MuddyWater: Snakes by the riverbank
Essential information
- Published: 03/01/2026 11:05
- Modified: 05/01/2026 11:09
- Tags: 2026-01-03, blub, ce-notes, credential-theft, critical-infrastructure, cyberespionage, defense evasion, fooder, fooder loader, go-socks5, iran, lp-notes, muddyviper, muddyviper backdoor, reverse tunneling
- Related entities: 9 observables, 1 intrusion set (APT), 7 techniques (MITRE), 6 malware, 11 others
Description
MuddyWater, an Iran-aligned cyberespionage group, has been targeting critical infrastructure in Israel and Egypt with custom malware and improved tradecraft. The campaign introduces two previously undocumented tools: the Fooder loader, which masquerades as a Snake game and uses game-inspired techniques to hinder analysis, and the MuddyViper backdoor, which supports system information collection, file manipulation and credential theft. Together they strengthen the group's defense evasion and persistence. The operators also deploy browser-data stealers and reverse tunneling tools. The campaign shows MuddyWater moving towards more refined tooling and operations, although traces of operational immaturity remain. The group continues to pose a significant threat to government, military, telecommunications and critical infrastructure organizations in the Middle East.