Iranian government-backed threat actor “MuddyWater” targets critical infrastructure in the US

A recent report by Microsoft sheds light on the activities of an Iranian government-backed threat actor known as “Mint Sandstorm.” The group has been identified as being responsible for a series of attacks aimed at critical infrastructure in the US between late 2021 and mid-2022. In this article, we will provide an overview of the threats posed by Mint Sandstorm, the tactics employed by the group, the targets, and the potential consequences of its activities.

Background information on Mint Sandstorm

Mint Sandstorm is the new name assigned to the threat actor previously tracked by Microsoft under the name Phosphorus. According to the company, Mint Sandstorm is associated with the Islamic Revolutionary Guard Corps (IRGC), rather than the Ministry of Intelligence and Security (MOIS). This distinction is important as it suggests that Mint Sandstorm is potentially even more dangerous than previous Iranian-backed threat actors.

Targeted entities

The targets of Mint Sandstorm include a diverse range of critical infrastructure organizations such as seaports, energy companies, transit systems, and a major US utility and gas company. The selection of these targets highlights the importance of these entities to the functioning of society and the potential consequences of a successful attack.

Tactics used by Mint Sandstorm

Mint Sandstorm employs highly-targeted phishing campaigns as a way of gaining initial access to its targets. Once a breach is achieved, the group makes use of two attack chains to further infiltrate the targeted environment. The first chain involves the deployment of a custom PowerShell script, which provides a backdoor for the group’s activities. The second chain uses Impacket to connect to an actor-controlled server and deploy a bespoke implant called Drokbk and Soldier. Finally, Microsoft has highlighted Mint Sandstorm’s use of a modular backdoor called CharmPower as a further indication of the group’s capabilities.

Regarding the capabilities of Mint Sandstorm

The capabilities demonstrated by Mint Sandstorm are particularly concerning due to their potential to conceal communication with command and control servers, persist in a compromised system, and deploy a range of post-compromise tools with varying capabilities. These capabilities mean that Mint Sandstorm has the potential to cause widespread and long-lasting damage.

Iran has accused the US and Israel of masterminding attacks on gas stations in the country as part of a broader campaign aimed at creating unrest in Iran. While there is no direct evidence pointing to the involvement of the US and Israel in these attacks, it is worth noting the political implications of Iran’s accusations.

The threat actor known as “The Mint Sandstorm” and its attacks on critical infrastructure in the US are concerning developments in the world of cybersecurity. The potential consequences of such attacks cannot be overstated, and preventive measures must be taken. As this article has shown, Mint Sandstorm employs advanced tactics and tools to gain access to targeted environments, making it an especially dangerous adversary. The importance of greater cybersecurity measures in critical infrastructure industries is evident, and the advancement of new technologies and safeguards must continue if we are to prevent a potential disaster.

Explore more

Can a Unified ERP System Future-Proof Levi Strauss?

Establishing a seamless digital environment for a brand that spans over a hundred nations is a monumental undertaking that requires more than just standard software updates. Currently, Levi Strauss & Co. is navigating a profound transformation of its digital infrastructure, aiming for a mid-2027 completion of a fully integrated global enterprise resource planning system. This strategic overhaul is not merely

Ethereum Faces $10 Billion Liquidation Risk Near $2,000

The current trajectory of Ethereum suggests a massive collision between aggressive retail speculation and sophisticated institutional sell-side pressure as the asset hovers near the $2,000 psychological threshold. This specific price point has historically served as a pivot for broader market sentiment, influencing the behavior of various decentralized finance protocols and secondary layer-two scaling solutions. Currently, the market exhibits a state

ClickLock Malware Coerces macOS Users to Surrender Passwords

Traditional macOS security architectures have long been celebrated for their robust sandboxing and gated execution, yet a new strain of malware is proving that the human element remains the most vulnerable entry point in any digital ecosystem. This threat, known as ClickLock, has emerged as a particularly aggressive evolution in the macOS threat landscape by prioritizing psychological pressure and social

Stalled Windows 11 Migration Poses Growing Security Risks

The global landscape of enterprise computing is currently grappling with a persistent digital divide as a significant segment of users continues to rely on Windows 10 despite the availability of more secure alternatives. The current ecosystem of digital infrastructure remains tethered to legacy architecture, with recent telemetry indicating that approximately one in six workstations worldwide continues to operate on Windows

How Is OpenAI Redefining AI With Precision Engineering?

The shift from experimental conversationalists to precise engineering tools has fundamentally altered the landscape of digital productivity and high-performance computing in 2026. This transition is marked by a move away from the early excitement surrounding generative models toward a rigorous framework centered on deep optimization and granular control. OpenAI has spearheaded this movement with the introduction of the GPT-5.6 Sol