CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

MuddyWater Expands Global Campaigns with New Backdoors Targeting US and Israeli Entities

First reported
Last updated
3 unique sources, 8 articles

Summary

Hide ▲

The MuddyWater threat actor, linked to Iran and also known as Static Kitten, Mercury, and Seedworm, has conducted a global phishing campaign targeting over 100 organizations, including government entities, embassies, diplomatic missions, foreign affairs ministries, consulates, international organizations, and telecommunications firms in the Middle East and North Africa (MENA) region. The campaign used compromised email accounts to send phishing emails with malicious Microsoft Word documents containing macros that dropped and launched the Phoenix backdoor, version 4. This backdoor provided remote control over infected systems. The campaign was active starting August 19, 2025, and used a command-and-control (C2) server registered under the domain screenai[.]online. The attackers employed three remote monitoring and management (RMM) tools and a custom browser credential stealer, Chromium_Stealer. The malware and tools were hosted on a temporary Python-based HTTP service linked to NameCheap's servers. The campaign highlights the ongoing use of trusted communication channels by state-backed threat actors to evade defenses and infiltrate high-value targets. The server and server-side command-and-control (C2) component were taken down on August 24, 2025, likely indicating a new stage of the attack. The MuddyWater threat actor has also targeted Israeli entities spanning academia, engineering, local government, manufacturing, technology, transportation, and utilities sectors. The hacking group has delivered a previously undocumented backdoor called MuddyViper. The attacks also singled out one technology company based in Egypt. The attack chains involve spear-phishing and the exploitation of known vulnerabilities in VPN infrastructure to infiltrate networks and deploy legitimate remote management tools. The campaign uses a loader named Fooder that decrypts and executes the C/C++-based MuddyViper backdoor. The MuddyViper backdoor enables the attackers to collect system information, execute files and shell commands, transfer files, and exfiltrate Windows login credentials and browser data. Additionally, the MuddyWater threat actor has deployed a new backdoor called UDPGangster that uses the User Datagram Protocol (UDP) for command-and-control (C2) purposes. The attack chain involves using spear-phishing tactics to distribute booby-trapped Microsoft Word documents that trigger the execution of a malicious payload once macros are enabled. The phishing messages impersonate the Turkish Republic of Northern Cyprus Ministry of Foreign Affairs and purport to invite recipients to an online seminar titled "Presidential Elections and Results." The VBA script in the dropper file is equipped to conceal any sign of malicious activity by displaying a Hebrew-language decoy image from Israeli telecommunications provider Bezeq about supposed disconnection periods in the first week of November 2025 across various cities in the country. UDPGangster establishes persistence through Windows Registry modifications and boasts of various anti-analysis checks to resist efforts made by security researchers to take it apart. UDPGangster connects to an external server ("157.20.182[.]75") over UDP port 1269 to exfiltrate collected data, run commands using "cmd.exe," transmit files, update C2 server, and drop and execute additional payloads. The MuddyWater threat actor has launched a new campaign targeting diplomatic, maritime, financial, and telecom entities in the Middle East with a Rust-based implant codenamed RustyWater. The campaign uses icon spoofing and malicious Word documents to deliver Rust-based implants capable of asynchronous C2, anti-analysis, registry persistence, and modular post-compromise capability expansion. The RustyWater implant gathers victim machine information, detects installed security software, sets up persistence by means of a Windows Registry key, and establishes contact with a command-and-control (C2) server (nomercys.it[.]com) to facilitate file operations and command execution. The RustyWater implant is also referred to as Archer RAT and RUSTRIC. The use of RUSTRIC was previously flagged by Seqrite Labs as part of attacks targeting IT, MSPs, human resources, and software development companies in Israel. Historically, MuddyWater has relied on PowerShell and VBS loaders for initial access and post-compromise operations, but the introduction of Rust-based implants represents a notable tooling evolution toward more structured, modular, and low noise RAT capabilities. The MuddyWater threat actor has launched a new campaign codenamed Operation Olalampo targeting organizations and individuals in the Middle East and North Africa (MENA) region. The campaign involves the deployment of new malware families including GhostFetch, HTTP_VIP, CHAR, and GhostBackDoor. GhostFetch is a first-stage downloader that profiles the system, validates mouse movements, checks screen resolution, and fetches and executes secondary payloads directly in memory. GhostBackDoor is a second-stage backdoor delivered by GhostFetch that supports an interactive shell, file read/write, and re-run GhostFetch. HTTP_VIP is a native downloader that conducts system reconnaissance and deploys AnyDesk from the C2 server. CHAR is a Rust backdoor controlled by a Telegram bot (username "stager_51_bot") that executes cmd.exe or PowerShell commands. The PowerShell command executed by CHAR is designed to execute a SOCKS5 reverse proxy or another backdoor named Kalim, upload data stolen from web browsers, and run unknown executables referred to as "sh.exe" and "gshdoc_release_X64_GUI.exe." The MuddyWater threat actor has been observed exploiting recently disclosed vulnerabilities on public-facing servers to obtain initial access to target networks. The MuddyWater APT group remains an active threat within the MENA region, with this operation primarily targeting organizations in the MENA region. The MuddyWater threat actor has targeted US companies in a new campaign that started in early February 2026. The campaign involves a previously unknown backdoor dubbed 'Dindoor' by cyber threat researchers. The Dindoor backdoor leverages Deno, the secure runtime for JavaScript and TypeScript, to execute. The backdoor was signed with a certificate issued to 'Amy Cherne'. An attempt to exfiltrate data from a software company using Rclone to a Wasabi cloud storage bucket was observed. A different, Python backdoor called Fakeset was found on the networks of a US airport. The Fakeset backdoor was signed by certificates issued to 'Amy Cherne' and 'Donald Gay'. The Donald Gay certificate has been used previously to sign malware linked to MuddyWater. The Donald Gay certificate was also used to sign a sample from the malware family tracked as 'Stagecomp', which downloads the Darkcomp backdoor. The Stagecomp and Darkcomp malware have been linked to MuddyWater by security vendors including Google, Microsoft, and Kaspersky.

