Iranian state-sponsored threat group MuddyWater, also known as Mercury, Cobalt Ulster, TEMP.Zagros, Yellow Nix, Static Kitten, Earth Vetala, Boggy Serpens, and ITG17, has been collaborating with DEV-1084 in launching attacks against on-premises and cloud infrastructures in a fashion similar to a ransomware campaign, although the attacks were intended to be disruptive and destructive, according to The Hacker News.
"Mercury likely exploited known vulnerabilities in unpatched applications for initial access before handing off access to DEV-1084 to perform extensive reconnaissance and discovery, establish persistence, and move laterally throughout the network, oftentimes waiting weeks and sometimes months before progressing to the next stage," said Microsoft.
Highly privileged credentials have been used by DEV-1084 to facilitate on-premises device encryption and widespread cloud resource deletion, while full email inbox access has enabled "thousands of search activities" that facilitated impersonation attacks. "DEV-1084 [...] presented itself as a criminal actor interested in extortion, likely as an attempt to obfuscate Iran's link to and strategic motivation for the attack," Microsoft added.
Several U.S. defense and government organizations have been targeted by state-backed Chinese hacking group Bronze Silhouette, also known as Volt Typhoon, for military intelligence over a period of at least two years, according to The Record, a news site by cybersecurity firm Recorded Future.
Russian, North Korean, and Iranian advanced persistent threat operations have been launching more attacks aimed at compromising small- and medium-sized businesses, as well as their regional managed service providers, reports SecurityWeek.
Separate cyberattacks have been launched by Iranian advanced persistent threat groups against Israel-based entities, according to The Record, a news site by cybersecurity firm Recorded Future.