
Echoes Over UDP: MuddyWater’s Covert Backdoor Strikes

Amber | Attack Report

UDPGangster is a stealthy UDP-based backdoor used in MuddyWater espionage campaigns discovered in 2025. It is distributed through convincing phishing emails and malicious Microsoft Word documents that trick users into enabling macros. MuddyWater (also tracked as Seedworm, TEMP.Zagros, Static Kitten, Mercury, TA450, Cobalt Ulster, ATK 51, T-APT-14, ITG17, Mango Sandstorm, Boggy Serpens, Yellow Nix, and G0069) has used it against targets in Turkey, Israel, and Azerbaijan. Once activated, the backdoor installs itself on Windows systems, runs extensive anti-analysis checks to evade virtual machine and sandbox analysis, and gathers system details while hiding behind decoy images and layered obfuscation. It establishes persistence, communicates with its command-and-control server over UDP port 1269, and supports remote commands for file theft, remote execution, and additional payload delivery. The linked campaigns against Turkey, Israel, and Azerbaijan share command-and-control infrastructure, decoy documents, and malware code patterns, pointing to a coordinated Iranian espionage operation that combines social engineering, anti-analysis techniques, and custom UDP-based backdoor tooling to infiltrate regional targets with precision and stealth.

Attack Details

UDPGangster: MuddyWater’s UDP-Based Backdoor Malware

UDPGangster is a UDP-based backdoor tied to the Iran-aligned MuddyWater threat group, which is also tracked as Seedworm, TEMP.Zagros, Static Kitten, Mercury, TA450, Cobalt Ulster, ATK 51, T-APT-14, ITG17, Mango Sandstorm, Boggy Serpens, Yellow Nix, and G0069. The backdoor gives MuddyWater operators quiet but powerful control over compromised Windows machines: they can run remote commands, steal files, and deploy additional payloads, while the UDP command-and-control channel blends into network traffic that conventional network security controls often do not inspect closely. Security researchers recently uncovered multiple coordinated campaigns distributing UDPGangster through malicious Microsoft Word documents laced with VBA macros. These MuddyWater espionage operations have primarily targeted users in Turkey, Israel, and Azerbaijan for intelligence collection.

Sophisticated Phishing Campaign Imitates Turkish Government

The phishing email at the center of this MuddyWater UDPGangster activity imitates an official communication from the Turkish Republic of Northern Cyprus Ministry of Foreign Affairs. Written in formal Turkish and carefully crafted to resemble legitimate government correspondence, the email invites recipients to an online seminar. Two files are attached, seminar.doc and seminar.zip, both designed to lure victims into enabling malicious macro content. The ZIP archive contains the same malicious document as the standalone Word file. Once opened, the document prompts the user to “Enable Content,” a classic social engineering tactic used to trigger the hidden VBA code embedded in it.

VBA Macro Dropper Deploys UDPGangster Backdoor Payload

Once the victim enables macros, the VBA script embedded in the malicious Word document acts as a dropper for the UDPGangster backdoor. In the Document_Open() event handler, the dropper decodes Base64-encoded content stored in a concealed form field and writes the decoded payload to C:\Users\Public\ui.txt. It then calls the Windows CreateProcessA API to execute that file, activating the UDPGangster backdoor on the compromised system. The VBA script also includes a subroutine called SmartToggle(), which flips between two overlay images to distract the user with harmless-looking content while the backdoor runs in the background. Interestingly, despite the phishing email’s Turkish government theme, the displayed decoy image referenced internet outages in Israel, a mismatch that hints at broader MuddyWater targeting beyond the immediate Turkish phishing audience.

UDPGangster Establishes Persistence and Evades Analysis

Once deployed on a Windows system, UDPGangster establishes persistence by copying itself to the %AppData%\RoamingLow directory as SystemProc.exe and adding that path to a Windows registry key so the backdoor runs at startup. The backdoor creates a mutex to avoid running multiple instances simultaneously and then launches a comprehensive series of anti-analysis checks. These anti-virtualization routines inspect CPU core count, RAM size, MAC address prefixes, workgroup configuration, disk and baseboard hardware identifiers, Windows registry signatures, and even filenames, each chosen to detect the virtualization or sandbox environments commonly used by security researchers. If the host passes these checks, UDPGangster collects host details such as computer name, Windows OS version, username, and domain/workgroup information. This reconnaissance data is encoded with a ROR (rotate-right) transformation and sent to the command-and-control server over UDP port 1269.
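One way to hunt for the persistence artefact described above in an exported registry file, as an added example that is not part of the advisory: it parses reg.exe export format and flags Run-key values that launch RoamingLow\SystemProc.exe. It assumes the autostart key is a Run/RunOnce key (the advisory maps persistence to T1547.001 but does not name the exact key), and the sample export, user name and OneDrive entry are constructed.

```python
# Hunt an exported Windows registry file (.reg) for the UDPGangster autostart
# entry. Added example, not from the Hive Pro advisory. Assumption: the
# registry key used is a Run/RunOnce key (the advisory maps persistence to
# ATT&CK T1547.001 but does not name the exact key).
import re

# Artefact from the advisory: the backdoor copies itself to
# %AppData%\RoamingLow\SystemProc.exe and registers that path for autostart.
SUSPECT_PATH_SUFFIX = r"\roaminglow\systemproc.exe"
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample in reg.exe export format; the user name and the OneDrive
# entry are made up, only the RoamingLow\SystemProc.exe path is from the advisory.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"SystemProc"="C:\\Users\\alice\\AppData\\Roaming\\RoamingLow\\SystemProc.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
"""

def unescape_reg(data: str) -> str:
    """reg export doubles backslashes and escapes embedded quotes; undo that."""
    return data.replace('\\"', '"').replace("\\\\", "\\")

def find_persistence(reg_text: str) -> list:
    """Return (key, value name, command) for Run-key string values whose
    command points at the RoamingLow/SystemProc.exe artefact."""
    hits, current_key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]           # a new key section starts
            continue
        m = VALUE_RE.match(line)
        if not (m and current_key and RUN_KEY_RE.search(current_key)):
            continue                           # not a string value in a Run key
        name, cmd = m.group(1), unescape_reg(m.group(2))
        if SUSPECT_PATH_SUFFIX in cmd.lower():
            hits.append((current_key, name, cmd))
    return hits
```

On a live host the same check is one `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` away; the parser also works on exports from HKLM.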

Infrastructure Links Multiple MuddyWater Campaigns

Further investigation connected this MuddyWater phishing activity to additional malicious documents used in parallel campaigns against Israel and Azerbaijan, which shared command-and-control infrastructure, mutex values, and PDB debugging paths with the Turkish lure. One of the associated IP addresses also appeared in previous MuddyWater attacks involving the Phoenix Backdoor, reinforcing the operational link to the Iran-aligned MuddyWater threat group. More recently, security researchers observed the MuddyWater actor targeting Israel and Egypt to deliver another custom backdoor known as MuddyViper, demonstrating the group’s continued evolution and expansion of custom malware tooling for espionage operations.

Recommendations

Be Suspicious of Unexpected Documents: If an email you weren’t expecting asks you to open a file, especially a Microsoft Word document, and “Enable Content” to view macros, treat it as a red flag for potential MuddyWater phishing. Most legitimate organizations don’t require macros to open simple documents. Verify the sender through alternative communication channels before opening attachments.

Turn Off Macros Unless Absolutely Needed: Macros are one of the most common entry points for malware like UDPGangster backdoor. Keep Microsoft Office macros disabled by default in your organization, and only enable them for trusted, verified files from known sources after proper security validation.

Use Strong Email Filtering: Invest in email security tools that can spot spoofed government addresses, malicious attachments with embedded macros, and phishing wording patterns commonly used by MuddyWater. Stopping these phishing emails before they reach user inboxes makes a huge difference in preventing UDPGangster infections.

Monitor Unusual Network Traffic: Since UDPGangster communicates over UDP to its command-and-control server on port 1269, keep an eye on unusual outbound UDP traffic to suspicious IP addresses. Security alerts on strange destination IPs or non-standard UDP ports can catch hidden UDPGangster backdoors early before significant data exfiltration occurs.
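Detection logic for the UDP command-and-control traffic described above and in the persistence section, as an added example that is not part of the advisory: it runs over constructed, simplified flow records and flags outbound UDP to the two published C2 addresses or to port 1269. The record format, internal addresses and the 91.92.93.94 destination are constructed; only the port and the two IoC addresses come from the advisory.

```python
# Flag outbound UDP flows matching the UDPGangster C2 pattern in the advisory.
# Added example (not from the Hive Pro advisory); the flow-record format below
# is constructed and simplified, not any vendor's real log format.
import ipaddress

# From the advisory: C2 over UDP/1269, plus two published IPv4 indicators.
C2_PORT = 1269
C2_IPS = {"157.20.182.75", "64.7.198.12"}

# Constructed sample records: "timestamp proto src:sport -> dst:dport bytes"
SAMPLE_FLOWS = """\
2025-11-03T09:14:02Z udp 10.0.5.23:51234 -> 157.20.182.75:1269 96
2025-11-03T09:14:02Z udp 10.0.5.23:51235 -> 8.8.8.8:53 72
2025-11-03T09:14:07Z tcp 10.0.5.23:51240 -> 142.250.74.46:443 1200
2025-11-03T09:15:02Z udp 10.0.5.23:51234 -> 157.20.182.75:1269 96
2025-11-03T09:16:02Z udp 10.0.5.23:51234 -> 157.20.182.75:1269 96
2025-11-03T09:16:30Z udp 10.0.5.41:60001 -> 91.92.93.94:1269 128
"""

def parse_flow(line: str) -> dict:
    """Split one record into its fields; ports and byte counts become ints."""
    ts, proto, src, _, dst, nbytes = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": ts, "proto": proto, "src": sip, "sport": int(sport),
            "dst": dip, "dport": int(dport), "bytes": int(nbytes)}

def classify(flow: dict):
    """Return why the flow is suspicious, or None for traffic that is not."""
    # Only outbound UDP to non-private space is of interest here.
    if flow["proto"] != "udp" or ipaddress.ip_address(flow["dst"]).is_private:
        return None
    if flow["dst"] in C2_IPS:
        return "known UDPGangster C2 address"            # high-confidence IoC hit
    if flow["dport"] == C2_PORT:
        return "outbound UDP to non-standard port 1269"  # weaker signal, triage it
    return None

def find_suspicious(text: str) -> list:
    """Return (src, dst, reason) for each matching record, in log order."""
    hits = []
    for line in text.splitlines():
        flow = parse_flow(line)
        reason = classify(flow)
        if reason:
            hits.append((flow["src"], flow["dst"], reason))
    return hits
```

The repeated one-minute cadence from 10.0.5.23 in the sample is the beaconing pattern worth alerting on even when the destination is not yet a known indicator.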

Enhance Endpoint Protection: Deploy next-generation antivirus (NGAV) and endpoint detection and response (EDR) solutions configured to identify and block MuddyWater malware including UDPGangster backdoor. Leverage behavioral analysis and machine learning-based detection to spot suspicious VBA macro execution, anti-virtualization checks, and UDP-based command-and-control activity characteristic of UDPGangster.

Indicators of Compromise (IoCs)

IPv4 Addresses: 157[.]20[.]182[.]75, 64[.]7[.]198[.]12

URL: hxxps[:]//reminders[.]trahum[.]org/Scheduled_Internet_Outages[.]doc

SHA256 Hashes: d177cf65a17bffcd152c5397600950fc0f81f00990ab8a43d352f9a7238428a1, 3d3fbd586f61043ff04ab0369b913a161c0159425fb269d52b7d8d8a14838ece, 232e979493da5329012022d3121300a4b00f813d5b0ecc98fdc3278d8f4e5a48, e84a5878ea14aa7e2c39d04ea7259d7a4ed7f666c67453a93b28358ccce57bc5, fc4a7eed5cb18c52265622ac39a5cef31eec101c898b4016874458d2722ec430, and numerous additional file hashes associated with UDPGangster backdoor samples, malicious Word document droppers, and related MuddyWater espionage campaign malware.

MITRE ATT&CK TTPs

MuddyWater’s UDPGangster backdoor campaign maps to the following tactics and techniques:

Initial Access (TA0001): Phishing (T1566), Spearphishing Attachment (T1566.001)

Execution (TA0002): Command and Scripting Interpreter (T1059), Windows Command Shell (T1059.003), User Execution (T1204), Malicious File (T1204.002)

Persistence (TA0003): Boot or Logon Autostart Execution (T1547), Registry Run Keys / Startup Folder (T1547.001)

Defense Evasion (TA0005): Virtualization/Sandbox Evasion (T1497), Obfuscated Files or Information (T1027), Masquerading (T1036)

Discovery (TA0007): System Information Discovery (T1082), System Owner/User Discovery (T1033), File and Directory Discovery (T1083)

Exfiltration (TA0010): Exfiltration Over C2 Channel (T1041), Data from Local System (T1005)

Command and Control (TA0011): Non-Application Layer Protocol, UDP (T1095), Ingress Tool Transfer (T1105)