Timeline

  1. 06.03.2026 17:15 1 articles · 23h ago

    MuddyWater Targets US Companies with Dindoor and Fakeset Backdoors

    The MuddyWater threat actor has targeted US companies in a new campaign that started in early February 2026. The campaign involves a previously unknown backdoor dubbed 'Dindoor' that leverages Deno for execution and is signed with a certificate issued to 'Amy Cherne'. An attempt to exfiltrate data from a software company using Rclone to a Wasabi cloud storage bucket was observed. A different, Python backdoor called Fakeset was found on the networks of a US airport, signed by certificates issued to 'Amy Cherne' and 'Donald Gay'. The Donald Gay certificate has been used previously to sign malware linked to MuddyWater.

    Show sources
    Open in new tab
  2. 23.02.2026 09:25 1 articles · 12d ago

    MuddyWater Launches Operation Olalampo with New Malware Families

    The MuddyWater threat actor has launched a new campaign codenamed Operation Olalampo targeting organizations and individuals in the Middle East and North Africa (MENA) region. The campaign involves the deployment of new malware families including GhostFetch, HTTP_VIP, CHAR, and GhostBackDoor. GhostFetch is a first-stage downloader that profiles the system, validates mouse movements, checks screen resolution, and fetches and executes secondary payloads directly in memory. GhostBackDoor is a second-stage backdoor delivered by GhostFetch that supports an interactive shell, file read/write, and re-run GhostFetch. HTTP_VIP is a native downloader that conducts system reconnaissance and deploys AnyDesk from the C2 server. CHAR is a Rust backdoor controlled by a Telegram bot (username "stager_51_bot") that executes cmd.exe or PowerShell commands. The PowerShell command executed by CHAR is designed to execute a SOCKS5 reverse proxy or another backdoor named Kalim, upload data stolen from web browsers, and run unknown executables referred to as "sh.exe" and "gshdoc_release_X64_GUI.exe." The MuddyWater threat actor has been observed exploiting recently disclosed vulnerabilities on public-facing servers to obtain initial access.

    Show sources
    Open in new tab
  3. 10.01.2026 12:35 2 articles · 1mo ago

    MuddyWater Deploys RustyWater RAT in New Campaign

    The MuddyWater threat actor has launched a new campaign targeting diplomatic, maritime, financial, and telecom entities in the Middle East with a Rust-based implant codenamed RustyWater. The campaign uses icon spoofing and malicious Word documents to deliver Rust-based implants capable of asynchronous C2, anti-analysis, registry persistence, and modular post-compromise capability expansion. The RustyWater implant gathers victim machine information, detects installed security software, sets up persistence by means of a Windows Registry key, and establishes contact with a command-and-control (C2) server (nomercys.it[.]com) to facilitate file operations and command execution. The RustyWater implant is also referred to as Archer RAT and RUSTRIC. The use of RUSTRIC was previously flagged by Seqrite Labs as part of attacks targeting IT, MSPs, human resources, and software development companies in Israel. Historically, MuddyWater has relied on PowerShell and VBS loaders for initial access and post-compromise operations, but the introduction of Rust-based implants represents a notable tooling evolution toward more structured, modular, and low noise RAT capabilities.

    Show sources
    Open in new tab
  4. 08.12.2025 08:46 2 articles · 2mo ago

    MuddyWater Deploys UDPGangster Backdoor in Targeted Campaign

    The MuddyWater threat actor has deployed a new backdoor called UDPGangster that uses the User Datagram Protocol (UDP) for command-and-control (C2) purposes. The attack chain involves using spear-phishing tactics to distribute booby-trapped Microsoft Word documents that trigger the execution of a malicious payload once macros are enabled. The phishing messages impersonate the Turkish Republic of Northern Cyprus Ministry of Foreign Affairs and purport to invite recipients to an online seminar titled "Presidential Elections and Results." The VBA script in the dropper file is equipped to conceal any sign of malicious activity by displaying a Hebrew-language decoy image from Israeli telecommunications provider Bezeq about supposed disconnection periods in the first week of November 2025 across various cities in the country. UDPGangster establishes persistence through Windows Registry modifications and boasts of various anti-analysis checks to resist efforts made by security researchers to take it apart. UDPGangster connects to an external server ("157.20.182[.]75") over UDP port 1269 to exfiltrate collected data, run commands using "cmd.exe," transmit files, update C2 server, and drop and execute additional payloads.

    Show sources
    Open in new tab
  5. 02.12.2025 15:37 3 articles · 3mo ago

    MuddyWater Targets Israeli Entities with MuddyViper Backdoor

    The MuddyWater threat actor has targeted Israeli entities spanning academia, engineering, local government, manufacturing, technology, transportation, and utilities sectors. The hacking group has delivered a previously undocumented backdoor called MuddyViper. The attacks also singled out one technology company based in Egypt. The attack chains involve spear-phishing and the exploitation of known vulnerabilities in VPN infrastructure to infiltrate networks and deploy legitimate remote management tools. The campaign uses a loader named Fooder that decrypts and executes the C/C++-based MuddyViper backdoor. The MuddyViper backdoor enables the attackers to collect system information, execute files and shell commands, transfer files, and exfiltrate Windows login credentials and browser data. The backdoor supports 20 commands that facilitate covert access and control of infected systems. The campaign uses go-socks5 reverse tunneling proxies and an open-source utility called HackBrowserData to collect browser data from several browsers. The campaign uses VAXOne, a backdoor that impersonates Veeam, AnyDesk, Xerox, and the OneDrive updater service. The campaign uses CE-Notes, a browser-data stealer that attempts to bypass Google Chrome's app-bound encryption by stealing the encryption key stored in the Local State file of Chromium-based browsers. The campaign uses Blub, a C/C++ browser-data stealer that gathers user login data from Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera. The campaign uses LP-Notes, a credential stealer written in C/C++ that tricks users into entering their system username and password by displaying a fake Windows Security dialog.

    Show sources
    Open in new tab
  6. 22.10.2025 18:00 7 articles · 4mo ago

    MuddyWater Phishing Campaign Using Compromised Mailboxes

    The campaign started on August 19, 2025. The threat actor is also known as Static Kitten, Mercury, and Seedworm. The emails contained malicious Word documents with macro code that decoded and wrote the FakeUpdate malware loader to disk. The FakeUpdate malware loader decrypts the Phoenix backdoor, which is an embedded, AES-encrypted payload. The Phoenix backdoor establishes persistence by modifying the Windows Registry entry. The Phoenix backdoor version 4 includes an additional COM-based persistence mechanism and several functional differences. The Phoenix backdoor gathers information about the system to profile the victim. The Phoenix backdoor connects to its command-and-control (C2) via WinHTTP and starts to beacon and poll for commands. The supported commands in Phoenix v4 include Sleep, Upload file, Download file, Start shell, and Update sleep interval time. The custom infostealer attempts to exfiltrate the database from Chrome, Opera, Brave, and Edge browsers, extract credentials, and snatch the master key to decrypt them. The C2 infrastructure included the PDQ utility for software deployment and management, and the Action1 RMM tool. The server and server-side command-and-control (C2) component were taken down on August 24, 2025, likely indicating a new stage of the attack.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Iran-linked Dust Specter Targets Iraqi Officials with AI-Assisted Malware

