A new, technically advanced campaign by the Iran-aligned cyberespionage group known as MuddyWater has been targeting critical infrastructure organizations in Israel and deploying a new backdoor called MuddyViper that’s used for persistence and data theft.

The victims in Israel span multiple industries, including technology, engineering, manufacturing, local government, and education. Researchers at ESET, who identified the campaign, also have found at least one victim in Egypt. MuddyWater, which is linked to the Ministry of Intelligence and National Security of Iran, continues its focus on attacking government and critical infrastructure organizations. Aside from the deployment of the previously unseen MuddyViper backdoor, this campaign mainly used known tools and techniques that threat researchers are able to identify and contain relatively easily. 

This campaign starts with targeted spearphishing emails that often contain PDF attachments linking to installers for legitimate Remote Monitoring and Management (RMM) software, such as Atera, Level, PDQ, and SimpleHelp. The installers are hosted on free file-sharing platforms such as OneHub, Egnyte, or Mega; once a victim runs one, the operators have a foothold in the network through the RMM tool.
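As an added example, not part of the ESET research or this article, the following Python script turns the initial-access pattern just described into a detection heuristic run over proxy-log lines: it flags successful downloads of `.exe`/`.msi` files whose names reference Atera, Level, PDQ or SimpleHelp from hosts whose DNS labels match OneHub, Egnyte or Mega. The log format, hostnames, users and timestamps are constructed for the demonstration, not taken from the report.

```python
"""Added example (not from the ESET report): flag proxy-log entries where an
installer named after an RMM product (Atera, Level, PDQ, SimpleHelp) is fetched
from a free file-sharing service (OneHub, Egnyte, Mega)."""
import re
from urllib.parse import urlparse

RMM_NAMES = ("atera", "level", "pdq", "simplehelp")
SHARING_LABELS = ("onehub", "egnyte", "mega")  # matched against host labels
INSTALLER_EXT = (".exe", ".msi")

# Constructed proxy log: <timestamp> <client_ip> <user> <method> <url> <status>
SAMPLE_LOG = """\
2025-01-10T08:01:12Z 10.0.4.17 jdoe GET https://ws.onehub.com/files/abc123/AteraAgent.exe 200
2025-01-10T08:01:40Z 10.0.4.17 jdoe GET https://cdn.example.com/static/app.js 200
2025-01-10T09:15:03Z 10.0.4.22 asmith GET https://mega.nz/file/xyz789/SimpleHelp-Installer.msi 200
2025-01-10T09:20:11Z 10.0.4.22 asmith GET https://downloads.example.com/pdq-deploy.pdf 200
2025-01-10T10:02:55Z 10.0.5.9 bwong GET https://egnyte.com/dl/Level_Setup.exe 200
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify(url):
    """Return (host_hit, rmm_hit): host is a file-sharing service, and the
    requested file is an installer whose name references an RMM product."""
    parsed = urlparse(url)
    labels = parsed.netloc.lower().split(".")          # e.g. ["ws", "onehub", "com"]
    filename = parsed.path.rsplit("/", 1)[-1].lower()
    host_hit = any(label in SHARING_LABELS for label in labels)
    rmm_hit = filename.endswith(INSTALLER_EXT) and any(n in filename for n in RMM_NAMES)
    return host_hit, rmm_hit


def find_suspicious_downloads(log_text):
    """Parse the log and return one alert dict per line matching both conditions."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        ts, client, user, _method, url, status = m.groups()
        if status != "200":
            continue  # only completed downloads matter for this heuristic
        host_hit, rmm_hit = classify(url)
        if host_hit and rmm_hit:
            alerts.append({"time": ts, "client": client, "user": user, "url": url})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_downloads(SAMPLE_LOG):
        print(f"[ALERT] {a['time']} {a['client']} ({a['user']}) fetched RMM installer: {a['url']}")
```

The heuristic is deliberately narrow (both conditions must hold) so that legitimate RMM downloads from vendor sites and ordinary file-sharing traffic do not fire; tune the name lists to the RMM products actually sanctioned in your environment.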

New and Evolving Toolset

The new campaign showcases a set of previously undocumented, custom tools designed for improved defense evasion and persistence, indicating a technical evolution for the group:

  • MuddyViper Backdoor: A new backdoor that is a central component of the attack. It allows operators to collect system information, execute files and shell commands, transfer files, and exfiltrate sensitive data, including Windows login credentials and browser data.
  • Fooder Loader: This custom loader is responsible for reflectively loading and executing the MuddyViper backdoor directly into memory. In a notable evasion technique, several versions of Fooder masquerade as the classic Snake game. Fooder also implements a custom delay function based on the Snake game’s core logic, combined with "Sleep" API calls, to frustrate automated analysis systems.
  • Post-Compromise Credential Stealers: The attackers deploy additional credential-stealing tools, including CE-Notes (targeting Chromium-based browsers), LP-Notes (for staging and verifying credentials), and Blub (stealing login data from Chrome, Edge, Firefox, and Opera).
  • VAX One Backdoor: The operators also use the VAX One backdoor, which impersonates legitimate software like Veeam, AnyDesk, Xerox, and the OneDrive updater service.

Stealth and Sophistication

Beyond the new malware, the campaign demonstrates increased operational stealth. The developers adopted CNG, the next-generation Windows cryptographic API, a technique that ESET researchers say is unique to Iran-aligned groups. The operators also deliberately avoided "hands-on-keyboard" interactive sessions, a noisy technique the group has used historically, in favor of a more precise and strategically targeted approach. MuddyWater is one of the more prominent Iran state-backed threat groups, and threat intelligence teams have been tracking its activities for more than eight years. The group typically focuses on cyberespionage and often targets Israeli companies and government organizations.

While some components remain easily detected, ESET’s analysis shows the overall campaign reflects a clear evolution for MuddyWater toward increased precision and a more advanced toolset. This activity follows a pattern of cooperation with other Iran-aligned groups, such as an operational overlap with the Lyceum (OilRig subgroup) campaign in early 2025, which suggests MuddyWater may be acting as an initial access broker.