MuddyViper Backdoor

A recent wave of espionage activity has zeroed in on a broad range of Israeli organizations across academia, engineering, local government, manufacturing, technology, transportation, and utilities. The operation, attributed to Iranian state-aligned actors, introduced a previously unknown backdoor dubbed MuddyViper, signaling a new escalation in the group's tactics. One Egypt-based technology firm was also caught in the crosshairs, with the campaign running from late September 2024 through mid‑March 2025.

A Familiar Adversary With Expanding Capabilities

The attacks have been linked to MuddyWater, also known as Mango Sandstorm, Static Kitten, or TA450, a group assessed to operate under Iran's Ministry of Intelligence and Security. Active since at least 2017, MuddyWater has a long record of espionage and destructive actions, including earlier POWERSTATS campaigns and the use of PowGoop ransomware during Operation Quicksand.

According to published findings, the group continues to strike Israeli targets spanning local authorities, air transport, tourism, health services, telecom networks, IT providers, and SMEs.

Their Evolving Playbook: From Social Engineering to Exploiting VPN Weaknesses

The threat actor typically relies on spear-phishing emails and the abuse of known VPN vulnerabilities to gain entry. Historically, these intrusions involved deployment of legitimate remote administration tools — a hallmark of MuddyWater's operations. Since May 2024, however, their phishing emails have begun delivering a stealthy backdoor known as BugSleep (also called MuddyRot), showing a shift toward more customized tooling.

The group’s wider arsenal is extensive and includes Blackout, AnchorRat, CannonRat, Neshta, and the Sad C2 framework, which helps propagate loaders such as TreasureBox and the BlackPearl RAT.

Phishing Remains the First Step

The latest attack wave still begins with malicious emails that contain PDF attachments. These PDFs point victims toward downloads for widely used remote tools such as Atera, Level, PDQ, and SimpleHelp. Once a foothold is gained, the attackers move to deploy more specialized components.

Introducing Fooder and MuddyViper

This campaign prominently features a loader named Fooder, built to decrypt and execute the C/C++‑based MuddyViper backdoor. Variants of Fooder have also been seen distributing go-socks5 tunneling utilities and the open-source HackBrowserData tool to harvest browser data from numerous platforms (with the exception of Safari).

MuddyViper itself grants extensive control, enabling operators to gather system details, run files and commands, move data in and out, and steal Windows credentials and browser information. It supports 20 built‑in commands for maintaining concealed access. Some Fooder variants disguise themselves as the classic Snake game and rely on delayed execution to sidestep detection, a technique first noted in September 2025.

Additional Tools Observed in the Operation

Researchers also documented the deployment of several supporting utilities designed for persistence, credential theft, and data collection:

VAXOne – A backdoor masquerading as Veeam, AnyDesk, Xerox, or the OneDrive updater.

CE-Notes – A browser-data theft tool designed to bypass Chrome’s app-bound encryption by stealing the Local State encryption key.

Blub – A C/C++ stealer that collects login data from Chrome, Edge, Firefox, and Opera.

LP-Notes – A C/C++ credential-harvesting tool that displays a fraudulent Windows Security prompt to trick users into entering their login details.

Collaboration With Lyceum: An Operational Overlap Emerges

The investigation revealed that MuddyWater's activity intersected with the operations of Lyceum (also known as Hexane, Spirlin, or Siamesekitten), a subgroup of OilRig (APT34) active in regional cyber espionage since at least 2018.

During incidents identified in early 2025, MuddyWater likely acted as an initial access broker inside an Israeli manufacturing organization by deploying remote desktop tools and a customized Mimikatz loader. The stolen credentials were then likely leveraged by Lyceum to expand access and assume operational control.

A Sign of Increasing Operational Maturity

The introduction of new components, particularly the Fooder loader and MuddyViper backdoor, highlights a notable progression in MuddyWater’s technical and operational sophistication. The group is clearly investing in stealthier persistence mechanisms, more efficient credential theft, and deeper reconnaissance capabilities.

The campaign underscores a continued and expanding threat from Iranian-aligned cyber operators. Their blend of custom malware, stealthy loaders, legitimate remote administration tools, and cross-group collaboration suggests that organizations in the region must remain on heightened alert and reinforce defenses against increasingly complex intrusion strategies.