Iran-linked state actors have targeted Israeli organisations across academia, engineering, local government, manufacturing, technology, transportation and utilities with a previously undocumented backdoor called MuddyViper, according to a Slovak cybersecurity company, which also identified a single technology company in Egypt among the victims; the activity was attributed to a group tracked as MuddyWater.
Investigators report the campaign uses a loader called Fooder to decrypt and execute the C/C++ MuddyViper backdoor, and that operators have also deployed go-socks5 reverse tunneling proxies and an open-source utility, HackBrowserData, to collect browser data from multiple browsers. The backdoor supports about 20 commands that researchers say enable collection of system information, execution of files and shell commands, file transfer and exfiltration of Windows login credentials and browser data.
MuddyWater has been active for years. Security researchers first linked the cluster to targeted operations in 2017, and the group has since been tied to destructive activity, including a Thanos ransomware variant deployed in a campaign reviewed under Operation Quicksand. Israeli government reporting cited by researchers indicates the group's activity has targeted local authorities, civil aviation, tourism, healthcare, telecommunications, IT and small and medium-sized enterprises.
Typical intrusion techniques observed include spear-phishing with PDF attachments and exploitation of known VPN vulnerabilities, followed by deployment of legitimate remote management tools. In several cases the loader has been observed deploying credential and browser-data stealers and tools that proxy traffic, while some Fooder variants masquerade as a Snake game and delay execution to evade detection. Other tools associated with the set of intrusions include VAXOne, the browser-data stealers CE-Notes and Blub, and a credential-prompt tool called LP-Notes.
The disclosure follows separate reporting on a large data dump that exposed internal materials linked to Iran-affiliated hacking clusters. The trove, posted to GitHub by an anonymous group called KittenBusters, comprised internal files, notes and other documents released across a large set of posts and a follow-on leak, which researchers and commentators say outline organisational structure and tooling; one write-up said the material feeds into a system used to identify targets. Independent observers have also commented on the leak: FalconFeeds said it reads like a complete map of an IRGC cyber unit, and DomainTools said the materials show a bureaucratised cyber-intelligence apparatus.
Researchers and government reporting differ in attribution and scope, and the available public reporting does not provide a full inventory of affected organisations or a complete timeline of infections.