UDPGangster backdoor deployed by MuddyWater
Malware Activity
Summary
Hide ▲
Show ▼
The MuddyWater group has deployed UDPGangster, a new backdoor that uses UDP C2 to control compromised systems and expand post-compromise access. The malware can execute commands, exfiltrate files, and deliver additional payloads, increasing the impact on infected hosts. It was delivered through spear-phishing Word documents with macros enabled and targeted users in Turkey, Israel, and Azerbaijan.
Related Happenings
SprySOCKS Windows backdoor activity against government organizations
Malware Activity
H score23
First: 16.06.2026 12:00
Last: 16.06.2026 12:00
Sources 1
About this happening:
**SprySOCKS** now has documented **Windows variants**, **WIN_DRV** and **WIN_PLUS**, expanding a toolset first known as a **Linux-only backdoor**. The activity is tied to **govern...
SprySOCKS Windows backdoor activity against government organizations
Malware ActivityAbout this happening: **SprySOCKS** now has documented **Windows variants**, **WIN_DRV** and **WIN_PLUS**, expanding a toolset first known as a **Linux-only backdoor**. The activity is tied to **govern...
Fake AI study guide AsyncRAT lure campaign targeting Windows users
Campaign
H score33
First: 11.06.2026 17:00
Last: 11.06.2026 17:00
Sources 1
About this happening:
A **malware-luring campaign** now uses fake **AI study guides** and **developer resources** to target **Windows users** at organizations, increasing the risk of stealthy **AsyncRA...
Fake AI study guide AsyncRAT lure campaign targeting Windows users
CampaignAbout this happening: A **malware-luring campaign** now uses fake **AI study guides** and **developer resources** to target **Windows users** at organizations, increasing the risk of stealthy **AsyncRA...
Dindoor backdoor activity in MuddyWater operations
Malware Activity
H score23
First: 06.03.2026 17:15
Last: 06.03.2026 17:15
Sources 1
About this happening:
Researchers identified **Dindoor**, a previously unknown backdoor, on targeted networks tied to **MuddyWater**, showing the group was using a new intrusion toolset. The malware ap...
Dindoor backdoor activity in MuddyWater operations
Malware ActivityAbout this happening: Researchers identified **Dindoor**, a previously unknown backdoor, on targeted networks tied to **MuddyWater**, showing the group was using a new intrusion toolset. The malware ap...
MuddyWater Operation Olalampo campaign targeting MENA organizations and individuals
Campaign
H score33
First: 23.02.2026 09:25
Last: 23.02.2026 09:25
Sources 1
About this happening:
The **MuddyWater** campaign **Operation Olalampo** is actively targeting organizations and individuals across **MENA**, creating ongoing risk of remote compromise and follow-on in...
MuddyWater Operation Olalampo campaign targeting MENA organizations and individuals
CampaignAbout this happening: The **MuddyWater** campaign **Operation Olalampo** is actively targeting organizations and individuals across **MENA**, creating ongoing risk of remote compromise and follow-on in...
WinRAR path traversal via Alternate Data Streams (CVE-2025-8088)
Vulnerability
H score21
First: 27.01.2026 21:38
Last: 27.01.2026 21:38
Sources 1
About this happening:
The **CVE-2025-8088** **WinRAR** path traversal flaw is being **actively exploited** through **Alternate Data Streams (ADS)** to write malicious files outside the extraction direc...
WinRAR path traversal via Alternate Data Streams (CVE-2025-8088)
VulnerabilityAbout this happening: The **CVE-2025-8088** **WinRAR** path traversal flaw is being **actively exploited** through **Alternate Data Streams (ADS)** to write malicious files outside the extraction direc...
Timeline
-
08.12.2025 08:46 2 articles · 7mo ago
MuddyWater uses UDPGangster against users in Turkey, Israel, and Azerbaijan
Initial DisclosureMuddyWater deployed UDPGangster, a new backdoor using UDP for command-and-control, in a campaign against users in Turkey, Israel, and Azerbaijan. The malware was delivered through spear-phishing Microsoft Word documents and ZIP attachments that prompted macro activation, used a macro dropper to write decoded content to C:\Users\Public\ui.txt, launched the payload with CreateProcessA, established persistence through Windows Registry changes, ran anti-analysis checks, and could connect to 157.20.182[.]75 over UDP port 1269 to gather system information, execute cmd.exe commands, exfiltrate files, update C2, and drop additional payloads.
Show sources
- MuddyWater Deploys UDPGangster Backdoor in Targeted Turkey-Israel-Azerbaijan Campaign — thehackernews.com — 08.12.2025 08:46
- MuddyWater Deploys UDPGangster Backdoor in Targeted Turkey-Israel-Azerbaijan Campaign — thehackernews.com — 08.12.2025 08:46