MuddyWater, an Iran-aligned cyberespionage group also known as Mango Sandstorm, has escalated its operations with a new, sophisticated campaign targeting critical infrastructure in Israel and Egypt. The operation, active from September 2024 through March 2025, demonstrates a significant evolution in the group’s tactics, moving towards stealthier, long-term access methods and employing custom-built malware.
The primary objective of this refined campaign appears to be intelligence gathering and potentially long-term compromise of sensitive systems. Sectors targeted include engineering, utilities, local government, and technology, indicating a broad strategic interest in disrupting or gaining insights into crucial national assets. This marks a departure from MuddyWater’s previously observed, more overt attack methodologies.
MuddyWater’s Evolving Attack Vector and Custom Malware
The initial entry point for this campaign remains consistent with MuddyWater’s established playbook: highly targeted spearphishing emails. These emails lead victims to download seemingly legitimate installer packages for Remote Monitoring and Management (RMM) software, such as Atera, Syncro, and PDQ. To evade detection, these installers are hosted on free file-sharing services, a common tactic to avoid raising immediate security alerts.
Once the RMM software is installed on the victim's machine, MuddyWater operators leverage this access to deploy a sophisticated toolset. The focus shifts to discreetly stealing credentials and exfiltrating sensitive browser data. Notably, the group deliberately avoids direct, interactive hands-on-keyboard sessions, which are more likely to trigger security monitoring systems and alert defenders. This adjustment reflects a mature understanding of modern cybersecurity defenses.
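Because the RMM agents themselves are legitimate, a defender hunts for the delivery context rather than the binary. The following added example (not ESET/WeLiveSecurity tooling) scores constructed process-creation events for the pattern described above: an Atera, Syncro or PDQ installer launched from a mail client or browser, run from a Downloads folder, or fetched from a file-sharing host. The event schema and the file-sharing host list are assumptions.

```python
import re

# RMM products named in the campaign, matched against the executed image name.
RMM_PATTERNS = {
    "atera": re.compile(r"atera", re.I),
    "syncro": re.compile(r"syncro", re.I),
    "pdq": re.compile(r"pdq", re.I),
}
# Constructed placeholders standing in for "free file-sharing services"; the article names none.
FILE_SHARING_HOSTS = {"files.example-share.test", "dl.free-upload.test"}
# Parents suggesting a user-opened download rather than an admin-driven deployment.
USER_FACING_PARENTS = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


def host_of(url):
    """Extract the lowercase host from an http(s) URL; empty string if absent."""
    m = re.match(r"https?://([^/:]+)", url or "")
    return m.group(1).lower() if m else ""


def score_event(ev):
    """Return the reasons an event looks like spearphished RMM deployment (empty = not an RMM install)."""
    image = ev.get("image", "")
    basename = image.rsplit("\\", 1)[-1]
    product = next((n for n, p in RMM_PATTERNS.items() if p.search(basename)), None)
    if product is None:
        return []
    reasons = [f"rmm_installer:{product}"]
    if ev.get("parent", "").lower() in USER_FACING_PARENTS:
        reasons.append("parent_is_mail_or_browser")
    if host_of(ev.get("referrer_url")) in FILE_SHARING_HOSTS:
        reasons.append("hosted_on_file_sharing")
    if "\\downloads\\" in image.lower():
        reasons.append("run_from_downloads")
    return reasons


def hunt(events, min_reasons=2):
    """Keep RMM installs with at least min_reasons signals, so a normal admin push is not flagged."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= min_reasons:
            hits.append((ev["image"], reasons))
    return hits


SAMPLE_EVENTS = [  # constructed sample telemetry, not real IoCs
    {"image": r"C:\Users\win\Downloads\AteraAgentSetup.exe", "parent": "outlook.exe",
     "referrer_url": "https://files.example-share.test/x/AteraAgentSetup.exe"},
    {"image": r"C:\ProgramData\PDQ\Deploy\PDQDeployRunner.exe", "parent": "services.exe", "referrer_url": None},
    {"image": r"C:\Users\win\Downloads\Syncro_Installer.exe", "parent": "msedge.exe", "referrer_url": "https://vendor.test/dl"},
    {"image": r"C:\Windows\System32\notepad.exe", "parent": "explorer.exe", "referrer_url": None},
]

if __name__ == "__main__":
    for image, reasons in hunt(SAMPLE_EVENTS):
        print(image, reasons)
```

The legitimate PDQ deployment launched by services.exe scores only one signal and is not reported, while the two user-downloaded installers are.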
Security analysts at WeLiveSecurity have identified previously undocumented tools employed by MuddyWater in this operation. These include a custom loader dubbed “Fooder” and a backdoor named “MuddyViper.” A striking technical detail is that these components use the Windows CNG (Cryptography API: Next Generation), a feature rarely observed among cyberespionage groups with Iranian affiliations, suggesting an investment in advanced development capabilities.
The Fooder Loader and MuddyViper Mechanics
The “Fooder” loader represents a technically intricate component of this campaign. Identified by internal PDB paths such as C:\Users\win\Desktop\Fooder\Debug\Launcher.pdb, the custom C++ executable is designed to reflectively load the MuddyViper backdoor directly into the targeted system’s memory, leaving minimal traces on the disk.
In a notable evasion tactic, Fooder masquerades as the classic “Snake” video game. The malware integrates the game’s core logic into its functionality, employing custom delay functions alongside standard Windows Sleep API calls. These mimic game loops, effectively stalling program execution to bypass automated sandbox analysis, a common tool used by security researchers to detect malware behavior.
Upon execution, Fooder decrypts its payload using a hardcoded AES key. The subsequently loaded MuddyViper backdoor operates entirely in memory. It signals its activation with verbose status logs, such as “[+] Persist: ——————– Hi,I am Live.” Persistence is established through techniques like registry key modifications or scheduled tasks, allowing the backdoor to maintain access even after reboots.
Communication with command-and-control (C&C) servers is conducted using encrypted traffic, further obscuring the malicious activity. MuddyViper also incorporates social engineering elements, displaying fake login prompts to trick users into revealing their credentials. This combination of sophisticated obfuscation techniques and powerful spyware capabilities underscores a significant and concerning advancement in MuddyWater’s operational toolkit.
The ongoing nature of this campaign, extending through March 2025, suggests that MuddyWater is committed to maintaining its access and extracting value from compromised systems. The use of custom malware and advanced evasion tactics highlights the persistent threat posed by state-sponsored hacking groups and the ongoing need for robust, multi-layered cybersecurity defenses for critical infrastructure organizations.