An Iran-linked cyber threat actor, Dust Specter, has been targeting Iraqi government officials using AI-powered tools and previously undocumented malware. The campaign, detected in January 2026, involves impersonating the Iraqi Ministry of Foreign Affairs and compromising government infrastructure to host malicious payloads. The attack chains include the use of SplitDrop, TwinTask, TwinTalk, and GhostForm malware, with TwinTalk also linked to a previous campaign in July 2025. The campaign employs advanced techniques such as randomly generated URI paths for C2 communication, geofencing, and User-Agent verification. The use of compromised Iraqi government infrastructure and AI-assisted malware development highlights the sophistication of the attack.

Open in new tab

China-Linked DKnife AitM Framework Targets Routers for Traffic Hijacking and Malware Delivery

Cybersecurity researchers have uncovered a China-linked adversary-in-the-middle (AitM) framework called DKnife, active since at least 2019. The framework targets routers and edge devices to perform deep packet inspection, manipulate traffic, and deliver malware. It primarily targets Chinese-speaking users by harvesting credentials and delivering malware via popular Chinese services and applications. DKnife comprises seven Linux-based implants that enable a wide range of malicious activities, including DNS hijacking, binary download hijacking, and real-time user activity monitoring. The framework is linked to the Earth Minotaur threat activity cluster and shares infrastructural connections with WizardNet, a Windows implant deployed by TheWizards APT group. DKnife's infrastructure overlaps with a campaign delivering WizardNet, suggesting a shared development or operational lineage. The framework uses a component called yitiji.bin to create a bridged TAP interface on the router at the private IP address 10.3.3.3, allowing the threat actor to intercept and rewrite network packets in transit to the intended host. Additionally, DKnife monitors WeChat activities more analytically, tracking voice and video calls, text messages, images sent and received, and articles read on the platform.

Open in new tab

Lotus Blossom Hacking Group Exploits Notepad++ Hosting Breach to Deploy Chrysalis Backdoor

The China-linked Lotus Blossom hacking group exploited a hosting provider breach to deliver a previously undocumented backdoor, Chrysalis, to Notepad++ users. The attack, which occurred between June and December 2025, involved hijacking update traffic and exploiting insufficient update verification controls in older versions of the software. The group used a multi-layered shellcode loader and integrated undocumented system calls to enhance stealth and resilience. The breach was discovered and mitigated in December 2025, with Notepad++ migrating to a new hosting provider and rotating all credentials. The Chrysalis backdoor is a feature-rich implant capable of gathering system information, executing commands, and maintaining persistence. It communicates with a command-and-control (C2) server to receive additional instructions. The C2 server is currently offline, but the malware's capabilities suggest ongoing development and adaptation by the threat actor.

