MuddyWater Is an Iranian Government Hacking Unit. Their Playbook Is Already Being Used Against You.
MuddyWater is a state-sponsored APT run by Iran's intelligence ministry. Their techniques — phishing from compromised accounts, abusing legitimate admin tools — are now standard criminal playbook. Here's what they do and how to defend against it.
# You've probably never heard of MuddyWater. That's the problem.
MuddyWater is an Advanced Persistent Threat group operated by Iran's Ministry of Intelligence and Security (MOIS). They've been active since at least 2017 and have been formally attributed to MOIS by a joint advisory from CISA, the FBI, and U.S. Cyber Command in 2022. They go by half a dozen other names depending on which security firm is tracking them: Mango Sandstorm (Microsoft), Static Kitten (CrowdStrike), Seedworm (Symantec), MERCURY, TA450.
Their primary targets are government, defense, telecom, and financial services organizations in the Middle East. But their secondary targeting includes North America, Europe, and Asia. And more importantly, the techniques they pioneered are now standard operating procedure for criminal ransomware groups hitting businesses your size.
This is why threat actor profiles matter for small businesses. You're not going to be targeted by an Iranian intelligence unit. But the tools and methods that intelligence units develop and refine get adopted by cybercriminals within months. Understanding how MuddyWater operates tells you what the next wave of attacks against your business will look like.
# Their playbook is simple and it works.
MuddyWater's core approach hasn't changed much in nine years, because it keeps working. Two techniques define nearly everything they do.
# 1. Spear-phishing from compromised accounts.
MuddyWater doesn't send phishing emails from random Gmail accounts or freshly registered domains. They compromise a real organization's email system first, then send phishing emails from legitimate accounts within that organization.
Think about that. You get an email from a vendor you actually work with, from an email address you recognize, referencing a project you're actually involved in. The email contains a link or attachment. You click it because everything checks out.
This is the evolution of phishing that most security awareness training hasn't caught up with. Training people to check the sender's domain doesn't help when the sender's domain is legitimate. The account is real. The domain is real. The compromise happened upstream.
# 2. Living off the Land with remote management tools.
This is MuddyWater's signature move, and it's the one you need to understand.
Instead of deploying custom malware that antivirus might catch, MuddyWater installs legitimate remote management software on the target's machines. Tools like ScreenConnect, Atera, SimpleHelp, RemoteUtilities, and Syncro. These are the same tools that IT companies and managed service providers use every day to administer client systems.
Once installed, these tools give the attacker full remote access to the compromised machine. And here's the problem: your antivirus won't flag it. Your EDR might not flag it. Because it's a legitimate, signed application doing exactly what it was designed to do. The attacker doesn't need to build and maintain their own command-and-control infrastructure. They're using the vendor's infrastructure, which is professionally maintained, encrypted, and trusted by security tools.
This technique is called Living off the Land (LotL), and it's not unique to MuddyWater. But they've refined it to an art form. Multiple documented campaigns in 2023 and 2024 distributed RMM tool installers via spear-phishing across government, defense, and private sector targets in multiple countries.
# Why this matters to your business right now.
Criminal ransomware groups watched MuddyWater's playbook and took notes. The same Living off the Land techniques are now showing up in attacks against small and mid-sized businesses across every industry.
Here's what that looks like in practice:
- An attacker phishes an employee's credentials
- They install a legitimate RMM tool like AnyDesk, ScreenConnect, or Atera
- Your antivirus doesn't flag it because it's a legitimate application
- The attacker now has persistent, encrypted remote access to that machine
- They move laterally through your network using built-in Windows tools (PowerShell, WMI, RDP)
- Your logs show normal administrative activity
- Five days later, your files are encrypted and there's a ransom note on every screen
Every step uses legitimate software. No custom malware. No suspicious executables. Just tools that are supposed to be there, used by someone who isn't supposed to be there.
# What to do.
These defenses directly counter MuddyWater's playbook and the criminal groups copying it.
1. Maintain an allowlist of approved remote access tools. This is the single highest-value defense against LotL attacks. Decide which RMM tools your organization uses (if any) and block everything else. If you use ConnectWise ScreenConnect for IT support, then Atera, AnyDesk, SimpleHelp, and every other RMM tool should be blocked at the endpoint and at the network level. If an unauthorized RMM tool appears on any machine, treat it as a confirmed compromise indicator. Not suspicious. Confirmed.
2. Enforce email authentication (DMARC, DKIM, SPF). These protocols make it harder for attackers to spoof your domain and easier to detect spoofed emails from others. Set your DMARC policy to quarantine or reject, not none. Most small businesses have DMARC set to none, which means it monitors but doesn't actually block anything. That's like installing a security camera that doesn't record.
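To make the "quarantine or reject, not none" rule something you can actually check, here is an added example (written for this post, not code from the article or from DMARC.org) that parses a DMARC TXT record and reports whether it enforces anything. The `DmarcVerdict` and `assess_dmarc` names and the sample records are constructed for the illustration; the tag names (`v`, `p`, `sp`, `pct`, `rua`) are the standard ones from RFC 7489.

```python
"""Read a DMARC TXT record and say whether it actually enforces anything.

The record lives at _dmarc.<your-domain>; fetch it with, for example,
`dig +short TXT _dmarc.example.com` and paste the value in.  The sample
records at the bottom are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DmarcVerdict:
    policy: Optional[str]       # "none", "quarantine", "reject" or None
    enforcing: bool             # True only for quarantine/reject
    issues: list = field(default_factory=list)


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=mailto:x' into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """record: TXT value at _dmarc.<domain>, or None when the lookup is empty."""
    if record is None:
        return DmarcVerdict(None, False,
                            ["no DMARC record: receivers apply no policy to mail claiming your domain"])
    # RFC 7489: the record must open with v=DMARC1 and carry a p= tag,
    # otherwise receivers discard it, which is the same as having none.
    if not record.strip().lower().startswith("v=dmarc1"):
        return DmarcVerdict(None, False, ["malformed: record does not start with v=DMARC1"])
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return DmarcVerdict(None, False, [f"malformed: missing or unknown p= value {policy!r}"])
    if policy == "none":
        return DmarcVerdict(policy, False,
                            ["p=none: monitoring only, nothing is quarantined or rejected"])
    # Enforcing, but a few settings quietly weaken it; call each one out.
    issues = []
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        issues.append(f"pct={pct}: only {pct}% of failing mail gets the {policy} policy")
    if tags.get("sp", policy).lower() == "none":
        issues.append("sp=none: subdomains stay unprotected and can still be spoofed")
    if "rua" not in tags:
        issues.append("no rua= address: you will never see aggregate reports of who is failing")
    return DmarcVerdict(policy, True, issues)


SAMPLE_RECORDS = {  # constructed sample records
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "enforcing": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
    "half-way": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "broken": "p=reject; rua=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        v = assess_dmarc(rec)
        print(f"{name:13} enforcing={v.enforcing!s:5} {'; '.join(v.issues) or 'ok'}")
```

The "half-way" record is the one to notice: `p=quarantine` looks like enforcement, but with `pct=25` three quarters of failing mail is still delivered and `sp=none` leaves every subdomain open, so the check flags both rather than reporting a clean pass.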
3. Sandbox attachments and rewrite URLs. Microsoft Defender for Office 365 (included in Business Premium) can detonate attachments in a sandbox before delivering them and rewrite URLs to check them at click time. If you're on Google Workspace, configure the advanced phishing and malware settings. These aren't optional add-ons anymore. They're baseline email security.
4. Monitor for unexpected outbound connections. RMM tools phone home to their vendor's cloud infrastructure. If you don't use Atera, there should be zero connections to Atera's servers from your network. Monitor egress traffic for connections to RMM vendor domains you don't use. Also watch for Telegram API traffic from servers or non-admin workstations, which MuddyWater has used as a command-and-control channel.
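Steps 1 and 4 are two views of the same allowlist: what is installed on the endpoint, and what the endpoint talks to. The following added example (mine, not code from the article or from any RMM vendor) drives both checks from one catalogue of RMM products and flags anything outside the approved set as a confirmed indicator, exactly as step 1 says to. It assumes ScreenConnect is the one sanctioned tool, a simple "timestamp host destination port" egress log format, and an illustrative mapping of products to vendor domains; the real agent endpoints must come from each vendor's documentation, and the inventory and log lines are constructed.

```python
"""Allowlist audit for remote-management (RMM) tooling.

One catalogue of RMM products feeds two checks:
  1. endpoint software inventory -> any RMM product outside the allowlist
  2. egress/DNS logs             -> traffic to vendor clouds of RMM products
                                    we do not use, plus Telegram API traffic
                                    from hosts with no admin role
All input data in this file is constructed for the example.
"""
from dataclasses import dataclass

# The single RMM product this hypothetical organisation has sanctioned.
APPROVED_RMM = {"ScreenConnect"}

# RMM products and the vendor domains their agents call home to.
# ILLUSTRATIVE mapping: before using this for real, take the authoritative
# endpoint lists from each vendor's own documentation.
RMM_VENDOR_DOMAINS = {
    "ScreenConnect": ("screenconnect.com",),
    "Atera": ("atera.com",),
    "AnyDesk": ("anydesk.com",),
    "SimpleHelp": ("simple-help.com",),
    "Syncro": ("syncromsp.com",),
}

# Non-RMM service the article names as a MuddyWater command-and-control channel.
C2_WATCHLIST = {"api.telegram.org": "Telegram Bot API"}


@dataclass(frozen=True)
class Finding:
    host: str
    severity: str   # "confirmed" (treat as compromise) or "suspicious"
    detail: str


def _matches(fqdn: str, domain: str) -> bool:
    """True when fqdn equals domain or is a subdomain of it (case-insensitive)."""
    fqdn, domain = fqdn.lower().rstrip("."), domain.lower()
    return fqdn == domain or fqdn.endswith("." + domain)


def rmm_for_domain(fqdn: str):
    """Name of the RMM product whose vendor cloud fqdn belongs to, else None."""
    for tool, domains in RMM_VENDOR_DOMAINS.items():
        if any(_matches(fqdn, d) for d in domains):
            return tool
    return None


def audit_inventory(inventory):
    """inventory: iterable of (hostname, installed-program display name).

    Any RMM product not on the allowlist is reported as a confirmed
    compromise indicator, which is how the article says to treat it.
    """
    findings = []
    for host, program in inventory:
        for tool in RMM_VENDOR_DOMAINS:
            if tool.lower() in program.lower() and tool not in APPROVED_RMM:
                findings.append(Finding(host, "confirmed",
                                        f"unauthorised RMM tool installed: {program}"))
    return findings


def audit_egress(log_lines, admin_hosts):
    """log_lines: 'ISO-timestamp host dst_fqdn dst_port' (constructed format).
    admin_hosts: hostnames whose Telegram traffic is expected and not alerted on.
    """
    findings = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue            # skip malformed lines rather than abort the audit
        _ts, host, dst, _port = parts
        tool = rmm_for_domain(dst)
        if tool is not None:
            if tool not in APPROVED_RMM:
                findings.append(Finding(host, "confirmed",
                                        f"egress to {tool} cloud ({dst}) but {tool} is not approved"))
            continue
        if dst.lower() in C2_WATCHLIST and host not in admin_hosts:
            findings.append(Finding(host, "suspicious",
                                    f"{C2_WATCHLIST[dst.lower()]} traffic from non-admin host ({dst})"))
    return findings


# Constructed sample data for a stand-alone run.
SAMPLE_INVENTORY = [
    ("WS-042", "ConnectWise ScreenConnect Client"),   # approved tool, no finding
    ("WS-042", "Microsoft 365 Apps for business"),
    ("WS-017", "Atera Agent"),                        # not approved -> confirmed
    ("SRV-FILE01", "AnyDesk"),                        # not approved -> confirmed
]
SAMPLE_EGRESS = [
    "2026-03-02T09:14:05 WS-042 relay.screenconnect.com 443",
    "2026-03-02T09:14:07 WS-017 agent.atera.com 443",
    "2026-03-02T09:15:11 SRV-FILE01 api.telegram.org 443",
    "2026-03-02T09:15:30 IT-ADMIN01 api.telegram.org 443",
    "2026-03-02T09:16:02 WS-042 login.microsoftonline.com 443",
    "malformed line that should be skipped",
]
SAMPLE_ADMIN_HOSTS = {"IT-ADMIN01"}

if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY) + audit_egress(SAMPLE_EGRESS, SAMPLE_ADMIN_HOSTS):
        print(f"[{f.severity.upper():10}] {f.host}: {f.detail}")
```

The inventory feed would normally come from your endpoint management or EDR export and the egress feed from DNS or proxy logs; the matching is deliberately on the vendor's registrable domain so that any agent subdomain is caught, while a look-alike such as `notscreenconnect.com` is not.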
5. Apply application allowlisting in user contexts. Users should not be able to install software without authorization. Windows AppLocker or Windows Defender Application Control (WDAC) can prevent executables from running in user-writable directories like Downloads, Desktop, and AppData. This blocks the most common delivery mechanism: a phishing email delivers an installer, the user downloads and runs it. If the policy prevents execution from that directory, the chain breaks.
6. Train on context, not content. Your phishing training needs to evolve past "look for typos." 82% of phishing emails are now AI-generated with perfect grammar and industry-specific language. Train your people to question unexpected requests regardless of how legitimate the email looks. An email from a known vendor asking you to install software or click a link should trigger a phone call to verify, not a click to comply.
# Know the threat. Build the defense.
MuddyWater isn't coming for your 50-person company. But the criminal groups using their exact techniques are. Phishing from compromised accounts and abusing legitimate remote management tools aren't nation-state secrets anymore. They're commodity attack techniques available to anyone willing to pay for access on criminal forums.
The defenses aren't complicated. Allowlist your RMM tools. Lock down email authentication. Block unauthorized software installation. Monitor your outbound traffic. Train your people on the threats that actually exist in 2026, not the ones from five years ago.
The threat landscape isn't abstract. It's specific actors using specific techniques against specific weaknesses. When you understand who attacks and how they do it, you stop guessing and start defending.
# Further reading
- CISA/FBI/CNMF Advisory AA22-055A - the formal MuddyWater attribution to MOIS
- MITRE ATT&CK: MuddyWater (G0069) - full TTP mapping
- CISA: Living off the Land Guidance - detecting and mitigating LotL techniques
- Microsoft WDAC - application control for Windows
- DMARC.org - email authentication implementation guide