Static Kitten is the name assigned by the cybersecurity firm CrowdStrike to a state-sponsored threat actor widely assessed to operate on behalf of Iranian intelligence services. The same cluster of activity is tracked by other vendors under aliases including MuddyWater (Trend Micro, Kaspersky), Mercury (Microsoft), Seedworm (Symantec/Broadcom), and TA450 (Proofpoint). In January 2022, U.S. Cyber Command publicly attributed MuddyWater to Iran's Ministry of Intelligence and Security (MOIS).
The group has been active since at least 2017 and is primarily associated with cyber-espionage rather than destructive or financially motivated operations, though some campaigns have overlapped with data-leak and influence activity. Its typical targets include government ministries, telecommunications providers, oil and gas firms, defense contractors, and NGOs across the Middle East — particularly in Iraq, Saudi Arabia, the UAE, Jordan, Turkey, and Israel — as well as entities in Europe, North America, and South Asia.
Static Kitten's tradecraft is characterized by:
- Spear-phishing lures, often weaponized Microsoft Office documents with malicious macros or remote template injection.
- Use of legitimate remote-management tools such as ScreenConnect (ConnectWise Control) and RemoteUtilities to maintain access while evading detection — a "living-off-the-land" approach flagged by CISA.
- Custom PowerShell-based implants historically dubbed POWERSTATS / Powermud, along with newer loaders and backdoors.
- Frequent use of compromised or attacker-controlled cloud and file-sharing infrastructure for staging.
In February 2022, CISA, the FBI, U.S. Cyber Command's Cyber National Mission Force, and the UK's NCSC jointly published an advisory (AA22-055A) detailing MuddyWater tools and tactics and explicitly linking the group to MOIS. The advisory remains a primary open-source reference for defenders.
For policy researchers, Static Kitten is a useful case study in how mid-tier state cyber actors blend commercial software, social engineering, and modest custom malware to sustain long-running regional espionage campaigns.
Example
In February 2022, CISA and the UK's NCSC issued joint advisory AA22-055A attributing Static Kitten (MuddyWater) operations to Iran's Ministry of Intelligence and Security.
Frequently asked questions
Yes. Static Kitten is CrowdStrike's name for the same actor that Trend Micro and Kaspersky call MuddyWater, Microsoft calls Mercury, and Symantec calls Seedworm.
Keep learning