UDPGangster backdoor deployed by MuddyWater
Malware Activity
Summary
The MuddyWater group has deployed UDPGangster, a new backdoor that uses UDP C2 to control compromised systems and expand post-compromise access. The malware can execute commands, exfiltrate files, and deliver additional payloads, increasing the impact on infected hosts. It was delivered through spear-phishing Word documents with macros enabled and targeted users in Turkey, Israel, and Azerbaijan.
Related Happenings
Dindoor backdoor activity in MuddyWater operations
Malware Activity
First: 06.03.2026 17:15
Last: 06.03.2026 17:15
Sources 1
About this happening:
Researchers identified **Dindoor**, a previously unknown backdoor, on targeted networks tied to **MuddyWater**, showing the group was using a new intrusion toolset. The malware ap...
MuddyWater Operation Olalampo campaign targeting MENA organizations and individuals
Campaign
First: 23.02.2026 09:25
Last: 23.02.2026 09:25
Sources 1
About this happening:
The **MuddyWater** campaign **Operation Olalampo** is actively targeting organizations and individuals across **MENA**, creating ongoing risk of remote compromise and follow-on in...
MuddyWater RustyWater spear-phishing campaign against Middle East entities
Campaign
First: 10.01.2026 12:35
Last: 10.01.2026 12:35
Sources 1
About this happening:
**MuddyWater** is conducting an active **spear-phishing campaign** against **diplomatic, maritime, financial, and telecom entities in the Middle East**, using **RustyWater** to ga...
MgBot backdoor delivery and injection via secondary loader
Malware Activity
First: 26.12.2025 16:44
Last: 26.12.2025 16:44
Sources 1
About this happening:
The **MgBot** backdoor was delivered through a **secondary loader** and injected into **svchost.exe**, giving operators a stealthy foothold on infected systems. The payload suppor...
Infy Foudre and Tonnerre malware activity
Malware Activity
First: 21.12.2025 06:22
Last: 21.12.2025 06:22
Sources 1
About this happening:
The **Infy** group is actively using **Foudre** and **Tonnerre** to deliver a **second-stage implant** that extracts data from **high-value machines**. The malware activity matter...
Timeline
- 08.12.2025 08:46 · 2 articles
MuddyWater uses UDPGangster against users in Turkey, Israel, and Azerbaijan
Initial Disclosure
MuddyWater deployed UDPGangster, a new backdoor using UDP for command-and-control, in a campaign against users in Turkey, Israel, and Azerbaijan. The malware was delivered through spear-phishing Microsoft Word documents and ZIP attachments that prompted macro activation. A macro dropper wrote the decoded content to C:\Users\Public\ui.txt and launched the payload with CreateProcessA. The backdoor established persistence through Windows Registry changes, ran anti-analysis checks, and could connect to 157.20.182[.]75 over UDP port 1269 to gather system information, execute cmd.exe commands, exfiltrate files, update its C2, and drop additional payloads.
- MuddyWater Deploys UDPGangster Backdoor in Targeted Turkey-Israel-Azerbaijan Campaign — thehackernews.com — 08.12.2025 08:46
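The disclosure above describes a short chain of host and network behaviours (Word macro writing C:\Users\Public\ui.txt, an Office child process, a UDP beacon to 157.20.182[.]75:1269). The following is an added detection example, not code from the source article or any vendor product: it correlates those indicators per host over a hypothetical Sysmon-like event schema, with constructed sample events. The event field names and the severity tiers are assumptions.

```python
from collections import defaultdict
from typing import Optional

# Indicators quoted in the disclosure above; the event schema below is hypothetical.
C2_IP = "157.20.182.75"            # written as 157.20.182[.]75 in the report
C2_UDP_PORT = 1269
DROP_PATH = r"c:\users\public\ui.txt"
OFFICE_PARENTS = {"winword.exe"}   # macro-bearing Word documents were the lure

def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 157.20.182[.]75 back into a matchable value."""
    return ioc.replace("[.]", ".")

def classify(event: dict) -> Optional[str]:
    """Return the indicator label a single event matches, or None if it is benign."""
    kind = event.get("type")
    if kind == "file_create":
        if (event.get("path", "").lower() == DROP_PATH
                and event.get("image", "").lower() in OFFICE_PARENTS):
            return "macro_dropper_write"
    elif kind == "process_create":
        if event.get("parent", "").lower() in OFFICE_PARENTS:
            return "office_child_process"
    elif kind == "network_connect":
        if (event.get("protocol", "").lower() == "udp"
                and event.get("dst_ip") == C2_IP
                and int(event.get("dst_port", 0)) == C2_UDP_PORT):
            return "udp_c2_beacon"
    return None

def triage(events: list) -> dict:
    """Group matched indicators per host, first-seen order, de-duplicated."""
    hits = defaultdict(list)
    for ev in events:
        label = classify(ev)
        if label and label not in hits[ev["host"]]:
            hits[ev["host"]].append(label)
    return dict(hits)

def severity(labels: list) -> str:
    """A beacon to the known C2 is high on its own; dropper plus child process is medium."""
    if "udp_c2_beacon" in labels:
        return "high"
    if {"macro_dropper_write", "office_child_process"} <= set(labels):
        return "medium"
    return "low" if labels else "none"

# Constructed sample telemetry for two hosts (not captured from a real incident).
SAMPLE_EVENTS = [
    {"type": "file_create", "host": "ws01", "image": "WINWORD.EXE", "path": r"C:\Users\Public\ui.txt"},
    {"type": "process_create", "host": "ws01", "parent": "WINWORD.EXE", "image": "cmd.exe"},
    {"type": "network_connect", "host": "ws01", "protocol": "udp",
     "dst_ip": refang("157.20.182[.]75"), "dst_port": 1269},
    {"type": "network_connect", "host": "ws02", "protocol": "udp", "dst_ip": "8.8.8.8", "dst_port": 53},
]
```

Running `triage(SAMPLE_EVENTS)` flags only ws01, and `severity` rates it high because of the beacon; the DNS traffic on ws02 produces no hit.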