Technical Release: Inside MuddyWater’s Evolving Cyber Arsenal Against Israeli and Egyptian Targets

Listen to this Post

Featured Image

Introduction

A new round of cyber operations attributed to the Iran-aligned APT group MuddyWater has surfaced with unsettling precision and stealth. The recent investigation by ESET researchers reveals an operation that breaks from the group’s historically noisy playbook and moves into a far more refined, evasive, and persistent threat model. With disguises crafted from simple games, loaders built for silent deployment, and backdoors engineered for deep credential theft, this campaign demonstrates how MuddyWater is reshaping its toolkit for modern espionage. What follows is a detailed exploration of this campaign, its tools, its targets, and the broader implications for regional cyber stability.

Campaign Overview and Key Findings

MuddyWater launched a new campaign targeting Israeli organizations and one confirmed Egyptian entity, deploying custom-built malware designed for stealth, persistence, and credential theft. The threat actors used a tool named Fooder, disguised as a classic Snake game, to deploy the MuddyViper backdoor. MuddyViper collects system information, extracts browser data, steals credentials, runs files, and exfiltrates data. Alongside this, attackers used CE-Notes, LP-Notes, and Blub stealers, as well as multiple go-socks5 reverse tunnels to maintain covert remote access.

In contrast to their past high-noise intrusions, this operation stayed low-profile and avoided interactive sessions. ESET detected advanced techniques, including the use of the CNG cryptographic API in Windows, which allowed MuddyWater to encrypt and decrypt data efficiently. The group primarily targeted Israeli organizations across engineering, government, manufacturing, technology, transportation, utilities, and academia between September 30, 2024, and March 18, 2025. One Egyptian target was also confirmed.

In February 2025, MuddyWater hit a utilities organization, revealing operational overlap with OilRig’s subgroup. This aligns with MuddyWater’s recurring role as an initial access broker, distributing spearphishing emails containing malicious links to remote management tools such as Syncro and PDQ. Tools like a Mimikatz loader and the VAX-One backdoor were used in several stages of the intrusion.

ESET identified strong similarities between the new malware and older MuddyWater variants. LP-Notes mirrored CE-Notes, and a redesigned Mimikatz loader shared key internal functions with previous samples. Newly observed go-socks5 reverse tunnels appeared in multiple cases, occasionally integrated directly into the Fooder loader. These tunnels enabled discreet remote traffic routing while bypassing traditional detection systems.

MuddyViper, CE-Notes, LP-Notes, and the Mimikatz loader variants all used the CNG API for data encryption, a technique rarely seen outside Iranian-aligned groups. Several tools used fake Windows Security pop-ups to trick victims into entering credentials, enabling direct credential theft.

Fooder itself is a 64-bit C/C++ loader with reflective loading capabilities and minimal obfuscation. It contains verbose console logging and an intact PDB path, suggesting hurried development or internal confidence that the loader would not easily be detected. Though only one Fooder sample was captured, researchers believe it is executed through a simple C-based launcher application.

This entire campaign demonstrates MuddyWater’s increasing sophistication. Their use of game-inspired disguises, reverse tunnels, modular loaders, and evolving backdoors reflect a targeted push toward stealthier and more resilient operations. These attacks continue a trajectory dating back to 2017, when the first MuddyWater campaign targeted entities across the Middle East and beyond. Over the years, the group’s footprint expanded into Europe, North America, and Asia, particularly in the telecommunications, energy, and government sectors.

In 2022, US Cyber Command officially linked MuddyWater to Iran’s Ministry of Intelligence and Security, solidifying attribution. Joint advisories from UK and US authorities later confirmed the group’s ongoing operations across telecommunications, defense, local government, and energy industries worldwide.

What Undercode Say:

Rising Stealth in Region-Focused Cyber Operations

Evaluating this campaign through a technical lens reveals a critical shift. MuddyWater is no longer relying solely on its familiar, script-heavy playbooks. It now adopts loaders with cleaner structures, backdoors with broader functions, and network tunnels that blend deep into a compromised environment. This indicates a deliberate evolution, driven by pressure from global counterintelligence efforts and the rising need for more enduring access.

The Strategic Implications of Tool Overlap

The overlaps between Fooder, MuddyViper, CE-Notes, LP-Notes, and older MuddyWater tools show the group’s preference for iterative engineering. They are layering new techniques over old foundations, improving reliability while reducing development overhead. This hybrid development model allows the group to deploy new campaigns quickly while retaining backward compatibility with their ecosystem of tools.

Credential Theft as the Campaign’s Core Objective

The consistent use of fake Windows Security dialogs exposes the group’s fixation on credential capture. This is not merely opportunistic theft; it signals preparation for lateral movement, privilege escalation, and long-term espionage. Credentials remain the currency of deep network penetration, and MuddyWater aims to collect them at scale.

Iran-Aligned Cryptography Practices

The heavy reliance on the CNG Windows cryptographic API is noteworthy. It demonstrates a regional coding culture within Iranian-aligned APT groups. The API’s structured approach to encryption aligns with their emphasis on persistence and confidentiality. It may also reflect shared development resources across subgroups like OilRig and Lyceum.

Reverse Tunnels as a Stealth Weapon

The go-socks5 tunnels represent one of the most dangerous elements of this campaign. By forwarding traffic through covert tunnels, MuddyWater bypasses intrusion detection systems, avoids triggering behavioral analytics, and ensures uninterrupted command and control access. Embedding these tunnels within Fooder adds another layer of stealth.

Sector Targeting and Long-Term Strategy

The choice of victims reflects

MuddyWater’s Role as an Access Broker

Their recurring role as an initial access broker must not be overlooked. This suggests that MuddyWater’s operations may serve broader intelligence frameworks. Once access is established, other Iranian-aligned groups may step in to deploy ransomware, conduct espionage, or influence critical infrastructure systems.

A Predictable Yet Effective Playbook

Even with growing sophistication, MuddyWater still leans heavily on PowerShell and Go-based backdoors. This predictability, as ESET notes, makes detection possible when organizations deploy robust behavioral monitoring and endpoint visibility tools. Yet the group’s efficiency and timing keep them relevant and dangerous.

A Future of Hybrid Threat Models

This campaign shows where MuddyWater is heading: a fusion of lightweight loaders, deceptive disguises, multi-layered tunnels, and modular backdoors, all constructed to survive modern defense systems. Their evolution will continue shaping the threat landscape, especially in regions already under geopolitical strain.

🔍 Fact Checker Results

✅ MuddyWater is officially linked to Iran’s Ministry of Intelligence and Security.

❌ Fooder is not a game; it only disguises itself as Snake to evade detection.

✅ The campaign primarily targeted Israeli organizations and one Egyptian entity.

📊 Prediction

MuddyWater is on track to expand its toolkit with more modular Go-based backdoors and improved reverse tunnels.
Expect deeper collaboration with OilRig and Lyceum as Iranian cyber units tighten shared infrastructure.
Future campaigns will likely deploy AI-assisted phishing lures and more advanced cryptographic techniques to bypass defensive analytics.

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: securityaffairs.com
Extra Source Hub (Possible Sources for article):
https://www.discord.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon