
    MuddyWater strikes Israel with advanced MuddyViper malware

    Pierluigi Paganini
    December 02, 2025

    ESET researchers uncovered a new MuddyWater campaign targeting Israeli organizations and one confirmed Egyptian target. The Iran-linked APT group MuddyWater (aka SeedWorm, TEMP.Zagros, Mango Sandstorm, TA450, and Static Kitten) deployed custom tools to evade defenses and maintain persistence. The group used a loader, internally named Fooder and disguised as a Snake game, to run the MuddyViper backdoor, which steals system information, credentials, and browser data and supports file execution and exfiltration.

    The attackers also used the CE‑Notes and LP‑Notes stealers and go‑socks5 reverse tunnels in this campaign. Unlike previous noisy campaigns, this operation stayed low-profile, avoided interactive sessions, and employed more advanced techniques, including use of the Windows CNG (Cryptography API: Next Generation) API to encrypt and decrypt the tools' data. ESET provides detailed technical analyses of all the tools and methods used, highlighting the group's refined approach.

    During this campaign, MuddyWater mainly targeted Israeli organizations, plus one in Egypt, between September 30, 2024, and March 18, 2025, across sectors including engineering, local government, manufacturing, technology, transportation, utilities, and universities. The group also hit a utilities victim in February 2025, revealing operational overlap with Lyceum, a subgroup of OilRig. MuddyWater has often acted as an initial access broker, using spearphishing emails with links to RMM software (Syncro, PDQ) and deploying tools such as a Mimikatz loader and the VAX‑One backdoor. The researchers noted that the group continues to rely on PowerShell and Go backdoors and to target the telecom, government, and energy sectors. Despite its collaboration with Lyceum, the group's predictable script-based playbook keeps detection feasible.

    ESET identified overlaps between new tools and previous MuddyWater malware. LP-Notes mirrors CE-Notes, and a Mimikatz loader shares its design. New go‑socks5 reverse tunnels appear in 2024–2025 campaigns, sometimes embedded in the Fooder loader to deploy MuddyViper.

    “In two instances, we observed the customized go‑socks5 reverse tunnels embedded in a new MuddyWater loader, internally named Fooder. In a dozen other cases, this loader was used to load MuddyWater’s new backdoor, MuddyViper. Interestingly, MuddyViper and the CE-Notes/LP-Notes/Mimikatz loader variants use the CNG API for data encryption and decryption.” reads the report published by ESET. “To the best of our knowledge, this is unique to Iran-aligned groups. Another trait these tools share is that they attempt to steal user credentials by opening a fake Windows Security dialog.”

    ESET assesses that this combination, CNG-based encryption plus a fake Windows Security dialog used to harvest credentials, is, to its knowledge, unique to Iran-aligned groups.

    MuddyWater used new custom tools in this campaign: the Fooder loader, disguised as a Snake game, loads MuddyViper, a C/C++ backdoor that provides system access and data theft. The toolset also includes CE-Notes and Blub (browser-data stealers), LP-Notes (a credential stealer), and multiple go‑socks5 reverse tunnels.

    “Fooder is a 64-bit C/C++ loader designed to decrypt and then reflectively load the embedded payload, with MuddyViper being the most frequently observed payload.

    Fooder seems to be the internal name of this tool, based on its PDB paths:

    • C:\Users\win\Desktop\Fooder\Debug\Launcher.pdb
    • C:\Users\pc\Desktop\main\My_Project\Fooder\x64\Debug\Launcher.pdb

    Although we have only captured one sample of it, we believe that Fooder is executed by a simple launcher application, written in C.” continues the report. “It has no string obfuscation and verbose logging to the console, and the PDB path left intact:”
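    As an added hunting example (not ESET's tooling and not code from the article), the Fooder PDB paths quoted above can serve as indicators: the snippet below carves CodeView RSDS records, the structure that carries a PDB path in a PE's debug directory, out of a raw byte buffer and buckets what it finds against those paths. It assumes the quoted paths use backslash separators (stripped in the article copy), treats a "\Fooder\" folder-name substring as my own looser heuristic rather than an ESET indicator, and runs on a constructed byte sample rather than a real binary.

```python
import re
import struct
from typing import Dict, List

# Fooder PDB paths quoted in the ESET report above. Assumption: backslash
# separators, which the article's text extraction stripped.
FOODER_PDB_PATHS = {
    r"C:\Users\win\Desktop\Fooder\Debug\Launcher.pdb",
    r"C:\Users\pc\Desktop\main\My_Project\Fooder\x64\Debug\Launcher.pdb",
}

# CodeView 7.0 record layout:
#   'RSDS' | 16-byte GUID | 4-byte age (little-endian) | NUL-terminated PDB path
RSDS_SIGNATURE = re.compile(rb"RSDS")
RSDS_HEADER_LEN = 4 + 16 + 4
MAX_PDB_PATH = 1024  # bound the scan so a stray 'RSDS' in data is cheap to reject


def carve_pdb_paths(data: bytes) -> List[str]:
    """Return every printable PDB path found in an RSDS record inside `data`."""
    paths: List[str] = []
    for match in RSDS_SIGNATURE.finditer(data):
        start = match.start() + RSDS_HEADER_LEN
        end = data.find(b"\x00", start, start + MAX_PDB_PATH)
        if end <= start:
            continue  # no terminator within bounds, or an empty path: not a real record
        try:
            path = data[start:end].decode("ascii")
        except UnicodeDecodeError:
            continue
        if path.lower().endswith(".pdb") and path.isprintable():
            paths.append(path)
    return paths


def classify(path: str) -> str:
    """'exact' for a path ESET reported; 'fooder-like' if the project folder name
    appears anywhere in the path (my heuristic, not an ESET indicator); else 'other'."""
    if path in FOODER_PDB_PATHS:
        return "exact"
    if "\\fooder\\" in path.lower():
        return "fooder-like"
    return "other"


def hunt(data: bytes) -> Dict[str, List[str]]:
    """Carve PDB paths from a blob and bucket them by Fooder relevance."""
    result: Dict[str, List[str]] = {"exact": [], "fooder-like": [], "other": []}
    for path in carve_pdb_paths(data):
        result[classify(path)].append(path)
    return result


def build_rsds(path: str, age: int = 1) -> bytes:
    """Construct a synthetic RSDS record (sample data only, not a real binary)."""
    guid = bytes(range(16))
    return b"RSDS" + guid + struct.pack("<I", age) + path.encode("ascii") + b"\x00"


# Constructed sample: filler, a Fooder record, padding, a Fooder-like record, a
# benign record, and a bare 'RSDS' with no path that the parser must ignore.
SAMPLE = (
    b"\x90" * 32
    + build_rsds(r"C:\Users\win\Desktop\Fooder\Debug\Launcher.pdb")
    + b"\x00" * 8
    + build_rsds(r"C:\dev\Fooder\Release\Launcher.pdb", age=3)
    + build_rsds(r"D:\build\legit\app.pdb", age=2)
    + b"RSDS" + b"\x00" * 20
)

if __name__ == "__main__":
    for bucket, paths in hunt(SAMPLE).items():
        for p in paths:
            print(f"{bucket:12} {p}")
```

    Point carve_pdb_paths at the bytes of a suspect executable or a memory dump and treat the "exact" bucket as a high-confidence hit; the "fooder-like" bucket is only a lead. RSDS carving is cheap but depends on the debug directory being intact, so a build with stripped symbols or a rewritten PDB path yields nothing, which is why ESET's observation that the path was "left intact" matters for hunting.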

    This campaign shows MuddyWater's growing sophistication: new tools such as Fooder and MuddyViper improve stealth, persistence, and credential theft. The Snake-game disguise, reverse tunneling through go‑socks5, and a diverse toolset reflect a more refined approach that makes the group's campaigns more effective and harder to defend against. ESET continues to monitor the group's activity.

    “MuddyWater continues to demonstrate the ability to execute campaigns ranging from average to above average, i.e., being timely, effective, and increasingly challenging to defend against.” concludes the report. “While we assess that MuddyWater will remain a leading actor in Iranian-nexus activity, we anticipate a continued pattern of typical campaigns enhanced by more advanced TTPs.”

    The first MuddyWater campaign was observed in late 2017, when the APT group targeted entities in the Middle East.

    Experts named the campaign ‘MuddyWater’ due to the difficulty in attributing a wave of attacks between February and October 2017, targeting entities in Saudi Arabia, Iraq, Israel, the United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States. Over the years, the group has evolved by adding new attack techniques to its arsenal and has also targeted European and North American countries.

    The group’s victims are mainly in the telecommunications, government (IT services), and oil sectors.

    In January 2022, US Cyber Command (USCYBERCOM) officially linked the MuddyWater APT group to Iran’s Ministry of Intelligence and Security (MOIS).

    According to the joint report published by UK and US agencies, MuddyWater is targeting organizations in multiple sectors, including telecommunications, defense, local government, and oil and natural gas in Asia, Africa, Europe, and North America.
