MuddyWater cyber campaign adds new backdoors in latest wave of attacks

ESET researchers say an Iran-aligned threat group is refining its playbook again, and the latest activity shows how much its tactics have shifted. MuddyWater is a long-running cyberespionage group, and the new findings point to a campaign that hit a range of organizations in Israel, with one confirmed victim in Egypt.

A wider set of targets and tools

Researchers say the victims in Israel were in the technology, engineering, manufacturing, local government and education sectors. The group is also tracked as Mango Sandstorm and TA450, and ESET attributes it to the Ministry of Intelligence and National Security of Iran. The new investigation centers on a collection of custom tools that MuddyWater operators used to improve defense evasion and maintain persistence.

One of the main findings is a new backdoor that researchers call MuddyViper. According to the researchers, it lets attackers collect system information, execute files and shell commands, transfer files, and exfiltrate Windows login credentials and browser data. The operators also deployed other credential stealers alongside it.

Among the new components is a loader named Fooder that masquerades as the classic Snake game. Fooder delivers MuddyViper through reflective loading: the payload is mapped and executed directly from memory rather than being written to disk and loaded through the normal Windows loader, which leaves fewer artifacts for file-based detection.

Overview of Fooder loading MuddyViper or other supported payloads. (Source: ESET)

Phishing for access with familiar tools

Initial access in this campaign came through spearphishing emails. ESET says these often carried PDF attachments containing links to installers for legitimate remote monitoring and management (RMM) software. The installers were hosted on free file-sharing services such as OneHub, Egnyte or Mega, and the downloaded tools included Atera, Level, PDQ and SimpleHelp.

The group also used another backdoor called VAX One. It was named after the legitimate products that the malware impersonates, which are Veeam, AnyDesk, Xerox and the OneDrive updater service.

Researchers note that MuddyWater often uses this type of access pattern. Because the pattern is well documented, parts of the activity, such as the download and installation of RMM agents the organization does not use, remain easier to detect and block.
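One way to turn that observation into a concrete check is to scan web-proxy logs for installer downloads that combine the two signals the article describes: a free file-sharing host and an RMM product name. The script below is an added example for this article, not ESET's code or anything recovered from the campaign. The log layout, the sample lines, the domain and keyword lists, and the SANCTIONED_RMM allow-list are all constructed assumptions; adapt them to your proxy's schema and to the RMM tools your organization actually approves.

```python
"""Flag RMM installers fetched from free file-sharing services in proxy logs.

Added example, not ESET's code. Log format, sample lines, domain and
keyword lists and the allow-list are constructed assumptions.
"""
import re
from urllib.parse import urlparse

# Hosting services named in the campaign (assumed registrable domains).
FILE_SHARING_DOMAINS = {"onehub.com", "egnyte.com", "mega.nz"}

# RMM products named in the campaign; matched as substrings of the filename.
RMM_KEYWORDS = sorted({"atera", "level", "pdq", "simplehelp"})

# Hypothetical allow-list: RMM products this organization actually uses.
SANCTIONED_RMM = {"pdq"}

INSTALLER_EXT = (".exe", ".msi")

# Constructed proxy lines: "ts user src_ip method url status bytes".
SAMPLE_LOG = """\
2025-10-01T08:14:02Z alice 10.0.1.23 GET https://ws.onehub.com/files/abcd/AteraAgentSetup.exe 200 58211000
2025-10-01T08:20:11Z bob 10.0.1.40 GET https://cdn.example.com/docs/invoice.pdf 200 12033
2025-10-01T09:02:45Z carol 10.0.2.7 GET https://mega.nz/file/xyz#SimpleHelp-Installer.msi 200 31000000
2025-10-01T09:10:03Z dave 10.0.2.9 GET https://storage.egnyte.com/dl/pdq-deploy-setup.exe 200 44000000
2025-10-01T09:11:00Z erin 10.0.3.1 GET https://egnyte.com/ui/login 200 5120
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) (?P<method>\S+) "
    r"(?P<url>\S+) (?P<status>\d+) (?P<bytes>\d+)$"
)


def registrable_domain(host):
    """Collapse 'ws.onehub.com' to 'onehub.com' (naive two-label rule, fine for this list)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify(url):
    """Return (service, rmm_tool) if the URL is an RMM installer on a sharing service, else None."""
    parsed = urlparse(url)
    domain = registrable_domain(parsed.hostname or "")
    if domain not in FILE_SHARING_DOMAINS:
        return None
    # Mega links carry the filename after '#', which urlparse exposes as .fragment.
    filename = (parsed.fragment or parsed.path.rsplit("/", 1)[-1]).lower()
    if not filename.endswith(INSTALLER_EXT):
        return None
    for tool in RMM_KEYWORDS:
        if tool in filename:
            return domain, tool
    return None


def find_rmm_downloads(log_text):
    """Return one alert dict per log line that matches the RMM-from-file-sharing pattern."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        hit = classify(m["url"])
        if hit is None:
            continue
        service, tool = hit
        alerts.append({
            "ts": m["ts"], "user": m["user"], "src": m["src"],
            "service": service, "tool": tool,
            "sanctioned": tool in SANCTIONED_RMM,
        })
    return alerts


if __name__ == "__main__":
    for a in find_rmm_downloads(SAMPLE_LOG):
        sev = "info" if a["sanctioned"] else "HIGH"
        print(f"[{sev}] {a['ts']} {a['user']}@{a['src']} fetched {a['tool']} "
              f"installer from {a['service']}")
```

Even a sanctioned product is worth an informational alert here: an approved RMM agent is normally deployed from the vendor's site or an internal share, not pulled by an end user from Mega or OneHub. Note that "level" is a generic word, so in production you would match the vendor's actual installer names rather than a bare substring.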

New delay tricks and cryptography choices

The researchers highlight some shifts in technique. Fooder uses a custom delay function that draws on the Snake game's own logic alongside Sleep API calls. The goal is to stall execution long enough that automated analysis environments time out before any malicious behavior appears. Researchers say this behavior is one reason the campaign stands out.
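From the analyst's side, the counter to this kind of stalling is to measure how long a sample spends doing nothing observable. The script below is an added example for this article; it is not ESET's tooling and does not reproduce Fooder's delay routine. It reads a constructed API-call trace of the kind a sandbox produces and reports two things separately: the total time the sample asked for through Sleep/SleepEx (which stays large even when the sandbox accelerates sleeps) and unexplained wall-clock gaps with no API calls at all, which is what a compute-bound delay such as game logic looks like. The trace format, the BEHAVIOUR_APIS set and both thresholds are assumptions to tune for your own sandbox.

```python
"""Flag sandbox traces that stall before doing anything observable.

Added example, not ESET's code or Fooder's logic. Trace format, sample
traces, the behaviour-API set and the thresholds are assumptions.
"""
import re

# Constructed trace line: "<seconds since start> <API>(<args>)"
LINE_RE = re.compile(r"^(?P<t>\d+(?:\.\d+)?) (?P<api>\w+)\((?P<args>[^)]*)\)$")

# First call to any of these counts as observable behaviour (assumed set).
BEHAVIOUR_APIS = {"CreateFileW", "WriteFile", "InternetOpenUrlW", "WinHttpOpen",
                  "CreateProcessW", "VirtualAlloc", "LoadLibraryW"}

STALL_LIMIT_S = 120.0   # total stall before first behaviour that we flag (assumed)
GAP_LIMIT_S = 20.0      # silence not explained by a Sleep => compute-bound delay (assumed)

# Constructed traces.
TRACES = {
    "benign": """\
0.000 GetSystemInfo()
0.010 Sleep(500)
0.520 CreateFileW(C:\\Users\\x\\out.txt)
""",
    "stalling": """\
0.000 GetTickCount()
0.002 Sleep(30000)
30.010 GetTickCount()
30.012 Sleep(30000)
60.020 GetTickCount()
95.000 GetTickCount()
95.002 Sleep(45000)
140.010 VirtualAlloc(0x4000)
""",
    "timed_out": """\
0.000 Sleep(120000)
120.005 Sleep(120000)
""",
}


def parse_trace(text):
    """Return a list of (seconds, api, args) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((float(m["t"]), m["api"], m["args"]))
    return events


def sleep_seconds(api, args):
    """Seconds requested by a Sleep/SleepEx call, else 0.0."""
    if api not in ("Sleep", "SleepEx"):
        return 0.0
    m = re.search(r"\d+", args)
    return int(m.group()) / 1000.0 if m else 0.0


def stall_profile(text):
    """Summarize how the sample spent its time before its first observable API call."""
    requested_sleep = 0.0   # what the sample asked for, immune to sleep acceleration
    busy_gap = 0.0          # long silences with no Sleep to explain them
    pending = 0.0           # seconds the previous Sleep call accounts for
    prev_t = 0.0
    first_behaviour = None  # stays None if the trace ends without behaviour (sandbox timed out)
    for t, api, args in parse_trace(text):
        unexplained = max(0.0, (t - prev_t) - pending)
        if unexplained >= GAP_LIMIT_S:
            busy_gap += unexplained
        pending = sleep_seconds(api, args)
        requested_sleep += pending
        if api in BEHAVIOUR_APIS:
            first_behaviour = t
            break
        prev_t = t
    total = requested_sleep + busy_gap
    return {
        "first_behaviour_s": first_behaviour,
        "requested_sleep_s": requested_sleep,
        "busy_gap_s": busy_gap,
        "stalling": total >= STALL_LIMIT_S,
    }


if __name__ == "__main__":
    for name, trace in TRACES.items():
        p = stall_profile(trace)
        print(f"{name:10s} sleep={p['requested_sleep_s']:.1f}s busy={p['busy_gap_s']:.1f}s "
              f"first_behaviour={p['first_behaviour_s']} stalling={p['stalling']}")
```

The "timed_out" trace is the case that matters most: the sample never reached an observable call inside the analysis window, so a verdict based only on observed behaviour would be "clean". Reporting the requested sleep total alongside a missing first-behaviour timestamp lets the triage rule treat that silence as a finding rather than as absence of evidence.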

MuddyWater developers also used CNG, the Cryptography API: Next Generation that succeeded the older Windows CryptoAPI. ESET researchers say this is unusual for Iran-aligned groups and rare across the broader threat landscape.

Another shift shows up in how the operators behaved after gaining access. Researchers say they avoided hands-on-keyboard sessions, which tend to leave noisy command logs with errors. The researchers say the campaign shows technical evolution: more precision, more targeted delivery and a more advanced toolset.

Stacking credential stealers after compromise

The post-compromise phase included several tools built to gather credentials. ESET lists CE Notes, which targets Chromium-based browsers; LP Notes, which stages and verifies stolen credentials; and Blub, which pulls login data from Chrome, Edge, Firefox and Opera.

The use of multiple stealers lines up with past MuddyWater operations, which tend to rely on modular components. ESET's review places this activity within that longer history.

Tracing MuddyWater’s past operations

The group has been under public scrutiny since 2017, when Unit 42 first profiled it. Researchers note that the long-term pattern is steady: phishing documents, attempts to push users to enable macros, and a focus on Middle Eastern targets.

ESET points to Operation Quicksand in 2020 as a turning point. That campaign targeted Israeli government and telecommunications organizations with multistage operations. The group also ran a campaign in Türkiye that used social engineering tailored to local groups.

In 2023 ESET saw MuddyWater target a victim in Saudi Arabia. The group also ran a campaign in early 2025 that overlapped with Lyceum, an OilRig subgroup. Researchers say this overlap suggests MuddyWater may act as an initial access broker for other Iran-aligned groups.
