Turbid Currents MuddyWater Attribution
Introduction
This report provides a detailed overview of phishing campaigns associated with the Iranian APT group MuddyWater (also known as Static Kitten, Seedworm, or Mercury). These campaigns, active between February 2025 and October 2025, demonstrate the group's persistence, technical consistency, and evolving tactics, techniques, and procedures (TTPs). The operations targeted Israel, Hungary, the United Arab Emirates (UAE), Azerbaijan, Turkmenistan, and diplomatic missions worldwide, reflecting MuddyWater's broad geopolitical interests and regional intelligence priorities.
In our previous publication, the campaign was tentatively attributed to an Iranian-linked cluster sharing overlapping TTPs with several known groups. Subsequent discoveries prompted a re-evaluation of the entire infrastructure, tooling, and operational workflow. This report presents a comprehensive re-analysis of nine interconnected attacks, including the recent intrusion against several entities, with the objective of reaching a conclusive, evidence-based attribution.
Through a detailed examination of command-and-control (C2) infrastructure, malware families, and email delivery mechanisms, we identified a unified operational fingerprint that matches MuddyWater. The consistent use of identical C2 response patterns, VBS loaders, and encoded staging logic across multiple regions, including the Middle East, Europe, and South Asia, indicates a single orchestrating entity.
This report, therefore, not only revisits earlier assumptions but establishes a definitive link between previously isolated incidents and MuddyWater’s long-standing espionage apparatus. By dissecting the actor’s infrastructure reuse, malware development lifecycle, and cross-operation TTPs, we present a clear and technically substantiated attribution narrative.
Overall, the nine attacks described in this report demonstrate that MuddyWater consistently employs the same infrastructure patterns, reuses malware tools, and replicates phishing templates across its operations. Together, these findings expose a well-coordinated campaign that underscores the group’s persistence and strategic focus on defense, government, education, and diplomatic sectors.
For the complete report, see here.
Attacks Attribution
A total of nine attacks were investigated for attribution. Their attribution to a single actor across these campaigns was established through multiple technical pivots:

The following table summarizes each attack and its general description:
Conclusion
The campaign exposes MuddyWater's ongoing operations against Israel and regional governments, targeting defense, government, and educational institutions. These findings highlight MuddyWater's continued activity and its use of multi-vector phishing chains.
All attacks documented in this report are linked to MuddyWater based on the supporting technical evidence shared and detailed in this report.
Dream recommends the following actions to prevent a similar attack from succeeding:
- Patch Management: Prioritize patching Microsoft Office and Windows Script Host components to reduce exposure to macro-enabled and script-based exploitation.
- Email Security Controls: Strengthen mail filters to block or quarantine attachments that can carry macros or scripts, particularly those with .doc and .vbs file extensions.
- Configuration Hardening: Disable or restrict Microsoft Office macros by default.
- Network Controls: Enforce firewall rules to block outbound connections to known MuddyWater C2 domains (see the IoC table below).
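The attachment-filtering recommendation above is the one that most often fails in practice, because gateways match on the declared filename only and miss a macro document renamed to .docx or a .vbs hidden behind a double extension. The following triage routine is an added example written for this page; it is not code from the Dream report or from MuddyWater tooling. It checks each attachment both by extension and by content (the OLE2 magic bytes of legacy .doc/.xls files, and the presence of a vbaProject.bin part inside an OOXML zip), and it generalizes the report's .doc/.vbs advice to the wider macro and script extension family. The extension lists, the verdict labels, and the sample message are assumptions constructed for the example.

```python
"""Mail-gateway attachment triage: flag macro-capable Office documents and
Windows script files by extension and by content. Added example, not taken
from the report or the actor's tooling."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed policy lists: the report names .doc and .vbs; the rest is the usual
# macro/script family a gateway should treat the same way.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1"}
LEGACY_OFFICE_EXTS = {".doc", ".xls", ".ppt", ".dot"}
MACRO_OOXML_EXTS = {".docm", ".xlsm", ".pptm", ".dotm", ".xlam"}

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office container


def _ext(filename):
    """Lowercase final extension, so 'Invoice.pdf.VBS' yields '.vbs'."""
    name = (filename or "").lower().strip()
    return name[name.rfind("."):] if "." in name else ""


def ooxml_has_vba(data):
    """True if the bytes are a zip (OOXML) document carrying a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename, data):
    """Return a verdict label for one attachment, or None if it may pass."""
    ext = _ext(filename)
    if ext in SCRIPT_EXTS:
        return "script:" + ext
    if ext in MACRO_OOXML_EXTS or ooxml_has_vba(data):
        return "office-macro-ooxml"
    if ext in LEGACY_OFFICE_EXTS or data.startswith(OLE_MAGIC):
        # Legacy binary formats can always embed VBA; quarantine them and let a
        # sandbox or OLE parser decide rather than guessing here.
        return "office-legacy-binary"
    return None


def triage_message(raw):
    """Parse an RFC 5322 message and list (filename, verdict) for every
    attachment that should be quarantined."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        verdict = classify_attachment(name, part.get_payload(decode=True) or b"")
        if verdict:
            findings.append((name, verdict))
    return findings


def make_ooxml(with_vba):
    """Build a minimal OOXML-shaped zip; the VBA blob is a constructed stand-in."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_sample():
    """Constructed lure: macro document, VBS loader, and one benign attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "recipient@example.test"
    m["Subject"] = "Meeting agenda"
    m.set_content("Please review the attached document.")
    m.add_attachment(make_ooxml(True), maintype="application",
                     subtype="vnd.ms-word.document.macroEnabled.12",
                     filename="agenda.docm")
    m.add_attachment(b"WScript.Echo 1\r\n", maintype="application",
                     subtype="octet-stream", filename="update.vbs")
    m.add_attachment(b"plain notes", maintype="text", subtype="plain",
                     filename="notes.txt")
    return m.as_bytes()


if __name__ == "__main__":
    for name, verdict in triage_message(build_sample()):
        print(f"quarantine {name}: {verdict}")
```

Content checks matter more than the extension lists: a .docx that contains word/vbaProject.bin is still a macro document, and a .doc renamed to .pdf still starts with the OLE2 signature. In production this routine would sit in front of a sandbox rather than replace one, since it deliberately does not parse OLE streams or nested archives.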
Indicators of Compromise (IoCs)
The CTI analysis includes the following IoCs: