Morning Overview

MuddyWater — Iran’s state-sponsored hackers — are now using ransomware to hide espionage operations inside U.S. networks

In February 2022, U.S. and British intelligence agencies took the unusual step of jointly naming an Iranian hacking group called MuddyWater as a direct arm of Tehran’s government and publishing a machine-readable package of digital fingerprints so any network defender could hunt for the group’s presence. In the years since, MuddyWater has not slowed down. It has retooled repeatedly, cycling through custom command-and-control frameworks and, according to multiple threat intelligence firms tracking the group through early 2025, layering destructive or disruptive techniques on top of its core espionage mission. That pattern of blending ransomware-style disruption with quiet data theft has made MuddyWater one of the harder adversaries for American organizations to detect and classify correctly.

The 2022 advisory that changed the baseline

On February 24, 2022, the UK National Cyber Security Centre and the U.S. Cybersecurity and Infrastructure Security Agency published a joint advisory formally attributing MuddyWater’s campaigns to Iranian government sponsorship. That language carried weight. Moving the group out of the “suspected” column and into a formal government finding gave targeted organizations legal and diplomatic footing they previously lacked when deciding how to respond to an intrusion.

“This advisory is designed to provide the cybersecurity community with the tools to identify and defend against this threat,” a CISA spokesperson said at the time of the release, underscoring the agency’s intent to move beyond passive warnings.

The advisory’s most practical contribution was a malware analysis package focused on an implant called Small Sieve, released in STIX 2.1 format. STIX (Structured Threat Information Expression) is a standardized language for sharing threat intelligence that security platforms can ingest automatically. Instead of forcing analysts to manually extract indicators from a PDF, the agencies handed defenders a file they could drop into tools like MISP or commercial threat intelligence platforms and begin scanning historical and live traffic for matches within hours.

The full bundle, hosted on the NCSC advisory page, included the narrative report, indicators of compromise, and the STIX data package as direct downloads. For a network administrator at a water utility, a hospital IT team, or a defense contractor’s security operations center, the message was blunt: load these indicators, search your logs, and find out whether MuddyWater has already touched your environment.

How the group has evolved since then

MuddyWater did not sit still after its infrastructure was exposed. Researchers at Deep Instinct documented the group deploying a new command-and-control framework called PhonyC2 through 2023, built to replace tools burned by the joint advisory. By late 2023 and into 2024, Group-IB and other firms tracked a further iteration dubbed MuddyC2Go, a Golang-based framework that gave operators more flexibility and made detection harder for signature-based tools still keyed to the 2022 indicators.

“They retool faster than most state groups we track,” one senior analyst at a major threat intelligence firm noted in a May 2025 briefing, speaking on condition of anonymity because the research had not yet been published. “Every time a framework gets burned, a replacement shows up within months.”

Throughout this evolution, the group’s targeting has remained consistent: telecommunications, government, oil and gas, and defense sectors across the Middle East, South Asia, and North America. What has shifted is the operational playbook. Multiple private-sector analyses describe MuddyWater deploying disruptive payloads alongside its espionage implants. The effect is strategic ambiguity. When a victim sees ransomware on its screens, the instinct is to treat the event as a criminal shakedown. Meanwhile, a quieter implant on a different network segment may be siphoning sensitive data back to Tehran.

That blended approach is not unique to MuddyWater. Russian and Chinese state-linked groups have used similar tactics. But MuddyWater’s persistence and its documented willingness to retool quickly make it a particularly difficult adversary for organizations that assume a ransomware incident is “just” a criminal problem.

[Figure: Visual timeline of MuddyWater’s command-and-control framework evolution, 2022 to 2024, from Small Sieve (2022) through PhonyC2 (2023) to MuddyC2Go (2024). Each replacement followed public exposure of the previous toolset.]

What the evidence does and does not prove

The 2022 advisory established that MuddyWater is conducting espionage with Iranian government backing. It cataloged the group’s tools and infrastructure in granular detail. What it did not include was a step-by-step reconstruction of a single intrusion where a ransom note appeared on one set of machines while Small Sieve quietly beaconed from another segment. The inference that ransomware serves as cover for espionage is drawn from the group’s documented habit of deploying multiple tool families in parallel, not from a published case study walking through both activities side by side.

Attribution also has limits. The advisory identifies MuddyWater as government-sponsored but does not name a specific military unit or intelligence directorate. Private firms, including Mandiant and ClearSky, have linked the group to Iran’s Ministry of Intelligence and Security (MOIS), but the joint advisory stops short of that specificity. Readers should treat the government-sponsored label as the confirmed floor of attribution, not a complete organizational chart.

Neither CISA nor the NCSC named specific U.S. victim organizations or described confirmed data sets that MuddyWater successfully stole. Agencies routinely withhold victim details to protect ongoing investigations and avoid revealing which footholds have been discovered. That practice is standard, but it leaves outside observers unable to gauge whether the advisory reflects a handful of intrusions or a broad campaign touching dozens of organizations.

Practical steps for defenders through mid-2026

The 2022 STIX indicators remain a useful starting point, but they are not sufficient on their own. MuddyWater has rotated infrastructure and tools multiple times since then. Defenders should supplement the original package with updated indicator feeds from CISA’s ongoing advisories and from commercial threat intelligence providers tracking the group’s newer frameworks like PhonyC2 and MuddyC2Go.

Start by ingesting all available indicators into security information and event management (SIEM) systems and endpoint detection platforms. Run retroactive searches across at least six months of logs, focusing on outbound connections to listed domains, execution of files matching provided hashes, and lateral movement activity clustered around the same timeframe. Even in environments without advanced tooling, administrators can use basic command-line queries and firewall logs to check for known command-and-control infrastructure.
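As an added example (not code from the advisory or the article), the following Python ingests a STIX 2.1 indicator bundle of the kind described above and runs the retroactive log search the previous paragraph recommends. The bundle, its domain and hash values, and the log lines are constructed placeholders, not the published MuddyWater indicators.

```python
import json
import re

# Added example, not code from the advisory. The bundle below is a constructed
# STIX 2.1 fragment with placeholder values, not the 2022 MuddyWater indicators.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern_type": "stix", "valid_from": "2022-02-24T00:00:00Z",
         "pattern": "[domain-name:value = 'c2.placeholder.invalid']"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern_type": "stix", "valid_from": "2022-02-24T00:00:00Z",
         "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"},
    ],
})

# One "object:property = 'value'" comparison inside a STIX pattern expression.
_COMPARISON = re.compile(r"([\w-]+:[\w.'-]+)\s*=\s*'([^']+)'")

def extract_indicators(bundle_json):
    """Map each literal value in the bundle's indicator patterns to its STIX property."""
    found = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue  # skip relationships, malware objects, and non-STIX pattern types
        for prop, value in _COMPARISON.findall(obj["pattern"]):
            found[value.lower()] = prop  # lower-case so hostnames and hashes match regardless of case
    return found

def search_logs(indicators, log_lines):
    """Retroactive search: (line number, property, value) for every indicator seen in the logs."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        lowered = line.lower()
        hits.extend((lineno, prop, value) for value, prop in indicators.items() if value in lowered)
    return hits

# Constructed log lines: two DNS queries and one EDR process-creation event.
SAMPLE_LOGS = [
    "2022-03-01T08:12:44Z dns client=10.0.5.21 query=mail.corp.internal rcode=NOERROR",
    "2022-03-01T08:13:02Z dns client=10.0.5.21 query=C2.placeholder.invalid rcode=NOERROR",
    "2022-03-01T08:13:09Z edr host=WS-21 event=process_create sha256=" + "ab" * 32,
]

if __name__ == "__main__":
    for lineno, prop, value in search_logs(extract_indicators(SAMPLE_BUNDLE), SAMPLE_LOGS):
        print(f"log line {lineno}: {prop} = {value}")
```

In practice the bundle would be the downloaded STIX file and the log lines would come from the SIEM export; the parser handles only simple equality comparisons, which is what hash and domain indicators use.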

[Figure: Recommended detection workflow for organizations hunting MuddyWater activity in their environments as of May 2026: ingest STIX indicators, run retroactive log searches, audit exfiltration channels, and escalate any matches to incident response.]

Because MuddyWater is fundamentally an espionage actor, organizations should also audit their monitoring for data exfiltration: unusually large transfers to external IP addresses, encrypted tunnels running over nonstandard ports, and repeated access to sensitive file shares by accounts that normally do not touch that data. The group’s use of blended operations means defenders should not assume that the absence of visible ransomware equates to safety.

Leadership teams should revisit incident response plans with a specific scenario in mind: a state-linked intrusion that masquerades as a criminal ransom event. Legal, communications, and executive stakeholders need to understand that paying a ransom in such a case may not resolve the underlying espionage problem and could trigger sanctions exposure under U.S. Treasury Department guidelines. The Office of Foreign Assets Control (OFAC) has repeatedly warned that ransomware payments to sanctioned entities or jurisdictions can carry civil penalties regardless of whether the payer knew the attacker’s identity. Having those conversations before an alert fires saves critical hours.

How MuddyWater’s dual-use playbook is reshaping U.S. network defense priorities

The willingness of U.S. and UK agencies to formally attribute MuddyWater and publish actionable indicators set a precedent that has since been repeated for other state-linked groups. Publishing a full indicator package effectively turns every network defender into a sensor in the broader intelligence effort. It also raises costs for the adversary, forcing infrastructure and tool rotation every time defenders begin blocking known signatures.

But the advisory also underscores how much remains opaque. Without public victim lists, damage assessments, or detailed case reconstructions, outside observers must piece together the campaign’s scope from fragments spread across government alerts and private-sector research. The picture is richer now than it was in 2022, but it is still incomplete.

For organizations that want to contribute to closing that gap, the NCSC’s incident reporting channel and CISA’s own reporting portal offer ways to share suspected MuddyWater activity back to government analysts. That feedback loop, where government publishes indicators, defenders hunt and report, and agencies refine their understanding, is the mechanism that will determine how quickly the full scope of this campaign comes into focus. For any organization operating critical infrastructure or handling sensitive data as of June 2026, the only reliable way to know whether MuddyWater has been inside your network is to load the indicators, search your logs, and treat any match as grounds for immediate investigation.


*This article was researched with the help of AI, with human editors creating the final content.