Dark Web News Analysis
A new cyberespionage campaign by the Iranian state-sponsored group MuddyWater (aka Mango Sandstorm, Static Kitten, TA450) has been identified by ESET Research. Active between September 2024 and March 2025, this campaign specifically targets Israeli entities across academia, engineering, local government, and utilities, alongside a technology firm in Egypt.
Brinztech Analysis: This campaign marks a significant evolution in the operational maturity of MuddyWater, a group affiliated with Iran’s Ministry of Intelligence and Security (MOIS).
- The New Arsenal: The group has deployed a previously undocumented C/C++ backdoor named MuddyViper.
- The Delivery Mechanism: MuddyViper is delivered via a new loader called Fooder. Notably, Fooder utilizes reflective loading to execute the malware directly in memory (avoiding disk detection) and incorporates a custom delay function based on the logic of the classic Snake video game to evade automated sandboxes.
- Initial Access: The group continues to rely on spear-phishing emails containing PDF attachments. These PDFs contain links hosted on legitimate file-sharing platforms (OneHub, Egnyte, Mega) that download installers for legitimate Remote Monitoring and Management (RMM) tools like Atera, Level, PDQ, and SimpleHelp.
Key Cybersecurity Insights
This campaign demonstrates a shift from simple scripting to complex, compiled malware designed for stealth:
- Custom Tooling Surge: Alongside MuddyViper, the group deployed a suite of new C/C++ credential stealers:
  - CE-Notes: Steals encryption keys from Chrome-based browsers.
  - Blub: Harvests login data from Chrome, Edge, Firefox, and Opera.
  - LP-Notes: A social engineering tool that displays a fake Windows Security dialog to trick users into entering their system credentials.
  - VAXOne: A backdoor that impersonates legitimate binaries like Veeam, AnyDesk, or Xerox.
- Unique Cryptography: MuddyWater developers have adopted the CNG (Cryptography Next Generation) API for data encryption in their tools. Researchers note this is a unique fingerprint for Iran-aligned groups, rarely seen in the broader threat landscape.
- Targeting Critical Sectors: The wide net cast over Israeli infrastructure—from local authorities to utilities—suggests a strategic intelligence-gathering objective to support kinetic or psychological operations, consistent with the broader Iran-Israel cyber conflict.
Mitigation Strategies
In response to this evolved threat, organizations in the Middle East (and global partners) must take immediate action:
- Strict RMM Governance: The primary vector remains the abuse of legitimate RMM tools. Security teams must block or alert on the installation of unapproved remote management software (Atera, SimpleHelp, Level) immediately.
- Endpoint Detection & Response (EDR): Configure EDR to detect reflective DLL loading and anomalous memory execution. The “Fooder” loader runs in memory; file-based scanning may miss it.
- User Awareness (Fake Dialogs): Train employees to recognize fake system prompts. The LP-Notes malware relies on users voluntarily typing their passwords into a fake pop-up.
- Email Filtering: Block access to free file-sharing sites (OneHub, Egnyte) often used to host the initial payload, or strictly inspect traffic from these domains.
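As an added illustration of the RMM governance and file-sharing controls above (this is example code, not from the ESET report or Brinztech), the following detector runs over constructed log lines resembling Windows service/MSI install events and web-proxy records, flags installs of the RMM products named in the campaign unless they are on a per-host allowlist, and flags downloads from the file-sharing services used to stage the installers. Field names, domains, and sample hosts are assumptions, not any real product's schema.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# RMM products abused in the campaign -> lowercase pattern matched against service, image and MSI product names.
# "level" is a generic word, so it is boundary-anchored; expect to tune it against your own install telemetry.
CAMPAIGN_RMM = {"Atera": r"\batera", "SimpleHelp": r"simplehelp", "PDQ": r"\bpdq\b", "Level": r"\blevel\b"}
# File-sharing services the phishing PDFs link to (assumed domains, not indicators from the report).
STAGING_DOMAINS = ("onehub.com", "egnyte.com", "mega.nz")

@dataclass(frozen=True)
class Finding:
    host: str
    kind: str    # "unapproved_rmm" or "staging_download"
    detail: str

def parse_kv(line):
    """Parse 'key=value' pairs; a value runs until the next ' key=' or end of line, so paths may contain spaces."""
    return {m.group(1): m.group(2).strip() for m in re.finditer(r"(\w+)=(.*?)(?= \w+=|$)", line)}

def rmm_in(text):
    """Return the campaign RMM product referenced in text (service name, image path or MSI product), or None."""
    low = text.lower()
    return next((name for name, pat in CAMPAIGN_RMM.items() if re.search(pat, low)), None)

def detect(install_events, proxy_events, approved):
    """approved maps host -> set of RMM product names sanctioned for that host; everything else is flagged."""
    findings = []
    for ev in map(parse_kv, install_events):
        subject = " ".join(ev.get(k, "") for k in ("service_name", "image", "product"))
        name = rmm_in(subject)
        if name and name not in approved.get(ev["host"], set()):
            findings.append(Finding(ev["host"], "unapproved_rmm", name))
    for ev in map(parse_kv, proxy_events):
        dom = urlparse(ev["url"]).hostname or ""
        if any(dom == d or dom.endswith("." + d) for d in STAGING_DOMAINS):
            findings.append(Finding(ev["host"], "staging_download", dom))
    return findings

# Constructed sample telemetry: 7045 = service installed, 11707 = MsiInstaller product installed.
SAMPLE_INSTALLS = [
    "host=WS-ACAD-07 event=7045 service_name=AteraAgent image=C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe",
    "host=WS-ACAD-07 event=11707 product=SimpleHelp Remote Access",
    "host=SRV-UTIL-02 event=11707 product=PDQ Connect Agent",
    "host=WS-ENG-11 event=11707 product=Microsoft Edge",
]
SAMPLE_PROXY = [
    "host=WS-ACAD-07 url=https://ws.onehub.com/files/abc123 status=200",
    "host=WS-ENG-11 url=https://intranet.example.local/policy.pdf status=200",
]
APPROVED_RMM = {"SRV-UTIL-02": {"PDQ"}}  # assumption: PDQ is the organisation's sanctioned tool on this server

if __name__ == "__main__":
    for f in detect(SAMPLE_INSTALLS, SAMPLE_PROXY, APPROVED_RMM):
        print(f)
```

Only the sanctioned PDQ install on SRV-UTIL-02 passes; the Atera and SimpleHelp installs and the OneHub download on WS-ACAD-07 are raised as findings.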