MuddyWater: Inside Iran's Cyber War Machine

A comprehensive look at MuddyWater, the Iranian APT embedded in US banks and airports before the bombs even fell. From Operation Olalampo to exposed server infrastructure, AI-generated malware to Ethereum-based command channels, this is what a state-sponsored cyber operation looks like in 2026.


Abstract

MuddyWater is an advanced persistent threat group operating under Iran’s Ministry of Intelligence and Security. Active since at least 2017, the group has evolved from PowerShell scripts and phishing lures into a multi-campaign operation deploying AI-assisted Rust backdoors, Telegram-based command infrastructure, and novel evasion techniques including Ethereum smart contracts for command resolution.

In early 2026, two events brought MuddyWater into sharp focus. First, Group-IB disclosed Operation Olalampo, a campaign deploying four new malware families against targets across the Middle East and North Africa (Group-IB, 2026). Then, on March 5, Symantec’s Threat Hunter Team revealed that MuddyWater had already backdoored networks belonging to a US bank, a US airport, a US defence contractor with Israeli ties, and several non-profits in the US and Canada (Symantec, 2026). They were inside before the February 28 strikes on Iran even happened.

Separately, independent researchers gained access to a live MuddyWater server in the Netherlands, dumping operational tooling, victim logs, and reconnaissance data that reveals the group’s targeting priorities in extraordinary detail (Ctrl-Alt-Intel, 2026).

This report consolidates all available intelligence on MuddyWater’s 2026 operations, verified against primary sources.


Who They Are

MuddyWater carries the MITRE designation G0069. The group’s affiliation with Iran’s MOIS was jointly and publicly confirmed in February 2022 by the FBI, CISA, US Cyber Command, and the UK’s National Cyber Security Centre (CISA, 2022). This is firm attribution, not assessment or inference.

The MOIS is Iran’s primary civilian intelligence agency, distinct from the Islamic Revolutionary Guard Corps which sponsors other APT groups like APT33 and APT35. MuddyWater operates as a collection arm, conducting cyber espionage campaigns aligned with Iranian strategic interests and providing stolen data and network access to other threat actors within the Iranian intelligence ecosystem (CISA, 2022).

Aliases: Earth Vetala, MERCURY, Static Kitten, Seedworm, TEMP.Zagros, Mango Sandstorm, TA450, MUDDYCOAST

Mission priorities:

  • Government and diplomatic espionage across the Middle East, Europe, Asia, North America
  • Telecommunications compromise for communications monitoring
  • Defence and military intelligence, particularly NATO-aligned and Gulf Cooperation Council nations
  • Energy sector access, a strategic priority given Iran’s position in global energy politics
  • Access brokering to other Iranian threat actors, effectively functioning as access-as-a-service for the MOIS

The US Pre-Positioning Campaign (March 2026 Disclosure)

On March 5, 2026, Symantec’s Threat Hunter Team disclosed that MuddyWater had been embedded in US critical sector networks since early February, with activity intensifying after the US and Israeli strikes on Iran on February 28 (Symantec, 2026).

Confirmed targets

Target                                                         | Backdoor                     | Code-signing certificate
US bank                                                        | Dindoor                      | Amy Cherne
US airport                                                     | Fakeset                      | Amy Cherne, Donald Gay
US non-profit                                                  | Fakeset                      | Amy Cherne
Canadian non-profit                                            | Dindoor                      | Amy Cherne
US software company (Israeli arm), defence/aerospace supplier  | Dindoor, Rclone exfiltration | Amy Cherne

The software company compromise included attempted data exfiltration using Rclone to a Wasabi cloud storage bucket (Symantec, 2026). Whether the exfiltration succeeded is unknown.

New malware: Dindoor and Fakeset

Dindoor uses the Deno JavaScript/TypeScript runtime for command execution, signed with a certificate registered to “Amy Cherne.” Previously unknown, first observed in this campaign (Symantec, 2026).

Fakeset is Python-based, staged from Backblaze B2 cloud storage, and dual-signed with certificates for “Amy Cherne” and “Donald Gay.” The Donald Gay certificate was previously used to sign Stagecomp and Darkcomp, both confirmed MuddyWater malware families documented by Google, Microsoft, and Kaspersky (Symantec, 2026). This certificate overlap is the primary attribution link.

Additional tools observed in the campaign include PDQ Deploy for remote access, AnyDesk, ScreenConnect, ReGeorg web shells, and browser credential stealers (Symantec, 2026).

What this means

Symantec analyst Brigid O Gorman’s assessment deserves quoting directly: “Already having a presence on US and Israeli networks prior to the current hostilities beginning places the threat group in a potentially dangerous position to launch attacks” (The Register, 2026).

This was pre-positioning. The access was established before the kinetic conflict began, which transforms these compromises from intelligence collection into potential retaliatory capability.


Operation Olalampo (January to February 2026)

First observed January 26, 2026, publicly disclosed by Group-IB on February 23. The campaign targeted organisations across the Middle East and North Africa with four new malware families deployed through parallel attack chains, all initiated via spear-phishing with malicious Microsoft Office macros (Group-IB, 2026).

Attack chains

Chain 1, CHAR: A malicious Excel document drops CHAR, a Rust-based backdoor communicating through a Telegram bot named “Olalampo” (username: stager_51_bot). CHAR supports directory navigation, command execution via cmd.exe or PowerShell, credential theft, SOCKS5 proxy deployment, and secondary payload delivery. Source code analysis reveals emoji-laden debug strings, a hallmark of AI-assisted code generation (Group-IB, 2026; Google, 2025).

Chain 2, GhostFetch into GhostBackDoor: A first-stage downloader that performs extensive environment checks before executing, including mouse movement validation, screen resolution checks, debugger detection, virtual machine artifact scanning, and antivirus detection. Only after passing all checks does GhostFetch fetch and execute GhostBackDoor directly in memory. GhostBackDoor never touches disk (Group-IB, 2026).

Chain 3, HTTP_VIP into AnyDesk: Lures themed as flight tickets and business reports from Middle Eastern energy and marine services companies deploy HTTP_VIP, which conducts system reconnaissance, authenticates with a C2 server at codefusiontech[.]org, and installs AnyDesk for persistent remote access. This is a living-off-the-land approach that blends with normal IT operations (Group-IB, 2026).

Pre-campaign activity

On January 5, 2026, phishing emails were sent through a compromised Turkmenistan state telecom sender, predating the main Olalampo campaign by three weeks (Genians, 2026). Public-facing server exploitation has also been confirmed as a secondary initial access vector alongside phishing.


The Exposed Server (Ctrl-Alt-Intel)

Independent threat intelligence collective Ctrl-Alt-Intel gained access to a MuddyWater VPS hosted in the Netherlands and published a detailed dump of operational artifacts, C2 tooling, scripts, and victim logs (Ctrl-Alt-Intel, 2026). The C2 binaries are publicly available on their GitHub repository.

Important caveat: much of this section relies on a single source. The infrastructure overlaps with ESET’s December 2025 findings and Group-IB’s Olalampo research, lending credibility, but specific victim names and some tooling details cannot be independently corroborated at this time.

Reconnaissance tooling

The server contained Shodan CLI configured to scan for Ivanti User Portal devices, Nuclei templates targeting CVE-2026-1281 (a CVSS 9.8 code injection vulnerability in Ivanti EPMM, independently confirmed by Rapid7 and Tenable), Subfinder and ffuf for subdomain enumeration, and a custom recursive subdomain discovery script chaining Sudomy, Subfinder, and OneForAll through dnsx validation (Ctrl-Alt-Intel, 2026).

Reconnaissance targets

Organisations found in the server’s reconnaissance data include Clearview AI (US facial recognition company), the Jewish Agency (global NGO), Terrogence (Israeli private intelligence firm), Nefesh B’Nefesh (Israeli immigration services), EgyptAir, and Zivorex (UAE gold/silver platform) (Ctrl-Alt-Intel, 2026). The targeting profile aligns with known MOIS collection priorities.

Password spraying

Custom tools (owa.py and patator for SMTP brute-force) were configured to spray credentials against Jordanian Government Webmail (webmail.gov.jo), Israeli medical clinics, and Israeli hosting providers (Ctrl-Alt-Intel, 2026).

CVEs actively scanned or exploited

CVE             | Product          | Type
CVE-2026-1731   | BeyondTrust      | RCE
CVE-2026-1281   | Ivanti EPMM      | Code injection
CVE-2025-68613  | n8n              | Authenticated RCE
CVE-2024-55591  | Fortinet FortiOS | Auth bypass
CVE-2024-23113  | Fortinet FortiOS | RCE
CVE-2022-42475  | Fortinet FortiOS | RCE

The server also contained a modified watchTowr proof-of-concept for CVE-2024-55591 with hardcoded FortiOS CLI payloads for creating a super_admin account (“FortiSetup”), manipulating VPN groups, and establishing persistence via encrypted password hashes. The C2 IP embedded in the script, 194.11.246.101, was independently confirmed as MuddyWater infrastructure by ESET in December 2025 (ESET, 2025; Ctrl-Alt-Intel, 2026).
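As a defender's check for the persistence described above, the following is an added example (not part of the report, and not from Ctrl-Alt-Intel's dump or any Fortinet tool). It parses the `config system admin` section of a FortiOS configuration, as produced by `show system admin` or a config backup, and flags any super_admin account that is not on an approved list, noting as well accounts whose trusted-host restriction is open to any source. The configuration text is constructed for illustration; the account name "FortiSetup" is the one the report cites, while the approved-account list and the trusthost check are assumptions an organisation would tailor to its own baseline.

```python
"""Audit a FortiOS config dump for unexpected super_admin accounts.

Added example, not from the report or any vendor tool. Parses the
`config system admin` block of FortiOS CLI output and reports accounts
holding the super_admin profile that are absent from an approved list.
"""
import re

# Constructed sample: a legitimate admin, a rogue account named like the one
# the report says the modified PoC creates, and a read-only account.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC REDACTED
    next
    edit "FortiSetup"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 0.0.0.0 0.0.0.0
        set password ENC REDACTED
    next
    edit "readonly-audit"
        set accprofile "prof_admin"
        set vdom "root"
    next
end
"""

# Assumed organisational baseline: the only account allowed to hold super_admin.
APPROVED_SUPER_ADMINS = {"admin"}


def parse_admin_accounts(config_text):
    """Return {account_name: {setting: value}} for the `config system admin` block."""
    accounts = {}
    in_block = False
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system admin":
            in_block = True
            continue
        if not in_block:
            continue
        if line == "end":
            break  # end of the admin block; later sections are not parsed
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            current = m.group(1)
            accounts[current] = {}
            continue
        if line == "next":
            current = None
            continue
        m = re.match(r"set (\S+) (.*)", line)
        if m and current is not None:
            accounts[current][m.group(1)] = m.group(2).strip('"')
    return accounts


def find_rogue_super_admins(config_text, approved=APPROVED_SUPER_ADMINS):
    """Return [(account_name, [reasons])] for super_admin accounts not in `approved`."""
    findings = []
    for name, settings in parse_admin_accounts(config_text).items():
        if settings.get("accprofile") != "super_admin" or name in approved:
            continue
        reasons = ["super_admin profile not on approved list"]
        # A trusted host of 0.0.0.0 0.0.0.0 means the account may log in from any source.
        for key, value in settings.items():
            if key.startswith("trusthost") and value.startswith("0.0.0.0 0.0.0.0"):
                reasons.append(f"{key} allows login from any source")
        findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for account, reasons in find_rogue_super_admins(SAMPLE_CONFIG):
        print(f"ROGUE super_admin '{account}': " + "; ".join(reasons))
```

Run it against a saved `show system admin` dump after any suspected exposure of a FortiOS appliance; an empty result only means no unapproved super_admin exists, so it complements, rather than replaces, patching and a review of VPN group membership.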

C2 infrastructure

KeyC2: Python-based, UDP protocol on port 1269, custom binary format supporting remote command execution, file transfer, and C2 migration (Ctrl-Alt-Intel, 2026). MuddyWater’s use of custom UDP C2 is corroborated by independent research on their UDPGangster backdoor (FortiGuard Labs, 2025).

Tsundere Botnet: Uses Ethereum smart contracts for C2 address resolution, a novel technique that makes the command channel extremely resilient to takedown (Ctrl-Alt-Intel, 2026). The Tsundere Botnet itself was independently documented by Kaspersky in November 2025 (Kaspersky, 2025), though Kaspersky attributed Tsundere to a Russian-speaking operator. The MuddyWater connection is currently single-source and may indicate tool sharing or underground market acquisition rather than direct development.


Parallel Campaigns

MuddyWater is now confirmed running at least three parallel campaigns with distinct toolsets, a significant escalation in operational tempo.

MuddyViper (September 2024 to March 2025, disclosed December 2025)

ESET disclosed a campaign deploying a new backdoor called MuddyViper via a loader named Fooder, which disguises itself as the classic Snake game and uses game delay mechanics and frequent Sleep API calls to defeat sandbox analysis. Targets included critical infrastructure in Israel and Egypt across technology, engineering, manufacturing, local government, and education sectors. Initial access was via spear-phishing with links to Remote Monitoring and Management software installers. ESET also identified operational overlap between MuddyWater and Lyceum, an OilRig/APT34 subgroup, during a joint sub-campaign in early 2025 (ESET, 2025).

RustyWater (January 2026)

A Rust-based RAT targeting Israel and the broader Middle East, delivered via icon spoofing and malicious Word documents (CloudSEK; Seqrite Labs, 2026). This confirms the Rust tooling trend alongside CHAR from Operation Olalampo.

The Rust pivot

The shift is now visible across multiple campaigns. CHAR, RustyWater, and the earlier BlackBeard/Archer RAT are all compiled Rust binaries replacing the PowerShell and VBS scripts that defined MuddyWater’s earlier operations. Combined with AI-assisted development and legitimate platform abuse (Telegram, AnyDesk, GitHub, Google Drive), detection is getting harder with each iteration.


The Camera-to-Kinetic Pipeline

One of the more disturbing developments sits at the intersection of cyber and physical warfare.

In June 2025, Amazon Web Services threat intelligence documented how MuddyWater provisioned campaign infrastructure on June 13 and used it on June 17 to access a compromised server streaming live CCTV footage from Jerusalem; on June 23, Iran launched missile attacks against the city. Israeli authorities reported that Iranian forces had exploited compromised cameras for real-time targeting intelligence (Amazon Web Services, 2025).

In the current conflict, Check Point Research documented a sharp spike in exploitation attempts against Hikvision and Dahua IP cameras starting February 28, 2026, the same day as the US and Israeli strikes. The targets span Israel, UAE, Qatar, Bahrain, Kuwait, Lebanon, and Cyprus. CVEs being exploited include CVE-2017-7921, CVE-2023-6895, CVE-2021-36260, CVE-2025-34067 (a CVSS 10.0 RCE in Hikvision’s HikCentral), and CVE-2021-33044 (Check Point Research, 2026). The campaign was attributed to multiple Iran-nexus actors using commercial VPN exit nodes.

Every compromised IP camera is a potential forward observer. That is cyber-physical convergence in real time.


The Broader Iranian Cyber Posture

Following the February 28 strikes, the broader Iranian cyber ecosystem activated.

SentinelOne assessed with high confidence that Iranian state-aligned cyber activity was likely to intensify in the near term, highlighting MuddyWater alongside APT34, APT39, and APT42, and recommending organisations activate detection rules specifically for MuddyWater DLL sideloading as a priority (SentinelOne, 2026).

The Canadian Centre for Cyber Security issued a dedicated threat bulletin on Iranian cyber retaliation (Canadian Centre for Cyber Security, 2026). Palo Alto’s Unit42 published a threat brief on the escalation (Unit42, 2026).

Active wiper capability

Iran maintains an arsenal of over 15 confirmed wiper malware families including ZeroCleare, Dustman, Meteor, DEADWOOD, Apostle, BFG Agonizer, MultiLayer, and PartialWasher, deployed against Israeli energy, financial, government, and utilities sectors (SentinelOne, 2026; IBM X-Force, 2019).

Hacktivist coalition

The #OpIsrael campaign has drawn a coalition of pro-Russian groups including NoName057(16) and pro-Iranian personas including Handala Hack (assessed as the MOIS-affiliated Void Manticore), Fatemiyoun Electronic Team, and Cyber Islamic Resistance / 313 Team. These groups are coordinating DDoS attacks against Israeli and Gulf state infrastructure (Cybersecurity Dive, 2026; SecurityWeek, 2026).

After Iran’s internet dropped to approximately 4% of normal capacity during the strikes, Handala Hack resumed operations by routing through Starlink IP ranges, specifically the 188.92.255.x block (Check Point Research, 2026; Iran International, 2026).


Countermeasures

Three actions that would neutralise the majority of MuddyWater’s known attack surface, in order of impact per dollar spent:

  1. Block internet-sourced Office macros via Group Policy. This kills all three Olalampo attack chains at the initial access point. Zero cost. Immediate effect. Microsoft made this the default in 2022, but many organisations have re-enabled macros for legacy workflow compatibility (Group-IB, 2026).

  2. Deploy EDR with behavioural detection for Office-to-shell execution chains. Signature-based antivirus alone will miss CHAR (compiled Rust) and GhostBackDoor (in-memory). Behavioural rules should flag Office processes spawning cmd.exe or PowerShell, processes checking for VM artifacts, and unexpected Telegram API connections from non-browser processes (Group-IB, 2026).

  3. Monitor for unauthorised remote access tools. HTTP_VIP deploys AnyDesk as its persistence mechanism. The US pre-positioning campaign used PDQ Deploy, AnyDesk, and ScreenConnect. Application whitelisting should restrict remote access tool installation to IT-approved channels only (Symantec, 2026; Group-IB, 2026).

Additional measures for organisations in the target profile:

  • Monitor Telegram Bot API traffic (api.telegram.org) from non-browser processes
  • DNS sinkholing for known C2 domains
  • Monitoring for binaries signed with the “Amy Cherne” and “Donald Gay” code-signing certificates
  • Ivanti EPMM patching for CVE-2026-1281 (CVSS 9.8, confirmed exploited in the wild)
  • Fortinet FortiOS patching and audit for rogue admin accounts
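To show what the behavioural rules in countermeasures 2 and 3 and the monitoring items above look like in practice, here is an added example (not code from the report or from any EDR vendor) that runs five detection rules over Sysmon-style process-creation and network-connection events: Office applications spawning cmd.exe or PowerShell, Telegram Bot API traffic from non-browser processes, connections to the C2 IPs and domains the report lists, UDP traffic to port 1269 (the KeyC2 port), and remote access tools launched from outside an approved install path. It goes slightly beyond the text by combining the report’s indicators with the behavioural rules in one pass. The events are constructed; the approved install directory and the exact remote access tool binary names are assumptions to be replaced with an organisation’s own inventory.

```python
"""Behavioural detection over endpoint telemetry for the MuddyWater
countermeasures. Added example, not from the report or any vendor product.
"""
from dataclasses import dataclass
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Assumed binary names for the remote access tools the report names.
RMM_TOOLS = {"anydesk.exe", "screenconnect.clientservice.exe", "pdqdeployrunner.exe"}
# Assumed organisation-specific path from which IT deploys remote access tools.
APPROVED_RMM_DIR = "c:\\program files\\it-approved\\"

# Indicators taken from the report's IoC section.
C2_IPS = {"194.11.246.101", "162.0.230.185", "209.74.87.67"}
C2_DOMAINS = {"netvigil.org", "codefusiontech.org", "uppdatefile.com",
              "serialmenot.com", "moonzonet.com"}
KEYC2_UDP_PORT = 1269


@dataclass
class Event:
    kind: str            # "process" (creation) or "network" (connection)
    image: str           # full path of the acting process
    parent: str = ""     # parent process path, process events only
    dest_ip: str = ""    # network events only
    dest_host: str = ""
    dest_port: int = 0
    proto: str = ""


def base(path):
    """Case-folded file name of a Windows path."""
    return ntpath.basename(path).lower()


def evaluate(ev):
    """Return the list of rule names this single event triggers (empty if none)."""
    hits = []
    if ev.kind == "process":
        if base(ev.parent) in OFFICE_APPS and base(ev.image) in SHELLS:
            hits.append("office_to_shell")
        if base(ev.image) in RMM_TOOLS and not ev.image.lower().startswith(APPROVED_RMM_DIR):
            hits.append("unapproved_rmm_tool")
    elif ev.kind == "network":
        host = ev.dest_host.lower()
        if host == "api.telegram.org" and base(ev.image) not in BROWSERS:
            hits.append("telegram_api_non_browser")
        if (ev.dest_ip in C2_IPS or host in C2_DOMAINS
                or any(host.endswith("." + d) for d in C2_DOMAINS)):
            hits.append("known_c2_indicator")
        if ev.proto.lower() == "udp" and ev.dest_port == KEYC2_UDP_PORT:
            hits.append("udp_1269_keyc2_port")  # low confidence on its own
    return hits


def run(events):
    """Return (index, image, rule_hits) for every event that triggers at least one rule."""
    results = []
    for i, ev in enumerate(events):
        hits = evaluate(ev)
        if hits:
            results.append((i, ev.image, hits))
    return results


# Constructed sample telemetry: two benign events, four that should alert.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\cmd.exe",
          parent=r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
    Event("process", r"C:\Windows\System32\notepad.exe", parent=r"C:\Windows\explorer.exe"),
    Event("network", r"C:\Users\u\AppData\Local\Temp\update.exe",
          dest_host="api.telegram.org", dest_port=443, proto="tcp"),
    Event("network", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          dest_host="api.telegram.org", dest_port=443, proto="tcp"),
    Event("network", r"C:\Windows\System32\svchost.exe",
          dest_ip="194.11.246.101", dest_port=1269, proto="udp"),
    Event("process", r"C:\Users\u\Downloads\AnyDesk.exe", parent=r"C:\Windows\explorer.exe"),
    Event("process", r"C:\Program Files\IT-Approved\AnyDesk.exe",
          parent=r"C:\Windows\System32\services.exe"),
]

if __name__ == "__main__":
    for idx, image, hits in run(SAMPLE_EVENTS):
        print(f"event {idx}: {image} -> {', '.join(hits)}")
```

Each rule is independent, so an event such as the UDP connection to a known C2 address fires twice; in a real pipeline the indicator match would carry the high severity and the port match alone would be triage context. Browser exclusion on the Telegram rule keeps ordinary user traffic out of the alert stream while still catching a dropped executable talking to the Bot API.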

Indicators of Compromise

Code-signing certificates

  • “Amy Cherne” (signs Dindoor, Fakeset)
  • “Donald Gay” (signs Fakeset, Stagecomp, Darkcomp)

Infrastructure

  • 194.11.246.101 (MOIS C2, confirmed by ESET December 2025)
  • 162.0.230.185 (C2 from exposed VPS)
  • 209.74.87.67 (C2, “We’ll Be Back Soon” splash page)
  • netvigil.org (C2 domain)
  • codefusiontech[.]org (HTTP_VIP C2)
  • uppdatefile.com, serialmenot.com, moonzonet.com (Symantec, 2026)

Detection signatures (Symantec/Carbon Black)

  • Trojan.Dindoor, Trojan.Fakeset, Trojan.Darkcomp, Trojan.Stagecomp
  • Trojan.Malmsi, Trojan.Malscript, Trojan.Gen.MBT

Timeline

Date                         | Event                                                                          | Source
~2017                        | MuddyWater first identified targeting Middle Eastern government organisations  | MITRE ATT&CK
February 2022                | Joint FBI/CISA/CNMF/NCSC-UK advisory formally attributes MuddyWater to MOIS    | CISA, 2022
September 2024 to March 2025 | MuddyViper campaign targets Israeli and Egyptian critical infrastructure       | ESET, 2025
June 17, 2025                | MuddyWater accesses compromised Jerusalem CCTV server                          | Amazon Web Services, 2025
June 23, 2025                | Iran launches missiles at Jerusalem, cameras reportedly used for targeting     | Amazon Web Services, 2025
October 2025                 | Phoenix backdoor deployed via spear-phishing                                   | Symantec, 2026
November 2025                | Kaspersky documents Tsundere Botnet using Ethereum smart contracts for C2      | Kaspersky, 2025
December 2, 2025             | ESET publishes “Snakes by the Riverbank” on MuddyViper                         | ESET, 2025
January 5, 2026              | Pre-Olalampo phishing via compromised Turkmenistan state telecom               | Genians, 2026
January 26, 2026             | Operation Olalampo begins                                                      | Group-IB, 2026
Early February 2026          | MuddyWater begins pre-positioning in US critical infrastructure                | Symantec, 2026
February 23, 2026            | Group-IB publicly discloses Operation Olalampo                                 | Group-IB, 2026
February 28, 2026            | US and Israeli strikes on Iran, Iranian cyber operations intensify             | Multiple sources
February 28, 2026            | SentinelOne threat assessment: high confidence Iranian cyber retaliation expected | SentinelOne, 2026
March 5, 2026                | Symantec discloses US bank, airport, defence contractor compromises            | Symantec, 2026
March 2026                   | Ctrl-Alt-Intel publishes MuddyWater VPS dump                                   | Ctrl-Alt-Intel, 2026

Assessment

MuddyWater in 2026 is a different animal from the PowerShell-heavy operation described in the 2022 CISA advisory. The group is running at least three parallel campaigns with distinct toolsets, deploying AI-assisted malware in compiled languages, using legitimate platforms for command and control, and pre-positioning inside critical infrastructure networks ahead of kinetic operations.

The Ctrl-Alt-Intel server dump, despite being single-source for some claims, reveals operational patterns consistent with a well-resourced intelligence service: systematic vulnerability scanning, custom tooling for subdomain enumeration and credential spraying, and a target list that maps precisely to MOIS strategic priorities.

The camera-to-kinetic pipeline documented by Amazon Web Services may be the most significant development. A six-day window between CCTV server access and missile strikes in Jerusalem suggests that compromised cameras are being integrated into targeting workflows. The post-February 28 spike in camera exploitation attempts across seven countries indicates this capability is being scaled.

The war is already in the networks. It has been for months.


References

Amazon Web Services (2025) ‘New Amazon threat intelligence findings: nation-state actors bridging cyber and kinetic warfare’, AWS Security Blog. Available at: https://aws.amazon.com/blogs/security/new-amazon-threat-intelligence-findings-nation-state-actors-bridging-cyber-and-kinetic-warfare/

Canadian Centre for Cyber Security (2026) ‘Cyber threat bulletin: Iranian cyber threat response to US/Israel strikes, February 2026’. Available at: https://www.cyber.gc.ca/en/guidance/cyber-threat-bulletin-iranian-cyber-threat-response-usisrael-strikes-february-2026

Check Point Research (2026) ‘Interplay between Iranian targeting of IP cameras and physical warfare in the Middle East’. Available at: https://research.checkpoint.com/2026/interplay-between-iranian-targeting-of-ip-cameras-and-physical-warfare-in-the-middle-east/

CISA (2022) ‘Iranian government-sponsored actors conduct cyber operations against global government and commercial networks’, Advisory AA22-055A. Available at: https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-055a

CloudSEK and Seqrite Labs (2026) ‘MuddyWater launches RustyWater RAT via phishing’.

Ctrl-Alt-Intel (2026) ‘MuddyWater exposed: inside an Iranian APT operation’. Available at: https://ctrlaltintel.com/threat%20research/MuddyWater/

Cybersecurity Dive (2026) ‘Pro-Russia actors team with Iran-linked hackers’. Available at: https://www.cybersecuritydive.com/news/pro-russia-actors-support-iran-nexus-hackers/813647/

ESET (2025) ‘MuddyWater: snakes by the riverbank’, WeLiveSecurity, 2 December. Available at: https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank/

FortiGuard Labs (2025) ‘UDPGangster campaigns target multiple countries’. Available at: https://www.fortinet.com/blog/threat-research/udpgangster-campaigns-target-multiple-countries

Genians (2026) ‘Chronology of MuddyWater APT attacks’.

Google Threat Intelligence (2025) ‘AI-assisted malware development by Iranian threat actors’.

Group-IB (2026) ‘MuddyWater: Operation Olalampo’, 23 February. Available at: https://www.group-ib.com/blog/muddywater-operation-olalampo/

IBM X-Force (2019) ‘New destructive wiper ZeroCleare targets energy sector in the Middle East’.

Iran International (2026) ‘Handala Hack routing operations via Starlink’. Available at: https://www.iranintl.com/en/202601205735

Kaspersky (2025) ‘Tsundere Node.js botnet uses Ethereum blockchain’, Securelist, November. Available at: https://securelist.com/tsundere-node-js-botnet-uses-ethereum-blockchain/117979/

MITRE ATT&CK (n.d.) ‘MuddyWater Group Profile (G0069)’. Available at: https://attack.mitre.org/groups/G0069/

Rapid7 (2026) ‘Critical Ivanti Endpoint Manager Mobile (EPMM) zero-day exploited in the wild: CVE-2026-1281’. Available at: https://www.rapid7.com/blog/post/etr-critical-ivanti-endpoint-manager-mobile-epmm-zero-day-exploited-in-the-wild-eitw-cve-2026-1281-1340/

SecurityWeek (2026) ‘Iranian APT hacked US airport, bank, software company’. Available at: https://www.securityweek.com/iranian-apt-hacks-us-airport-bank-software-company/

SentinelOne (2026) ‘Intelligence brief: Iranian cyber activity outlook’, 28 February. Available at: https://www.sentinelone.com/blog/sentinelone-intelligence-brief-iranian-cyber-activity-outlook/

Symantec (2026) ‘Seedworm: Iranian APT targeting US critical sectors’, Broadcom Security. Available at: https://www.security.com/threat-intelligence/iran-cyber-threat-activity-us

The Register (2026) ‘Iran intelligence backdoored US bank, airport networks’, 5 March. Available at: https://www.theregister.com/2026/03/05/mudywater_backdoor_us_networks/

Unit42 (2026) ‘Threat brief: March 2026 escalation’, Palo Alto Networks. Available at: https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/


Report compiled from open-source intelligence. All claims verified against primary sources where available. Single-source claims are flagged as such.

Last updated: March 6, 2026

FTRCRP Threat Intelligence