The MuddyWater group [1] [4], also known as Mango Sandstorm and Static Kitten [5], is an Iranian nation-state actor that has recently targeted two Israeli entities in a spear-phishing campaign.


This campaign utilizes a multi-stage infection process through a new file-sharing service called Storyblok [3]. Notably, the group has incorporated a legitimate remote administration tool called Advanced Monitoring Agent by N-able [5], which is a new addition to their tactics and techniques. This suggests an ongoing evolution in their operations. MuddyWater is known for engaging in cyber espionage activities and is linked to Iran’s Ministry of Intelligence and Security [3].

Once a system is infected, MuddyWater operators employ the remote administration tool for reconnaissance purposes [3]. Additionally, they have introduced a new command-and-control framework called MuddyC2Go [2] [3]. This development highlights their ability to adapt and enhance their capabilities in response to defensive measures [3]. Consequently, monitoring and countering their activities pose a challenge for security experts [3].


The activities of the MuddyWater group have significant implications. Their recent targeting of Israeli entities underscores the need for heightened security measures. As they continue to evolve and adapt their tactics, it becomes increasingly important for experts to monitor and counter their actions effectively. Mitigating the impact of their cyber espionage activities remains a priority for security professionals.