Snakes by the riverbank
Essential information
- Published
- 02/12/2025 14:44
- Modified
- 21/12/2025 18:22
- Tags
- 2025-12-02 backdoor blub ce-notes critical-infrastructure custom malware cyberespionage defense evasion egypt fooder go-socks5 iran israel lp-notes muddyviper spearphishing
- Related entities
- 9 observables, 1 intrusion sets (apt), 6 malware, 9 others
Description
ESET researchers have identified new MuddyWater activity targeting organizations in Israel and Egypt. The Iran-aligned cyberespionage group deployed custom tools to improve defense evasion and persistence, including a Fooder loader to execute the MuddyViper backdoor. The campaign demonstrates a more focused and refined approach, with the group adopting advanced techniques like CNG cryptography and reflective loading. MuddyWater's toolset includes browser data stealers, credential stealers, and reverse tunneling tools. The group primarily targeted critical infrastructure sectors through spearphishing emails containing links to remote monitoring and management software. This campaign indicates an evolution in MuddyWater's operational maturity, showcasing enhanced stealth and credential harvesting capabilities.