Iranian Hackers Unleash New MuddyViper Backdoor in Targeted Cyber Attacks on Israeli Sectors

Between September 30, 2024, and March 18, 2025, Iranian state-sponsored cyber actors launched a series of sophisticated attacks targeting various Israeli sectors, including academia, engineering, local government, manufacturing, technology, transportation, and utilities. These operations introduced a previously undocumented backdoor, dubbed MuddyViper, into the cyber threat landscape.

Cybersecurity firm ESET has attributed these activities to the hacking group known as MuddyWater, also referred to as Mango Sandstorm, Static Kitten, or TA450. This group is believed to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS). Notably, the campaign also targeted a technology company based in Egypt, indicating a broader regional focus.

Background on MuddyWater

First identified in November 2017 by Palo Alto Networks’ Unit 42, MuddyWater has a history of targeting Middle Eastern entities. Their initial campaigns utilized a custom backdoor named POWERSTATS. Over the years, the group has evolved its tactics, including destructive attacks on Israeli organizations using a Thanos ransomware variant called PowGoop, as part of a campaign known as Operation Quicksand.

According to data from the Israel National Cyber Directorate (INCD), MuddyWater’s operations have impacted various sectors, including local authorities, civil aviation, tourism, healthcare, telecommunications, information technology, and small and medium-sized enterprises (SMEs).

Attack Methodology

MuddyWater’s attack chains typically involve spear-phishing campaigns and the exploitation of known vulnerabilities in VPN infrastructure to infiltrate networks. Once access is gained, they deploy legitimate remote management tools—a longstanding tactic of the group. Since May 2024, their phishing campaigns have been delivering a backdoor known as BugSleep, also referred to as MuddyRot.

The group’s arsenal includes various tools such as Blackout, a remote administration tool (RAT); AnchorRat, which offers file upload and command execution features; CannonRat, capable of receiving commands and transmitting information; Neshta, a known file infector virus; and Sad C2, a command-and-control framework that delivers a loader called TreasureBox, which deploys the BlackPearl RAT for remote control, along with a binary known as Phoenix to download payloads from the C2 server.

Introduction of MuddyViper

In their latest campaign, MuddyWater introduced MuddyViper, a C/C++-based backdoor designed to provide covert access and control over infected systems. The attack sequence begins with phishing emails containing PDF attachments that link to legitimate remote desktop tools like Atera, Level, PDQ, and SimpleHelp.

A key component of this campaign is a loader named Fooder, designed to decrypt and execute the MuddyViper backdoor. Alternatively, the C/C++ loader has been found to deploy go-socks5 reverse tunneling proxies and an open-source utility called HackBrowserData to collect browser data from several browsers, excluding Safari on Apple macOS.

MuddyViper enables attackers to collect system information, execute files and shell commands, transfer files, and exfiltrate Windows login credentials and browser data. The backdoor supports 20 commands that facilitate these covert operations. Some variants of Fooder impersonate the classic Snake game and incorporate delayed execution to evade detection.
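The attack chain above hinges on a legitimate remote management tool (Atera, Level, PDQ, SimpleHelp) being installed from a phishing lure, which is also the longstanding tactic noted under Attack Methodology. The following is an added defender-side example, not ESET's tooling and not anything from the campaign itself: it sweeps process-creation events and flags RMM installs that the organisation has not sanctioned, that were spawned by a document viewer or browser, or that run from a download or temp directory. The event schema (host, user, image, parent_image, cmdline), the product-matching patterns, the parent-process list and the sample events are all constructed assumptions for illustration; a real deployment would key on vendor-documented binary names and code-signing identities.

```python
"""Flag remote management (RMM) tool activity that warrants review.

Added example, not from the report or any vendor. Assumes process-creation
telemetry as one JSON object per line with the constructed fields
'host', 'user', 'image', 'parent_image' and 'cmdline', plus a defender-
maintained allowlist of approved RMM products.
"""
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Substrings that identify an RMM product in an image path or command line.
# Assumed identifiers for illustration only, not verified binary names.
RMM_PATTERNS = {
    "Atera": re.compile(r"atera", re.I),
    "Level": re.compile(r"level[-_ ]?(agent|io)", re.I),
    "PDQ": re.compile(r"\bpdq", re.I),
    "SimpleHelp": re.compile(r"simple[-_ ]?help", re.I),
}

# Parents from which an RMM install rarely originates legitimately: document
# viewers, browsers and the mail client, i.e. the phishing-attachment path.
USER_APP_PARENTS = re.compile(
    r"(acrord32|acrobat|foxit|sumatrapdf|chrome|msedge|firefox|outlook)\.exe$", re.I
)

# Locations a freshly downloaded installer typically executes from.
STAGING_DIRS = re.compile(r"\\(downloads|temp|tmp|appdata\\local\\temp)\\", re.I)


@dataclass
class Finding:
    host: str
    user: str
    product: str
    reasons: List[str]


def classify(event: dict, approved: Set[str]) -> Optional[Finding]:
    """Return a Finding when the event shows RMM activity worth reviewing."""
    haystack = f"{event.get('image', '')} {event.get('cmdline', '')}"
    product = next(
        (name for name, pat in RMM_PATTERNS.items() if pat.search(haystack)), None
    )
    if product is None:
        return None  # not an RMM tool at all
    reasons = []
    if product not in approved:
        reasons.append("unsanctioned RMM product")
    if USER_APP_PARENTS.search(event.get("parent_image", "")):
        reasons.append("launched from document viewer or browser")
    if STAGING_DIRS.search(event.get("image", "")):
        reasons.append("runs from download/temp directory")
    if not reasons:
        return None  # approved product, started by a service, installed path
    return Finding(event.get("host", "?"), event.get("user", "?"), product, reasons)


def scan(lines: Iterable[str], approved: Set[str]) -> List[Finding]:
    """Parse one JSON event per line and collect findings; skip malformed lines."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a bad record should not abort the whole sweep
        found = classify(event, approved)
        if found:
            findings.append(found)
    return findings


# Constructed sample events (not real telemetry). Raw string: JSON "\\" decodes
# to a single Windows path separator.
SAMPLE_EVENTS = r"""
{"host":"ws01","user":"alice","image":"C:\\Users\\alice\\Downloads\\SimpleHelp-Setup.exe","parent_image":"C:\\Program Files\\Adobe\\AcroRd32.exe","cmdline":"SimpleHelp-Setup.exe /S"}
{"host":"ws02","user":"bob","image":"C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe","parent_image":"C:\\Windows\\System32\\services.exe","cmdline":"AteraAgent.exe"}
{"host":"ws03","user":"carol","image":"C:\\Windows\\System32\\notepad.exe","parent_image":"C:\\Windows\\explorer.exe","cmdline":"notepad.exe"}
{"host":"ws04","user":"dave","image":"C:\\Users\\dave\\AppData\\Local\\Temp\\level-agent.exe","parent_image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","cmdline":"level-agent.exe --install"}
"""

if __name__ == "__main__":
    # Atera is the only sanctioned product in this constructed environment.
    for f in scan(SAMPLE_EVENTS.splitlines(), approved={"Atera"}):
        print(f"{f.host} {f.user}: {f.product} -> {', '.join(f.reasons)}")
```

Run as-is, the sweep reports ws01 and ws04 (an unsanctioned tool started by a PDF reader or browser from a staging directory) and stays silent on ws02, where the approved agent runs from its install path under the service control manager. The three reasons are kept separate on purpose: an approved product launched by a PDF reader is still worth a look, and tuning each signal independently keeps the rule useful once the allowlist changes.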

Implications and Recommendations

The deployment of MuddyViper underscores the evolving tactics of Iranian state-sponsored actors and their persistent focus on Israeli sectors. Organizations are advised to implement robust cybersecurity measures, including employee training on recognizing phishing attempts, regular system updates to patch vulnerabilities, and the deployment of advanced threat detection systems.

Staying informed about emerging threats and adapting security protocols accordingly is crucial in mitigating the risks posed by sophisticated cyber adversaries like MuddyWater.