Mapping the Infrastructure and Malware Ecosystem of MuddyWater www.group-ib.com/blog/mudd…
Since early 2025, Group-IB analysts have observed that MuddyWater, known as an Iranian state-sponsored Advanced Persistent Threat (APT) group, remains active across the Middle East and Europe, with a notable surge in activity within the European region.
Our latest analysis of the group’s activities has revealed new intelligence regarding recent shifts in their operational characteristics and arsenal.
The group has significantly scaled back its widespread intrusions built on Remote Monitoring and Management (RMM) software, reverting to a more targeted operational approach. Although RMM software continues to be employed, the group has increasingly relied on custom-developed backdoors such as Phoenix and StealthCache, in addition to PowerShell-based backdoors.