The Iran-linked threat actor MuddyWater has launched a new, refined campaign targeting multiple Israeli sectors and one confirmed Egyptian organization. ESET researchers uncovered the operation, which uses a new custom backdoor called MuddyViper to steal sensitive data and maintain persistence.
New Backdoor and Targeted Sectors
The campaign targeted various sectors between September 2024 and March 2025, including engineering, local government, manufacturing, technology, transportation, utilities, and universities. MuddyWater, known by several aliases including SeedWorm and Mango Sandstorm, deployed custom tools to bypass defenses.
The core of the attack involves the Fooder loader, which is disguised as a Snake game. This loader is used to run the MuddyViper backdoor, a C/C++ tool capable of:
- Stealing system information and credentials.
- Exfiltrating browser data.
- Allowing arbitrary file execution.
Attackers also deployed CE-Notes and LP-Notes credential stealers, and go-socks5 reverse tunnels in this operation.
Advanced Evasion Techniques
Unlike previous noisy campaigns, this operation was low-profile and avoided interactive sessions. It employed advanced techniques unique to Iran-aligned groups, including the use of the Windows CNG cryptographic API for data encryption and decryption. Both MuddyViper and its loaders use this API.
Furthermore, a key tactic for credential theft involves opening a fake Windows Security dialog box to trick users into entering their login details. This method, along with the game-inspired evasion and reverse tunneling, demonstrates MuddyWater's growing sophistication.
Historically, MuddyWater has often acted as an initial access broker, using spear phishing emails with links to Remote Monitoring and Management (RMM) software. The group continues to rely on PowerShell and Go backdoors, typically targeting telecommunications, government, and energy sectors.
ESET researchers conclude that MuddyWater remains a leading actor in Iranian-nexus activity. The group is evolving by consistently enhancing its campaigns with more advanced tactics, techniques, and procedures, making them increasingly challenging to defend against. US Cyber Command officially linked the MuddyWater APT group to Iran's Ministry of Intelligence and Security (MOIS) in January 2022.