MuddyWater
-
MuddyWater campaign hit at least nine organizations across four continents, researchers say
MuddyWater was linked to a 2026 campaign that hit at least nine organizations in nine countries. Researchers said the group used DLL sideloading, signed binaries and browser-stealing malware to support espionage.
-
MuddyWater hackers targeted South Korean electronics maker in broad espionage campaign
MuddyWater targeted at least nine organizations in a cyberespionage campaign that included a major South Korean electronics maker, government agencies and an airport, according to Symantec. The group used DLL sideloading, PowerShell and other legitimate tools.
-
MuddyWater linked to Microsoft Teams intrusion that used Chaos ransomware branding
A Rapid7 technical analysis says MuddyWater used Microsoft Teams, screen-sharing and remote access tools in an early 2026 intrusion that looked like Chaos ransomware but focused on data theft and persistence.
-
Iran-linked MuddyWater embeds Dindoor backdoor in multiple U.S. corporate networks
Iran-linked MuddyWater deployed a Dindoor backdoor across multiple U.S. corporate networks, including banks and an airport, and used cloud utilities in suspected data exfiltration attempts, with success unconfirmed.
-
MuddyWater launches Operation Olalampo targeting MENA with new Rust backdoor and loaders
A technical analysis by Group-IB found Iranian-linked MuddyWater launched Operation Olalampo on January 26, 2026 targeting MENA organisations. The campaign uses downloaders GhostFetch and HTTP_VIP, Rust backdoor CHAR and GhostBackDoor.
-
MuddyWater using UDP-based backdoor ‘UDPGangster’ in Turkey, Israel and Azerbaijan campaigns
Fortinet FortiGuard Labs says MuddyWater has been using a UDP-based backdoor named UDPGangster to target users in Turkey, Israel and Azerbaijan via spear-phishing Word documents that rely on macros; the backdoor includes persistence mechanisms and extensive anti-analysis checks before contacting a UDP command-and-control server.
-
Iran-linked MuddyWater group deploys MuddyViper backdoor against Israeli targets
Researchers say Iranian-linked MuddyWater has used a new MuddyViper backdoor, delivered via a Fooder loader, to target Israeli organisations across multiple sectors and to harvest credentials and browser data.
-
Amazon finds Iran-linked hackers using cyber reconnaissance to aid physical attacks
Amazon’s threat intelligence team reported that Iran-linked hackers conducted digital reconnaissance, including targeting ship AIS and CCTV, to support physical attacks—a trend the company calls cyber-enabled kinetic targeting.
-
Iran-linked MuddyWater used compromised email to deliver Phoenix backdoor to 100+ MENA government targets, Group-IB says
Group-IB says Iran-linked MuddyWater used a compromised mailbox accessed via NordVPN to phish MENA organisations, deploying weaponised Word documents that installed the Phoenix v4 backdoor across more than 100 government targets and hosting RMM tools and a browser credential stealer on its C2 infrastructure.
-
Iran-linked Subtle Snail Targets European Telecoms in LinkedIn Recruitment Scheme, 34 Devices Infected
An Iran-linked cyber espionage group known as UNC1549, also called Subtle Snail, has been attributed to a campaign against European telecommunications firms, infiltrating 34 devices across 11 organizations through LinkedIn-based recruitment lures and a modular backdoor named MINIBIKE designed for long-term data exfiltration.








