MuddyWater Assaults Critical Infrastructure Through Custom Malware and Updated Techniques
ESET researchers report that the group, also known as Mango Sandstorm or TA450, is refining its toolkit, deploying bespoke malware assets and advanced evasion strategies to achieve persistence and data theft.
Central to this campaign is a fresh loader dubbed “Fooder,” which reflectively injects a new backdoor named MuddyViper into memory.
Notably, several versions of Fooder masquerade as the classic Snake video game, integrating its delay mechanics and frequent Sleep API calls.
This game-inspired logic deliberately stalls execution: the sample spends its early runtime idling in many small sleeps, so sandboxes and other automated analysis tools time out before the payload does anything worth recording.
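The evasion described above is easy to miss with a rule that only looks for one large Sleep value. As an added example (not code from the article or from ESET), the script below scans a plain-text API trace of the kind a sandbox can export, assumed here to be one call per line in the form `<offset_ms> <Api>(<args>)`, and separates a single long stall from a stall built out of many short, game-tick-sized sleeps. The trace lines and the thresholds are constructed for illustration.

```python
"""Flag sleep-based stalling in a sandbox API trace.

Added example, not code from the article or from ESET. It assumes a plain
text trace, one call per line, in the form "<offset_ms> <Api>(<args>)".
Thresholds and the sample trace are assumptions, not values from the report.
"""
import re

LINE_RE = re.compile(r"^\s*(\d+)\s+(\w+)\((.*)\)\s*$")
# Sleep(ms) and SleepEx(ms, alertable): the first argument is the delay in ms.
SLEEP_APIS = {"Sleep", "SleepEx"}

# Assumed thresholds: a sample idling for a minute or more of trace time is
# treated as stalling; a single Sleep of 5 s or more is the kind of call a
# naive sleep-skipping hook already fast-forwards.
STALL_MS = 60_000
LONG_SLEEP_MS = 5_000

# Constructed trace: a game-style tick loop of 600 sleeps of 120 ms each adds
# up to 72 s of idle time without ever making one large, suspicious call.
SAMPLE_TRACE = "\n".join(
    ["0 GetTickCount()", "1 CreateFileW(C:\\Users\\dana\\snake.exe)"]
    + [f"{10 + 130 * i} Sleep(120)" for i in range(600)]
    + ["78020 LoadLibraryW(bcrypt.dll)", "78025 GetProcAddress(BCryptEncrypt)"]
)


def analyze_trace(trace: str, stall_ms: int = STALL_MS,
                  long_sleep_ms: int = LONG_SLEEP_MS) -> dict:
    """Summarise sleep behaviour in a trace and classify it."""
    sleeps = []
    calls = 0
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        calls += 1
        api, args = m.group(2), m.group(3)
        if api in SLEEP_APIS:
            sleeps.append(int(args.split(",")[0].strip()))
    total = sum(sleeps)
    longest = max(sleeps, default=0)
    if longest >= long_sleep_ms:
        verdict = "long-sleep"              # the classic, easy-to-skip stall
    elif total >= stall_ms:
        verdict = "stall-by-short-sleeps"   # many small ticks, the Snake pattern
    else:
        verdict = "none"
    return {
        "calls": calls,
        "sleep_calls": len(sleeps),
        "total_sleep_ms": total,
        "longest_sleep_ms": longest,
        "sleep_share": round(len(sleeps) / calls, 3) if calls else 0.0,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(analyze_trace(SAMPLE_TRACE))
```

The point of summing rather than thresholding per call is that a sleep-skipping hook which fast-forwards only calls above a few seconds never fires on the tick loop; cumulative idle time and the share of calls that are sleeps are what expose it.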
Once active, the MuddyViper backdoor executes a slate of malicious tasks: harvesting Windows credentials and browser data, exfiltrating files, running arbitrary commands, and cataloguing the security products running on the host.
Fooder also serves as a delivery vehicle for credential-stealing tools (CE-Notes and LP-Notes) and browser-data stealers, as well as Go-based reverse-tunneling components (go-socks5) used for stealthy command-and-control communication.
MuddyWater now uses Microsoft's Cryptography API: Next Generation (CNG) across multiple components, a notable technical step among Iran-linked APTs.
Stolen data and command-and-control traffic are encrypted with AES-CBC, which raises the bar for defenders who rely on inspecting traffic content and pushes detection toward host behaviour.
Initial access remains rooted in spearphishing, often using malicious PDFs that link to installers for legitimate remote monitoring and management (RMM) tools such as Syncro and PDQ.
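Because the tools are legitimate, a rule that simply alerts on "RMM present" is noisy in any organisation that uses them. As an added example (not code from the article or from ESET), the script below keys on the launch context instead: process-creation events, assumed here to be flattened to `<utc>|<parent_image>|<image>|<cmdline>` as one might export from Sysmon Event ID 1 or EDR telemetry, are flagged only when an installer matching one of the two products runs under an interactive parent (PDF reader, browser, Explorer) or from a user-writable directory. The installer file names, the parent-process list and the sample events are constructed for illustration, not indicators from the report.

```python
"""Flag RMM installers launched from a phishing-style context.

Added example, not code from the article or from ESET. It assumes
process-creation events flattened to "<utc>|<parent_image>|<image>|<cmdline>".
The installer names, parent list and sample events are constructed, not
indicators from the report.
"""
import re

# Assumed: substrings identifying the two RMM products named in the article.
RMM_KEYWORDS = {"syncro": "Syncro", "pdq": "PDQ"}

# Assumed: processes a user is typically in when following a link from a PDF.
PHISH_LAUNCHERS = {
    "acrobat.exe", "acrord32.exe", "foxitreader.exe",   # PDF readers
    "chrome.exe", "msedge.exe", "firefox.exe",          # browsers
    "explorer.exe",                                     # double-click in Downloads
}
USER_WRITABLE = re.compile(r"\\(downloads|temp|appdata)\\", re.IGNORECASE)

# Constructed events: a PDF link opens a browser, the browser downloads and
# runs a Syncro installer, then a PDQ agent runs from Downloads. The
# services.exe start of an already-installed PDQ service is the benign case.
SAMPLE_EVENTS = """\
2025-01-14T09:02:11Z|C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|chrome.exe --single-argument https://example.invalid/invoice
2025-01-14T09:02:40Z|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|C:\\Users\\dana\\Downloads\\SyncroSetup.exe|SyncroSetup.exe /S
2025-01-14T09:03:05Z|C:\\Windows\\explorer.exe|C:\\Users\\dana\\Downloads\\PDQConnectAgent.exe|PDQConnectAgent.exe /quiet
2025-01-14T10:15:00Z|C:\\Windows\\System32\\services.exe|C:\\Program Files\\PDQ\\PDQDeployService.exe|PDQDeployService.exe
2025-01-14T10:20:00Z|C:\\Windows\\explorer.exe|C:\\Users\\dana\\Downloads\\notes.exe|notes.exe
"""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_rmm_from_phish(events: str) -> list[dict]:
    """One alert per event where an RMM installer runs from a phishing-style
    launch context (interactive parent or user-writable path)."""
    alerts = []
    for line in events.splitlines():
        if not line.strip():
            continue
        ts, parent, image, cmdline = line.split("|", 3)
        name = basename(image)
        tool = next((t for k, t in RMM_KEYWORDS.items() if k in name), None)
        if tool is None:
            continue
        reasons = []
        if basename(parent) in PHISH_LAUNCHERS:
            reasons.append(f"launched by {basename(parent)}")
        if USER_WRITABLE.search(image):
            reasons.append("runs from a user-writable directory")
        if reasons:
            alerts.append({"ts": ts, "tool": tool, "image": image,
                           "parent": parent, "cmdline": cmdline,
                           "reason": "; ".join(reasons)})
    return alerts


if __name__ == "__main__":
    for a in detect_rmm_from_phish(SAMPLE_EVENTS):
        print(a["ts"], a["tool"], a["image"], "->", a["reason"])
```

The service-started PDQ process is deliberately left unflagged: the same binary family is benign when installed by IT, and the signal here is a user-driven install from a download location, which is the chain a PDF lure produces.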
In a notable twist, ESET found evidence of operational overlap between MuddyWater and Lyceum, an OilRig subgroup, suggesting a collaborative nexus.
After the initial compromise, MuddyWater harvested credentials that Lyceum used to assume control of targeted Israeli organizations.
The campaign ran from September 2024 through March 2025, targeting a broad spectrum of Israeli verticals: engineering, government, manufacturing, technology, utilities, transportation, and academia.
Attackers increasingly avoided noisy, hands-on intrusions, instead relying on script-based payloads and stealthy updates to maintain footholds and evade detection.
ESET's findings point to a marked maturation in MuddyWater's tradecraft, blending game-themed stalling, credential theft, and encrypted reverse tunneling.
This escalation makes Iranian nexus threats more challenging to detect and block, posing an ongoing risk to critical infrastructure sectors.
Security teams are urged to inspect suspicious files, strengthen behavioral defenses, and monitor for novel malware associated with these evolving campaigns.
The post MuddyWater Assaults Critical Infrastructure Through Custom Malware and Updated Techniques appeared first on Cyber Security News.