
MuddyWater, an Iran-aligned cyberespionage group also known as Mango Sandstorm, has launched a new, highly targeted campaign against critical infrastructure in Israel and Egypt.
Active from September 2024 through March 2025, the group zeroed in on diverse sectors including engineering, utilities, local government, and technology.
This operation marks a distinct evolution in their operational maturity, shifting from their historically noisy attacks to a refined methodology that combines custom-built malware with advanced evasion tactics to maintain long-term access without alerting defenders.
The initial infection vector relies on the group’s predictable yet effective playbook of spearphishing.
Victims receive emails containing links to legitimate-looking installers for Remote Monitoring and Management (RMM) software like Atera, Syncro, and PDQ, hosted on free file-sharing services to avoid suspicion.
Once these tools compromise the perimeter, the operators pivot to deploying a sophisticated toolset designed to steal credentials and exfiltrate sensitive browser data while deliberately avoiding interactive hands-on-keyboard sessions that often trigger alarms.
Welivesecurity analysts identified that the group has deployed previously undocumented tools, specifically the “Fooder” loader and the “MuddyViper” backdoor.
These components utilize the Windows CNG cryptographic API, a sophisticated feature rarely seen in Iran-nexus groups.
The malware masquerades as innocuous applications to hide its true intent, utilizing complex loading chains to execute payloads.
The Fooder Loader and MuddyViper Mechanics
The most technically intriguing aspect of this campaign is the Fooder loader, a custom C++ executable identified by internal PDB paths such as C:\Users\win\Desktop\Fooder\Debug\Launcher.pdb.
It reflectively loads the MuddyViper backdoor directly into memory. Uniquely, Fooder masquerades as the classic “Snake” video game, integrating the game’s core logic into its evasion routines.
It utilizes a custom delay function alongside Sleep API calls to mimic game loops, effectively stalling execution to bypass automated sandbox analysis.
Once executed, Fooder decrypts its payload using a hardcoded AES key. MuddyViper then operates entirely in memory, generating verbose status logs like [+] Persist: ——————– Hi,I am Live to signal its activation.
It establishes persistence via registry keys or scheduled tasks and communicates with C&C servers using encrypted traffic.
The backdoor also employs social engineering by displaying fake login prompts to harvest user credentials.
This blend of whimsical obfuscation and potent spyware capabilities highlights a dangerous upgrade in MuddyWater’s arsenal.
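As an added defender-side illustration (this is example code, not ESET's or the article's own), the following Python hunts constructed process-creation events for the two behaviours described above: RMM installers launched from a user profile, and scheduled-task or Run-key persistence created by a process in a user-writable directory. It also includes a string check for the Fooder PDB path quoted earlier. The event format, the user-writable directory heuristic and the sample lines are assumptions.

```python
import re

# Indicators quoted in the article: the PDB path embedded in the Fooder loader and the
# RMM products whose installers served as the initial foothold.
FOODER_PDB = rb"C:\Users\win\Desktop\Fooder\Debug\Launcher.pdb"
RMM_INSTALLERS = ("atera", "syncro", "pdq")
# Directories a phished user can write to; an RMM installer or persistence-creating
# parent living here is worth a second look (assumed heuristic, not from the article).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\")
# Scheduled-task and Run-key persistence, the two mechanisms named for MuddyViper.
PERSIST_PATTERNS = (
    re.compile(r"schtasks(\.exe)?\s+/create", re.I),
    re.compile(r"reg(\.exe)?\s+add\s+.*\\currentversion\\run", re.I),
)


def has_fooder_pdb(pe_bytes: bytes) -> bool:
    """True if a sample carries the Fooder PDB path (case-insensitive substring scan)."""
    return FOODER_PDB.lower() in pe_bytes.lower()


def classify_process_event(line: str) -> list:
    """Tag one process-creation event. The event format, key="value" pairs for
    parent, image and cmd, is an assumption made for this example."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    parent = fields.get("parent", "").lower()
    image = fields.get("image", "").lower()
    cmd = fields.get("cmd", "").lower()
    findings = []
    if any(p in image for p in RMM_INSTALLERS) and any(d in image for d in USER_WRITABLE):
        findings.append("rmm_install_from_user_path")
    if any(rx.search(cmd) for rx in PERSIST_PATTERNS) and any(d in parent for d in USER_WRITABLE):
        findings.append("persistence_from_user_writable_parent")
    return findings


def hunt(events: list) -> dict:
    """Map each event index to its findings, dropping events with none."""
    return {i: f for i, e in enumerate(events) if (f := classify_process_event(e))}


# Constructed sample events (not real telemetry): an RMM agent run from Downloads,
# a scheduled task registered by a binary in Temp, and a benign backup job.
SAMPLE_EVENTS = [
    'parent="C:\\Windows\\explorer.exe" image="C:\\Users\\alice\\Downloads\\AteraAgent.exe" cmd="AteraAgent.exe /quiet"',
    'parent="C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe" image="C:\\Windows\\System32\\schtasks.exe" '
    'cmd="schtasks /create /tn Updater /tr C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe /sc onlogon"',
    'parent="C:\\Windows\\System32\\svchost.exe" image="C:\\Program Files\\Corp\\backup.exe" cmd="backup.exe --run"',
]

if __name__ == "__main__":
    for idx, tags in hunt(SAMPLE_EVENTS).items():
        print(idx, tags)
```

In a real deployment the same two checks map onto Sysmon Event ID 1 (process creation) fields, with the directory and RMM lists tuned to what the environment legitimately uses.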
