UDPGangster Campaigns Target Multiple Countries
Essential information
- Published
- 10/12/2025 09:44
- Modified
- 21/12/2025 18:55
- Tags
- 2025-12-10 anti-analysis backdoor espionage phishing phoenix backdoor udpgangster vba macros
- Related entities
- 15 observables, 1 intrusion sets (apt), 17 techniques (mitre), 2 malware, 3 others
Description
UDPGangster, a UDP-based backdoor associated with the MuddyWater threat group, has been observed targeting users in Turkey, Israel, and Azerbaijan. The malware is delivered through malicious Microsoft Word documents with embedded VBA macros, employing sophisticated anti-analysis techniques to evade detection. The campaigns use phishing emails impersonating government entities and include decoy images to distract victims. UDPGangster installs persistence, collects system information, and communicates with its command and control server using UDP. The malware supports various commands for remote execution, file extraction, and payload deployment. Analysis reveals connections to previous MuddyWater operations and shared infrastructure with other known malware.