A new report from NCC Group highlights a sophisticated shift in the tactics of the Iran-linked threat actor known as MuddyWater (aka TA450, Mercury, or Seedworm). This state-sponsored group, historically focused on cyber-espionage across the Middle East and Central Asia, is now actively masquerading as ransomware operators, imitating the encryption-based extortion gangs behind ordinary criminal incidents.
For defenders, this represents a critical detection challenge. By adopting the persona of a financially motivated ransomware group, MuddyWater attempts to blend into the noise of common criminality, obscuring their true objective: intelligence gathering and long-term persistence. They are deploying commercially available malicious software—commodity malware typically associated with common crime—to complicate attribution and evade signature-based defenses. Security teams must adjust their detection logic to identify the "disconnect" between ransomware-style intimidation and the actual technical behaviors of espionage.
Technical Analysis
Threat Actor: MuddyWater (APT34)
Geographic Focus: Historically Middle East, Turkey, Pakistan, but masquerading tactics can be deployed globally against high-value targets.
Attack Vector: Spear-phishing campaigns delivering malicious payloads, often leveraging macro-enabled documents or scripts to download and execute payloads.
Tools and Techniques:
- Commodity Malware: The group is deploying commercially available malicious software. This creates a dual problem: it lowers the barrier to entry for the attacker and raises the difficulty for defenders, as these tools may be signed or widely distributed, triggering fewer alarms.
- Deception: By posing as a ransomware gang, the actor may leave fake ransom notes or threaten encryption to distract incident responders. However, their primary actions are often data theft and surveillance rather than destructive file encryption.
- Living off the Land (LotL): MuddyWater continues to rely heavily on PowerShell for execution and obfuscation, using the native Windows environment to bypass application whitelisting.
Exploitation Status: Confirmed active exploitation. There is no zero-day CVE involved in this specific shift; rather, it is an evolution in Tactics, Techniques, and Procedures (TTPs) utilizing existing infrastructure and commodity tools.
Detection & Response
Detecting this campaign requires focusing on the intent rather than just the tool. Defenders should look for "ransomware" indicators (like note creation) that occur without the accompanying destructive file system activity (mass encryption). Furthermore, the use of commodity malware often generates distinct process trees and network connections that deviate from standard administrative behavior.
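The "disconnect" described above, as a small correlator over endpoint telemetry; this is example code added for this page, not from the NCC Group report. It flags a ransom-note creation only when, within a window on the same host, no encryption- or backup-tampering tool ran and few files were rewritten. The event schema, the thresholds and the sample events are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Note-name fragments and tool names mirror the page's Sigma/KQL lists; the event
# schema, thresholds and sample telemetry below are assumptions made for this example.
NOTE_MARKERS = ("README", "RECOVER", "HOW_TO_DECRYPT", "_DECRYPT", "RESTORE")
NOTE_EXTS = (".TXT", ".HTA", ".HTML")
ENCRYPTION_TOOLS = {"cipher.exe", "vssadmin.exe", "wbadmin.exe", "bcdedit.exe"}
MASS_WRITE_THRESHOLD = 50       # distinct files rewritten near the note -> real encryption
WINDOW = timedelta(minutes=30)  # correlate events this far either side of the note

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]

def is_ransom_note(path):
    name = basename(path).upper()
    return name.endswith(NOTE_EXTS) and any(m in name for m in NOTE_MARKERS)

def find_decoy_notes(event_lines):
    """Return (device, note path, time) for notes lacking accompanying encryption activity."""
    by_device = defaultdict(list)
    for line in event_lines:
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        by_device[ev["device"]].append(ev)
    alerts = []
    for device, evs in by_device.items():
        for note in (e for e in evs if e["type"] == "file_create" and is_ransom_note(e["path"])):
            window = [e for e in evs if abs(e["ts"] - note["ts"]) <= WINDOW]
            tool_ran = any(e["type"] == "process_create"
                           and basename(e["image"]).lower() in ENCRYPTION_TOOLS for e in window)
            rewritten = {e["path"] for e in window if e["type"] in ("file_modify", "file_rename")}
            if not tool_ran and len(rewritten) < MASS_WRITE_THRESHOLD:
                alerts.append((device, note["path"], note["ts"]))
    return alerts

def _ev(ts, device, **fields):
    return json.dumps({"ts": ts, "device": device, **fields})

# Constructed telemetry: WS01 drops a note but barely touches files (decoy pattern);
# WS02 drops a note, runs vssadmin and rewrites 60 documents (genuine encryption).
SAMPLE_EVENTS = [
    _ev("2026-04-06T10:00:00", "WS01", type="file_create", path=r"C:\Users\alice\Desktop\HOW_TO_DECRYPT.txt"),
    _ev("2026-04-06T10:00:05", "WS01", type="process_create", image=r"C:\Users\alice\AppData\Local\Temp\update.exe"),
    _ev("2026-04-06T10:01:00", "WS01", type="file_modify", path=r"C:\Users\alice\Documents\notes.docx"),
    _ev("2026-04-06T11:00:00", "WS02", type="process_create", image=r"C:\Windows\System32\vssadmin.exe"),
    _ev("2026-04-06T11:00:10", "WS02", type="file_create", path=r"C:\Users\bob\README_RECOVER.hta"),
] + [_ev("2026-04-06T11:01:00", "WS02", type="file_rename", path=rf"C:\Users\bob\Documents\doc{i}.docx.locked")
     for i in range(60)]
```

Running `find_decoy_notes(SAMPLE_EVENTS)` returns only the WS01 note; WS02 is suppressed because vssadmin.exe ran and 60 documents were renamed in the same window.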
SIGMA Rules
---
title: Potential Fake Ransomware Activity - Note Creation Without Encryption
id: a1b2c3d4-5678-90ab-cdef-123456789abc
status: experimental
description: Detects the creation of common ransom note filenames. When this fires on a host with no accompanying encryption process (e.g., cipher.exe, bitlocker, vssadmin), it may indicate the MuddyWater decoy tactic.
references:
    - https://www.infosecurity-magazine.com/news/iranlinked-muddywater-poses-as/
author: Security Arsenal
date: 2026/04/06
tags:
    - attack.deception
    - attack.initial_access
logsource:
    category: file_creation
    product: windows
detection:
    selection_note:
        TargetFilename|contains:
            - '\README'
            - '\RECOVER'
            - '\HOW_TO_DECRYPT'
            - '\_DECRYPT'
    filter_legit_admin:
        Image|contains:
            - '\Windows\System32\'
    condition: selection_note and not filter_legit_admin
falsepositives:
    - Legitimate documentation files (rare in system roots)
level: high
---
title: Suspicious PowerShell Encoded Command Execution
id: b2c3d4e5-6789-01bc-def2-34567890bcde
status: experimental
description: Detects PowerShell execution with encoded commands, a common TTP for MuddyWater to deploy commodity malware loaders.
references:
    - https://attack.mitre.org/techniques/T1059/001/
author: Security Arsenal
date: 2026/04/06
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
        CommandLine|contains:
            - ' -e '
            - ' -Enc '
            - 'EncodedCommand'
    filter_legit:
        ParentImage|contains:
            - '\Windows\System32\'
    condition: selection and not filter_legit
falsepositives:
    - System management scripts
level: medium
---
title: Commodity Malware C2 Beaconing
id: c3d4e5f6-7890-12cd-ef34-56789090cdef
status: experimental
description: Detects suspicious process execution patterns often associated with commercial RATs/C2 frameworks used by MuddyWater.
references:
    - https://www.infosecurity-magazine.com/news/iranlinked-muddywater-poses-as/
author: Security Arsenal
date: 2026/04/06
tags:
    - attack.command_and_control
    - attack.t1071
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|contains:
            - '\AppData\'
            - '\Temp\'
    filter_browsers:
        Image|contains:
            - '\Chrome\'
            - '\Firefox\'
            - '\Edge\'
            - '\Opera\'
    condition: selection and not filter_browsers
falsepositives:
    - Legitimate software updates from temp directories
level: high
KQL (Microsoft Sentinel / Defender)
// Hunt for potential fake ransomware or commodity malware artifacts
// Looks for ransom-note file creation on hosts with no encryption or backup-tampering process activity in the same window
let Lookback = 7d;
let EncryptionTools = dynamic(["cipher.exe", "bitsadmin.exe", "vssadmin.exe", "wbadmin.exe", "bcdedit.exe"]);
let NoteExtensions = dynamic([".txt", ".hta", ".html"]);
let NoteNames = dynamic(["README", "RECOVER", "DECRYPT", "RESTORE", "FILES"]);
DeviceFileEvents
| where Timestamp > ago(Lookback)
| where ActionType == "FileCreated"
| where FileName has_any (NoteNames)
// Restrict to typical note formats so that e.g. README.md in source trees does not match
| extend Extension = tolower(extract(@"(\.[^.]+)$", 1, FileName))
| where Extension in~ (NoteExtensions)
| where FolderPath !contains "Program Files" and FolderPath !contains "Program Files (x86)"
| join kind=leftanti (
    DeviceProcessEvents
    | where Timestamp > ago(Lookback)
    | where FileName in~ (EncryptionTools)
    | distinct DeviceId
) on DeviceId
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName, SHA256
| extend AlertDetail = "Ransom note file created without associated encryption process activity"
Velociraptor VQL
-- Hunt for commodity malware persistence and masquerading artifacts
-- Lists entries in per-user Startup folders and reports those that are currently running
-- (VQL has no JOIN clause, so the correlation is done with foreach() over the glob results)
LET startup_items = SELECT OSPath, Name, Size, Mode, Mtime AS ModifiedTime
    FROM glob(globs="C:/Users/*/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/*")
    WHERE NOT Name =~ "desktop.ini"
      AND NOT OSPath =~ "Program Files"

-- Emit one row per live process whose image path is a Startup entry
-- (older Velociraptor releases expose the path as FullPath instead of OSPath)
SELECT * FROM foreach(
    row=startup_items,
    query={
        SELECT OSPath, Size, Mode, ModifiedTime, Pid, Exe AS RunningExe
        FROM pslist()
        WHERE lowcase(string=Exe) = lowcase(string=OSPath.String)
    })
Remediation Script (PowerShell)
<#
.SYNOPSIS
    Audits and removes common persistence mechanisms used by commodity malware.
.NOTES
    Use -InvestigateOnly first; -RemoveFiles only deletes items when -InvestigateOnly is absent.
#>
Param(
    [switch]$InvestigateOnly,
    [switch]$RemoveFiles
)

# User-writable locations where commodity malware commonly stages or persists payloads
$PersistencePaths = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:LOCALAPPDATA\Temp",
    "$env:USERPROFILE\Downloads"
)

Write-Host "[+] Scanning for suspicious persistence mechanisms in user profiles..." -ForegroundColor Cyan
foreach ($Path in $PersistencePaths) {
    if (Test-Path $Path) {
        # Executables or scripts in startup/temp (regex anchored so it matches the extension only)
        $Items = Get-ChildItem -Path $Path -File | Where-Object {
            $_.Extension -match '^\.(exe|bat|cmd|vbs|js|ps1)$' -and $_.Name -ne 'desktop.ini'
        }
        foreach ($Item in $Items) {
            # Check for a valid digital signature (commodity malware is often unsigned or suspiciously signed).
            # .bat/.cmd/.vbs/.js files cannot carry an Authenticode signature, so they are always listed here.
            $Signature = Get-AuthenticodeSignature -FilePath $Item.FullName
            if ($Signature.Status -ne 'Valid') {
                Write-Host "[!] Suspicious unsigned item found: $($Item.FullName) (Status: $($Signature.Status))" -ForegroundColor Yellow
                if ($RemoveFiles -and -not $InvestigateOnly) {
                    try {
                        Remove-Item -Path $Item.FullName -Force
                        Write-Host "    [x] Removed item." -ForegroundColor Red
                    } catch {
                        Write-Host "    [-] Failed to remove: $_" -ForegroundColor Gray
                    }
                }
            }
        }
    }
}

# Check for scheduled tasks registered under user accounts (common for RAT persistence)
Write-Host "[+] Checking user-defined scheduled tasks..." -ForegroundColor Cyan
Get-ScheduledTask | Where-Object { $_.Principal.UserId -and $_.Principal.UserId -ne "SYSTEM" } |
    Select-Object TaskName, TaskPath, State,
        @{ Name = 'Action'; Expression = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } } |
    Format-Table -AutoSize

if ($InvestigateOnly) {
    Write-Host "[+] Investigation only mode complete. No changes were made." -ForegroundColor Green
}
Remediation
Since this threat involves active cyber-espionage rather than just data encryption, standard ransomware recovery playbooks are insufficient. Prioritize the following:
- Assume Credential Compromise: MuddyWater's primary goal is theft. Assume all credentials cached on affected endpoints have been exfiltrated. Force a password reset for all accounts used on the impacted machines, prioritizing privileged and service accounts.
- Isolate and Image: Do not simply reboot infected endpoints. Isolate them from the network and acquire a full memory/disk image for forensic analysis to identify the specific commodity malware used and its C2 infrastructure.
- Block C2 Infrastructure: Work with your threat intelligence provider or ISP to block identified Command and Control (C2) IP addresses and domains associated with this campaign.
- Application Whitelisting: Commodity malware often relies on dropping executables in user-writable directories (AppData, Temp). Enforce strict application whitelisting (e.g., AppLocker) to prevent unsigned executables from running in these paths.
- Audit PowerShell Logging: Ensure Module Logging, Script Block Logging, and Transcription are enabled enterprise-wide. MuddyWater's reliance on PowerShell makes this visibility mandatory for future detection.