MuddyWater Cyberespionage Campaign Leveraging Snake Game-Inspired Malware
Iranian state-aligned threat group MuddyWater has launched a new cyberespionage campaign targeting organizations in Israel and Egypt, with a focus on technology, engineering, manufacturing, local government, and educational sectors. Researchers from ESET and other security firms have identified that MuddyWater is using a novel loader, dubbed Fooder, which masquerades as the classic Snake video game to deliver a new backdoor called MuddyViper. This loader introduces execution delays, inspired by the Snake game's mechanics, to evade antivirus detection. The campaign also employs spearphishing emails with PDF attachments that link to remote monitoring and management software installers, hosted on free file-sharing services, to gain initial access.
The MuddyViper backdoor enables attackers to collect system information, execute files and shell commands, transfer files, and exfiltrate Windows login credentials and browser data. Additional tools, such as credential stealers and another backdoor named VAX One, have also been deployed. MuddyWater's evolving tactics, including the use of reflective loading for in-memory execution and the impersonation of legitimate software, demonstrate increased sophistication and a continued focus on defense evasion and persistence. Security researchers note the possibility that MuddyWater may be acting as an initial access broker for other Iranian threat actors, given observed overlaps in operations.
Timeline
Dec 2, 2025
ESET discloses MuddyWater's evolved campaign and new malware
On 2025-12-02, ESET publicly reported that MuddyWater had evolved its tradecraft in the 2024-2025 campaign, highlighting the Snake-themed Fooder loader, the new MuddyViper backdoor, and expanded credential theft capabilities. ESET assessed the activity as showing increased sophistication and possible overlap or collaboration with other Iran-aligned actors such as Lyceum and OilRig.
Mar 18, 2025
Observed MuddyWater campaign activity ends
ESET-tracked activity associated with this wave of MuddyWater intrusions ran through 2025-03-18. By that point, the campaign had affected 17 Israeli organizations and one Egyptian technology company according to later reporting.
Sep 30, 2024
MuddyWater deploys new MuddyViper backdoor and credential theft tooling
After gaining access, the attackers deployed a previously undocumented in-memory backdoor dubbed MuddyViper, along with credential stealers including CE-Notes and LP-Notes, and in some reporting VAX One. The malware supported persistence, credential harvesting, command execution, and data exfiltration while using techniques such as reverse SOCKS5 tunneling and the Windows CNG cryptographic API for stealth.
Sep 30, 2024
MuddyWater uses Snake-themed Fooder loader and phishing for initial access
During the campaign, MuddyWater used spear-phishing emails with PDF lures that led victims to remote monitoring and management tool installers hosted on free file-sharing services; one report also mentions exploitation of VPN vulnerabilities. The group delivered a custom loader called Fooder, disguised as the Snake video game and using delayed execution to evade automated defenses.
Sep 30, 2024
MuddyWater begins campaign targeting Israeli and Egyptian organizations
The Iran-aligned MuddyWater group launched a cyberespionage campaign primarily against organizations in Israel, with at least one victim in Egypt, spanning sectors such as government, telecom, energy, technology, manufacturing, transportation, utilities, and academia. Multiple reports place the start of the activity on 2024-09-30.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Threat Actors
Malware
Organizations
Affected Products
Sources
3 more from sources like dark reading, the hacker news and help net security
Related Stories
MuddyWater Deploys Phoenix v4 Backdoor via Phishing and VPN Infrastructure
The Iranian state-sponsored threat group MuddyWater has conducted a widespread cyber espionage campaign targeting over 100 government and international organizations, primarily in the Middle East and North Africa. The attackers leveraged compromised email accounts accessed through NordVPN exit nodes to distribute phishing emails containing malicious Word documents. These documents, when opened and macros enabled, deployed the FakeUpdate malware loader, which subsequently decrypted and installed the Phoenix v4 backdoor on victim systems. The campaign focused on diplomatic entities such as embassies, consulates, and ministries of foreign affairs, with the attackers adapting their techniques to bypass modern security controls, including the use of macro-based payloads despite Microsoft's default macro restrictions. Researchers observed that after an initial phase using a command-and-control server, MuddyWater shifted tactics, likely employing additional tools and malware to further their espionage objectives. The Phoenix v4 backdoor, central to this operation, enabled persistent access and data exfiltration from compromised networks. The campaign highlights MuddyWater's continued evolution in attack methods and its focus on high-value government targets through sophisticated phishing and malware deployment strategies.
1 months ago
MuddyWater Phishing Campaign Targets Middle East and North Africa Government Networks
Iranian state-sponsored threat actor MuddyWater has conducted a large-scale cyberespionage campaign breaching over 100 government entities and international organizations across the Middle East and North Africa. The attackers leveraged a compromised enterprise mailbox, accessed via NordVPN, to send convincing phishing emails from legitimate addresses to embassies, ministries, and telecom providers. These emails contained weaponized Microsoft Word attachments that, when opened and macros enabled, deployed the updated "Phoenix" backdoor, granting persistent remote access, credential theft, and file exfiltration capabilities. The campaign also utilized off-the-shelf remote management tools such as PDQ and Action1 to blend in with legitimate administrative traffic and pilfered browser passwords from Chrome, Edge, Opera, and Brave. Researchers at Group-IB highlighted that MuddyWater, also known as Seedworm, APT34, OilRig, and TA450, has demonstrated evolving tradecraft and operational maturity in this operation, mixing official government and personal email addresses to increase the likelihood of successful compromise. The campaign's scale and targeting suggest either a significant increase in capability or a broader intelligence collection mandate from Iranian authorities. MuddyWater, linked to Iran's Ministry of Intelligence and Security, has a history of targeting government, energy, telecom, and defense sectors, focusing on long-term espionage rather than destructive attacks. Analysts warn that further activity is likely amid ongoing regional tensions.
1 months ago
MuddyWater Deploys UDPGangster Backdoor via Spear-Phishing Campaigns
The Iranian state-linked threat actor MuddyWater has launched a cyber espionage campaign targeting organizations in Turkey, Israel, and Azerbaijan using a new backdoor named UDPGangster. This malware leverages the User Datagram Protocol (UDP) for command-and-control (C2) communications, enabling attackers to remotely control compromised systems, execute commands, exfiltrate files, and deploy additional payloads while evading traditional network defenses. The attack chain begins with spear-phishing emails impersonating government entities, such as the Turkish Republic of Northern Cyprus Ministry of Foreign Affairs, and includes malicious Microsoft Word documents that prompt users to enable macros, triggering the execution of the UDPGangster payload. The VBA macro embedded in the malicious documents decodes Base64-encoded data and writes it to a file, which is then executed to launch the backdoor. UDPGangster establishes persistence through Windows Registry modifications and incorporates anti-analysis techniques to resist detection and analysis. The campaign demonstrates MuddyWater's continued evolution in using covert communication channels and sophisticated social engineering tactics to infiltrate targeted organizations in the Middle East region.
1 months ago