Iranian APT MuddyWater Exposed

THE THREAT

Security Researchers have identified publicly exposed open directories linked to the Iranian APT MuddyWater. The exposed information was reviewed by eSentire's Threat Response Unit (TRU) and revealed the group's attack tradecraft including the tools, exploits, scan results, Command-and-Control (C2) details, and targeting information. eSentire's TRU assesses with high confidence that these open directories are associated with MuddyWater APT.

Given the ongoing geopolitical conflict, it is highly likely that MuddyWater will continue targeting organizations holding tactical and strategic value to the Iranian regime. eSentire is sharing identified Tactics, Techniques and Procedures (TTPs) associated with MuddyWater to bolster organizations awareness and response capabilities, during a period of increased risk of targeting by Iranian threat actors.

What we're doing about it

• The eSentire Threat Response Unit (TRU) conducted threat hunts to identify potential indicators of compromise (IOCs) linked to infrastructure and tools used by the Iranian APT group MuddyWater
• eSentire MDR for Network has detections in place to identify Command-and-Control (C2) communication and exfiltration activity associated with MuddyWater APT
• eSentire MDR for Endpoint can detect backdoor activity associated with MuddyWater APT
• The eSentire TRU has developed MDR for Network detections for CVE-2025-54068, CVE-2025-34291, CVE-2022-42475 and identified toolset
  • The list of known targeted vulnerabilities and tools used by MuddyWater is provided in the Additional Information section
• eSentire MDR for Endpoint and Network has detections in place to identify activity related to AnyDesk Remote Monitoring and Management (RMM) tool
• eSentire Managed Vulnerability Service (MVS) will add relevant plugins for CVE-2025-9316 and CVE-2025-34291 as they become available
  • Plugins to identify devices vulnerable to the other listed flaws are in place

What you should do about it

• Ensure all assets, including edge devices, are kept up to date to reduce risk of exploitation
  • Review the list of known targeted vulnerabilities provided in the Additional Information section and prioritize their patching
• Implement strict password and conditional access policies by enforcing Multi-Factor Authentication (MFA) on all possible user and system accounts to avoid risk of brute force and password spray attacks
• Monitor and optionally block connections from AS152485/ Hosterdaddy Private Limited
• Ensure that the assets are exposed to the Internet only if required, use VPNs for secure networking, and limit their access to trusted internal networks ·
• Regularly monitor user login activity for anomalous logins to detect unauthorized access
• Restrict the installation of applications to authorized software only on assets to prevent the deployment of unauthorized tools such as rogue RMM software

Additional information

MuddyWater (also known as Mango Sandstorm, Seedworm, and Static Kitten) is an Iranian state-sponsored APT that has been active since at least 2017 and is known for conducting cyber espionage campaigns targeting organizations worldwide. The exposed data provides deeper insight into MuddyWater's recently employed Tactics, Techniques, and Procedures (TTPs). Among the identified targets were Israeli healthcare and immigration organizations, Jordanian government webmail services, an Egyptian national airline, UAE-based enterprises, an Iranian domestic marketplace, and a U.S.-based technology company.

The exposed information revealed that the group was employing platforms such as Shodan and Nuclei for target scanning, as well as open-source tools like Subfinder and Fluff for enumeration. Security researchers also identified exposed Shodan API keys associated with MuddyWater operators. The group conducted scanning and exploitation attempts across multiple vulnerabilities (listed in the table below) to obtain initial access, in addition to performing password spraying attacks against targeted accounts. Exfiltration of sensitive data was observed through public platforms such as Wasabi S3 and Amazon EC2, as well as through custom file servers. The group was identified leveraging AnyDesk Remote Monitoring and RMM tool for persistent remote access.

The exposed infrastructure revealed the use of NameCheap and Hosterdaddy IP addresses in operations, along with tunneling and webshell-based SOCKS pivoting open-source tools. For Command-and-Control (C2), the group utilized both open-source and custom frameworks. Custom C2 binaries for KeyC2, an AI-assisted Python-based UDP C2, and others were identified. Researchers also identified a PowerShell loader used to deploy the Tsundere bot, which retrieves the C2 server details and enables further attacker-controlled actions. Tsundere botnet is offered as Malware-as-a-Service (MaaS) and is linked to a Russian threat actor.

eSentire's TRU has reviewed the exposed open directories and conducted organization-wide threat hunts across customer environments. The team has also added the identified malicious infrastructure to the Global Block List and has developed detections for the tools and vulnerabilities leveraged by the group.

References:
[1] https://ctrlaltintel.com/threat%20research/MuddyWater/
[2] https://hunt.io/blog/iranian-apt-infrastructure-state-aligned-clusters
[3] https://attack.mitre.org/groups/G0069/
[4] https://www.huntress.com/blog/muddywater-attack-chain
[5] https://www.kaspersky.com/about/press-releases/cute-but-deadly-kaspersky-reveals-the-tsundere-botnet-that-plays-hot-and-cold-with-windows-user