

Ethical Hacking News

MuddyViper: The Latest Chapter in Iranian Nation-State Hackers' Campaign to Exploit Global Vulnerabilities


Iranian nation-state hackers have employed the MuddyViper backdoor in targeted attacks against Israeli entities across various sectors, as part of a broader campaign by Iranian group known as MuddyWater (aka Mango Sandstorm or TA450). This latest development highlights the sophistication and adaptability of Iranian APT groups, emphasizing the importance of robust cybersecurity measures to prevent such breaches.

  • MuddyViper is a backdoor, identified by a Slovakian cybersecurity company, that is employed by Iranian nation-state actors operating as an advanced persistent threat (APT) group.
  • The attackers have utilized various tools and techniques to breach numerous systems worldwide, including backdoors like MuddyViper.
  • MuddyWater's operations target multiple sectors in Israel, including local authorities, civil aviation, tourism, healthcare, telecommunications, information technology, and SMEs.
  • The group's tactics, techniques, and procedures have evolved with the deployment of new tools and components, such as CE-Notes and Fooder loader.
  • Internal documents from Unit 1500 of the Islamic Revolutionary Guard Corps (IRGC) reveal a structured command architecture and distinct hierarchies within the group.
  • The operation's leader is believed to be Abbas Rahrovi, who oversees daily activity, tracks phishing success rates, and tests weaponized exploits.



    In a recent report shared with prominent cybersecurity news outlets, a Slovakian cybersecurity company identified MuddyViper, a backdoor employed by Iranian nation-state actors operating as an advanced persistent threat (APT) group. According to the report, the attackers have used a range of tools and techniques to breach numerous systems worldwide, including backdoors like MuddyViper, which lets them collect system information, execute files, transfer files, exfiltrate Windows login credentials, and steal browser data.

    MuddyWater's (aka Mango Sandstorm or TA450) first discovery dates back to November 2017 when Palo Alto Networks Unit 42 detailed targeted attacks against the Middle East between February and October of that year using a custom backdoor dubbed POWERSTATS. The group has since been linked to destructive attacks on Israeli organizations utilizing a Thanos ransomware variant known as PowGoop, part of an operation referred to as Operation Quicksand.

    The Israel National Cyber Directorate (INCD) data also highlights the scope of MuddyWater's operations, targeting the country's local authorities, civil aviation, tourism, healthcare, telecommunications, information technology, and small and medium-sized enterprises (SMEs). Typical attack chains involve phishing campaigns that deliver the MuddyViper backdoor or other tools such as Blackout, AnchorRat, CannonRat, Neshta, and Sad C2.

    These cyber espionage operations signal an evolution in the tactics, techniques, and procedures of Iranian nation-state actors. The deployment of previously undocumented components, such as the Fooder loader, indicates a deliberate effort to enhance stealth, persistence, and credential harvesting capabilities. The group also uses tools such as CE-Notes, a browser-data stealer that attempts to bypass Google Chrome's app-bound encryption by stealing the encryption key stored in the Local State file of Chromium-based browsers.

    The release of internal documents from the hacking unit known as Unit 1500 of the Islamic Revolutionary Guard Corps (IRGC) has shed further light on the group's structure and operations. This data dump, posted to GitHub in September and October 2025 by an anonymous collective named KittenBusters, reveals a structured command architecture rather than a decentralized hacking collective, with distinct hierarchies, performance oversight, and bureaucratic discipline.

    Furthermore, the trove identifies Abbas Rahrovi as the operation's leader. The data leak also exposes a self-sustaining ecosystem where clerks log daily activity, quantify phishing success rates, and track reconnaissance hours. Technical staff test and weaponize exploits against current vulnerabilities.

    The publication of this report signifies an escalation in the global cyber landscape as Iranian nation-state actors demonstrate their growing sophistication and determination to exploit vulnerabilities worldwide. As organizations navigate these evolving threat landscapes, it is crucial they maintain a vigilant posture and adapt their security measures accordingly.
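    The CE-Notes technique described above hinges on a non-browser process reading the Chromium "Local State" file where the app-bound encryption key lives. The following detection logic is an added example written for this article, not code from the report or from any vendor; it assumes Sysmon-style file-access telemetry with `Image` and `TargetFilename` fields and a hypothetical allow-list of browser binaries, and runs over constructed sample events.

```python
from pathlib import PureWindowsPath
import json

# Browser binaries that legitimately open their own "Local State" file.
# Assumption: this list covers the Chromium-based browsers deployed in the
# monitored environment; extend it to match your estate.
BROWSER_IMAGES = {
    "chrome.exe", "msedge.exe", "brave.exe",
    "opera.exe", "vivaldi.exe", "chromium.exe",
}


def is_local_state_path(path: str) -> bool:
    """True when `path` points at a Chromium profile's 'User Data\\Local State'."""
    p = PureWindowsPath(path)
    parts = [part.lower() for part in p.parts]
    return p.name.lower() == "local state" and "user data" in parts


def suspicious_local_state_reads(events):
    """Return events where a non-browser process touched a 'Local State' file.

    Each event is a dict with 'Image' (full path of the acting process) and
    'TargetFilename' (the file it accessed), mirroring Sysmon file telemetry.
    """
    hits = []
    for ev in events:
        if not is_local_state_path(ev.get("TargetFilename", "")):
            continue
        image = PureWindowsPath(ev.get("Image", "")).name.lower()
        if image not in BROWSER_IMAGES:
            hits.append(ev)
    return hits


# Constructed sample telemetry (not real logs): one benign browser read,
# one read by an unknown binary dropped in Temp, one unrelated file access.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
]

if __name__ == "__main__":
    for hit in suspicious_local_state_reads(SAMPLE_EVENTS):
        print(json.dumps(hit))
```

    Feed it your own file-access events to surface processes that read the key store without being a browser; tune the allow-list before deploying it as an alert.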

    Related Information:
  • https://www.ethicalhackingnews.com/articles/MuddyViper-The-Latest-Chapter-in-Iranian-Nation-State-Hackers-Campaign-to-Exploit-Global-Vulnerabilities-ehn.shtml

  • Published: Tue Dec 2 20:42:01 2025 by llama3.2 3B Q4_K_M
