A cyber espionage group deployed a malware tool called UDPGangster through phishing emails containing malicious Word documents. The malware allowed attackers to control infected systems remotely.

Who was behind the attack?

The activity is attributed to MuddyWater, a known Iranian-linked cyber espionage group active in the Middle East and surrounding regions.

What was the goal of the attack?

The attackers aimed to steal files, execute remote commands, and potentially deploy other malware for long-term surveillance and control.

Which countries or sectors were targeted?

The campaigns specifically targeted Turkey, Israel, and Azerbaijan using localized lures. Although sectors were not explicitly named, the content suggests targeting of government and geopolitical entities.

How did the attack work?

Victims received phishing emails with attachments posing as official documents. When opened and macros enabled, a backdoor was installed, allowing attackers remote access via UDP.

Why are these countries being targeted?

These regions are of strategic geopolitical interest. The attackers likely sought intelligence or access to sensitive systems in government, foreign affairs, or infrastructure.

What can organizations do to protect themselves?

Avoid enabling macros in documents from unknown sources. Use email gateways with phishing detection, monitor systems for unusual UDP traffic, and ensure endpoint protection tools are updated.

Is this a widespread issue or more targeted?

This was a targeted campaign, though the malware has been observed in multiple countries, suggesting coordinated, regionally-focused espionage efforts.

Threats Feed|MuddyWater|Last Updated 12/12/2025|AuthorCertfa Radar|Publish Date04/12/2025

MuddyWater Deploys UDPGangster Backdoor in Regional Espionage Campaigns

Actor Motivations: Espionage,Exfiltration
Attack Vectors: Backdoor,Dropper,Malicious Macro,Spear Phishing
Attack Complexity: Medium
Threat Risk: High Impact/High Probability

Threat Overview

UDPGangster is a UDP-based backdoor used in recent MuddyWater cyber espionage campaigns targeting Turkey, Israel, and Azerbaijan. The attacks rely on phishing emails delivering malicious macro-enabled Word documents that decode and execute the payload. Once installed, the malware establishes persistence, performs extensive anti-analysis and sandbox evasion checks, and communicates with its C2 over non-standard UDP channels to execute commands, exfiltrate files, and deploy additional payloads. Related samples and shared infrastructure, including overlap with the Phoenix backdoor, confirm MuddyWater attribution across these regionally focused intrusions.

Reference and Credit: Fortinet - December 2025

UDPGangster Campaigns Target Multiple Countries

Detected Targets

Type	Description	Confidence
Region	Azerbaijan	Verified
Region	Israel	Verified
Region	Turkey	Verified

FAQs

Understanding the UDPGangster Campaigns

: A cyber espionage group deployed a malware tool called UDPGangster through phishing emails containing malicious Word documents. The malware allowed attackers to control infected systems remotely.
: The activity is attributed to MuddyWater, a known Iranian-linked cyber espionage group active in the Middle East and surrounding regions.
: The attackers aimed to steal files, execute remote commands, and potentially deploy other malware for long-term surveillance and control.
: The campaigns specifically targeted Turkey, Israel, and Azerbaijan using localized lures. Although sectors were not explicitly named, the content suggests targeting of government and geopolitical entities.
: Victims received phishing emails with attachments posing as official documents. When opened and macros enabled, a backdoor was installed, allowing attackers remote access via UDP.
: These regions are of strategic geopolitical interest. The attackers likely sought intelligence or access to sensitive systems in government, foreign affairs, or infrastructure.
: Avoid enabling macros in documents from unknown sources. Use email gateways with phishing detection, monitor systems for unusual UDP traffic, and ensure endpoint protection tools are updated.
: This was a targeted campaign, though the malware has been observed in multiple countries, suggesting coordinated, regionally-focused espionage efforts.

About Affiliation

MuddyWater

Associate threats