The PolySwarm Blog

Muddy Water Uses SloughRAT in Recent Campaigns

Mar 17, 2022 1:21:56 PM / by PolySwarm Tech Team

Iranian threat actor group Muddy Water has been very active in the last few months. In February, CISA issued an alert warning that the group was conducting a campaign targeting global government and commercial networks. Earlier this month, Cisco’s Talos Intelligence published a blog post on Muddy Water activity targeting Turkey and other countries.

Who is Muddy Water?

Muddy Water, also known as Static Kitten, is an Iranian threat actor group active since at least 2017. The group has historically targeted entities in the Middle East but has been known to target other regions as well. Muddy Water primarily conducts espionage campaigns but has also been known to engage in intellectual property theft and ransomware attacks. US Cyber Command has linked the group’s activities to Iran’s Ministry of Intelligence and Security (MOIS). Cisco assessed that Muddy Water is a conglomerate of multiple teams operating independently. Muddy Water TTPs include social engineering, spearphishing, maldocs, LOLBins, Small Sieve, PowGoop, Mori backdoor, Covicli backdoor, Canopy/SloughRAT, Empire, Powerstats/Powermud backdoor, and others. Cisco calls them “extremely motivated and persistent.”

What is SloughRAT?

Cisco said a Muddy Water campaign in January targeted Turkish entities using maldocs and executable-based infection chains. In a more recently observed campaign, Cisco saw Muddy Water targeting Turkey and countries in the Arabian Peninsula with maldocs delivering a Windows Script File (WSF)-based RAT, dubbed SloughRAT. SloughRAT is referred to as Canopy in the above-referenced CISA alert.

According to Cisco, the SloughRAT script uses multilayer obfuscation to hide its true extensions and needs a function name as an argument to properly execute. SloughRAT gathers system information and registers the system with the C2, which is hardcoded into the implant. SloughRAT’s capabilities include information gathering and receiving commands from the C2. In some attacks, Muddy Water used SloughRAT to deploy Ligolo, an open-source reverse tunneling tool. Cisco also discovered two more script-based implants used in these campaigns: one written in JavaScript and one written in Visual Basic.

PolySwarm has multiple samples of malware associated with recent Muddy Water activity. Below is a selection of IOCs of those samples.

You can use the following CLI command to search for all Muddy Water samples in our portal:

$ polyswarm link list -f MuddyWater


Topics: Threat Bulletin, Espionage, Iran, Muddy Water, Static Kitten, SloughRAT, Canopy