Iran-Linked MuddyWater Is Targeting UAE Critical Infrastructure with Rust-Based Malware in 2026
MuddyWater, Iran's MOIS-linked APT group, is running an active 2026 campaign targeting UAE government agencies and energy sector operators with Rust-based malware. Here is what defenders need to act on now.

Cybersecurity analyst monitoring critical infrastructure networks in a UAE operations centre as MuddyWater threat activity escalates in 2026
A sustained Iranian state-sponsored campaign is actively targeting UAE government agencies and critical infrastructure operators in 2026, and the threat group behind it has materially upgraded its toolkit to defeat the detection approaches that exposed its earlier operations.
MuddyWater, assessed by US and UK intelligence agencies to operate as a subordinate element of Iran's Ministry of Intelligence and Security (MOIS), is tracked under multiple identifiers including Seedworm, Static Kitten, Mango Sandstorm, and TA450. Researchers from ESET, Rapid7, and Halcyon have documented active MuddyWater operations in the first half of 2026, with confirmed targeting of UAE government entities and energy sector organisations.
This is not the group's first confirmed operation against regional targets. In Q1 2026, MuddyWater conducted a broad espionage campaign that included a Middle East airport among nine targeted organisations across four continents, using DLL side-loading via signed security product binaries to evade detection. The group has also previously been documented using Microsoft Teams as a delivery mechanism in a false flag attack targeting an Oman Ministry and a UAE port. The current 2026 campaign represents a further escalation in both targeting scope and technical sophistication.
The most operationally significant development is the group's adoption of Rust-based malware implants. A tool researchers have named RustyWater replaces the PowerShell-dependent tooling that made earlier MuddyWater activity detectable by conventional endpoint security. Rust-compiled payloads evade signature-based detection more effectively and complicate forensic analysis of infections already established on victim networks.
Alongside RustyWater, the group continues to deploy its MuddyViper, Phoenix, and Dindoor backdoors, and has been observed abusing legitimate remote management platforms including Atera Agent and SimpleHelp to blend command-and-control traffic with routine administrative activity. Exposed operational infrastructure on a Netherlands-based server provided researchers with direct confirmation of active UAE government and energy sector targeting as of early 2026.
Why UAE Critical Infrastructure Is the Primary Target
The UAE's strategic profile makes it one of the highest-priority targets in the MOIS cyber mission set. Its role as a regional financial centre, its hosting of US military assets, its diplomatic normalisation with Israel under the Abraham Accords, and its concentration of energy infrastructure create overlapping Iranian intelligence requirements. The broader pattern of Iranian-linked groups targeting UAE and Saudi aviation infrastructure reinforces that MuddyWater operates within a coordinated ecosystem rather than in isolation.
The current campaign's focus on energy sector operators and government-adjacent technology providers is consistent with a prepositioning objective. MuddyWater operations historically combine credential harvesting and data exfiltration with the establishment of persistent access that could support disruptive operations if strategic priorities shift. The group's documented targeting of internet-connected surveillance cameras with unpatched vulnerabilities adds a dimension consistent with pre-conflict battlefield preparation rather than conventional espionage.
MITRE ATT&CK tracks MuddyWater as G0069, and a 2021 campaign specifically attributed to the group by CISA targeted UAE and Kuwaiti government agencies directly.
What UAE Defenders Must Do Now
Organisations relying on signature-based endpoint detection as their primary layer against MuddyWater are operating with a confirmed detection gap. The group's current tooling is built specifically to defeat those controls. The detection approaches most likely to surface an active intrusion are behavioural analytics, anomaly-based monitoring of legitimate administrative tool usage, and threat-intelligence-led hunting against known MuddyWater indicators of compromise.
For UAE critical infrastructure operators, the advisory posture should be elevated immediately. MuddyWater's interest in operational technology environments creates a threat profile that extends beyond conventional IT security into OT network integrity. Organisations that have not recently validated OT network segmentation, audited third-party remote access pathways, or refreshed threat hunting programmes should treat those gaps as urgent priorities.
The credential harvesting techniques used by MuddyWater also make robust identity security essential. As detailed in our analysis of identity security across GCC enterprises, controlling access and detecting credential misuse is one of the defining challenges for regional security teams in 2026. Pairing that with defences against MFA manipulation, as covered in our MFA prompt bombing analysis, provides the most effective layered response to this category of attack.
Security teams operating in AI-assisted detection environments should validate that behavioural baselines explicitly account for the legitimate administrative tools MuddyWater is abusing as cover.
Key Indicators to Brief Your Security Team On
- Initial access: Spearphishing with PDF attachments linking to files hosted on OneHub, Mega, and similar cloud storage platforms.
- Tooling: RustyWater implant, MuddyViper backdoor, Phoenix backdoor, Dindoor backdoor.
- Command and control: Abuse of Atera Agent, SimpleHelp, and similar legitimate remote management tools.
- Evasion techniques: DLL side-loading, PowerShell obfuscation, Rust-compiled payloads.
- Objective profile: Long-term persistence, credential harvesting, MFA manipulation, data exfiltration, OT reconnaissance.
- Intelligence sources: MITRE ATT&CK G0069, ESET Research December 2025, Rapid7 March 2026, Halcyon 2026 Iranian APT update, Hunt.io March 2026, Rescana UAE Cyber Threat Landscape May 2026.
The current campaign phase appears to be intelligence collection and prepositioning. Whether organisations across the UAE and wider Gulf region are ready when that phase ends is a security operations question that can be answered today.
Omar Al-Hakeem
Senior Cyber Threat Analyst | MENA RegionOmar Al-Hakeem is a cybersecurity researcher specializing in threat intelligence, ransomware trends, and nation-state activity across the Middle East and North Africa. With over 12 years of experience in SOC operations and incident response, he provides deep technical breakdowns of emerging attacks and regional cyber risks. At MENA Cyber Wire, Omar focuses on real-world threat analysis and actionable defense strategies for enterprises and startups.