2026-03-20 | APT Groups and Nation-State Actors | Oracle-42 Intelligence Research
Iranian APT Groups: MuddyWater and Charming Kitten Tactics, Techniques, and Procedures (TTPs) in 2025
Executive Summary: Iranian state-sponsored advanced persistent threat (APT) groups MuddyWater and Charming Kitten have evolved their Tactics, Techniques, and Procedures (TTPs) to exploit modern authentication infrastructures, bypass multi-factor authentication (MFA), and evade detection through sophisticated social engineering and fileless attack methodologies. Leveraging tools such as Evilginx, these groups demonstrate increased operational resilience and adaptability in targeting government, defense, and critical infrastructure sectors. This analysis examines their current operational patterns, highlights key attack vectors, and provides strategic recommendations for defense and mitigation.
Key Findings
MuddyWater and Charming Kitten are actively using Evilginx-based adversary-in-the-middle (AiTM) attacks to bypass MFA via compromised Single Sign-On (SSO) portals.
Both groups employ advanced social engineering, often impersonating legitimate IT support or HR personnel, to deliver malicious payloads.
Evilginx attacks are resistant to standard security scanners due to their reliance on reverse proxy architecture and encrypted communication channels.
Recent campaigns show alignment with geopolitical events, including coordinated attacks during international summits to maximize impact.
Fileless and living-off-the-land techniques are increasingly used to evade endpoint detection and response (EDR) solutions.
Evolution of Attack Infrastructure: The Rise of Evilginx and AiTM
In 2025, Iranian APT groups have increasingly adopted Evilginx, an open-source man-in-the-middle (MitM) toolkit, to intercept credentials and session tokens during login processes. Unlike traditional phishing, which relies on credential harvesting, Evilginx enables threat actors to bypass MFA by capturing session cookies directly from legitimate authentication flows.
This technique is particularly effective against organizations using SSO solutions such as Microsoft Entra ID (formerly Azure AD), Okta, or Google Workspace. By hosting a proxied copy of the login page on a domain resembling the target organization’s SSO portal (e.g., login.corp-company.com), attackers trick users into entering their credentials and MFA codes, which are relayed in real time to the legitimate service. The victim sees a successful login and proceeds normally, while the attacker holds the session cookie the service issued and gains persistent access.
Tactics, Techniques, and Procedures (TTPs) of MuddyWater and Charming Kitten
MuddyWater: Operational Agility and Rapid Tooling
MuddyWater, linked to Iran’s Ministry of Intelligence and Security (MOIS), has demonstrated a high degree of operational agility. Recent campaigns reveal:
Spear-phishing lures: Emails impersonating HR departments or IT support, urging users to update credentials or confirm access to internal systems.
Living-off-the-land binaries (LOLBins): Use of legitimate Windows utilities such as PowerShell, CertUtil, and mshta to download and execute payloads without writing to disk.
Modular malware families: Deployment of custom PowerShell scripts (e.g., "PowGoop") and .NET-based loaders to maintain persistence and evade antivirus.
Infrastructure agility: Rapid domain registration and use of bulletproof hosting providers in countries with limited law enforcement cooperation.
Charming Kitten: Precision Targeting and Geopolitical Alignment
Charming Kitten (also known as APT35 or Phosphorus), attributed to the Islamic Revolutionary Guard Corps (IRGC), has refined its targeting to align with Iran’s strategic interests. Observed behaviors include:
Highly tailored phishing content: Messages referencing regional conflicts, sanctions, or diplomatic meetings to increase credibility.
Exploitation of VPN and SSO misconfigurations: Targeting organizations with exposed admin portals or outdated authentication policies.
Use of open-source intelligence (OSINT): Profiling targets via LinkedIn, corporate websites, and leaked datasets to craft personalized lures.
Post-compromise persistence: Establishing backdoors via legitimate remote management tools (e.g., AnyDesk, TeamViewer) to blend with normal administrative traffic.
Evasion and Detection Challenges
The integration of Evilginx into MuddyWater and Charming Kitten operations presents unique detection challenges:
Stealth communication: Evilginx uses HTTPS and mimics legitimate domains, making traffic appear normal in network logs.
No malicious artifacts: Since the attack occurs in the browser or via proxied authentication, traditional endpoint scanning may miss indicators.
User trust exploitation: Victims often do not realize an attack occurred until unauthorized access is detected via behavioral anomalies.
To counter this, organizations must adopt a defense-in-depth strategy that includes:
Monitoring for unusual login locations or device fingerprints.
Enforcing FIDO2/WebAuthn-based MFA, which binds each authentication to the legitimate origin and so resists session token interception by a relaying proxy.
Deploying browser-level security extensions that detect phishing domains and certificate anomalies.
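Why FIDO2/WebAuthn defeats the relay described above, as an added example that is not code from the original report: the relying-party checks that fail for a login proxied through a look-alike domain. The RP ID sso.example.com and the constructed clientDataJSON/authenticatorData are assumptions; login.corp-company.com is the example domain from the text.

```python
import base64
import hashlib
import json

# Constructed example values (hypothetical relying party; not from any real deployment).
RP_ID = "sso.example.com"                      # RP ID the credential was registered for
ALLOWED_ORIGINS = {"https://sso.example.com"}  # origins the relying party accepts

def b64url_decode(s):
    """Decode unpadded base64url, the encoding WebAuthn uses for clientDataJSON."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def verify_assertion_binding(client_data_b64, auth_data, expected_challenge):
    """Relying-party checks that make a relayed (AiTM) WebAuthn login fail.
    The browser writes `origin` itself and the authenticator signs over it, so a
    proxy on a look-alike domain cannot substitute the real origin. Signature
    verification over authData || sha256(clientDataJSON) is omitted for brevity."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin %r not allowed" % client_data.get("origin")
    # authenticatorData starts with sha256(rpId); it must match the registered RP ID.
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"

def make_client_data(origin, challenge):
    """Build clientDataJSON the way a browser on `origin` would (simulation)."""
    payload = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return base64.urlsafe_b64encode(json.dumps(payload).encode()).decode().rstrip("=")

def make_auth_data(rp_id):
    """Minimal authenticatorData: rpIdHash (32 bytes) + flags (1) + signCount (4)."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"

CHALLENGE = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # constructed; real RPs use a fresh random value

# Genuine login: the victim's browser is really on the SSO origin.
genuine = verify_assertion_binding(
    make_client_data("https://sso.example.com", CHALLENGE), make_auth_data(RP_ID), CHALLENGE)
# Relayed login: the browser is on the AiTM domain from the text, so it records that
# origin, and the only RP ID it may use is one derived from that domain.
relayed = verify_assertion_binding(
    make_client_data("https://login.corp-company.com", CHALLENGE),
    make_auth_data("corp-company.com"), CHALLENGE)
```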
Geopolitical Context and Campaign Timing
Recent reporting indicates that Iranian APT operations are increasingly synchronized with international events. For example, campaigns targeting Ukrainian government entities coincided with NATO summits, suggesting a strategy to influence diplomatic outcomes or gather intelligence on allied responses. Similarly, MuddyWater has been observed targeting Middle Eastern governments and NGOs during periods of heightened regional tension.
This pattern underscores the need for threat intelligence teams to correlate operational timelines with geopolitical developments to anticipate and preempt attacks.
Recommendations for Defenders
To mitigate risks from MuddyWater, Charming Kitten, and similar APT groups using advanced AiTM techniques, organizations should implement the following controls:
Technical Controls
Enforce phishing-resistant MFA: Replace SMS and app-based 2FA with FIDO2/WebAuthn or hardware tokens.
Monitor for Evilginx indicators: Deploy DNS filtering to block known malicious domains and use browser extensions to detect cloned login pages.
Implement continuous authentication: Use behavioral biometrics and session anomaly detection to identify hijacked sessions.
Restrict lateral movement: Segment networks, enforce least-privilege access, and monitor for unusual RDP or VPN connections.
Deploy deception technology: Use honey tokens in authentication logs to detect unauthorized access attempts.
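The login-location monitoring and session anomaly detection recommended above, as an added example that is not from the original report: two AiTM signals run over constructed sign-in telemetry. The log format, user names, session ids and RFC 5737 addresses are all constructed for this example.

```python
from collections import namedtuple
from datetime import datetime

# One sign-in log record; `event` is "sign_in" (MFA satisfied) or "token_use"
# (the session cookie issued at sign-in is presented again).
SignInEvent = namedtuple("SignInEvent", "ts user session_id event ip user_agent")

def parse_log(lines):
    """Parse the constructed pipe-delimited log format used in this example."""
    events = []
    for line in lines:
        ts, user, sid, event, ip, ua = (f.strip() for f in line.split("|"))
        events.append(SignInEvent(datetime.fromisoformat(ts), user, sid, event, ip, ua))
    return sorted(events, key=lambda e: e.ts)

def detect_hijacked_sessions(events, known_ips_by_user):
    """Return (session_id, reason) findings for two AiTM signals:
    a sign-in from an IP the user has never used (the proxy completes the login,
    not the victim's device), and a session cookie presented from a different
    IP and user agent than the device that satisfied MFA (cookie replay)."""
    findings = []
    origin = {}  # session_id -> (ip, user_agent) seen at the MFA-satisfied sign-in
    for e in events:
        if e.event == "sign_in":
            origin[e.session_id] = (e.ip, e.user_agent)
            if e.ip not in known_ips_by_user.get(e.user, set()):
                findings.append((e.session_id, "sign-in from unfamiliar IP %s" % e.ip))
        elif e.event == "token_use" and e.session_id in origin:
            ip0, ua0 = origin[e.session_id]
            # Require both IP and user agent to change: a phone roaming between
            # networks changes IP only, a replayed cookie normally changes both.
            if e.ip != ip0 and e.user_agent != ua0:
                findings.append((e.session_id, "cookie moved from %s/%s to %s/%s"
                                 % (ip0, ua0, e.ip, e.user_agent)))
    return findings

# Constructed sample telemetry (RFC 5737 documentation addresses, not real logs).
SAMPLE_LOG = [
    "2025-06-03T08:01:10 | alice | s-100 | sign_in   | 198.51.100.20 | Chrome/Win",
    "2025-06-03T08:05:40 | alice | s-100 | token_use | 198.51.100.20 | Chrome/Win",
    "2025-06-03T09:12:03 | bob   | s-200 | sign_in   | 203.0.113.77  | Chrome/Win",
    "2025-06-03T09:40:55 | bob   | s-200 | token_use | 192.0.2.9     | Firefox/Linux",
]
KNOWN_IPS = {"alice": {"198.51.100.20"}, "bob": {"198.51.100.21"}}

def run_example():
    """Alice's session is clean; Bob's shows both AiTM signals."""
    return detect_hijacked_sessions(parse_log(SAMPLE_LOG), KNOWN_IPS)
```

In production the "known IP" baseline would come from the identity provider's sign-in history per user, and the fingerprint would include more than the user agent string.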
Process and Governance
Conduct regular phishing simulations: Train users to recognize sophisticated spear-phishing attempts, including SSO credential harvesting.
Enhance incident response playbooks: Include AiTM and session hijacking scenarios with clear containment and recovery steps.
Engage threat intelligence partners: Subscribe to feeds that track Iranian APT infrastructure and TTPs in real time.
Review SSO and VPN policies: Ensure multi-factor authentication is enforced for all admin and remote access portals.
Conclusion
MuddyWater and Charming Kitten represent a persistent and evolving threat from Iran, leveraging modern authentication bypasses and fileless techniques to maintain operational effectiveness. The adoption of Evilginx-based AiTM attacks signifies a shift toward more sophisticated, harder-to-detect intrusion methods. Organizations must move beyond traditional perimeter defenses and adopt a zero-trust architecture grounded in phishing-resistant authentication, continuous monitoring, and rapid incident response.
In the face of geopolitically motivated cyber operations, proactive threat hunting and intelligence-driven defense are essential to detect and deter these adversaries before they achieve their objectives.
FAQ
What is Evilginx and why is it so effective against MFA?
Evilginx is an open-source man-in-the-middle framework that intercepts user credentials and session tokens during login. It is effective against MFA because it captures not just the password but also the second factor (e.g., an SMS code or TOTP token) in real time, relays both to the legitimate service, and then captures the session cookie that service issues, which grants access without re-authenticating. The user remains unaware, as they see a successful login message.