Open in new tab

Malicious OpenClaw AI Coding Assistant Extension on VS Code Marketplace

A malicious Microsoft Visual Studio Code (VS Code) extension named "ClawdBot Agent - AI Coding Assistant" was discovered on the official Extension Marketplace. The extension, which posed as a free AI coding assistant, stealthily dropped a malicious payload on compromised hosts. The extension was taken down by Microsoft after being reported by cybersecurity researchers. The malicious extension executed a binary named "Code.exe" that deployed a legitimate remote desktop program, granting attackers persistent remote access to compromised hosts. The extension also incorporated multiple fallback mechanisms to ensure payload delivery, including retrieving a DLL from Dropbox and using hard-coded URLs to obtain the payloads. Additionally, security researchers found hundreds of unauthenticated Moltbot instances online, exposing sensitive data and credentials. Moltbot, an open-source personal AI assistant, can run 24/7 locally, maintaining a persistent memory and executing scheduled tasks. However, insecure deployments can lead to sensitive data leaks, corporate data exposure, credential theft, and command execution. Hundreds of Clawdbot Control admin interfaces are exposed online due to reverse proxy misconfiguration, allowing unauthenticated access and root-level system access. More than 230 malicious packages for OpenClaw (formerly Moltbot and ClawdBot) have been published in less than a week on the tool's official registry and on GitHub. These malicious skills impersonate legitimate utilities and inject information-stealing malware payloads onto users' systems, targeting sensitive data like API keys, wallet private keys, SSH credentials, and browser passwords. Users are advised to audit their configurations, revoke connected service integrations, and implement network controls to mitigate potential risks. A self-styled social networking platform built for AI agents, Moltbook, contained a misconfigured database that allowed full read and write access to all data. The exposure was due to a Supabase API key exposed in client-side JavaScript, granting unauthenticated access to the entire production database. Researchers accessed 1.5 million API authentication tokens, 30,000 email addresses, and thousands of private messages between agents. The API key exposure allowed attackers to impersonate any agent on the platform, post content, send messages, and interact as that agent. Unauthenticated users could edit existing posts, inject malicious content or prompt injection payloads, and deface the site. SecurityScorecard found 40,214 exposed OpenClaw instances associated with 28,663 unique IP addresses. 63% of observed deployments are vulnerable, with 12,812 instances exploitable via remote code execution (RCE) attacks. SecurityScorecard correlated 549 instances with prior breach activity and 1493 with known vulnerabilities. Three high-severity CVEs in OpenClaw have been discovered, with public exploit code available. OpenClaw instances are at risk of indirect prompt injection and API key leaks, with most exposures located in China, the US, and Singapore. A supply chain attack via the Cline npm package version 2.3.0 installed OpenClaw on users' systems, exploiting a prompt injection vulnerability in Cline's Claude Issue Triage workflow. The compromised Cline package was downloaded approximately 4,000 times over an eight-hour stretch. OpenClaw has broad permissions and full disk access, making it a high-value implant for attackers. Cline released version 2.4.0 to address the issue and revoked the compromised token. The attack affected all users who installed the Cline CLI package version 2.3.0 during an eight-hour window on February 17, 2026. The attack did not impact Cline's Visual Studio Code (VS Code) extension and JetBrains plugin. Cline maintainers released version 2.4.0 to mitigate the unauthorized publication and revoked the compromised token. Microsoft Threat Intelligence observed a small but noticeable uptick in OpenClaw installations on February 17, 2026, due to the supply chain compromise. Users are advised to update to the latest version, check their environment for any unexpected installation of OpenClaw, and remove it if not required.

Open in new tab

VoidLink Malware Framework Targets Cloud and Container Environments

VoidLink is a Linux-based command-and-control (C2) framework capable of long-term intrusion across cloud and enterprise environments. The malware generates implant binaries designed for credential theft, data exfiltration, and stealthy persistence on compromised systems. VoidLink combines multi-cloud targeting with container and kernel awareness in a single Linux implant, fingerprinting environments across major cloud providers and adjusting its behavior based on what it finds. The implant harvests credentials from environment variables, configuration files, and metadata APIs, and profiles security controls, kernel versions, and container runtimes before activating additional modules. VoidLink employs a modular plugin-based architecture that loads functionality as needed, including credential harvesting, environment fingerprinting, container escape, Kubernetes privilege escalation, and kernel-level stealth. The malware uses AES-256-GCM over HTTPS for encrypted C2 traffic, designed to resemble normal web activity. VoidLink stands out for its apparent development using a large language model (LLM) coding agent with limited human review, as indicated by unusual development artifacts such as structured "Phase X:" labels, verbose debug logs, and documentation left inside the production binary. The research concludes that VoidLink is not a proof-of-concept but an operational implant with live infrastructure, highlighting how AI-assisted development is lowering the barrier to producing functional, modular, and hard-to-detect malware. A previously unknown threat actor tracked as UAT-9921 has been observed leveraging VoidLink in campaigns targeting the technology and financial services sectors. UAT-9921 has been active since 2019, although they have not necessarily used VoidLink over the duration of their activity. The threat actor uses compromised hosts to install VoidLink command-and-control (C2), which are then used to launch scanning activities both internal and external to the network. VoidLink is deployed as a post-compromise tool, allowing the adversary to sidestep detection. The threat actor has been observed deploying a SOCKS proxy on compromised servers to launch scans for internal reconnaissance and lateral movement using open-source tools like Fscan. VoidLink uses three different programming languages: ZigLang for the implant, C for the plugins, and GoLang for the backend. The framework supports compilation on demand for plugins, providing support for the different Linux distributions that might be targeted. The plugins allow for gathering information, lateral movement, and anti-forensics. VoidLink comes fitted with a wide range of stealth mechanisms to hinder analysis, prevent its removal from the infected hosts, and even detect endpoint detection and response (EDR) solutions and devise an evasion strategy on the fly. VoidLink has an auditability feature and a role-based access control (RBAC) mechanism, which consists of three role levels: SuperAdmin, Operator, and Viewer. There are signs that there exists a main implant that has been compiled for Windows and can load plugins via a technique called DLL side-loading.

Open in new tab