The Iranian state-sponsored hacking group known as MuddyWater has been observed employing a new backdoor, dubbed UDPGangster, which utilizes the User Datagram Protocol (UDP) for its command-and-control (C2) communications. This sophisticated malware targets users in Turkey, Israel, and Azerbaijan, enabling remote control over compromised systems by executing commands, exfiltrating sensitive files, and deploying additional malicious payloads, all while attempting to bypass traditional network defenses through its use of UDP channels.
According to a recent report from Fortinet FortiGuard Labs, the cyber espionage campaign begins with spear-phishing tactics. Attackers distribute specially crafted Microsoft Word documents that, upon enabling macros, trigger the execution of a malicious payload. Some of these phishing emails impersonate the Turkish Republic of Northern Cyprus Ministry of Foreign Affairs, inviting recipients to an online seminar focused on “Presidential Elections and Results.”
MuddyWater’s UDPGangster: A Stealthy Network Intrusion Tool
The phishing emails typically contain an attached ZIP file, named “seminer.zip,” which in turn holds a Word document (seminer.doc). When a user opens this document and enables macros, embedded Visual Basic for Applications (VBA) code is stealthily executed. This VBA script is designed to mask malicious activity by displaying a decoy image. Notably, this decoy is a Hebrew-language image from the Israeli telecommunications provider Bezeq, seemingly referencing supposed disconnection periods in early November 2025 across various Israeli cities.
The macro script leverages the `Document_Open()` event to auto-execute after the user enables macros. It then decodes Base64-encoded data hidden within a form field, writing the decoded content to a file named “ui.txt” in the public user directory. This newly created file is subsequently executed using the `CreateProcessA` Windows API function, launching the UDPGangster payload itself.
Advanced Evasion and Anti-Analysis Techniques
UDPGangster incorporates robust measures to establish persistence on compromised systems, notably through modifications to the Windows Registry. Furthermore, it boasts an extensive set of anti-analysis routines designed to thwart detection and reverse-engineering efforts by security researchers. These checks include verifying whether the process is currently being debugged, analyzing CPU configurations for signs of sandboxes or virtual machines, and determining whether the system has less than 2048 MB of RAM.
Additionally, the malware examines network adapter information to identify MAC address prefixes associated with known virtual machine vendors. It also validates whether the computer is part of a default Windows workgroup rather than a joined domain. The backdoor searches for running processes associated with virtualization tools such as VBoxService.exe, VBoxTray.exe, vmware.exe, and vmtoolsd.exe. It also performs Registry scans for identifiers linked to common virtualization vendors like VBox, VMBox, QEMU, VIRTUAL, VIRTUALBOX, VMWARE, and Xen.
Before proceeding with its malicious objectives, UDPGangster ascertains that it is not operating within an analysis environment, and it seeks out known sandboxing or debugging tools. Only after these comprehensive anti-analysis checks are successfully passed does UDPGangster proceed to gather information about the compromised system. It then establishes a connection to an external server, identified as “157.20.182[.]75,” utilizing UDP port 1269. This communication channel is used to exfiltrate collected data, execute commands via “cmd.exe,” transmit files, update its C2 server, and download and execute further payloads.
The use of macro-based droppers for initial access, coupled with extensive anti-analysis routines, highlights MuddyWater’s focus on evading detection during network intrusions. Security experts advise users and organizations to exercise extreme caution when encountering unsolicited documents, particularly those that request the enabling of macros to view their content. This development follows closely on the heels of ESET attributing other threat activities, delivered via a backdoor named MuddyViper, to the same threat actor, targeting various sectors including academia, engineering, local government, manufacturing, technology, transportation, and utilities within Israel.
The ongoing sophistication of MuddyWater’s tactics, especially the innovative use of UDP for C2 and its multi-layered evasion techniques, suggests a continued focus on stealthy cyber espionage. Organizations operating in the targeted regions, and those within sectors identified as prone to attack, should remain vigilant for signs of spear-phishing campaigns and ensure their network security defenses are robust and updated to counter UDP-based command-and-control traffic and advanced anti-analysis malware.
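The detection side of the UDP channel described above, as an added example that is not from the Fortinet report or this article: a Python script that scans constructed flow records for the reported indicator (157.20.182[.]75 on UDP/1269) and, more generally, for a host sending UDP datagrams to one non-standard port at near-constant intervals. The record format, the sample records, the benign-port list and the jitter threshold are assumptions made for this example.

```python
from collections import defaultdict
from statistics import pstdev

# Indicator reported for UDPGangster's C2 channel (taken from the report).
KNOWN_C2 = {("157.20.182.75", 1269)}
# UDP ports that commonly carry legitimate repetitive traffic (DNS, DHCP, NTP,
# NetBIOS, SSDP, mDNS); the beacon heuristic ignores these to limit false positives.
BENIGN_UDP_PORTS = {53, 67, 68, 123, 137, 138, 1900, 5353}

# Constructed sample flow records (not real traffic):
# "<epoch> <src_ip> <dst_ip> <proto> <dst_port> <bytes>"
SAMPLE_LOG = """\
1700000000 10.0.0.5 157.20.182.75 udp 1269 212
1700000060 10.0.0.5 157.20.182.75 udp 1269 198
1700000120 10.0.0.5 157.20.182.75 udp 1269 205
1700000300 10.0.0.9 198.51.100.4 udp 7070 96
1700000330 10.0.0.9 198.51.100.4 udp 7070 96
1700000360 10.0.0.9 198.51.100.4 udp 7070 97
1700000390 10.0.0.9 198.51.100.4 udp 7070 96
1700000010 10.0.0.7 10.0.0.1 udp 53 74
1700000020 10.0.0.7 10.0.0.1 udp 53 80
1700000030 10.0.0.7 10.0.0.1 udp 53 77
1700000040 10.0.0.7 203.0.113.9 tcp 443 1300
"""

def parse(log_text):
    """Yield (ts, src, dst, proto, port) from the sample format; skip malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, dst, proto, port, _ = parts
        yield int(ts), src, dst, proto.lower(), int(port)

def find_udp_c2(log_text, min_flows=3, max_jitter=5.0):
    """Return {(src, dst, port): reason} for IoC hits and regular UDP beacons."""
    flows = defaultdict(list)
    for ts, src, dst, proto, port in parse(log_text):
        if proto == "udp":  # only the UDP channel matters here; TCP flows are ignored
            flows[(src, dst, port)].append(ts)
    hits = {}
    for (src, dst, port), stamps in flows.items():
        if (dst, port) in KNOWN_C2:
            hits[(src, dst, port)] = "known UDPGangster C2 indicator"
        elif port not in BENIGN_UDP_PORTS and len(stamps) >= min_flows:
            stamps.sort()
            gaps = [b - a for a, b in zip(stamps, stamps[1:])]
            if pstdev(gaps) <= max_jitter:  # near-constant interval: beacon-like
                hits[(src, dst, port)] = f"UDP beacon every ~{sum(gaps) / len(gaps):.0f}s"
    return hits
```

The indicator match should feed an immediate block and host isolation; the beacon heuristic only surfaces candidates and needs an analyst to confirm what the destination is before acting.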