

Ethical Hacking News

MuddyWater Deploys UDPGangster Backdoor in Targeted Turkey-Israel-Azerbaijan Campaign



MuddyWater, a notorious Iranian hacking group, has recently deployed a new backdoor dubbed UDPGangster as part of its targeted campaign against users in Turkey, Israel, and Azerbaijan. The UDPGangster backdoor uses macro-based droppers for initial access and incorporates extensive anti-analysis routines to evade detection. Users and organizations should remain cautious of unsolicited documents, particularly those requesting macro activation.



  • MuddyWater, a notorious Iranian hacking group, has deployed a new backdoor dubbed UDPGangster.
  • The UDPGangster backdoor targets users in Turkey, Israel, and Azerbaijan, and enables remote control of compromised systems through UDP channels.
  • The attack chain involves spear-phishing tactics with booby-trapped Microsoft Word documents that trigger a malicious payload when macros are enabled.
  • UDPGangster uses anti-analysis checks to evade detection and boasts persistence through Windows Registry modifications.



MuddyWater, a notorious Iranian hacking group known for its sophisticated cyber espionage campaigns, has recently been observed deploying a new backdoor dubbed UDPGangster. This particular campaign targets users in Turkey, Israel, and Azerbaijan, according to a report from Fortinet FortiGuard Labs.

The UDPGangster backdoor is designed to enable remote control of compromised systems by allowing attackers to execute commands, exfiltrate files, and deploy additional payloads, all communicated through UDP channels that are specifically designed to evade traditional network defenses. This level of sophistication underscores the complexity and menace posed by advanced persistent threats (APTs) like those perpetrated by MuddyWater.

According to Cara Lin, a security researcher at Fortinet, the attack chain for this campaign involves using spear-phishing tactics to distribute booby-trapped Microsoft Word documents that trigger the execution of a malicious payload once macros are enabled. Some of the phishing messages impersonate the Turkish Republic of Northern Cyprus Ministry of Foreign Affairs and purport to invite recipients to an online seminar titled "Presidential Elections and Results."

Attached to the emails are a ZIP file ("seminer.zip") and a Word document ("seminer.doc"). The ZIP file contains the same Word file; when it is opened, users are asked to enable macros, which stealthily executes the embedded VBA code. For its part, the VBA script in the dropper file conceals any sign of malicious activity by displaying a Hebrew-language decoy image from Israeli telecommunications provider Bezeq about supposed disconnection periods in the first week of November 2025 across various cities in the country.

"The macro uses the Document_Open() event to automatically execute, decoding Base64-encoded data from a hidden form field (UserForm1.bodf90.Text) and writing the decoded content to C:\Users\Public\ui.txt," Lin explained. "It then executes this file using the Windows API CreateProcessA, launching the UDPGangster payload."
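As an added example (not Fortinet's tooling or code from this page), the following Python triage heuristic scores extracted VBA source against the dropper traits Lin describes: a Document_Open auto-execution handler, a hidden UserForm control used as a data carrier, Base64 decoding, a drop path under C:\Users\Public, and a CreateProcessA API declaration. The rule weights, the 6-point threshold and the stub macro text are constructed assumptions; the stub is non-functional and only mirrors the reported structure.

```python
"""Heuristic triage of extracted VBA macro text (added example, not Fortinet's).
Assumes the VBA source has already been pulled out of the document, e.g. with
a macro-extraction tool; the SAMPLE_VBA below is a constructed, inert stub."""
import re

# Each rule: (name, compiled regex, weight). Weights and the threshold are
# assumptions chosen for illustration, not values from the report.
RULES = [
    ("autoexec_document_open", re.compile(r"\bSub\s+Document_Open\s*\(", re.I), 2),
    ("userform_hidden_field", re.compile(r"\bUserForm\d*\.\w+\.Text\b", re.I), 2),
    ("base64_decode", re.compile(r"\bbase64\b|DecodeBase64|bin\.base64", re.I), 2),
    ("public_drop_path", re.compile(r"C:\\Users\\Public\\", re.I), 2),
    ("createprocess_api", re.compile(r"\bDeclare\b.*\bCreateProcessA\b", re.I), 3),
]
SUSPICIOUS_THRESHOLD = 6  # assumption: two or more high-signal traits together


def score_macro(vba_source: str) -> dict:
    """Return the matched rule names, their summed weight and a verdict."""
    hits = [name for name, rx, _ in RULES if rx.search(vba_source)]
    total = sum(w for name, _, w in RULES if name in hits)
    return {"hits": hits, "score": total, "suspicious": total >= SUSPICIOUS_THRESHOLD}


# Constructed stub that mirrors the reported macro layout; it does nothing.
SAMPLE_VBA = r'''
Private Declare PtrSafe Function CreateProcessA Lib "kernel32" (...) As Long
Private Sub Document_Open()
    Dim blob As String
    blob = UserForm1.bodf90.Text
    ' decode base64 text and write C:\Users\Public\ui.txt (body omitted)
End Sub
'''

# Constructed benign macro used as a control for the heuristic.
BENIGN_VBA = '''
Sub FormatTable()
    ActiveDocument.Tables(1).Borders.Enable = True
End Sub
'''

if __name__ == "__main__":
    print(score_macro(SAMPLE_VBA))   # all five rules hit, score 11
    print(score_macro(BENIGN_VBA))   # no hits, score 0
```

Any single rule will also fire on benign automation, so the verdict is only a triage signal to prioritise documents for analyst review.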

UDPGangster establishes persistence through Windows Registry modifications and includes various anti-analysis checks to resist efforts by security researchers to take it apart. These include verifying whether the process is being debugged; analyzing the CPU configuration for signs of sandboxes or virtual machines; determining whether the system has less than 2048 MB of RAM; retrieving network adapter information to check whether the MAC address prefix matches a list of known virtual machine vendors; validating whether the computer is part of the default Windows workgroup rather than a joined domain; examining running processes for tools such as VBoxService.exe, VBoxTray.exe, vmware.exe, and vmtoolsd.exe; scanning the Registry for known virtualization vendor identifiers; searching for known sandboxing or debugging tools; and ascertaining whether the file is running in an analysis environment.

The development comes days after ESET attributed the threat actor to attacks spanning the academia, engineering, local government, manufacturing, technology, transportation, and utilities sectors in Israel that delivered another backdoor referred to as MuddyViper.

"The use of such tactics by APT groups underscores the importance of employee education and awareness in preventing phishing attempts," said Lin. "Organizations must prioritize staying informed about emerging threats and take proactive steps to improve their security posture."



    Related Information:
  • https://www.ethicalhackingnews.com/articles/MuddyWater-Deploys-UDPGangster-Backdoor-in-Targeted-Turkey-Israel-Azerbaijan-Campaign-ehn.shtml

  • https://thehackernews.com/2025/12/muddywater-deploys-udpgangster-backdoor.html

  • https://cyberpress.org/muddywater-cyber-attack/

  • https://cybersecuritynews.com/muddywater-hackers-using-udpgangster-backdoor/

  • https://securityaffairs.com/185244/apt/muddywater-strikes-israel-with-advanced-muddyviper-malware.html

  • https://www.darkreading.com/cyberattacks-data-breaches/irans-muddywater-levels-up-muddyviper-backdoor


  • Published: Mon Dec 8 01:26:19 2025 by llama3.2 3B Q4_K_M