
Windows Systems Under Attack as MuddyWater Hackers Use UDPGangster Backdoor to Bypass Defenses

Cybersecurity researchers at FortiGuard Labs have uncovered new phishing campaigns by the MuddyWater threat group delivering a UDP-based backdoor known as UDPGangster.

The attacks have primarily targeted users in Turkey, Israel, and Azerbaijan, using malicious Microsoft Word documents containing Visual Basic for Applications (VBA) macros.


Once victims enable macros, the code executes a Base64-decoded payload that launches the UDPGangster malware on their systems.

The phishing emails impersonate the Turkish Republic of Northern Cyprus Ministry of Foreign Affairs, inviting recipients to a fake online seminar titled “Presidential Elections and Results.” 

The attached documents, named seminar.doc or seminarer.zip, prompt users to “Enable Content” to activate embedded macros.

Upon activation, the macro writes the decoded data to C:\Users\Public\ui.txt.txt (an executable despite its double .txt extension) and launches it through the Windows API CreateProcessA, which installs the malware.

Researchers also discovered that the document uses a SmartToggle() subroutine to switch between two images, a clever distraction that displays a harmless decoy.

At the same time, the macro runs malicious code in the background. Interestingly, the decoy image references an Israeli outage schedule, suggesting potential cross-targeting within the region.

UDP-Based Backdoor and Stealth Evasion

Once executed, UDPGangster installs itself persistently as SystemProc.exe in the %AppData%\Roaming\Low directory and adds a startup registry entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell.

It also creates a mutex named xhxhxhxhxhxpp to prevent multiple instances.


The malware communicates with its command-and-control (C2) server via UDP port 1269, sending encoded system data to 157.20.182[.]75. Supported commands allow attackers to execute shell commands, exfiltrate files, deploy new payloads, or update the C2 address.

Figure: IoC correlation

To avoid detection, UDPGangster includes extensive anti-analysis features. It detects debugging tools, checks memory and disk capacity, identifies virtual environments by examining MAC address prefixes, and scans the Windows Registry for virtualization artifacts like “VMware,” “VBox,” and “QEMU.”

It also inspects running processes for sandbox or monitoring DLLs such as sbiedll.dll and dbghelp.dll. These measures significantly reduce the risk of discovery in sandboxed or analysis environments.
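The three environment checks described above are easy to reproduce, and an analyst preparing a sandbox or analysis VM should know whether it trips them. The script below is an added example for that purpose; it is not code from the FortiGuard report or from the malware. The article names the technique, the "VMware", "VBox" and "QEMU" strings and the two DLLs, but not which MAC prefixes or registry keys the backdoor inspects, so the OUI table and the key paths in the sample data are assumptions drawn from common pafish-style checks. Debugger detection and the memory/disk capacity checks are not modelled.

```python
import uuid

# Hypervisor NIC OUIs. Assumption: the article says MAC prefixes are checked but
# does not list them; this is the usual set seen in VM-detection tooling.
VM_MAC_PREFIXES = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "52:54:00": "QEMU/KVM",
}
VM_REGISTRY_MARKERS = ("vmware", "vbox", "qemu")   # strings named in the article
SANDBOX_DLLS = ("sbiedll.dll", "dbghelp.dll")      # DLLs named in the article


def mac_vendor(mac):
    """Map a MAC address to a hypervisor vendor via its OUI, or None if not recognised."""
    norm = mac.strip().lower().replace("-", ":")
    return VM_MAC_PREFIXES.get(norm[:8])


def registry_hits(values):
    """values: iterable of (key_path, data) pairs, e.g. from a registry dump.
    Returns (key_path, marker) for every value whose data contains a VM marker."""
    hits = []
    for key, data in values:
        lowered = str(data).lower()
        for marker in VM_REGISTRY_MARKERS:
            if marker in lowered:
                hits.append((key, marker))
                break
    return hits


def sandbox_dlls(modules):
    """modules: base names of DLLs loaded in a process. Returns the sandbox/monitoring
    DLLs among them, lower-cased and sorted."""
    wanted = {m.lower() for m in SANDBOX_DLLS}
    return sorted({m.lower() for m in modules} & wanted)


def assess(macs, registry_values, modules):
    """Run all three checks and report whether the environment would be flagged."""
    report = {
        "mac": {m: mac_vendor(m) for m in macs if mac_vendor(m)},
        "registry": registry_hits(registry_values),
        "dlls": sandbox_dlls(modules),
    }
    report["flagged"] = any(report[k] for k in ("mac", "registry", "dlls"))
    return report


def local_mac():
    """Best-effort MAC of this host via uuid.getnode(); cross-platform, no admin needed."""
    node = uuid.getnode()
    return ":".join(f"{(node >> shift) & 0xff:02x}" for shift in range(40, -1, -8))


# Constructed sample data standing in for an analyst's VM (not taken from the report).
# The registry key paths are assumptions about where such markers typically appear.
SAMPLE_MACS = ["00:0C:29:4A:1B:2C"]
SAMPLE_REGISTRY = [
    (r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion", "VBOX   - 1"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum\0",
     r"SCSI\Disk&Ven_VMware&Prod_Virtual_disk"),
    (r"HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation\SystemManufacturer", "Dell Inc."),
]
SAMPLE_MODULES = ["ntdll.dll", "kernel32.dll", "SbieDll.dll"]

if __name__ == "__main__":
    import json
    print(json.dumps(assess(SAMPLE_MACS, SAMPLE_REGISTRY, SAMPLE_MODULES), indent=2))
    print("this host's MAC:", local_mac(), "->", mac_vendor(local_mac()))
```

Feed it a registry export and a module list from the VM under test; any non-empty entry in the report is an artefact the backdoor would use to bail out, so it needs to be changed (spoofed OUI, cleaned BIOS strings, no Sandboxie injection) before the sample is likely to run its C2 logic.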

FortiGuard linked related samples across multiple phishing campaigns that shared common PDB paths and infrastructure, reinforcing attribution to MuddyWater, a group known for espionage operations aligned with Iranian state interests.

Fortinet products detect the threat as VBA/Agent.NFYP!tr and W64/Agent.ALD!tr, and its antivirus, sandboxing, and macro-disarm services provide additional protection.

As MuddyWater continues refining its evasion and social engineering techniques, organizations in the targeted regions are urged to block macro-enabled files by default, apply up-to-date email filtering, and monitor for suspicious UDP traffic on port 1269.
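The dropper path, the persistence artefacts and the C2 indicators reported above, together with the recommendation to watch UDP/1269, can be turned into one host-side hunt. The script below is an added example, not FortiGuard's tooling: it triages exported Sysmon-style events (process creation, network connection, file create, registry value set) against those indicators. The event records are constructed for the example; the field names follow Sysmon's, and the HKU\<SID> to HKCU normalisation is there because Sysmon logs per-user hives by SID rather than as HKCU.

```python
import re

# Indicators quoted from the article; the C2 address is defanged there and refanged here.
C2_IP = "157.20.182[.]75"
C2_PORT = 1269
DROPPER_PATH = r"C:\Users\Public\ui.txt.txt"
PERSIST_EXE_SUFFIX = r"\AppData\Roaming\Low\SystemProc.exe"
PERSIST_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell"

# Sysmon writes per-user hives as HKU\<SID>\...; this maps them onto HKCU\ for comparison.
_HKU_SID = re.compile(r"^HKU\\S-1-5-21-[\d-]+\\", re.IGNORECASE)


def refang(ioc):
    """Turn a defanged indicator such as '157.20.182[.]75' back into a usable value."""
    return ioc.replace("[.]", ".")


def normalize_reg_path(target):
    """Rewrite an HKU\\S-1-5-21-...\\ prefix to HKCU\\ so the article's key compares directly."""
    return _HKU_SID.sub(lambda _m: "HKCU\\", target.strip())


def match_event(ev):
    """Return the names of the rules an event trips (empty list if none)."""
    hits = []
    eid = ev.get("EventID")
    if eid == 1:  # process creation
        image = ev.get("Image", "").lower()
        parent = ev.get("ParentImage", "").lower()
        if image == DROPPER_PATH.lower():
            hits.append("dropper_exec")
        # Broader, lower-confidence rule: Word spawning anything out of C:\Users\Public.
        if parent.endswith("\\winword.exe") and image.startswith("c:\\users\\public\\"):
            hits.append("office_spawn_public")
    elif eid == 3:  # network connection
        if ev.get("DestinationIp") == refang(C2_IP):
            hits.append("c2_ip")
        if ev.get("Protocol", "").lower() == "udp" and int(ev.get("DestinationPort", 0)) == C2_PORT:
            hits.append("udp_1269")
    elif eid == 11:  # file create
        if ev.get("TargetFilename", "").lower().endswith(PERSIST_EXE_SUFFIX.lower()):
            hits.append("persist_file")
    elif eid == 13:  # registry value set
        key = normalize_reg_path(ev.get("TargetObject", "")).lower()
        if key.startswith(PERSIST_KEY.lower()):
            hits.append("persist_registry")
    return hits


def triage(events):
    """Group record IDs by the rule they tripped; an empty dict means no indicators seen."""
    report = {}
    for ev in events:
        for rule in match_event(ev):
            report.setdefault(rule, []).append(ev.get("RecordId"))
    return report


# Constructed sample events in Sysmon's field vocabulary (not taken from the report).
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1, "Image": r"C:\Users\Public\ui.txt.txt",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"RecordId": 2, "EventID": 11, "Image": r"C:\Users\Public\ui.txt.txt",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Low\SystemProc.exe"},
    {"RecordId": 3, "EventID": 13, "Image": r"C:\Users\Public\ui.txt.txt",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell"},
    {"RecordId": 4, "EventID": 3, "Image": r"C:\Users\alice\AppData\Roaming\Low\SystemProc.exe",
     "Protocol": "udp", "DestinationIp": "157.20.182.75", "DestinationPort": "1269"},
    {"RecordId": 5, "EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "Protocol": "udp", "DestinationIp": "10.0.0.53", "DestinationPort": "53"},
    {"RecordId": 6, "EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
]

if __name__ == "__main__":
    for rule, ids in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{rule:22s} records {ids}")
```

The port-only rule (udp_1269) is deliberately separate from the IP rule: an attacker who uses the backdoor's "update C2 address" command keeps the port but moves the server, so the IP match alone would go quiet. Treat udp_1269 hits from anything other than a known UDP service as worth a look, and the c2_ip, persist_file and persist_registry hits as high confidence.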


The post Windows Systems Under Attack as MuddyWater Hackers Use UDPGangster Backdoor to Bypass Defenses appeared first on Cyber Security News.
