
Serpents in Disguise: MuddyWater’s Hidden Toolset Exposed

Amber | Attack Report

A new MuddyWater campaign has emerged with sophisticated cyber-espionage capabilities targeting critical infrastructure in Israel and Egypt. The Iran-aligned group, also tracked as Seedworm and Mango Sandstorm, has evolved from historically noisy operations toward a more refined and stealthy approach. Its malware deployment now includes custom tools such as the Fooder loader and the MuddyViper backdoor, marking a significant advance in the group’s operational security and technical capability.

Attack Details

Sophisticated Malware Arsenal Disguised as Legitimate Software

MuddyWater cyberespionage operations have resurfaced with previously undocumented custom malware tools that significantly elevate their tradecraft capabilities. The MuddyWater threat campaign centers on Fooder, a deceptive malware loader that masquerades as a simple Snake game while covertly executing MuddyViper, a sophisticated C/C++ backdoor. This MuddyWater attack enables threat actors to harvest system information, execute remote commands, manipulate files, and steal sensitive credentials across targeted networks. The MuddyWater APT group has operated since 2017, traditionally targeting government sectors, telecommunications infrastructure, energy facilities, and critical infrastructure across the Middle East and North America.

Multi-Stage Attack Campaign Leveraging RMM Tools

The latest MuddyWater campaign, spanning September 2024 to March 2025, relied heavily on spearphishing that directed victims to file-sharing platforms including OneHub, Egnyte, and Mega to download trojanized RMM installers. Once this initial access was gained, the Iran-nexus group deployed predictable PowerShell and Go-based backdoors alongside deceptive implants such as the VAX-One backdoor, which masquerades as a legitimate software application. Despite improved operational security, MuddyWater continues to reuse recognizable coding patterns and command-and-control infrastructure, allowing researchers to maintain attribution confidence.

Technical Evolution Shows Maturation in Capabilities

Security researchers uncovered compelling code overlaps linking new MuddyWater malware components including LP-Notes, CE-Notes, MuddyViper backdoor, and various go-socks5 reverse tunnels to previously documented MuddyWater cyberespionage activity. These MuddyWater tools share encryption methodologies, UI spoofing techniques, and design characteristics unique to Iranian-aligned threat groups. The Fooder malware loader stands out as the most innovative component, utilizing reflective code loading, AES-based payload decryption, and game-like delay mechanics to mask malicious execution patterns. The MuddyViper backdoor payload reveals detailed compromise capabilities, offering MuddyWater operators 20 distinct commands to manipulate victim systems, establish persistence mechanisms, harvest browser credentials, deploy reverse shells, and impersonate Windows security prompts to steal user passwords.

Broader Implications for Iran-Nexus Cyber Operations

This MuddyWater attack campaign reflects clear maturation in the threat group’s cyber espionage capabilities and operational methodology. While remnants of traditionally noisy MuddyWater operations remain visible, the introduction of purpose-built malware loaders, cleverly disguised user interfaces, and improved credential theft mechanisms highlights a threat actor working to refine its espionage toolkit systematically. MuddyWater continues to expand its operational role within Iran-nexus cyber operations targeting technology sectors, engineering firms, government agencies, manufacturing facilities, transportation infrastructure, utilities, and university systems. Ongoing threat monitoring will be crucial as the MuddyWater APT group’s evolving toolset suggests further enhancements and broader targeting scope in future operations.

Recommendations

Strengthen Email Awareness and Verification: Since MuddyWater cyberespionage campaigns rely heavily on spearphishing links and fake RMM installers, organizations must ensure security teams know how to identify suspicious emails, especially those requesting software downloads. Quick verification with IT personnel before opening attachments or links can stop the MuddyWater attack chain at initial access stages.

Prioritize Endpoint Monitoring for Unusual Loaders and Scripts: MuddyWater malware tools like Fooder and MuddyViper execute in memory and mimic normal applications. Organizations should enable EDR products and monitor for anomalous process launches, reflective code loading, PowerShell scripts, or unknown executables masquerading as legitimate software to detect MuddyWater intrusions.

Harden Browser Credential Storage: Because MuddyWater threat actors actively target browser passwords, organizations should encourage users to migrate sensitive credentials to dedicated password managers and disable corporate password storage in web browsers. Enforcing multi-factor authentication reduces the operational impact of stolen credentials from MuddyWater campaigns.

Regularly Review Persistence Mechanisms: The MuddyViper backdoor establishes scheduled tasks or Startup entries to maintain persistent access. Organizations should periodically scan for unusual scheduled tasks, Startup folder additions, or unsigned binaries running at system boot to identify MuddyWater malware persistence.

Enhance Endpoint Protection: Organizations should deploy next-generation antivirus and endpoint detection and response solutions to identify and block MuddyWater malware. Leveraging behavioral analysis and machine learning-based detection capabilities helps spot suspicious MuddyWater threat actor activity patterns.

Indicators of Compromise (IoCs)

SHA1 Hashes: 76632910CF67697BF5D7285FAE38BFCF438EC082, 1723D5EA7185D2E339FA9529D245DAA5D5C9A932, 69B097D8A3205605506E6C1CC3C13B71091CB519, B7A8F09CB5FF8A33653988FFBA585118ACF24C13, B8997526E4781A6A1479690E30072F38E091899D, 8E21DE54638A79D8489C59D958B23FE22E90944A, CD47420F5CE408D95C98306D78B977CDA0400C8F, C1299E8C9A8567A9C292157F3ED65B818AA78900, 29CDA06701F9A9C0A6791775C3EB70F5B52BBEFF, 8F3ED626E7B929450E36E97BA5539C8371DF0EF8, and numerous additional file hashes associated with MuddyWater malware campaigns.

Domains: api[.]tikavodot[.]co[.]il, magicallyday[.]com, processplanet[.]org

IPv4 Addresses: 3[.]95[.]7[.]142, 35[.]175[.]224[.]64, 51[.]16[.]209[.]105, 62[.]106[.]66[.]112, 157[.]20[.]182[.]45, 161[.]35[.]172[.]55, 167[.]99[.]224[.]13, 194[.]11[.]246[.]78, 194[.]11[.]246[.]101, 206[.]71[.]149[.]51, 212[.]232[.]22[.]136

Filenames: OsUpdater.exe, Blub.exe, stealer.exe, MuddyViper-related DLLs, vmsvc.exe, Dsync-es.exe, steam.exe, WinWin.exe, Launcher.exe, ESETGO.exe, and various randomly-named executables associated with MuddyWater operations.
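As an added defender-side example (not code from this advisory or from the referenced ESET research), the following Python sweeps Sysmon-style process, network and DNS log lines for the indicators listed above, covering the hash, domain and IP values and the masquerading filenames that the endpoint-monitoring recommendation calls out. The indicator values are copied from this advisory; the log lines, field names and the `scan`/`refang` helpers are constructed for the example.

```python
import re

# Indicators copied from the advisory's IoC section, exactly as published (defanged).
ADVISORY_SHA1 = {"76632910CF67697BF5D7285FAE38BFCF438EC082",
                 "1723D5EA7185D2E339FA9529D245DAA5D5C9A932"}
ADVISORY_NETWORK = {"api[.]tikavodot[.]co[.]il", "magicallyday[.]com",
                    "processplanet[.]org", "161[.]35[.]172[.]55", "3[.]95[.]7[.]142"}
ADVISORY_FILENAMES = {"OsUpdater.exe", "Blub.exe", "stealer.exe",
                      "vmsvc.exe", "steam.exe", "ESETGO.exe"}

def refang(ioc: str) -> str:
    """Turn a defanged indicator ('api[.]x[.]il') into the form seen in telemetry."""
    return ioc.replace("[.]", ".").lower()

HASHES = {h.lower() for h in ADVISORY_SHA1}
NETWORK = {refang(n) for n in ADVISORY_NETWORK}
NAMES = {n.lower() for n in ADVISORY_FILENAMES}

KV = re.compile(r"(\w+)=(\S+)")            # key=value fields (values contain no spaces)
SHA1 = re.compile(r"\b[0-9a-fA-F]{40}\b")  # any 40-hex token on the line

def scan(log_text: str) -> list:
    """Return (line_no, ioc_type, value) for each advisory IoC seen in the log."""
    hits = []
    for no, line in enumerate(log_text.splitlines(), 1):
        fields = dict(KV.findall(line))
        for h in SHA1.findall(line):                      # strongest signal: file hash
            if h.lower() in HASHES:
                hits.append((no, "sha1", h.lower()))
        image = fields.get("Image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        if image in NAMES:                                # weak alone: steam.exe is common
            hits.append((no, "filename", image))
        for key in ("QueryName", "DestinationIp"):        # DNS query / outbound connection
            if fields.get(key, "").lower() in NETWORK:
                hits.append((no, "network", fields[key].lower()))
    return hits

# Constructed Sysmon-style sample lines (EventID 1 = process create, 3 = network, 22 = DNS).
SAMPLE_LOG = """\
EventID=1 Image=C:\\Users\\bob\\Downloads\\OsUpdater.exe Hashes=SHA1=76632910CF67697BF5D7285FAE38BFCF438EC082
EventID=1 Image=C:\\Windows\\System32\\notepad.exe Hashes=SHA1=0000000000000000000000000000000000000000
EventID=22 Image=C:\\Users\\bob\\AppData\\Local\\Temp\\steam.exe QueryName=api.tikavodot.co.il
EventID=3 Image=C:\\Tools\\vmsvc.exe DestinationIp=161.35.172.55
EventID=3 Image=C:\\Windows\\explorer.exe DestinationIp=8.8.8.8
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Filename-only matches should be triaged with the hash and network hits rather than acted on alone, since several of the listed names mimic legitimate software.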

MITRE ATT&CK TTPs

The MuddyWater campaign demonstrates tactics spanning the complete attack lifecycle, including Reconnaissance (TA0043), Resource Development (TA0042), Initial Access via Spearphishing Link (T1566.002), Execution through PowerShell and Command Shell (T1059.001, T1059.003), Persistence via Registry Run Keys and Scheduled Tasks (T1547.001, T1053), Defense Evasion using Reflective Code Loading and Obfuscation (T1620, T1027), Credential Access from Web Browsers (T1555.003), Discovery of System Information (T1082), Collection and Data Staging (T1074.001), Exfiltration Over C2 Channel (T1041), and Command and Control through Application Layer Protocols (T1071.001). Additional techniques include Access Token Manipulation (T1134), Virtualization/Sandbox Evasion (T1497), Masquerading (T1036), and use of Remote Access Tools (T1219).

References

https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank/

https://hivepro.com/threat-advisory/muddywater-deploys-phoenix-backdoor-in-targeted-espionage-campaign/
