
MuddyWater Expands Campaign with MuddyViper Backdoor Targeting Israeli Entities

3 unique sources, 6 articles

Summary


The MuddyWater threat actor, linked to Iran and also known as Static Kitten, Mercury, and Seedworm, has conducted a global phishing campaign targeting over 100 organizations, including government entities, embassies, diplomatic missions, foreign affairs ministries, consulates, international organizations, and telecommunications firms in the Middle East and North Africa (MENA) region. The campaign used compromised email accounts to send phishing emails with malicious Microsoft Word documents containing macros that dropped and launched version 4 of the Phoenix backdoor, which provided remote control over infected systems. The campaign began on August 19, 2025, and used a command-and-control (C2) server registered under the domain screenai[.]online. The attackers employed three remote monitoring and management (RMM) tools and a custom browser credential stealer, Chromium_Stealer. The malware and tools were hosted on a temporary Python-based HTTP service linked to NameCheap's servers. The campaign highlights the ongoing use of trusted communication channels by state-backed threat actors to evade defenses and infiltrate high-value targets. The server and the server-side C2 component were taken down on August 24, 2025, likely indicating a new stage of the attack.

The MuddyWater threat actor has also targeted Israeli entities spanning the academia, engineering, local government, manufacturing, technology, transportation, and utilities sectors, delivering a previously undocumented backdoor called MuddyViper. The attacks also singled out one technology company based in Egypt. The attack chains involve spear-phishing and the exploitation of known vulnerabilities in VPN infrastructure to infiltrate networks and deploy legitimate remote management tools. The campaign uses a loader named Fooder that decrypts and executes the C/C++-based MuddyViper backdoor. MuddyViper enables the attackers to collect system information, execute files and shell commands, transfer files, and exfiltrate Windows login credentials and browser data.

Additionally, the MuddyWater threat actor has deployed a new backdoor called UDPGangster that uses the User Datagram Protocol (UDP) for C2. The attack chain uses spear-phishing to distribute booby-trapped Microsoft Word documents that execute a malicious payload once macros are enabled. The phishing messages impersonate the Turkish Republic of Northern Cyprus Ministry of Foreign Affairs and purport to invite recipients to an online seminar titled "Presidential Elections and Results." The VBA script in the dropper conceals any sign of malicious activity by displaying a Hebrew-language decoy image from Israeli telecommunications provider Bezeq about supposed disconnection periods in the first week of November 2025 across various cities in the country. UDPGangster establishes persistence through Windows Registry modifications and includes various anti-analysis checks to resist efforts by security researchers to take it apart. It connects to an external server ("157.20.182[.]75") over UDP port 1269 to exfiltrate collected data, run commands using "cmd.exe," transmit files, update the C2 server, and drop and execute additional payloads.

The MuddyWater threat actor has also launched a new campaign targeting diplomatic, maritime, financial, and telecom entities in the Middle East with a Rust-based implant codenamed RustyWater. The campaign uses icon spoofing and malicious Word documents to deliver Rust-based implants capable of asynchronous C2, anti-analysis, registry persistence, and modular post-compromise capability expansion. The RustyWater implant gathers victim machine information, detects installed security software, sets up persistence by means of a Windows Registry key, and establishes contact with a C2 server (nomercys.it[.]com) to facilitate file operations and command execution. RustyWater is also referred to as Archer RAT and RUSTRIC. The use of RUSTRIC was previously flagged by Seqrite Labs as part of attacks targeting IT, MSPs, human resources, and software development companies in Israel. Historically, MuddyWater has relied on PowerShell and VBS loaders for initial access and post-compromise operations, but the introduction of Rust-based implants represents a notable tooling evolution toward more structured, modular, and low-noise RAT capabilities.
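The network indicators named in this summary are written defanged (`[.]`), which is how they are typically shared but not how they appear in logs. The following added example, not code from any of the page's sources, refangs those indicators and checks them against constructed DNS and firewall log lines (the log formats are assumed, modelled loosely on dnsmasq and a generic firewall export) so a defender can see a hunt query take shape: domain and subdomain matches for the two C2 domains, and any traffic to the UDPGangster IP, with the reported UDP/1269 channel flagged separately.

```python
import re

# Indicators exactly as the page lists them (bracket-defanged). The port and
# protocol are the page's UDP/1269 UDPGangster channel.
DEFANGED_DOMAINS = ["screenai[.]online", "nomercys.it[.]com"]
DEFANGED_C2_IP, C2_UDP_PORT = "157.20.182[.]75", 1269

def refang(ioc: str) -> str:
    """Undo common defanging so the value can be compared with real logs."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")

DOMAINS = {refang(d).lower() for d in DEFANGED_DOMAINS}
C2_IP = refang(DEFANGED_C2_IP)

# Assumed (constructed) line shapes: a dnsmasq-style query log and a firewall log.
DNS_RE = re.compile(r"query\[(?:A|AAAA)\] (?P<qname>\S+) from (?P<src>\S+)")
FW_RE = re.compile(r"proto=(?P<proto>\w+) src=(?P<src>\S+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)")

def dns_hit(line: str):
    """Flag a lookup of a listed C2 domain or any subdomain of it."""
    m = DNS_RE.search(line)
    if not m:
        return None
    qname = m.group("qname").rstrip(".").lower()
    for d in DOMAINS:
        if qname == d or qname.endswith("." + d):
            return {"type": "dns", "src": m.group("src"), "indicator": d}
    return None

def net_hit(line: str):
    """Flag any flow to the listed IP; mark whether it is the reported UDP/1269 channel."""
    m = FW_RE.search(line)
    if not m or m.group("dst") != C2_IP:
        return None
    exact = m.group("proto").lower() == "udp" and int(m.group("dport")) == C2_UDP_PORT
    return {"type": "net", "src": m.group("src"), "indicator": C2_IP, "exact_channel": exact}

def scan(lines):
    """Return one hit dict per matching log line, in input order."""
    hits = []
    for line in lines:
        h = dns_hit(line) or net_hit(line)
        if h:
            hits.append(h)
    return hits

# Constructed sample log lines; only the indicators come from the page.
SAMPLE_LOGS = [
    "Jan 10 12:00:01 dnsmasq: query[A] screenai.online from 10.0.0.5",
    "Jan 10 12:00:02 dnsmasq: query[A] www.example.org from 10.0.0.5",
    "Jan 10 12:00:03 dnsmasq: query[A] cdn.nomercys.it.com from 10.0.0.7",
    "Jan 10 12:00:04 fw: proto=udp src=10.0.0.9 dst=157.20.182.75:1269",
    "Jan 10 12:00:05 fw: proto=tcp src=10.0.0.9 dst=157.20.182.75:443",
    "Jan 10 12:00:06 fw: proto=udp src=10.0.0.9 dst=192.0.2.10:1269",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```

Port-only matches (last sample line) are deliberately not reported: 1269/UDP on its own is not an indicator, and the page ties it to that specific IP.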

Timeline

  1. 10.01.2026 12:35 1 article · 23h ago

    MuddyWater Deploys RustyWater RAT in New Campaign

    The MuddyWater threat actor has launched a new campaign targeting diplomatic, maritime, financial, and telecom entities in the Middle East with a Rust-based implant codenamed RustyWater. The campaign uses icon spoofing and malicious Word documents to deliver Rust-based implants capable of asynchronous C2, anti-analysis, registry persistence, and modular post-compromise capability expansion. The RustyWater implant gathers victim machine information, detects installed security software, sets up persistence by means of a Windows Registry key, and establishes contact with a command-and-control (C2) server (nomercys.it[.]com) to facilitate file operations and command execution. The RustyWater implant is also referred to as Archer RAT and RUSTRIC. The use of RUSTRIC was previously flagged by Seqrite Labs as part of attacks targeting IT, MSPs, human resources, and software development companies in Israel. Historically, MuddyWater has relied on PowerShell and VBS loaders for initial access and post-compromise operations, but the introduction of Rust-based implants represents a notable tooling evolution toward more structured, modular, and low-noise RAT capabilities.

  2. 08.12.2025 08:46 1 article · 1mo ago

    MuddyWater Deploys UDPGangster Backdoor in Targeted Campaign

    The MuddyWater threat actor has deployed a new backdoor called UDPGangster that uses the User Datagram Protocol (UDP) for command-and-control (C2) purposes. The attack chain uses spear-phishing to distribute booby-trapped Microsoft Word documents that execute a malicious payload once macros are enabled. The phishing messages impersonate the Turkish Republic of Northern Cyprus Ministry of Foreign Affairs and purport to invite recipients to an online seminar titled "Presidential Elections and Results." The VBA script in the dropper file conceals any sign of malicious activity by displaying a Hebrew-language decoy image from Israeli telecommunications provider Bezeq about supposed disconnection periods in the first week of November 2025 across various cities in the country. UDPGangster establishes persistence through Windows Registry modifications and includes various anti-analysis checks to resist efforts by security researchers to take it apart. UDPGangster connects to an external server ("157.20.182[.]75") over UDP port 1269 to exfiltrate collected data, run commands using "cmd.exe," transmit files, update the C2 server, and drop and execute additional payloads.

  3. 02.12.2025 15:37 2 articles · 1mo ago

    MuddyWater Targets Israeli Entities with MuddyViper Backdoor

    The MuddyWater threat actor has targeted Israeli entities spanning academia, engineering, local government, manufacturing, technology, transportation, and utilities sectors. The hacking group has delivered a previously undocumented backdoor called MuddyViper. The attacks also singled out one technology company based in Egypt. The attack chains involve spear-phishing and the exploitation of known vulnerabilities in VPN infrastructure to infiltrate networks and deploy legitimate remote management tools. The campaign uses a loader named Fooder that decrypts and executes the C/C++-based MuddyViper backdoor. The MuddyViper backdoor enables the attackers to collect system information, execute files and shell commands, transfer files, and exfiltrate Windows login credentials and browser data. The backdoor supports 20 commands that facilitate covert access and control of infected systems. The campaign uses go-socks5 reverse tunneling proxies and an open-source utility called HackBrowserData to collect browser data from several browsers. The campaign uses VAXOne, a backdoor that impersonates Veeam, AnyDesk, Xerox, and the OneDrive updater service. The campaign uses CE-Notes, a browser-data stealer that attempts to bypass Google Chrome's app-bound encryption by stealing the encryption key stored in the Local State file of Chromium-based browsers. The campaign uses Blub, a C/C++ browser-data stealer that gathers user login data from Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera. The campaign uses LP-Notes, a credential stealer written in C/C++ that tricks users into entering their system username and password by displaying a fake Windows Security dialog.

  4. 22.10.2025 18:00 6 articles · 2mo ago

    MuddyWater Phishing Campaign Using Compromised Mailboxes

    The campaign started on August 19, 2025. The threat actor is also known as Static Kitten, Mercury, and Seedworm. The emails contained malicious Word documents with macro code that decoded and wrote the FakeUpdate malware loader to disk. The FakeUpdate loader decrypts the Phoenix backdoor, which is an embedded, AES-encrypted payload. The Phoenix backdoor establishes persistence by modifying a Windows Registry entry. Phoenix version 4 includes an additional COM-based persistence mechanism and several functional differences. The backdoor gathers information about the system to profile the victim, then connects to its command-and-control (C2) server via WinHTTP and starts to beacon and poll for commands. The supported commands in Phoenix v4 include Sleep, Upload file, Download file, Start shell, and Update sleep interval time. The custom infostealer attempts to exfiltrate the credential database from the Chrome, Opera, Brave, and Edge browsers, extract credentials, and snatch the master key to decrypt them. The C2 infrastructure included the PDQ utility for software deployment and management, and the Action1 RMM tool. The server and the server-side C2 component were taken down on August 24, 2025, likely indicating a new stage of the attack.



Similar Happenings

Infy APT Resurfaces with Updated Malware and Expanded Targeting

The Iranian APT group Infy (Prince of Persia) has resumed activity after years of silence, targeting victims in Iran, Iraq, Turkey, India, Canada, and Europe. The group has updated its malware tools Foudre and Tonnerre, employing new techniques such as domain generation algorithms (DGA) and Telegram for command-and-control (C2) communication. The campaign highlights the group's continued relevance and sophistication in cyber espionage. The latest findings reveal that Infy has been active since at least 2004, leveraging malware like Foudre and Tonnerre to profile and exfiltrate data from high-value machines. The group's recent activities include using updated versions of Foudre (version 34) and Tonnerre (versions 12-18, 50), with the latest Tonnerre version detected in September 2025.

Spiderman Phishing Kit Targets European Banks and Cryptocurrency Services

A new phishing kit named Spiderman is targeting customers of numerous European banks and cryptocurrency services. The kit creates pixel-perfect replicas of legitimate sites to capture login credentials, 2FA codes, and credit card data. It is modular, allowing for the addition of new banks, portals, and authentication methods. The kit is popular among cybercriminals, with one of its groups on Signal counting 750 members. The Spiderman phishing kit targets financial institutions in five countries, including major brands such as Deutsche Bank, ING, Comdirect, Blau, O2, CaixaBank, Volksbank, and Commerzbank. It can also steal seed phrases for Ledger, Metamask, and Exodus cryptocurrency wallets. The kit allows operators to view victim sessions in real time, capture credentials, perform one-click data export, intercept PhotoTAN/OTP codes, and harvest credit card details. Varonis researchers warn that the data captured by Spiderman can lead to banking account takeover, SIM swapping, credit card fraud, and identity theft. The Spiderman phishing kit is marketed in a Signal messenger group with about 750 members. The kit targets customers of financial services providers such as Klarna and PayPal. The kit uses techniques like ISP allowlisting, geofencing, and device filtering to ensure only intended targets can access the phishing pages.

Landfall Android Spyware Exploits Samsung Zero-Day via WhatsApp

The Landfall Android spyware targeted Samsung devices through a zero-day vulnerability (CVE-2025-21042) in a Samsung image processing library. The exploit was delivered via a malicious DNG image sent through WhatsApp, affecting Samsung Galaxy S22, S23, S24, Z Fold4, and Z Flip4 phones. The spyware enables microphone recording, location tracking, and data exfiltration. The attacks have been ongoing since at least July 2024, and the vulnerability was patched by Samsung in April. The threat actor, tracked as CL-UNK-1054, remains unidentified, with potential links to the Stealth Falcon group and other surveillance vendors. The attacks primarily targeted individuals in the Middle East and North Africa. The exploit involved a zero-click approach, and the malicious DNG files contained an embedded ZIP file with a shared object library to run the spyware. The spyware manipulated the device's SELinux policy to gain elevated permissions and facilitate persistence, and communicated with a command-and-control (C2) server over HTTPS for beaconing and receiving next-stage payloads. The spyware can fingerprint devices based on hardware and SIM IDs and targets a broad range of Samsung’s latest flagship models, excluding the latest S25 series devices. Unit 42 identified six C2 servers linked to the LandFall campaign, with some flagged by Turkey’s CERT. C2 domain registration and infrastructure patterns share similarities with those seen in Stealth Falcon operations, originating from the United Arab Emirates. CISA has added CVE-2025-21042 to its Known Exploited Vulnerabilities catalog, ordering federal agencies to patch within three weeks.

Iranian APT Phishing Campaign Targets US Think Tanks

Between June and August 2025, an Iranian advanced persistent threat (APT) group, tentatively named UNK_SmudgedSerpent, conducted targeted phishing attacks against prominent US think tanks and policy experts. The campaign impersonated influential figures in US foreign policy, including Suzanne Maloney and Patrick Clawson, to steal credentials and deploy remote monitoring and management (RMM) software. The group's tactics, techniques, and procedures (TTPs) overlapped with multiple known Iranian APTs, suggesting possible reorganization or collaboration within Iranian cyber operations. The phishing attempts involved impersonating key figures in US policy discussions on Iran, using tailored emails to lure targets into clicking malicious links. The group used a combination of techniques reminiscent of multiple Iranian APTs, including TA453 (Charming Kitten) and TA455 (Smoke Sandstorm), and deployed RMM software, a tactic previously associated with TA450 (MuddyWater). The campaign targeted over 20 subject matter experts at a U.S.-based think tank and used decoy documents and zip files containing RMM installers. The attackers also impersonated prominent U.S. foreign policy figures associated with think tanks like Brookings Institution and Washington Institute, and used spoofed login pages to harvest Microsoft account credentials. The group's activity was observed to have paused, but concerns persist due to the tactical overlap with known Iranian APTs. The group's tactics and infrastructure suggest possible personnel movement or shared infrastructure procurement between Iranian contracting outfits.

RMM Software Exploited in Logistics and Freight Network Intrusions

Cybercriminals have been targeting trucking and logistics companies since at least January 2025, using remote monitoring and management (RMM) software to infiltrate networks and steal cargo freight. The primary targets are food and beverage products, which are often sold online or shipped overseas. The attackers collaborate with organized crime groups and use various methods to gain access, including compromised email accounts, spear-phishing emails, and fraudulent freight listings. They leverage legitimate RMM tools like ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N-able, and LogMeIn Resolve to maintain persistence and evade detection. Once inside, they conduct reconnaissance, harvest credentials, and manipulate dispatch systems to steal cargo. The use of RMM software allows them to operate undetected, as these tools are commonly used in enterprise environments and are often not flagged as malicious. The attackers conducted nearly two dozen campaigns targeting North American freight companies in September and October 2025, with volumes ranging from fewer than 10 to over 1000 messages per campaign. The attackers have been active since at least June 2025, with evidence suggesting campaigns began as early as January 2025. Similar activity has been observed in Brazil, Mexico, India, Germany, Chile, and South Africa. The National Insurance Crime Bureau (NICB) estimates cargo theft losses in the U.S. at $35 billion annually. The attackers use compromised accounts on load boards to post fraudulent freight listings and hijack email threads to lead victims to malicious URLs. They send direct phishing emails to asset-based carriers, freight brokerage firms, and integrated supply-chain providers, targeting a wide range of carriers from small businesses to large transport firms. The attackers aim to compromise any carrier that responds to fake load postings and to identify and bid on profitable loads to steal. They use various methods to steal cargo, including direct collaboration with truckers and double brokering, which disrupts the supply chain, leads to increased costs, delays, and insurance claims, and erodes trust within the supply chain.