According to a report from Security Affairs, Iran-linked threat actor MuddyWater has been observed conducting a sophisticated campaign against Israeli organizations, deploying a new backdoor named MuddyViper. This operation, which also impacted one Egyptian entity, showcases the group's evolving tactics and advanced evasion techniques.The campaign, active between September 30, 2024, and March 18, 2025, targeted sectors including engineering, local government, manufacturing, technology, transportation, utilities and universities. MuddyWater utilized a custom loader, internally named Fooder, disguised as a Snake game, to deploy the MuddyViper backdoor. This backdoor is capable of stealing system information, credentials and browser data, while also enabling file execution and exfiltration. The attackers also employed CE-Notes and LP-Notes stealers and go-socks5 reverse tunnels. Notably, this operation maintained a low profile, avoiding interactive sessions and leveraging advanced techniques like the CNG Windows cryptographic API, a trait observed in other Iran-aligned groups.This campaign highlights MuddyWater's increasing sophistication and refined approach, moving beyond their historically predictable playbook. The use of new custom tools like Fooder and MuddyViper, combined with techniques such as reverse tunneling, makes their operations more effective and challenging to defend against. The continued reliance on PowerShell and Go backdoors, alongside potential overlaps with other groups like OilRig, suggests a persistent and adaptable threat actor that requires ongoing monitoring and robust cybersecurity defenses from targeted organizations.Source: Security Affairs
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds




