MuddyWater phishing campaign targeting Israeli entities with MuddyViper
Campaign
Summary
A MuddyWater phishing campaign is targeting Israeli academia, government, industry, transport, and utilities, and the operation matters because it is delivering the MuddyViper backdoor for covert access and credential theft. The activity also reached one technology company in Egypt, showing broader regional reach. Attack chains rely on PDF lure emails, legitimate remote desktop tools, and a loader used to unpack and run the malware.
Related Happenings
MuddyWater broad cyber-espionage campaign across sectors and countries
Campaign
First: 14.05.2026 00:59
Last: 14.05.2026 00:59
Sources 1
About this happening:
**MuddyWater** was tied to a **2026 espionage campaign** affecting **at least nine organizations** across **nine countries** on **four continents**, with victims in **industrial a...
MuddyWater U.S. network intrusion campaign targeting banks, airports, and a software company arm
Campaign
First: 06.03.2026 12:23
Last: 06.03.2026 12:23
Sources 1
About this happening:
**MuddyWater (Seedworm)** is running a **state-linked intrusion campaign** that has embedded itself in **U.S. banks, airports, a non-profit, and an Israeli software company arm**,...
UnsolicitedBooker Central Asian telecom phishing campaign
Campaign
First: 24.02.2026 11:54
Last: 24.02.2026 11:54
Sources 1
About this happening:
The **UnsolicitedBooker** cluster shifted its phishing operation to **telecommunications companies in Kyrgyzstan and Tajikistan**, extending a multi-month campaign that matters be...
UDPGangster backdoor deployed by MuddyWater
Malware Activity
First: 08.12.2025 08:46
Last: 08.12.2025 08:46
Sources 1
About this happening:
The **MuddyWater** group has deployed **UDPGangster**, a new backdoor that uses **UDP C2** to control compromised systems and expand post-compromise access. The malware can **exec...
PlushDaemon global espionage campaign
Campaign
First: 19.11.2025 14:00
Last: 19.11.2025 14:00
Sources 1
About this happening:
**PlushDaemon** is running a long-lived **global espionage campaign** that targets organizations across **multiple countries**, increasing the risk of cross-border compromise and...
Timeline
02.12.2025 15:37 (2 articles)
MuddyWater campaign uses MuddyViper against Israeli entities
Initial Disclosure: ESET attributes a new MuddyWater operation to Iranian state-linked operators targeting Israeli entities across academia, engineering, local government, manufacturing, technology, transportation, and utilities, with one technology company in Egypt also singled out. The phishing-led intrusion chain uses PDF lure emails that point to legitimate remote desktop tools such as Atera, Level, PDQ, and SimpleHelp, then a Fooder loader to decrypt and execute the MuddyViper backdoor, which can collect system information, run files and shell commands, transfer files, and exfiltrate Windows login credentials and browser data.
Sources:
- Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks — thehackernews.com — 02.12.2025 15:37