Snakes by the riverbank

Dec. 3, 2025, 6:36 p.m.

Description

ESET researchers have identified new MuddyWater activity targeting organizations in Israel and Egypt. The Iran-aligned cyberespionage group deployed custom tools to improve defense evasion and persistence, including a Fooder loader to execute the MuddyViper backdoor. The campaign demonstrates a more focused and refined approach, with the group adopting advanced techniques like CNG cryptography and reflective loading. MuddyWater's toolset includes browser data stealers, credential stealers, and reverse tunneling tools. The group primarily targeted critical infrastructure sectors through spearphishing emails containing links to remote monitoring and management software. This campaign indicates an evolution in MuddyWater's operational maturity, showcasing enhanced stealth and credential harvesting capabilities.

External References

https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank
https://otx.alienvault.com/pulse/692efb6b9069e8bb95df4011
Tags
backdoor
spearphishing
iran
cyberespionage
custom malware
defense evasion
critical infrastructure
israel
2025-12-02
blub
lp-notes
go-socks5
muddyviper
ce-notes
fooder
egypt

Date

  • Created: Dec. 2, 2025, 2:44 p.m.
  • Published: Dec. 2, 2025, 2:44 p.m.
  • Modified: Dec. 3, 2025, 6:36 p.m.

Attack Patterns

  • go-socks5
  • Blub
  • LP-Notes
  • CE-Notes
  • Fooder
  • MuddyViper
  • MuddyWater

Additional Informations

  • Engineering
  • Utilities
  • Technology
  • Transportation
  • Education
  • Government
  • Manufacturing
  • Egypt
  • Israel