Threats Feed | MuddyWater | Last Updated: 10/12/2025 | Author: Certfa Radar | Publish Date: 02/12/2025

MuddyWater Deploys New Toolset in Targeted Attacks on Israel and Egypt

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Backdoor, Fileless malware, Spyware, Trojan, Spear Phishing
  • Attack Complexity: Medium
  • Threat Risk: High Impact/High Probability

Threat Overview

ESET researchers uncovered a new MuddyWater campaign targeting organizations in Israel and one in Egypt, primarily within the telecommunications, government, oil and energy, and manufacturing sectors. The Iran-aligned group deployed a suite of newly developed tools, including the Fooder reflective loader and MuddyViper, a C/C++ backdoor capable of credential theft, system reconnaissance, and file operations. Additional stealers such as CE-Notes, LP-Notes, and Blub, along with customized go-socks5 reverse tunnels, enhanced persistence and defense evasion. The campaign also revealed operational overlap with Lyceum, indicating MuddyWater’s role as an initial access broker. Activity ran from September 30, 2024 to March 18, 2025.

Detected Targets

Type    | Description                        | Confidence
--------|------------------------------------|-----------
Sector  | Government Agencies and Services   | Verified
Sector  | Information Technology             | Verified
Sector  | Manufacturing                      | Verified
Sector  | Transportation                     | Verified
Sector  | University                         | Verified
Sector  | Utilities                          | Verified
Region  | Egypt                              | Verified
Region  | Israel                             | Verified

FAQs

Understanding the MuddyWater “Snake Game” Espionage Campaign

A new cyberespionage campaign by the Iran-aligned group MuddyWater targeted Israeli and Egyptian organizations using a custom toolset disguised as harmless applications, including a Snake game.

The campaign is attributed to MuddyWater, also known as Mango Sandstorm or TA450. They are known for cyberespionage targeting Middle Eastern governments and infrastructure and are believed to be backed by Iran’s intelligence apparatus.

Their objective was to gain persistent and covert access to high-value systems, steal sensitive credentials, and exfiltrate browser and login data for long-term intelligence gathering.

The targets were primarily Israeli government and manufacturing organizations, with one confirmed target in Egypt. The attackers also likely targeted the telecommunications and oil sectors.

It started with spearphishing emails leading to the installation of remote monitoring tools. Then, custom malware was stealthily deployed to steal information, remain hidden, and enable further infiltration.

Government, telecom, and industrial sectors hold sensitive data and critical infrastructure access, making them valuable espionage targets for state-backed actors.

The campaign was highly targeted, but it shows a pattern that could be replicated elsewhere. The tools and techniques used could easily be applied in other regional or global attacks.

Implement multi-layered email protection, enforce strong credential policies and MFA, monitor memory-based attacks, and use advanced EDR/XDR tools capable of detecting stealthy malware and unusual network behaviors.