Fortinet FortiGuard Labs reported that Iranian-linked group MuddyWater has deployed a new backdoor called UDPGangster that uses the User Datagram Protocol for command-and-control and has targeted users in Turkey, Israel and Azerbaijan. Security researcher Cara Lin said the malware enables attackers to execute commands, exfiltrate files and deploy additional payloads over UDP channels designed to evade traditional network defenses.
The intrusion chain observed by Fortinet begins with spear-phishing messages that carry a ZIP attachment named “seminer.zip” and a Word document “seminer.doc”. The document prompts users to enable macros; once they are activated, embedded VBA code decodes Base64 data, writes the output to C:\Users\Public\ui.txt and launches that file with the Windows CreateProcessA API. The dropper also displays a Hebrew-language decoy image purportedly from an Israeli telecommunications provider to conceal the activity.
UDPGangster establishes persistence by modifying the Windows Registry and includes extensive anti-analysis checks before proceeding. Those checks include verifying whether the process is being debugged, inspecting CPU configuration for sandbox indicators, confirming the system has at least 2,048 MB of RAM, checking network adapter MAC prefixes against known virtual-machine vendors, validating whether the host is domain-joined, scanning running processes for virtualization services and searching registry keys for virtualization and sandbox identifiers, the report said.
Only after these environment checks does the backdoor collect system information and open communications with an external server at “157.20.182[.]75” over UDP port 1269, where it can exfiltrate data, execute commands via cmd.exe, transmit files, update its command-and-control configuration and drop additional payloads, Fortinet researchers observed.
Lin warned that the campaign relies on macro-based droppers and anti-analysis routines to evade detection and urged users and organisations to be cautious with unsolicited documents that request macro activation. The Fortinet report recommends avoiding enabling macros on unexpected attachments and maintaining layered network defenses against atypical UDP traffic patterns.
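A flow-telemetry check against the UDP channel described above, as an added example that is not part of the Fortinet report: it reads Zeek-style conn.log records (the column subset, the 10.0.0.0/8 internal range and the baseline port list are assumptions to tune locally) and flags both the reported indicator and any bidirectional external UDP flow on a port outside the baseline.

```python
"""Flag suspicious outbound UDP flows in Zeek-style conn.log records: the
C2 indicator from the Fortinet report (157.20.182[.]75, UDP/1269) and any
external UDP flow to a non-baseline port with data in both directions.
The records at the bottom are constructed samples, not captured traffic."""
import ipaddress

KNOWN_C2 = {("157.20.182.75", 1269)}  # indicator from the report, re-fanged
# Assumptions to tune per environment: internal range, expected external UDP ports.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
BASELINE_UDP_PORTS = {53, 123, 443, 500, 4500, 3478}  # DNS, NTP, QUIC, IPsec, STUN
# Subset of Zeek conn.log columns, tab-separated, in this order.
FIELDS = ["ts", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "orig_bytes", "resp_bytes"]

def parse_conn(line):
    rec = dict(zip(FIELDS, line.rstrip("\n").split("\t")))
    for key in ("orig_p", "resp_p", "orig_bytes", "resp_bytes"):
        rec[key] = int(rec[key])
    return rec

def classify(rec):
    """Return a reason string if the flow is suspicious, else None."""
    if rec["proto"] != "udp" or ipaddress.ip_address(rec["resp_h"]) in INTERNAL:
        return None
    if (rec["resp_h"], rec["resp_p"]) in KNOWN_C2:
        return "known UDPGangster C2 indicator"
    if rec["resp_p"] not in BASELINE_UDP_PORTS and rec["orig_bytes"] and rec["resp_bytes"]:
        return "bidirectional UDP to non-baseline port %d" % rec["resp_p"]
    return None

def scan(lines):
    """Return (source, destination, port, reason) for every flagged flow."""
    findings = []
    for rec in map(parse_conn, lines):
        reason = classify(rec)
        if reason:
            findings.append((rec["orig_h"], rec["resp_h"], rec["resp_p"], reason))
    return findings

# Constructed samples: DNS, the reported C2, an unknown UDP service,
# an internal UDP flow, one-way SSDP-like traffic, and a TCP flow.
SAMPLE_LOG = ["\t".join(r) for r in [
    ("1700000000.1", "10.0.0.5", "51234", "8.8.8.8", "53", "udp", "60", "120"),
    ("1700000001.2", "10.0.0.5", "51235", "157.20.182.75", "1269", "udp", "512", "2048"),
    ("1700000002.3", "10.0.0.7", "51236", "203.0.113.9", "7777", "udp", "300", "900"),
    ("1700000003.4", "10.0.0.7", "51237", "10.0.0.1", "1269", "udp", "300", "900"),
    ("1700000004.5", "10.0.0.8", "51238", "198.51.100.4", "1900", "udp", "100", "0"),
    ("1700000005.6", "10.0.0.8", "51239", "203.0.113.9", "7777", "tcp", "300", "900"),
]]

print(scan(SAMPLE_LOG))
```

The second heuristic will also surface legitimate services that happen to use UDP on unusual ports, so the baseline list is where most of the tuning effort goes.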
The Fortinet findings come days after ESET attributed related activity to the same actor that delivered another backdoor known as MuddyViper against organisations in Israel across sectors including academia, engineering, local government, manufacturing, technology, transportation and utilities.