
Israeli organizations across academia, engineering, local government, manufacturing, technology, transportation, and utilities sectors have emerged as targets of a new wave of attacks by Iranian nation-state actors who distributed a previously undocumented backdoor called MuddyViper.
ESET attributes this activity to a hacking group known as MuddyWater (also tracked as Mango Sandstorm or TA450), a cluster assessed to be linked to Iran's Ministry of Intelligence and Security (MOIS). The same campaign also targeted an Egypt-based technology company.
The hacking group first came to light in November 2017, when Palo Alto Networks' Unit 42 detailed targeted attacks against the Middle East carried out between February and October of that year using a custom PowerShell backdoor called POWERSTATS. The group is also known for destructive attacks against Israeli organizations in a campaign called Operation Quicksand, which deployed a variant of the Thanos ransomware alongside the PowGoop loader.
According to data from Israel's National Cyber Directorate (INCD), the MuddyWater attacks targeted the country's local governments, civil aviation, tourism, healthcare, telecommunications, information technology, and small and medium-sized enterprises (SMEs).
Typical attack chains rely on spear-phishing or the exploitation of known vulnerabilities in VPN infrastructure to gain a foothold, followed by the deployment of legitimate remote management tools; this is the approach MuddyWater has favored for many years. Since at least May 2024, however, its phishing campaigns have also delivered a backdoor known as BugSleep (also known as MuddyRot).
Other notable tools in the group's arsenal include:
- Blackout, a remote administration tool (RAT)
- AnchorRat, a RAT that provides file upload and command execution functionality
- CannonRat, a RAT that receives commands and sends back collected information
- Neshta, a known file-infecting virus
- Sad C2, a command-and-control (C2) framework that comes with a loader called TreasureBox to deploy the BlackPearl RAT for remote control, and a binary known as Pheonix that downloads payloads from C2 servers

This cyber espionage group has a track record of attacking a wide range of industries, particularly governments and critical infrastructure, using a mix of custom malware and publicly available tools. The latest attack sequence, like previous campaigns, begins with a phishing email carrying a PDF attachment that links to a legitimate remote desktop tool such as Atera, Level, PDQ, or SimpleHelp.
This campaign is characterized by the use of a loader named Fooder, designed to decrypt and execute the C/C++-based MuddyViper backdoor. The same C/C++ loader has also been observed deploying the go-socks5 reverse tunneling proxy and HackBrowserData, an open-source utility that harvests stored data from most major browsers (Safari on Apple macOS being the notable exception).
“MuddyViper allows attackers to collect system information, execute files and shell commands, transfer files, and exfiltrate Windows login credentials and browser data,” the Slovak cybersecurity firm said in a report shared with The Hacker News.
The backdoor supports a total of 20 commands, giving the operators covert access to and control over infected systems. Many Fooder variants are disguised as the classic Snake game and incorporate delayed execution to avoid detection. MuddyWater's use of Fooder was first noted by Group-IB in September 2025.

The following tools are also used in the attack:
- A backdoor that impersonates VAXOne, Veeam, AnyDesk, Xerox, and OneDrive updater services
- CE-Notes, a browser data stealer that attempts to bypass Google Chrome's App-Bound Encryption by stealing the encryption keys stored in the Local State file of Chromium-based browsers (it shares similarities with the open-source ChromElevator project)
- A C/C++ browser data stealer that collects saved login data from Blub, Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera
- LP-Notes, a credential stealer written in C/C++ that displays fake Windows security dialogs to trick users into entering their system username and password
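The CE-Notes description above hinges on where Chromium keeps its master keys: the `os_crypt` section of the profile's `Local State` JSON file. The legacy key lives in `encrypted_key` as base64 of the literal header `DPAPI` followed by a DPAPI blob; the App-Bound Encryption key lives in `app_bound_encrypted_key` as base64 of the header `APPB` followed by a blob whose outer DPAPI layer can only be unwrapped under the SYSTEM account via Chrome's elevation service. The following triage helper is an added example written for this page, not code from ESET or from any of the tools described; the `Local State` sample it parses is constructed, and its blobs are dummy bytes rather than real DPAPI output. It lets an incident responder tell at a glance whether a profile found on a compromised host was protected by App-Bound Encryption (in which case a user-level stealer needs an elevation bypass of the kind CE-Notes attempts) or only by the legacy DPAPI scheme.

```python
import base64
import json

# Header bytes Chromium prepends to the two key blobs before base64-encoding them.
DPAPI_PREFIX = b"DPAPI"   # legacy os_crypt.encrypted_key
APPB_PREFIX = b"APPB"     # os_crypt.app_bound_encrypted_key (App-Bound Encryption)

# Constructed sample of a Local State file. Real files carry many more keys, and
# the blobs below are dummy bytes standing in for DPAPI output (assumption for the demo).
SAMPLE_LOCAL_STATE = json.dumps({
    "os_crypt": {
        "encrypted_key": base64.b64encode(DPAPI_PREFIX + b"\x01\x00" * 8).decode(),
        "app_bound_encrypted_key": base64.b64encode(APPB_PREFIX + b"\x02\x00" * 8).decode(),
    }
})


def extract_os_crypt_keys(local_state_text: str) -> dict:
    """Return the still-encrypted key blobs found in a Local State document.

    The result maps the JSON field name to the raw bytes that follow the header,
    i.e. the DPAPI blob a stealer would have to unwrap. Nothing is decrypted here;
    the function only validates the layout, which is enough for triage.
    """
    state = json.loads(local_state_text)
    os_crypt = state.get("os_crypt", {})
    found = {}
    for field, prefix in (("encrypted_key", DPAPI_PREFIX),
                          ("app_bound_encrypted_key", APPB_PREFIX)):
        encoded = os_crypt.get(field)
        if encoded is None:
            continue
        raw = base64.b64decode(encoded)
        if not raw.startswith(prefix):
            # A wrong header means the file is corrupt or was tampered with.
            raise ValueError(f"{field} does not start with {prefix!r}")
        found[field] = raw[len(prefix):]
    return found


def protection_scheme(local_state_text: str) -> str:
    """Classify how the profile's cookie/password key is protected."""
    keys = extract_os_crypt_keys(local_state_text)
    if "app_bound_encrypted_key" in keys:
        return "app-bound"        # needs SYSTEM-level unwrap via the elevation service
    if "encrypted_key" in keys:
        return "legacy-dpapi"     # user DPAPI alone is enough to recover the key
    return "none"


if __name__ == "__main__":
    print(protection_scheme(SAMPLE_LOCAL_STATE))
```

On a live host the text would come from `%LOCALAPPDATA%\Google\Chrome\User Data\Local State` (or the equivalent path for Edge, Brave, or Opera); the presence of `app_bound_encrypted_key` is also a useful hunting pivot, since any non-browser process reading that file is worth a second look.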
"This campaign marks an evolution in the maturity of MuddyWater's operations," ESET said. "The deployment of previously undocumented components, such as the Fooder loader and MuddyViper backdoor, demonstrates efforts to enhance stealth, persistence, and credential harvesting capabilities."
Charming Kitten Leak
The disclosure comes weeks after the Israel National Digital Agency (INDA) identified an Iranian threat actor known as APT42 as responsible for attacks targeting individuals and organizations of interest in an espionage-focused campaign called SpearSpecter. APT42 is believed to overlap with another hacking group tracked as APT35 (also known as Charming Kitten and Fresh Feline).
The disclosure also follows a major leak of internal documents exposing the cyber activities of a hacking group that, according to British-Iranian activist Nariman Gharib, penetrated systems in order to identify and kill individuals deemed a threat to Iran. The group is associated with the Islamic Revolutionary Guard Corps (IRGC), specifically its counterintelligence wing known as Unit 1500.
“The story appears to be a horror script written in PowerShell and Farsi,” FalconFeeds said, adding that the leak revealed “a complete map of Iran’s IRGC Unit 1500 Cyber Division.”

The data dumps were posted to GitHub in September and October 2025 by an anonymous group calling itself KittenBusters, whose motives remain unclear. Notably, the leaked documents reportedly identify Abbas Rallovi, also known as Abbas Hosseini, as the leader of the operation and claim that the hacking force is controlled through a network of front companies.
Another major revelation was the release of the complete source code of BellaCiao, a backdoor that Bitdefender reported in April 2023 as being used in attacks against companies in the United States, Europe, the Middle East, and India. Gharib said the backdoor was the work of a team operating from Tehran's Shuhada base.
"The leaked materials reveal a structured command architecture rather than a decentralized hacking collective: an organization with clear hierarchies, performance oversight, and bureaucratic discipline," DomainTools said.
“The APT35 leak exposes a bureaucratized cyberintelligence apparatus that is an organized arm of the Iranian state with defined hierarchies, workflows, and performance metrics. The documents reveal an autonomous ecosystem in which personnel log daily activities, quantify phishing success rates, and track reconnaissance hours, while technical staff test and weaponize exploits against current vulnerabilities.”
