credential theft, and abuse of cloud services rather than highly complex zero-day exploits.
Q2. How should organizations respond to APT attacks like these?
Responding to APT activity requires more than simply applying vulnerability patches. Organizations should also manage their external attack surface by regularly verifying whether administrative interfaces, network management systems, and operational consoles are exposed to the internet. In addition, implementing security policies such as multi-factor authentication (MFA), IP-based access restrictions, and log monitoring can help protect management systems from unauthorized access.

This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine.
Source: Criminal IP (https://www.criminalip.io/ko), Infosecurity Magazine (https://www.infosecurity-magazine.com/news/iran-muddywater-hackers-us-firms/), The Hacker News (https://thehackernews.com/2026/03/iran-linked-muddywater-hackers-target.html), Security Affairs (https://securityaffairs.com/189060/apt/iran-linked-muddywater-deploys-dindoor-malware-against-u-s-organizations.html)
Related article: https://www.criminalip.io/knowledge-hub/blog/28864
