New campaign deploys MuddyViper backdoor using advanced loaders, credential stealers, and RMM abuse
ESET Research has uncovered a major new MuddyWater cyberespionage operation targeting critical infrastructure and strategic sectors in Israel, with one confirmed victim in Egypt. The Iran-aligned group—also known as Mango Sandstorm or TA450—has intensified its focus on government, engineering, manufacturing, education, and technology entities across the region.
The newly identified campaign showcases a significant technical evolution. At its core is MuddyViper, a previously undocumented backdoor capable of collecting system data, executing files and shell commands, transferring files, and exfiltrating Windows credentials and browser information. To deploy it stealthily, attackers use Fooder, a custom loader that masquerades as the classic Snake game, leveraging reflective loading to execute malware directly in memory and evade detection.

“Threat actors like MuddyWater are rapidly evolving—blending familiar tradecraft with new stealth techniques. This campaign shows just how far state-aligned groups will go to infiltrate critical infrastructure.” — Girish Varma, Senior Security Research Spokesperson, ESET Middle East
Initial access continues to be achieved through spearphishing emails carrying PDF attachments that lead victims to remote monitoring and management (RMM) installers hosted on file-sharing platforms such as OneHub, Egnyte, and Mega. The attackers abused legitimate RMM tools including Atera, Level, PDQ, and SimpleHelp, which gave them persistence and remote control through signed, vendor-supported software rather than custom implants.
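As an added example (not code from ESET's report or from the MuddyWater tooling it describes), the following Python sketch shows how a detection engineer might hunt for the RMM-abuse chain above: an RMM installer launched from a user-writable path, with the severity raised when the same host resolved a file-sharing service shortly beforehand. It runs over constructed Sysmon-style process-creation and DNS records; the hostnames, users, paths, filename regexes and 30-minute window are all assumptions for illustration.

```python
import json
import re
from datetime import datetime, timedelta

# Assumed hostname patterns for the file-sharing services named in the report
# (OneHub, Egnyte, Mega). The exact hosts an intrusion touches will vary.
FILE_SHARING_HOSTS = re.compile(r"(^|\.)(onehub\.com|egnyte\.com|mega\.nz)$", re.I)

# Assumed filename fragments for installers of the RMM tools named in the report.
# "Level" alone would match far too much, so it is anchored to installer-like names.
RMM_INSTALLERS = {
    "Atera": re.compile(r"atera", re.I),
    "Level": re.compile(r"\blevel[-_ ]?(agent|setup|install|windows)", re.I),
    "PDQ": re.compile(r"\bpdq", re.I),
    "SimpleHelp": re.compile(r"simplehelp|simple-help", re.I),
}

# Paths an ordinary user can write to. A sanctioned RMM rollout normally runs
# from Program Files or a software-distribution share, not from here.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp)\\|\\Windows\\Temp\\", re.I)

# Constructed sample telemetry (one JSON record per line). Not real logs.
SAMPLE_LOG = r'''
{"ts": "2025-06-03T09:02:11", "event": "DnsQuery", "host": "WS-042", "user": "CORP\\jdoe", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "query": "ws.onehub.com"}
{"ts": "2025-06-03T09:05:47", "event": "ProcessCreate", "host": "WS-042", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\msiexec.exe", "cmdline": "msiexec.exe /i C:\\Users\\jdoe\\Downloads\\AteraAgent.msi /qn"}
{"ts": "2025-06-03T09:30:00", "event": "ProcessCreate", "host": "WS-042", "user": "CORP\\jdoe", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "cmdline": "chrome.exe"}
{"ts": "2025-06-03T10:15:20", "event": "ProcessCreate", "host": "ADMIN-01", "user": "CORP\\svc-pdq", "image": "C:\\Program Files\\PDQ Deploy\\PDQDeploy.exe", "cmdline": "PDQDeploy.exe"}
{"ts": "2025-06-03T14:40:05", "event": "ProcessCreate", "host": "WS-017", "user": "CORP\\asmith", "image": "C:\\Users\\asmith\\AppData\\Local\\Temp\\SimpleHelp-Windows-Setup.exe", "cmdline": "SimpleHelp-Windows-Setup.exe /S"}
'''


def parse_events(lines):
    """Parse newline-delimited JSON records and convert timestamps to datetimes."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def _subject(ev):
    # Match on image path and command line together, so an MSI handed to
    # msiexec.exe is caught as well as a directly executed .exe.
    return f'{ev.get("image", "")} {ev.get("cmdline", "")}'


def match_rmm(ev):
    """Return the RMM tool name whose installer pattern matches, or None."""
    subject = _subject(ev)
    for tool, pattern in RMM_INSTALLERS.items():
        if pattern.search(subject):
            return tool
    return None


def from_user_writable_path(ev):
    return bool(USER_WRITABLE.search(_subject(ev)))


def correlate(events, window=timedelta(minutes=30)):
    """Flag RMM installers run from user-writable paths; mark as high severity
    when the same host resolved a file-sharing service within the window."""
    events = sorted(events, key=lambda e: e["ts"])
    lookups = []  # (ts, host, queried name) for file-sharing DNS lookups seen so far
    findings = []
    for ev in events:
        if ev["event"] == "DnsQuery":
            if FILE_SHARING_HOSTS.search(ev["query"]):
                lookups.append((ev["ts"], ev["host"], ev["query"]))
            continue
        if ev["event"] != "ProcessCreate":
            continue
        tool = match_rmm(ev)
        if tool is None or not from_user_writable_path(ev):
            continue  # e.g. an admin running PDQ Deploy from Program Files
        precursor = next((q for ts, h, q in reversed(lookups)
                          if h == ev["host"] and ev["ts"] - window <= ts <= ev["ts"]), None)
        findings.append({
            "tool": tool, "host": ev["host"], "user": ev["user"],
            "time": ev["ts"].isoformat(), "image": ev["image"],
            "precursor": precursor,
            "severity": "high" if precursor else "medium",
        })
    return findings


def detect(log_text):
    return correlate(parse_events(log_text.splitlines()))


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding["severity"].upper(), finding["tool"], finding["host"],
              finding["user"], finding["precursor"])
```

On the constructed sample this yields two findings: the Atera MSI on WS-042 is rated high because the host queried ws.onehub.com three minutes earlier, and the SimpleHelp setup on WS-017 is rated medium with no precursor; the PDQ Deploy launch from Program Files is ignored. In production the allow-list of sanctioned RMM products and deployment paths is the part to tune, since the report shows the attackers relying on tools many organisations legitimately run.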
ESET researchers also identified the VAX One backdoor, disguised as well-known software like Veeam, AnyDesk, Xerox utilities, and OneDrive updater services. Complementing MuddyViper is a suite of credential stealers—CE-Notes, LP-Notes, and Blub—targeting major browsers including Chrome, Edge, Firefox, and Opera.
A notable advancement in this campaign is MuddyWater's adoption of CNG (Cryptography API: Next Generation), the modern Windows cryptographic API, a technique rarely seen among Iran-aligned actors. The operators also avoided interactive, hands-on-keyboard activity to reduce the noise visible to defenders, indicating improved discipline and precision.
MuddyWater’s history includes major operations such as Operation Quicksand (2020) and campaigns spanning Israel, Türkiye, and Saudi Arabia. Recent overlaps with Lyceum suggest the group may also be acting as an initial access broker for other Iran-aligned threat clusters.
ESET’s full technical analysis is available in its latest blogpost, MuddyWater: Snakes by the riverbank, on WeLiveSecurity.com.
