MuddyWater Expands Campaign with MuddyViper Backdoor Targeting Israeli Entities
Summary
The MuddyWater threat actor, linked to Iran and also known as Static Kitten, Mercury, and Seedworm, has conducted a global phishing campaign targeting over 100 organizations, including government entities, embassies, diplomatic missions, foreign affairs ministries, consulates, international organizations, and telecommunications firms in the Middle East and North Africa (MENA) region. The campaign used compromised email accounts to send phishing emails with malicious Microsoft Word documents containing macros that dropped and launched the Phoenix backdoor, version 4. This backdoor provided remote control over infected systems. The campaign was active starting August 19, 2025, and used a command-and-control (C2) server registered under the domain screenai[.]online. The attackers employed three remote monitoring and management (RMM) tools and a custom browser credential stealer, Chromium_Stealer. The malware and tools were hosted on a temporary Python-based HTTP service linked to NameCheap's servers. The campaign highlights the ongoing use of trusted communication channels by state-backed threat actors to evade defenses and infiltrate high-value targets. The server and server-side command-and-control (C2) component were taken down on August 24, 2025, likely indicating a new stage of the attack.

The MuddyWater threat actor has also targeted Israeli entities spanning academia, engineering, local government, manufacturing, technology, transportation, and utilities sectors. The hacking group has delivered a previously undocumented backdoor called MuddyViper. The attacks also singled out one technology company based in Egypt. The attack chains involve spear-phishing and the exploitation of known vulnerabilities in VPN infrastructure to infiltrate networks and deploy legitimate remote management tools. The campaign uses a loader named Fooder that decrypts and executes the C/C++-based MuddyViper backdoor.
The MuddyViper backdoor enables the attackers to collect system information, execute files and shell commands, transfer files, and exfiltrate Windows login credentials and browser data. Additionally, the MuddyWater threat actor has deployed a new backdoor called UDPGangster that uses the User Datagram Protocol (UDP) for command-and-control (C2) purposes. The attack chain involves using spear-phishing tactics to distribute booby-trapped Microsoft Word documents that trigger the execution of a malicious payload once macros are enabled. The phishing messages impersonate the Turkish Republic of Northern Cyprus Ministry of Foreign Affairs and purport to invite recipients to an online seminar titled "Presidential Elections and Results." The VBA script in the dropper file is equipped to conceal any sign of malicious activity by displaying a Hebrew-language decoy image from Israeli telecommunications provider Bezeq about supposed disconnection periods in the first week of November 2025 across various cities in the country. UDPGangster establishes persistence through Windows Registry modifications and boasts of various anti-analysis checks to resist efforts made by security researchers to take it apart. UDPGangster connects to an external server ("157.20.182[.]75") over UDP port 1269 to exfiltrate collected data, run commands using "cmd.exe," transmit files, update the C2 server, and drop and execute additional payloads.
Timeline
-
08.12.2025 08:46 1 article · 23h ago
MuddyWater Deploys UDPGangster Backdoor in Targeted Campaign
The MuddyWater threat actor has deployed a new backdoor called UDPGangster that uses the User Datagram Protocol (UDP) for command-and-control (C2) purposes. The attack chain involves using spear-phishing tactics to distribute booby-trapped Microsoft Word documents that trigger the execution of a malicious payload once macros are enabled. The phishing messages impersonate the Turkish Republic of Northern Cyprus Ministry of Foreign Affairs and purport to invite recipients to an online seminar titled "Presidential Elections and Results." The VBA script in the dropper file is equipped to conceal any sign of malicious activity by displaying a Hebrew-language decoy image from Israeli telecommunications provider Bezeq about supposed disconnection periods in the first week of November 2025 across various cities in the country. UDPGangster establishes persistence through Windows Registry modifications and boasts of various anti-analysis checks to resist efforts made by security researchers to take it apart. UDPGangster connects to an external server ("157.20.182[.]75") over UDP port 1269 to exfiltrate collected data, run commands using "cmd.exe," transmit files, update the C2 server, and drop and execute additional payloads.
- MuddyWater Deploys UDPGangster Backdoor in Targeted Turkey-Israel-Azerbaijan Campaign — thehackernews.com — 08.12.2025 08:46
-
02.12.2025 15:37 2 articles · 6d ago
MuddyWater Targets Israeli Entities with MuddyViper Backdoor
The MuddyWater threat actor has targeted Israeli entities spanning academia, engineering, local government, manufacturing, technology, transportation, and utilities sectors. The hacking group has delivered a previously undocumented backdoor called MuddyViper. The attacks also singled out one technology company based in Egypt. The attack chains involve spear-phishing and the exploitation of known vulnerabilities in VPN infrastructure to infiltrate networks and deploy legitimate remote management tools. The campaign uses a loader named Fooder that decrypts and executes the C/C++-based MuddyViper backdoor. The MuddyViper backdoor enables the attackers to collect system information, execute files and shell commands, transfer files, and exfiltrate Windows login credentials and browser data. The backdoor supports 20 commands that facilitate covert access and control of infected systems. The campaign uses go-socks5 reverse tunneling proxies and an open-source utility called HackBrowserData to collect browser data from several browsers. The campaign uses VAXOne, a backdoor that impersonates Veeam, AnyDesk, Xerox, and the OneDrive updater service. The campaign uses CE-Notes, a browser-data stealer that attempts to bypass Google Chrome's app-bound encryption by stealing the encryption key stored in the Local State file of Chromium-based browsers. The campaign uses Blub, a C/C++ browser-data stealer that gathers user login data from Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera. The campaign uses LP-Notes, a credential stealer written in C/C++ that tricks users into entering their system username and password by displaying a fake Windows Security dialog.
- Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks — thehackernews.com — 02.12.2025 15:37
- MuddyWater Deploys UDPGangster Backdoor in Targeted Turkey-Israel-Azerbaijan Campaign — thehackernews.com — 08.12.2025 08:46
-
22.10.2025 18:00 5 articles · 1mo ago
MuddyWater Phishing Campaign Using Compromised Mailboxes
The campaign started on August 19, 2025. The threat actor is also known as Static Kitten, Mercury, and Seedworm. The emails contained malicious Word documents with macro code that decoded and wrote the FakeUpdate malware loader to disk. The FakeUpdate malware loader decrypts the Phoenix backdoor, which is an embedded, AES-encrypted payload. The Phoenix backdoor establishes persistence by modifying a Windows Registry entry. The Phoenix backdoor version 4 includes an additional COM-based persistence mechanism and several functional differences. The Phoenix backdoor gathers information about the system to profile the victim. The Phoenix backdoor connects to its command-and-control (C2) via WinHTTP and starts to beacon and poll for commands. The supported commands in Phoenix v4 include Sleep, Upload file, Download file, Start shell, and Update sleep interval time. The custom infostealer attempts to exfiltrate the database from Chrome, Opera, Brave, and Edge browsers, extract credentials, and snatch the master key to decrypt them. The C2 infrastructure included the PDQ utility for software deployment and management, and the Action1 RMM tool. The server and server-side command-and-control (C2) component were taken down on August 24, 2025, likely indicating a new stage of the attack.
- MuddyWater Uses Compromised Mailboxes in Global Phishing Campaign — www.infosecurity-magazine.com — 22.10.2025 18:00
- Iran-Linked MuddyWater Targets 100+ Organisations in Global Espionage Campaign — thehackernews.com — 22.10.2025 20:21
- Iranian hackers targeted over 100 govt orgs with Phoenix backdoor — www.bleepingcomputer.com — 23.10.2025 00:19
- Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks — thehackernews.com — 02.12.2025 15:37
- MuddyWater Deploys UDPGangster Backdoor in Targeted Turkey-Israel-Azerbaijan Campaign — thehackernews.com — 08.12.2025 08:46
Information Snippets
-
The MuddyWater threat actor, linked to Iran, conducted a global phishing campaign using compromised email accounts.
First reported: 22.10.2025 18:00 · 3 sources, 5 articles
- MuddyWater Uses Compromised Mailboxes in Global Phishing Campaign — www.infosecurity-magazine.com — 22.10.2025 18:00
- Iran-Linked MuddyWater Targets 100+ Organisations in Global Espionage Campaign — thehackernews.com — 22.10.2025 20:21
- Iranian hackers targeted over 100 govt orgs with Phoenix backdoor — www.bleepingcomputer.com — 23.10.2025 00:19
- Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks — thehackernews.com — 02.12.2025 15:37
- MuddyWater Deploys UDPGangster Backdoor in Targeted Turkey-Israel-Azerbaijan Campaign — thehackernews.com — 08.12.2025 08:46
-
The campaign targeted international organizations to gather foreign intelligence.
First reported: 22.10.2025 18:00 · 3 sources, 5 articles
- MuddyWater Uses Compromised Mailboxes in Global Phishing Campaign — www.infosecurity-magazine.com — 22.10.2025 18:00
- Iran-Linked MuddyWater Targets 100+ Organisations in Global Espionage Campaign — thehackernews.com — 22.10.2025 20:21
- Iranian hackers targeted over 100 govt orgs with Phoenix backdoor — www.bleepingcomputer.com — 23.10.2025 00:19
- Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks — thehackernews.com — 02.12.2025 15:37
- MuddyWater Deploys UDPGangster Backdoor in Targeted Turkey-Israel-Azerbaijan Campaign — thehackernews.com — 08.12.2025 08:46
-
The attackers used a compromised mailbox accessed via NordVPN to send phishing emails.
First reported: 22.10.2025 18:00 · 3 sources, 4 articles
- MuddyWater Uses Compromised Mailboxes in Global Phishing Campaign — www.infosecurity-magazine.com — 22.10.2025 18:00
- Iran-Linked MuddyWater Targets 100+ Organisations in Global Espionage Campaign — thehackernews.com — 22.10.2025 20:21
- Iranian hackers targeted over 100 govt orgs with Phoenix backdoor — www.bleepingcomputer.com — 23.10.2025 00:19
- Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks — thehackernews.com — 02.12.2025 15:37
-
The phishing emails contained malicious Microsoft Word documents with macros that dropped and launched the Phoenix backdoor, version 4.
First reported: 22.10.2025 18:00 · 3 sources, 5 articles
- MuddyWater Uses Compromised Mailboxes in Global Phishing Campaign — www.infosecurity-magazine.com — 22.10.2025 18:00
- Iran-Linked MuddyWater Targets 100+ Organisations in Global Espionage Campaign — thehackernews.com — 22.10.2025 20:21
- Iranian hackers targeted over 100 govt orgs with Phoenix backdoor — www.bleepingcomputer.com — 23.10.2025 00:19
- Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks — thehackernews.com — 02.12.2025 15:37
- MuddyWater Deploys UDPGangster Backdoor in Targeted Turkey-Israel-Azerbaijan Campaign — thehackernews.com — 08.12.2025 08:46
-
The Phoenix backdoor provided remote control over infected systems.
First reported: 22.10.2025 18:00 · 3 sources, 5 articles
- MuddyWater Uses Compromised Mailboxes in Global Phishing Campaign — www.infosecurity-magazine.com — 22.10.2025 18:00
- Iran-Linked MuddyWater Targets 100+ Organisations in Global Espionage Campaign — thehackernews.com — 22.10.2025 20:21
- Iranian hackers targeted over 100 govt orgs with Phoenix backdoor — www.bleepingcomputer.com — 23.10.2025 00:19
- Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks — thehackernews.com — 02.12.2025 15:37
- MuddyWater Deploys UDPGangster Backdoor in Targeted Turkey-Israel-Azerbaijan Campaign — thehackernews.com — 08.12.2025 08:46
-
The campaign was active in August 2025 and used a C2 server registered under the domain screenai[.]online.
First reported: 22.10.2025 18:00 · 2 sources, 2 articles
- MuddyWater Uses Compromised Mailboxes in Global Phishing Campaign — www.infosecurity-magazine.com — 22.10.2025 18:00
- Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks — thehackernews.com — 02.12.2025 15:37
-
The attackers employed three RMM tools: PDQ, Action1, and ScreenConnect.
First reported: 22.10.2025 18:00 · 3 sources, 4 articles
- MuddyWater Uses Compromised Mailboxes in Global Phishing Campaign — www.infosecurity-magazine.com — 22.10.2025 18:00
- Iran-Linked MuddyWater Targets 100+ Organisations in Global Espionage Campaign — thehackernews.com — 22.10.2025 20:21
- Iranian hackers targeted over 100 govt orgs with Phoenix backdoor — www.bleepingcomputer.com — 23.10.2025 00:19
- Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks — thehackernews.com — 02.12.2025 15:37
-
The attackers used a custom browser credential stealer, Chromium_Stealer, masquerading as a calculator app.
First reported: 22.10.2025 18:00 · 3 sources, 4 articles
- MuddyWater Uses Compromised Mailboxes in Global Phishing Campaign — www.infosecurity-magazine.com — 22.10.2025 18:00
- Iran-Linked MuddyWater Targets 100+ Organisations in Global Espionage Campaign — thehackernews.com — 22.10.2025 20:21
- Iranian hackers targeted over 100 govt orgs with Phoenix backdoor — www.bleepingcomputer.com — 23.10.2025 00:19
- Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks — thehackernews.com — 02.12.2025 15:37
-
The malware and tools were hosted on a temporary Python-based HTTP service linked to NameCheap’s servers.
First reported: 22.10.2025 18:00 · 3 sources, 3 articles
- MuddyWater Uses Compromised Mailboxes in Global Phishing Campaign — www.infosecurity-magazine.com — 22.10.2025 18:00
- Iranian hackers targeted over 100 govt orgs with Phoenix backdoor — www.bleepingcomputer.com — 23.10.2025 00:19
- Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks — thehackernews.com — 02.12.2025 15:37
-
The campaign highlights the ongoing use of trusted communication channels by state-backed threat actors to evade defenses and infiltrate high-value targets.
First reported: 22.10.2025 18:00 · 3 sources, 4 articles
- MuddyWater Uses Compromised Mailboxes in Global Phishing Campaign — www.infosecurity-magazine.com — 22.10.2025 18:00
- Iran-Linked MuddyWater Targets 100+ Organisations in Global Espionage Campaign — thehackernews.com — 22.10.2025 20:21
- Iranian hackers targeted over 100 govt orgs with Phoenix backdoor — www.bleepingcomputer.com — 23.10.2025 00:19
- Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks — thehackernews.com — 02.12.2025 15:37
-
The MuddyWater campaign targeted over 100 organizations, including government entities, embassies, diplomatic missions, foreign affairs ministries, consulates, international organizations, and telecommunications firms in the Middle East and North Africa (MENA) region.
First reported: 22.10.2025 20:21 · 2 sources, 4 articles
- Iran-Linked MuddyWater Targets 100+ Organisations in Global Espionage Campaign — thehackernews.com — 22.10.2025 20:21
- Iranian hackers targeted over 100 govt orgs with Phoenix backdoor — www.bleepingcomputer.com — 23.10.2025 00:19
- Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks — thehackernews.com — 02.12.2025 15:37
- MuddyWater Deploys UDPGangster Backdoor in Targeted Turkey-Israel-Azerbaijan Campaign — thehackernews.com — 08.12.2025 08:46
-
The campaign used a loader called FakeUpdate to deploy the Phoenix backdoor.
First reported: 22.10.2025 20:21 · 2 sources, 3 articles
- Iran-Linked MuddyWater Targets 100+ Organisations in Global Espionage Campaign — thehackernews.com — 22.10.2025 20:21
- Iranian hackers targeted over 100 govt orgs with Phoenix backdoor — www.bleepingcomputer.com — 23.10.2025 00:19
- Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks — thehackernews.com — 02.12.2025 15:37
-
The Phoenix backdoor is a lightweight version of BugSleep, a Python-based implant linked to MuddyWater.
First reported: 22.10.2025 20:21 · 2 sources, 3 articles
- Iran-Linked MuddyWater Targets 100+ Organisations in Global Espionage Campaign — thehackernews.com — 22.10.2025 20:21
- Iranian hackers targeted over 100 govt orgs with Phoenix backdoor — www.bleepingcomputer.com — 23.10.2025 00:19
- Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks — thehackernews.com — 02.12.2025 15:37
-
The campaign's command-and-control (C2) server (159.198.36[.]115) hosted remote monitoring and management (RMM) utilities and a custom web browser credential stealer targeting Brave, Google Chrome, Microsoft Edge, and Opera.
First reported: 22.10.2025 20:21 · 2 sources, 3 articles
- Iran-Linked MuddyWater Targets 100+ Organisations in Global Espionage Campaign — thehackernews.com — 22.10.2025 20:21
- Iranian hackers targeted over 100 govt orgs with Phoenix backdoor — www.bleepingcomputer.com — 23.10.2025 00:19
- Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks — thehackernews.com — 02.12.2025 15:37
-
The campaign started on August 19, 2025.
First reported: 23.10.2025 00:19 · 2 sources, 2 articles
- Iranian hackers targeted over 100 govt orgs with Phoenix backdoor — www.bleepingcomputer.com — 23.10.2025 00:19
- Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks — thehackernews.com — 02.12.2025 15:37
-
The server and server-side command-and-control (C2) component were taken down on August 24, 2025.
First reported: 23.10.2025 00:19 · 2 sources, 2 articles
- Iranian hackers targeted over 100 govt orgs with Phoenix backdoor — www.bleepingcomputer.com — 23.10.2025 00:19
- Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks — thehackernews.com — 02.12.2025 15:37
-
The threat actor is also known as Static Kitten, Mercury, and Seedworm.
First reported: 23.10.2025 00:19 · 2 sources, 3 articles
- Iranian hackers targeted over 100 govt orgs with Phoenix backdoor — www.bleepingcomputer.com — 23.10.2025 00:19
- Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks — thehackernews.com — 02.12.2025 15:37
- MuddyWater Deploys UDPGangster Backdoor in Targeted Turkey-Israel-Azerbaijan Campaign — thehackernews.com — 08.12.2025 08:46
-
The campaign targeted numerous government and international organizations in the Middle East and North Africa.
First reported: 23.10.2025 00:19 · 2 sources, 2 articles
- Iranian hackers targeted over 100 govt orgs with Phoenix backdoor — www.bleepingcomputer.com — 23.10.2025 00:19
- Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks — thehackernews.com — 02.12.2025 15:37
-
The emails contained malicious Word documents with macro code that decoded and wrote the FakeUpdate malware loader to disk.
First reported: 23.10.2025 00:19 · 2 sources, 2 articles
- Iranian hackers targeted over 100 govt orgs with Phoenix backdoor — www.bleepingcomputer.com — 23.10.2025 00:19
- Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks — thehackernews.com — 02.12.2025 15:37
-
The FakeUpdate malware loader decrypts the Phoenix backdoor, which is an embedded, AES-encrypted payload.
First reported: 23.10.2025 00:19 · 2 sources, 2 articles
- Iranian hackers targeted over 100 govt orgs with Phoenix backdoor — www.bleepingcomputer.com — 23.10.2025 00:19
- Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks — thehackernews.com — 02.12.2025 15:37
-
The Phoenix backdoor establishes persistence by modifying a Windows Registry entry.
First reported: 23.10.2025 00:19 · 2 sources, 2 articles
- Iranian hackers targeted over 100 govt orgs with Phoenix backdoor — www.bleepingcomputer.com — 23.10.2025 00:19
- Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks — thehackernews.com — 02.12.2025 15:37
-
The Phoenix backdoor version 4 includes an additional COM-based persistence mechanism and several functional differences.
First reported: 23.10.2025 00:19 · 2 sources, 2 articles
- Iranian hackers targeted over 100 govt orgs with Phoenix backdoor — www.bleepingcomputer.com — 23.10.2025 00:19
- Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks — thehackernews.com — 02.12.2025 15:37
-
The Phoenix backdoor gathers information about the system to profile the victim.
First reported: 23.10.2025 00:19 · 2 sources, 2 articles
- Iranian hackers targeted over 100 govt orgs with Phoenix backdoor — www.bleepingcomputer.com — 23.10.2025 00:19
- Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks — thehackernews.com — 02.12.2025 15:37
-
The Phoenix backdoor connects to its command-and-control (C2) via WinHTTP and starts to beacon and poll for commands.
First reported: 23.10.2025 00:19 · 2 sources, 2 articles
- Iranian hackers targeted over 100 govt orgs with Phoenix backdoor — www.bleepingcomputer.com — 23.10.2025 00:19
- Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks — thehackernews.com — 02.12.2025 15:37
-
The supported commands in Phoenix v4 include Sleep, Upload file, Download file, Start shell, and Update sleep interval time.
First reported: 23.10.2025 00:19 · 2 sources, 2 articles
- Iranian hackers targeted over 100 govt orgs with Phoenix backdoor — www.bleepingcomputer.com — 23.10.2025 00:19
- Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks — thehackernews.com — 02.12.2025 15:37
-
The custom infostealer attempts to exfiltrate the database from Chrome, Opera, Brave, and Edge browsers, extract credentials, and snatch the master key to decrypt them.
First reported: 23.10.2025 00:19 · 2 sources, 2 articles
- Iranian hackers targeted over 100 govt orgs with Phoenix backdoor — www.bleepingcomputer.com — 23.10.2025 00:19
- Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks — thehackernews.com — 02.12.2025 15:37
-
The C2 infrastructure included the PDQ utility for software deployment and management, and the Action1 RMM tool.
First reported: 23.10.2025 00:19 · 2 sources, 2 articles
- Iranian hackers targeted over 100 govt orgs with Phoenix backdoor — www.bleepingcomputer.com — 23.10.2025 00:19
- Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks — thehackernews.com — 02.12.2025 15:37
-
The MuddyWater threat actor has targeted Israeli entities spanning academia, engineering, local government, manufacturing, technology, transportation, and utilities sectors.
First reported: 02.12.2025 15:37 · 1 source, 2 articles
- Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks — thehackernews.com — 02.12.2025 15:37
- MuddyWater Deploys UDPGangster Backdoor in Targeted Turkey-Israel-Azerbaijan Campaign — thehackernews.com — 08.12.2025 08:46
-
The hacking group has delivered a previously undocumented backdoor called MuddyViper.
First reported: 02.12.2025 15:37 · 1 source, 2 articles
- Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks — thehackernews.com — 02.12.2025 15:37
- MuddyWater Deploys UDPGangster Backdoor in Targeted Turkey-Israel-Azerbaijan Campaign — thehackernews.com — 08.12.2025 08:46
-
The attacks also singled out one technology company based in Egypt.
First reported: 02.12.2025 15:37 · 1 source, 2 articles
- Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks — thehackernews.com — 02.12.2025 15:37
- MuddyWater Deploys UDPGangster Backdoor in Targeted Turkey-Israel-Azerbaijan Campaign — thehackernews.com — 08.12.2025 08:46
-
The attack chains involve spear-phishing and the exploitation of known vulnerabilities in VPN infrastructure to infiltrate networks and deploy legitimate remote management tools.
First reported: 02.12.2025 15:37 · 1 source, 2 articles
- Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks — thehackernews.com — 02.12.2025 15:37
- MuddyWater Deploys UDPGangster Backdoor in Targeted Turkey-Israel-Azerbaijan Campaign — thehackernews.com — 08.12.2025 08:46
-
The campaign uses a loader named Fooder that decrypts and executes the C/C++-based MuddyViper backdoor.
First reported: 02.12.2025 15:37 · 1 source, 2 articles
- Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks — thehackernews.com — 02.12.2025 15:37
- MuddyWater Deploys UDPGangster Backdoor in Targeted Turkey-Israel-Azerbaijan Campaign — thehackernews.com — 08.12.2025 08:46
-
The MuddyViper backdoor enables the attackers to collect system information, execute files and shell commands, transfer files, and exfiltrate Windows login credentials and browser data.
First reported: 02.12.2025 15:37 · 1 source, 2 articles
- Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks — thehackernews.com — 02.12.2025 15:37
- MuddyWater Deploys UDPGangster Backdoor in Targeted Turkey-Israel-Azerbaijan Campaign — thehackernews.com — 08.12.2025 08:46
-
The backdoor supports 20 commands that facilitate covert access and control of infected systems.
First reported: 02.12.2025 15:37 · 1 source, 2 articles
- Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks — thehackernews.com — 02.12.2025 15:37
- MuddyWater Deploys UDPGangster Backdoor in Targeted Turkey-Israel-Azerbaijan Campaign — thehackernews.com — 08.12.2025 08:46
-
The campaign uses go-socks5 reverse tunneling proxies and an open-source utility called HackBrowserData to collect browser data from several browsers.
First reported: 02.12.2025 15:37 · 1 source, 1 article
- Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks — thehackernews.com — 02.12.2025 15:37
-
The campaign uses VAXOne, a backdoor that impersonates Veeam, AnyDesk, Xerox, and the OneDrive updater service.
First reported: 02.12.2025 15:37 · 1 source, 1 article
- Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks — thehackernews.com — 02.12.2025 15:37
-
The campaign uses CE-Notes, a browser-data stealer that attempts to bypass Google Chrome's app-bound encryption by stealing the encryption key stored in the Local State file of Chromium-based browsers.
First reported: 02.12.2025 15:37 · 1 source, 1 article
- Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks — thehackernews.com — 02.12.2025 15:37
-
The campaign uses Blub, a C/C++ browser-data stealer that gathers user login data from Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera.
First reported: 02.12.2025 15:37 · 1 source, 1 article
- Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks — thehackernews.com — 02.12.2025 15:37
-
The campaign uses LP-Notes, a credential stealer written in C/C++ that tricks users into entering their system username and password by displaying a fake Windows Security dialog.
First reported: 02.12.2025 15:37 · 1 source, 1 article
- Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks — thehackernews.com — 02.12.2025 15:37
-
The MuddyWater threat actor has deployed a new backdoor called UDPGangster that uses the User Datagram Protocol (UDP) for command-and-control (C2) purposes.
First reported: 08.12.2025 08:46 · 1 source, 1 article
- MuddyWater Deploys UDPGangster Backdoor in Targeted Turkey-Israel-Azerbaijan Campaign — thehackernews.com — 08.12.2025 08:46
-
The attack chain involves using spear-phishing tactics to distribute booby-trapped Microsoft Word documents that trigger the execution of a malicious payload once macros are enabled.
First reported: 08.12.2025 08:46 · 1 source, 1 article
- MuddyWater Deploys UDPGangster Backdoor in Targeted Turkey-Israel-Azerbaijan Campaign — thehackernews.com — 08.12.2025 08:46
-
The phishing messages impersonate the Turkish Republic of Northern Cyprus Ministry of Foreign Affairs and purport to invite recipients to an online seminar titled "Presidential Elections and Results."
First reported: 08.12.2025 08:46 · 1 source, 1 article
- MuddyWater Deploys UDPGangster Backdoor in Targeted Turkey-Israel-Azerbaijan Campaign — thehackernews.com — 08.12.2025 08:46
-
The VBA script in the dropper file is equipped to conceal any sign of malicious activity by displaying a Hebrew-language decoy image from Israeli telecommunications provider Bezeq about supposed disconnection periods in the first week of November 2025 across various cities in the country.
First reported: 08.12.2025 08:46 · 1 source, 1 article
- MuddyWater Deploys UDPGangster Backdoor in Targeted Turkey-Israel-Azerbaijan Campaign — thehackernews.com — 08.12.2025 08:46
-
The macro uses the Document_Open() event to automatically execute, decoding Base64-encoded data from a hidden form field (UserForm1.bodf90.Text) and writing the decoded content to C:\Users\Public\ui.txt.
First reported: 08.12.2025 08:46 · 1 source, 1 article
- MuddyWater Deploys UDPGangster Backdoor in Targeted Turkey-Israel-Azerbaijan Campaign — thehackernews.com — 08.12.2025 08:46
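The macro traits reported above (a Document_Open() auto-execute handler, Base64 data carried in a hidden UserForm field, and a write into C:\Users\Public\) are the kind of signals a defender can score when triaging extracted VBA source. The following Python is an added example written for this page, not code from the report or from any of the cited outlets; the indicator regexes, weights and verdict thresholds are assumptions, and the two VBA fragments are constructed fixtures (the malicious-looking one deliberately omits any decode or launch logic). It expects the macro text already extracted, for instance by a tool such as olevba.

```python
"""Static triage of extracted VBA macro text for the dropper traits reported
on this page.  Example code added here; not from the original report."""
import re
from dataclasses import dataclass, field

# (name, pattern, weight) -- weights are assumptions chosen for this example.
INDICATORS = [
    ("auto_exec",    re.compile(r"\b(Document_Open|AutoOpen|Workbook_Open|AutoExec)\b", re.I), 2),
    ("base64",       re.compile(r"\bbin\.base64\b|\bBase64\b", re.I), 2),
    ("form_field",   re.compile(r"\bUserForm\w*\.\w+\.(Text|Caption|Tag|Value)\b", re.I), 2),
    ("public_write", re.compile(r"C:\\Users\\Public\\", re.I), 3),
    ("file_write",   re.compile(r"\bOpen\s+.+?\s+For\s+(Binary|Output|Append)\b", re.I), 1),
    ("shell_exec",   re.compile(r"\b(Shell|WScript\.Shell|Win32_Process)\b", re.I), 3),
]


@dataclass
class TriageResult:
    hits: dict = field(default_factory=dict)   # indicator name -> line numbers
    score: int = 0

    @property
    def verdict(self) -> str:
        # Thresholds are assumptions; tune them against your own corpus.
        if self.score >= 7:
            return "suspicious"
        if self.score >= 3:
            return "review"
        return "benign"


def triage_vba(source: str) -> TriageResult:
    """Scan VBA source line by line; each indicator's weight counts once."""
    result = TriageResult()
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("'"):            # skip VBA comment lines
            continue
        for name, pattern, weight in INDICATORS:
            if pattern.search(stripped):
                if name not in result.hits:
                    result.hits[name] = []
                    result.score += weight
                result.hits[name].append(lineno)
    return result


# Constructed fixture modelled on the reported dropper; decode/launch steps omitted.
SAMPLE_VBA = r"""
Private Sub Document_Open()
    Dim blob As String
    blob = UserForm1.bodf90.Text
    Set node = CreateObject("MSXML2.DOMDocument").createElement("b64")
    node.DataType = "bin.base64"
    Open "C:\Users\Public\ui.txt" For Binary As #1
    Close #1
End Sub
"""

# Constructed benign fixture: auto-execute alone is common in legitimate templates.
BENIGN_VBA = r"""
Private Sub Document_Open()
    MsgBox "Welcome"
End Sub
"""

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        r = triage_vba(src)
        print(f"{label}: verdict={r.verdict} score={r.score} hits={sorted(r.hits)}")
```

Because each indicator contributes its weight only once, a long macro does not out-score a short one merely by repeating the same construct; the verdict reflects the combination of traits, which is what distinguishes the reported dropper pattern from a template that only uses Document_Open().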
-
UDPGangster establishes persistence through Windows Registry modifications and boasts of various anti-analysis checks to resist efforts made by security researchers to take it apart.
First reported: 08.12.2025 08:46 · 1 source, 1 article
- MuddyWater Deploys UDPGangster Backdoor in Targeted Turkey-Israel-Azerbaijan Campaign — thehackernews.com — 08.12.2025 08:46
-
UDPGangster verifies if the process is being debugged, analyzes CPU configurations for sandboxes or virtual machines, determines if the system has less than 2048 MB of RAM, retrieves network adapter information to validate if the MAC address prefix matches a list of known virtual machine vendors, validates if the computer is part of the default Windows workgroup rather than a joined domain, examines running processes for tools like VBoxService.exe, VBoxTray.exe, vmware.exe, and vmtoolsd.exe, runs Registry scans to search for matches to known virtualization vendor identifiers, searches for known sandboxing or debugging tools, and ascertains whether the file is running in an analysis environment.
First reported: 08.12.2025 08:46 · 1 source, 1 article
- MuddyWater Deploys UDPGangster Backdoor in Targeted Turkey-Israel-Azerbaijan Campaign — thehackernews.com — 08.12.2025 08:46
UDPGangster connects to an external server ("157.20.182[.]75") over UDP port 1269 to exfiltrate collected data, run commands using "cmd.exe," transmit files, update the C2 server address, and drop and execute additional payloads.
First reported: 08.12.2025 08:46 (1 source, 1 article)
- MuddyWater Deploys UDPGangster Backdoor in Targeted Turkey-Israel-Azerbaijan Campaign — thehackernews.com — 08.12.2025 08:46
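An added detection example, not part of the report: Python that parses constructed key=value flow records and flags traffic to the C2 address above, UDP flows to port 1269, and source/destination pairs that repeat such UDP flows, a rough beaconing indicator. The log format, every host other than the reported C2 IP, and the repeat threshold are assumptions.

```python
import re
from collections import Counter

# IoC from the report (defanged on the page as 157.20.182[.]75) and the reported C2 port.
C2_IPS = {"157.20.182.75"}
C2_UDP_PORTS = {1269}

# Constructed flow records in an assumed key=value firewall-log format; every host except the C2 IP is made up.
SAMPLE_FLOWS = """\
2025-12-08T08:46:01Z src=10.0.0.12 dst=157.20.182.75 proto=udp sport=51234 dport=1269 bytes=412
2025-12-08T08:46:03Z src=10.0.0.12 dst=8.8.8.8 proto=udp sport=51235 dport=53 bytes=72
2025-12-08T08:47:01Z src=10.0.0.12 dst=157.20.182.75 proto=udp sport=51234 dport=1269 bytes=96
2025-12-08T08:47:20Z src=10.0.0.40 dst=203.0.113.9 proto=udp sport=40000 dport=1269 bytes=300
2025-12-08T08:48:01Z src=10.0.0.12 dst=157.20.182.75 proto=udp sport=51234 dport=1269 bytes=96
2025-12-08T08:48:30Z src=10.0.0.40 dst=203.0.113.9 proto=tcp sport=40001 dport=443 bytes=1500
"""

FLOW_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")

def parse_flow(line: str):
    """Parse one record into a dict; return None for lines that do not fit the format."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for tok in m.group("kv").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            rec[k] = v
    if not {"src", "dst", "proto", "dport"} <= set(rec):
        return None
    rec["dport"] = int(rec["dport"])
    return rec

def detect_udpgangster_c2(log_text: str, min_repeats: int = 3) -> list:
    """Return sorted (src, dst, reason) alerts for the UDPGangster C2 traits."""
    alerts, repeats = set(), Counter()
    for line in log_text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue
        key = (rec["src"], rec["dst"])
        if rec["dst"] in C2_IPS:                      # any protocol to a listed C2 address
            alerts.add((*key, "known_c2_ip"))
        if rec["proto"].lower() == "udp" and rec["dport"] in C2_UDP_PORTS:
            alerts.add((*key, "udp_1269"))            # UDP to the reported C2 port
            repeats[key] += 1
    # A src/dst pair repeating UDP/1269 flows is a rough beaconing indicator.
    alerts.update((*key, "udp_1269_beacon") for key, n in repeats.items() if n >= min_repeats)
    return sorted(alerts)
```

The port-only rule fires on the made-up 203.0.113.9 destination as well, so treat it as a lower-confidence lead than a hit on the listed address.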
Similar Happenings
Landfall Android Spyware Exploits Samsung Zero-Day via WhatsApp
The Landfall Android spyware targeted Samsung devices through a zero-day vulnerability (CVE-2025-21042) in a Samsung image processing library. The exploit was delivered via a malicious DNG image sent through WhatsApp, affecting Samsung Galaxy S22, S23, S24, Z Fold4, and Z Flip4 phones. The spyware enables microphone recording, location tracking, and data exfiltration. The attacks have been ongoing since at least July 2024, and the vulnerability was patched by Samsung in April. The threat actor, tracked as CL-UNK-1054, remains unidentified, with potential links to the Stealth Falcon group and other surveillance vendors. The attacks primarily targeted individuals in the Middle East and North Africa. The exploit involved a zero-click approach, and the malicious DNG files contained an embedded ZIP file with a shared object library to run the spyware. The spyware manipulated the device's SELinux policy to gain elevated permissions and facilitate persistence, and communicated with a command-and-control (C2) server over HTTPS for beaconing and receiving next-stage payloads. The spyware can fingerprint devices based on hardware and SIM IDs and targets a broad range of Samsung’s latest flagship models, excluding the latest S25 series devices. Unit 42 identified six C2 servers linked to the LandFall campaign, with some flagged by Turkey’s CERT. C2 domain registration and infrastructure patterns share similarities with those seen in Stealth Falcon operations, originating from the United Arab Emirates. CISA has added CVE-2025-21042 to its Known Exploited Vulnerabilities catalog, ordering federal agencies to patch within three weeks.
Iranian APT Phishing Campaign Targets US Think Tanks
Between June and August 2025, an Iranian advanced persistent threat (APT) group, tentatively named UNK_SmudgedSerpent, conducted targeted phishing attacks against prominent US think tanks and policy experts. The campaign impersonated influential figures in US foreign policy, including Suzanne Maloney and Patrick Clawson, to steal credentials and deploy remote monitoring and management (RMM) software. The group's tactics, techniques, and procedures (TTPs) overlapped with multiple known Iranian APTs, suggesting possible reorganization or collaboration within Iranian cyber operations. The phishing attempts involved impersonating key figures in US policy discussions on Iran, using tailored emails to lure targets into clicking malicious links. The group used a combination of techniques reminiscent of multiple Iranian APTs, including TA453 (Charming Kitten) and TA455 (Smoke Sandstorm), and deployed RMM software, a tactic previously associated with TA450 (MuddyWater). The campaign targeted over 20 subject matter experts at a U.S.-based think tank and used decoy documents and zip files containing RMM installers. The attackers also impersonated prominent U.S. foreign policy figures associated with think tanks like Brookings Institution and Washington Institute, and used spoofed login pages to harvest Microsoft account credentials. The group's activity was observed to have paused, but concerns persist due to the tactical overlap with known Iranian APTs. The group's tactics and infrastructure suggest possible personnel movement or shared infrastructure procurement between Iranian contracting outfits.
RMM Software Exploited in Logistics and Freight Network Intrusions
Cybercriminals have been targeting trucking and logistics companies since at least January 2025, using remote monitoring and management (RMM) software to infiltrate networks and steal cargo freight. The primary targets are food and beverage products, which are often sold online or shipped overseas. The attackers collaborate with organized crime groups and use various methods to gain access, including compromised email accounts, spear-phishing emails, and fraudulent freight listings. They leverage legitimate RMM tools like ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N-able, and LogMeIn Resolve to maintain persistence and evade detection. Once inside, they conduct reconnaissance, harvest credentials, and manipulate dispatch systems to steal cargo. The use of RMM software allows them to operate undetected, as these tools are commonly used in enterprise environments and are often not flagged as malicious. The attackers have conducted nearly two dozen campaigns targeting North American freight companies in September and October 2025, with volumes ranging from less than 10 to over 1000 messages per campaign. The attackers have been active since at least June 2025, with evidence suggesting campaigns began as early as January 2025. Similar activity has been observed in Brazil, Mexico, India, Germany, Chile, and South Africa. The National Insurance Crime Bureau (NICB) estimates cargo theft losses in the U.S. at $35 billion annually. The attackers use compromised accounts on load boards to post fraudulent freight listings and hijack email threads to lead victims to malicious URLs. They send direct phishing emails to asset-based carriers, freight brokerage firms, and integrated supply-chain providers, targeting a wide range of carriers from small businesses to large transport firms. The attackers aim to compromise any carrier that responds to fake load postings and identify and bid on profitable loads to steal. They use various methods to steal cargo, including direct collaboration with truckers and double brokering, which disrupts the supply chain, leading to increased costs, delays, and insurance claims, and erodes trust within the supply chain.
Chinese State-Sponsored Group Exploits Windows Zero-Day in Espionage Campaign Against European Diplomats
A China-linked hacking group, UNC6384 (Mustang Panda), is exploiting a Windows zero-day vulnerability (CVE-2025-9491) to target European diplomats in Hungary, Belgium, Italy, the Netherlands, and Serbian government agencies. The campaign involves spearphishing emails with malicious LNK files to deploy the PlugX RAT and gain persistence on compromised systems. The attacks have broadened in scope to include diplomatic entities from Italy and the Netherlands. The zero-day vulnerability allows for remote code execution on targeted Windows systems, enabling the group to monitor diplomatic communications and steal sensitive data. Microsoft has not yet released a patch for this vulnerability, which has been heavily exploited by multiple state-sponsored groups and cybercrime gangs since March 2025. Microsoft has silently mitigated the vulnerability by changing LNK files in the November updates to display all characters in the Target field, not just the first 260. ACROS Security has also released an unofficial patch to limit shortcut target strings to 260 characters and warn users about potential dangers.
Nation-State Actors Compromise Ribbon Communications Network
Ribbon Communications, a provider of backbone technology for communication networks, detected unauthorized access to its IT network in early September 2025. The intrusion, potentially initiated as early as December 2024, is attributed to a nation-state actor. The breach affected several customer files saved on two laptops outside the main network. Ribbon has notified impacted customers and does not expect material financial impact. The attack profile suggests Chinese involvement, consistent with known cyberespionage campaigns targeting telecommunications companies. Ribbon Communications has over 3,100 employees in 68 global offices and is working with third-party cybersecurity experts and federal law enforcement to investigate the breach. The company expects to incur additional costs in the fourth quarter of 2025 related to the breach investigation and network strengthening efforts. Ribbon's solutions are used by major telecommunications providers and critical infrastructure organizations, including the US Department of Defense and the City of Los Angeles. The company is based in Plano, Texas, and specializes in communications software and IP optical networking technology for service providers and critical infrastructure organizations. The company was formed in 2017 following the merger of Sonus Networks and Genband. The attack on Ribbon follows several notable breaches of US firms, as well as telecom companies in other countries, in recent years. The most notable of these attacks were committed by Salt Typhoon, a Chinese nation-state threat group focused on cyberespionage.