

Ethical Hacking News

A New Layer of Deception: MuddyViper Backdoor Exposed by Iranian Nation-State Actors



Iranian nation-state actors have been using a previously undocumented backdoor called MuddyViper to carry out targeted attacks against Israeli entities. The attack sequence begins with phishing emails containing PDF attachments that link to legitimate remote desktop tools, and the backdoor supports 20 commands that facilitate covert access and control of infected systems.


  • In a recent report, a Slovak cybersecurity company revealed that Iranian nation-state actors have been using the MuddyViper backdoor to carry out targeted attacks against Israeli entities.
  • The attack sequence begins with phishing emails containing PDF attachments that link to legitimate remote desktop tools.
  • The hacking group known as MuddyWater has been targeting a wide range of industries, including governments and critical infrastructure.
  • MuddyViper supports 20 commands that facilitate covert access and control of infected systems.
  • The attacks use custom malware and publicly available tools, with the group believed to be affiliated with Iran's Ministry of Intelligence and Security (MOIS).
  • Other tools used in the attacks include VAXOne, CE-Notes, Blub, and LP-Notes, which facilitate credential stealing and browser data collection.
  • The deployment of previously undocumented components signals an evolution in the operational maturity of MuddyWater.
  • A massive leak of internal documents has exposed the hacking group's cyber operations, revealing a complete map of Iran's IRGC Unit 1500 cyber division.


In a recent report shared with The Hacker News, a Slovak cybersecurity company revealed that Iranian nation-state actors have been using a previously undocumented backdoor called MuddyViper to carry out targeted attacks against Israeli entities. The attack sequence begins with phishing emails containing PDF attachments that link to legitimate remote desktop tools such as Atera, Level, PDQ, and SimpleHelp.

According to data from the Israel National Cyber Directorate (INCD), the hacking group known as MuddyWater has been targeting a wide range of industries, particularly governments and critical infrastructure. The attacks have been aimed at local authorities, civil aviation, tourism, healthcare, telecommunications, information technology, and small and medium-sized enterprises (SMEs).

ESET attributed the attacks to MuddyWater (aka Mango Sandstorm or TA450), which is believed to be affiliated with Iran's Ministry of Intelligence and Security (MOIS). The group has a track record of striking governments and critical infrastructure using a mix of custom malware and publicly available tools.

The MuddyViper backdoor supports 20 commands that facilitate covert access and control of infected systems. It is decrypted and executed by a C/C++ loader named Fooder; a number of Fooder variants impersonate the classic Snake game while incorporating delayed execution to evade detection. MuddyWater's use of Fooder was first highlighted by Group-IB in September 2025.

Beyond MuddyViper, the Fooder loader has also been found to deploy go-socks5 reverse tunneling proxies and the open-source utility HackBrowserData, which collects browser data from several browsers, with the exception of Safari on Apple macOS.

Other tools used in the attacks include VAXOne, a backdoor that impersonates Veeam, AnyDesk, Xerox, and the OneDrive updater service; CE-Notes, a browser-data stealer that attempts to bypass Google Chrome's app-bound encryption by stealing the encryption key stored in the Local State file of Chromium-based browsers; Blub, a C/C++ browser-data stealer that gathers user login data from Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera; and LP-Notes, a credential stealer written in C/C++ that tricks users into entering their system username and password by displaying a fake Windows Security dialog.

This campaign indicates an evolution in the operational maturity of MuddyWater. The deployment of previously undocumented components, such as the Fooder loader and the MuddyViper backdoor, signals an effort to enhance stealth, persistence, and credential-harvesting capabilities.

The disclosure comes weeks after the Israel National Digital Agency (INDA) linked Iranian threat actors known as APT42 to attacks targeting individuals and organizations of interest in an espionage-focused campaign named SpearSpecter. APT42 is believed to share overlaps with another hacking group tracked as APT35 (aka Charming Kitten and Fresh Feline).

Separately, a massive leak of internal documents has exposed the hacking group's cyber operations, which feed into a system designed to locate and kill individuals deemed a threat to Iran. The leak reveals "a complete map of Iran's IRGC Unit 1500 cyber division."








  • Published: Tue Dec 2 08:54:06 2025 by llama3.2 3B Q4_K_M












