An Iranian cyberattack group known as Seedworm, thought to be linked to Iran's government, has started using new tools, including a custom download utility and commodity ransomware, in attacks on a wide range of targets, including companies and government agencies in the broader Middle East region.

Seedworm, also known as MuddyWater, is deploying commodity ransomware as part of espionage attacks on companies and government agencies in the Middle East. The group continues to be highly active in 2020, and tentative links to the recently discovered PowGoop tool suggest it may be retooling. Attacks were uncovered against targets in Iraq, Turkey, Kuwait, the United Arab Emirates, and Georgia. In addition to some government entities, organizations in the telecoms and computer services sectors were also targeted.

Seedworm was also observed setting up tunnels to its own infrastructure using Secure Socket Funneling (SSF) and Chisel. These tools allow the attackers to configure local and remote port forwarding as well as to copy files to compromised machines. On the same machine where Seedworm was active, a tool known as PowGoop was deployed. This same tool was also deployed against several of the organizations attacked by Seedworm in recent months.
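As an added example, not part of the original report, the detection logic below scans process-creation events for the port-forwarding command shapes that Chisel and SSF accept, so that tunnelling hidden behind a renamed binary still surfaces. The host names, users and command lines are constructed sample data; the tool names and argument shapes are assumed from the two projects' public documentation.

```python
import re

# Constructed sample process-creation events (not real telemetry). The command
# lines follow the documented CLI shape of Chisel ("R:port:host:port" remotes)
# and SSF's ssfc client ("-L"/"-R" with "port:host:port"); all values are made up.
SAMPLE_EVENTS = [
    {"host": "srv-01", "user": "svc_backup",
     "cmd": "chisel client 203.0.113.10:8080 R:3389:127.0.0.1:3389"},
    {"host": "ws-07", "user": "alice",
     "cmd": r"C:\Users\alice\AppData\Local\Temp\update.exe client 203.0.113.10:443 R:3389:127.0.0.1:3389"},
    {"host": "srv-02", "user": "bob", "cmd": "ssfc -R 9050:127.0.0.1:445 203.0.113.10"},
    {"host": "ws-03", "user": "carol", "cmd": "notepad.exe report.txt"},
    {"host": "ws-09", "user": "dave", "cmd": "ssh -L 8080:intranet:80 jump.example.internal"},
]

TUNNEL_TOOLS = {"chisel", "ssfc", "ssfd"}          # default binary names of the two tools
# One forward specification as both tools accept it: [R:][bind:]port:host:port
FORWARD_SPEC = re.compile(r"^(?:R:)?(?:[\w.\-]+:)?\d{1,5}:[\w.\-]+:\d{1,5}$")
# Tools where port-forward syntax is expected; these need allowlisting, not alerting
EXPECTED_FORWARDERS = {"ssh"}

def basename(path):
    """Strip directories and a trailing .exe so renamed copies are compared by name only."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def classify(cmd):
    """Return a reason string when cmd looks like tunnel tooling, else None."""
    argv = cmd.split()
    if not argv:
        return None
    tool = basename(argv[0])
    forwards = [a for a in argv[1:] if FORWARD_SPEC.match(a)]
    reverse = "-R" in argv[1:] or any(a.startswith("R:") for a in forwards)
    suffix = " with reverse forward" if reverse else ""
    if tool in TUNNEL_TOOLS:
        return f"known tunnel tool {tool}{suffix}"
    if forwards and tool not in EXPECTED_FORWARDERS:
        # Attackers rename binaries, so the argument shape is the stronger signal
        return f"port-forward syntax from unexpected binary {tool}{suffix}"
    return None

def scan(events):
    """Return (host, user, reason) for every event that classify() flags."""
    return [(e["host"], e["user"], r) for e in events if (r := classify(e["cmd"]))]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```

The renamed `update.exe` event is flagged on argument shape alone, while the `ssh -L` event is left for allowlist review rather than alerting.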