Iran's 'MuddyWater' Levels Up With MuddyViper Backdoor
Recorded: Dec. 3, 2025, 2:03 a.m.
| Original | Summarized |
New Fooder loader and memory-only tactics suggest MuddyWater has evolved from its usual noisy ops to more stealthy espionage operations.

Jai Vijayan, Contributing Writer
December 2, 2025
4 Min Read
Source: Kurit afshen via Shutterstock

The Iran-aligned cyberespionage group MuddyWater used new tools and tactics to deploy previously undocumented custom malware against targets in Israel and Egypt during a campaign earlier this year.

The operation represented a distinct shift for MuddyWater toward stealthier, more advanced tradecraft and included the use of memory-only loaders, custom backdoors, and techniques designed for defense evasion and persistence. In a report issued this week, researchers at ESET said the upgrades marked a significant evolution in MuddyWater's capabilities and a departure from the group's historically noisier operational style.

A Stealthier, More Refined Adversary

MuddyWater, aka Mango Sandstorm or TA450, has been active since at least 2017 and is suspected of being linked to Tehran's Ministry of Intelligence and National Security. It has long focused on stealing sensitive information from government agencies, military organizations, telecom providers, and critical infrastructure operators, primarily in Israel. The group has, however, notched victims in other regions as well, including North America and across the Middle East.

MuddyWater has typically gained access to target environments via phishing emails carrying malicious attachments or links to fake software downloads and malware. Its toolkit has included both custom backdoors and modified versions of publicly available hacking tools.
Although highly active, MuddyWater has earned a reputation over the years for noisy, error-prone operations that defenders can often spot.

The group's latest campaign that ESET tracked ran from late September 2024 through mid-March 2025 and focused mainly on Israeli organizations, though ESET spotted at least one confirmed victim in Egypt. According to the security vendor, MuddyWater relied on a new 64-bit loader, known as "Fooder," to decrypt and execute its payloads entirely in memory, leaving no decrypted payload on disk for file-based scanners to examine. The threat actor used Fooder to deploy a previously unseen backdoor called "MuddyViper" that gave it extensive control over compromised systems. The backdoor enabled MuddyWater operators to execute arbitrary commands, steal credentials, exfiltrate data, establish reverse shells, and maintain persistence.

ESET researchers found multiple versions of the Fooder loader disguised as the "Snake" video game and featuring a custom delay mechanism, similar to Snake's game logic, that slows the malware's execution in a ploy to outlast automated sandboxes and evade behavior-based detection tools.

As part of the operation, MuddyWater also deployed several custom credential stealers, including CE-Notes, LP-Notes, and Blub, to extract browser passwords, login credentials, and other sensitive data. The attackers used reverse tunnels to siphon the data off to attacker-controlled systems. ESET's analysis showed MuddyWater developers using Microsoft's Cryptography API Next Generation (CNG) for encryption and decryption, suggesting the threat actor has gained more sophisticated development capabilities.

Working With Other Iran-Aligned Groups?

Notably, during the campaign, MuddyWater's activity overlapped with that of Lyceum, another Iran-aligned actor and a subgroup of OilRig.
In at least one instance, ESET observed MuddyWater acting as an initial access broker, dropping tools into a victim environment that Lyceum later used. ESET took that as an indication of potential collaboration between the two groups. OilRig is an Iranian cyber-espionage group that has been active since at least 2014, primarily known for targeting government, energy, telecommunications, and financial sectors across the Middle East, Europe, and North America.

"This campaign indicates an evolution in the operational maturity of MuddyWater," ESET said in its report. "The deployment of previously undocumented components — such as the Fooder loader and MuddyViper backdoor — signals an effort to enhance stealth, persistence, and credential harvesting capabilities," the security vendor noted.

The report highlighted MuddyWater's use of video game-inspired evasion techniques, reverse tunneling, and a diversified toolset as reflecting a more sophisticated approach, "even though traces of the group's operational immaturity remain." These include relatively easily detectable PowerShell and Go-based backdoors and overly frequent communications between MuddyWater's malware and its command-and-control (C2) infrastructure.

MuddyWater is just one of multiple state-sponsored hacking groups operating out of Iran that conduct espionage, sabotage, and influence operations aligned with Tehran's strategic interests. Major Iranian threat actors include APT33 (Elfin), which targets aviation and energy sectors; APT34 (OilRig), focused on financial services and government organizations; APT35 (Charming Kitten), which specializes in credential theft targeting journalists and political figures; and APT39, known for attacking telecommunications, aerospace, and travel companies.
Security researchers have observed these groups frequently sharing tools and infrastructure.

About the Author

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.
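ESET's observation that MuddyWater's implants talk to their C2 infrastructure too often is the kind of operational weakness a defender can turn into a detection: a host that opens connections to the same destination at short, regular intervals stands out against normal browsing. The following is an added example, not code from ESET, from the page, or from the malware described; it flags beacon-like outbound cadences in a simple connection log. The log format, hostnames, addresses (documentation ranges) and thresholds are all constructed for illustration, and the thresholds would need tuning against real baseline traffic.

```python
"""Flag beacon-like outbound connection cadences in a connection log.

Added example: the log format, hosts, destinations and thresholds below
are constructed for illustration and are not from the ESET report.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one connection per line:
#   <ISO timestamp> <source host> <destination ip:port> <bytes out>
# ws-17 talks to 203.0.113.10:443 roughly every 5 seconds (beacon-like);
# ws-04 talks to 198.51.100.7:443 at irregular, human-looking intervals.
SAMPLE_LOG = """\
2025-01-10T09:00:00 ws-17 203.0.113.10:443 612
2025-01-10T09:00:00 ws-04 198.51.100.7:443 1480
2025-01-10T09:00:02 ws-17 198.51.100.20:80 902
2025-01-10T09:00:05 ws-17 203.0.113.10:443 608
2025-01-10T09:00:10 ws-17 203.0.113.10:443 611
2025-01-10T09:00:16 ws-17 203.0.113.10:443 609
2025-01-10T09:00:20 ws-17 203.0.113.10:443 612
2025-01-10T09:00:25 ws-17 203.0.113.10:443 610
2025-01-10T09:00:31 ws-17 203.0.113.10:443 608
2025-01-10T09:00:35 ws-17 203.0.113.10:443 611
2025-01-10T09:00:37 ws-04 198.51.100.7:443 2210
2025-01-10T09:00:40 ws-17 203.0.113.10:443 609
2025-01-10T09:00:42 ws-17 198.51.100.20:80 4410
2025-01-10T09:00:45 ws-17 203.0.113.10:443 612
2025-01-10T09:00:51 ws-17 203.0.113.10:443 610
2025-01-10T09:00:55 ws-17 203.0.113.10:443 608
2025-01-10T09:03:10 ws-04 198.51.100.7:443 980
2025-01-10T09:03:21 ws-04 198.51.100.7:443 3150
2025-01-10T09:07:35 ws-04 198.51.100.7:443 1210
2025-01-10T09:07:50 ws-04 198.51.100.7:443 770
2025-01-10T09:10:00 ws-04 198.51.100.7:443 1900
2025-01-10T09:10:05 ws-04 198.51.100.7:443 640
2025-01-10T09:15:00 ws-04 198.51.100.7:443 2880
"""


def parse_log(text):
    """Yield (timestamp, src, dst) tuples; blank and '#' lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, _bytes_out = line.split()
        yield datetime.fromisoformat(ts), src, dst


def find_beacons(text, min_connections=8, max_mean_interval=60.0, max_jitter=0.2):
    """Return {(src, dst): stats} for pairs whose cadence looks like a beacon.

    A pair is flagged when it has at least `min_connections` connections,
    the mean gap between them is at most `max_mean_interval` seconds, and
    the gaps are regular: population stddev / mean (jitter) <= `max_jitter`.
    Thresholds are hypothetical defaults, not values from the report.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in parse_log(text):
        by_pair[(src, dst)].append(ts)

    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue  # too few observations to call a cadence
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # A burst of identical timestamps gives avg == 0; treat it as perfectly
        # regular rather than dividing by zero.
        jitter = pstdev(gaps) / avg if avg > 0 else 0.0
        if avg <= max_mean_interval and jitter <= max_jitter:
            hits[pair] = {
                "count": len(stamps),
                "mean_interval": avg,
                "jitter": round(jitter, 3),
            }
    return hits


if __name__ == "__main__":
    for (src, dst), s in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {s['count']} connections, "
              f"every ~{s['mean_interval']:.0f}s, jitter {s['jitter']}")
```

On the constructed sample only the ws-17 to 203.0.113.10:443 pair is reported; the ws-04 traffic has a mean gap well over a minute and highly irregular spacing, and the two ws-17 connections to 198.51.100.20:80 are below the minimum count. In practice the same logic runs over proxy, firewall or NetFlow exports, and the destination-side view (many hosts beaconing to one external address) is usually the stronger signal.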
Copyright © 2025 TechTarget, Inc. d/b/a Informa TechTarget.
MuddyWater, a cyberespionage group aligned with Iran, has evolved its operational capabilities, marking a significant shift from its historically noisy and error-prone tactics, according to a recent report by ESET. The group's activities, primarily targeting Israel (with at least one confirmed victim in Egypt) from late September 2024 to mid-March 2025, used new tools, the Fooder loader and the MuddyViper backdoor, that represent a departure from its previous operational methods and a focus on stealth, persistence, and credential harvesting.

The core of this transformation is the Fooder loader, a 64-bit loader that decrypts and executes its payload entirely in memory, so that no decrypted payload is ever written to disk for file-based scanners to examine; catching it depends instead on memory scanning and behavioral telemetry. Coupled with it is the MuddyViper backdoor, which grants extensive control over compromised systems: command execution, credential theft, data exfiltration, reverse shells, and persistent access. Multiple versions of Fooder were disguised as the classic video game "Snake" and carry a deliberate, Snake-like delay mechanism designed to outlast automated sandboxes and evade behavior-based detection tools.

The group also deployed custom credential stealers (CE-Notes, LP-Notes, and Blub) to extract browser passwords and login credentials, and used reverse tunnels to siphon the data to attacker-controlled systems. MuddyWater's developers incorporated Microsoft's Cryptography API Next Generation (CNG) for encryption and decryption, which ESET reads as a sign of more sophisticated development capability.

MuddyWater's activities were not isolated: ESET observed its operations overlapping with those of Lyceum, another Iran-aligned group and a subgroup of OilRig. In at least one case MuddyWater acted as an initial access broker, dropping tools into a victim environment that Lyceum later used, which ESET takes as a sign of potential collaboration. OilRig, active since at least 2014, is known for targeting government, energy, telecommunications, and financial sectors across the Middle East, Europe, and North America. This coordination underscores the interconnected nature of Iran's cyber espionage efforts.

ESET's analysis also noted persistent shortcomings alongside these advancements: the group still relies on relatively easily detectable PowerShell and Go-based backdoors and communicates excessively often with its C2 infrastructure, a cadence that network monitoring can pick up. Even so, the shift toward stealthier techniques, including Fooder and MuddyViper, is a real upgrade in MuddyWater's tradecraft and suggests Iran's cyber espionage capabilities are continually adapting. Other Iranian cyber-espionage groups, such as APT33 (Elfin), APT34 (OilRig), APT35 (Charming Kitten), and APT39, frequently share tools and infrastructure, further complicating the threat landscape. The progression observed in MuddyWater's operations underscores the importance of continuous monitoring and adaptation in the face of evolving cyber threats.