Iran-Linked Hackers Hit Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks
Palo Alto Networks’ Unit 42 and ESET describe MuddyWater, an Iran-linked cyber espionage group, using new tools like the Fooder loader and MuddyViper backdoor in spear‑phishing campaigns against Israeli and regional critical infrastructure and tech firms, focusing on credential theft, remote access, and stealthy persistence across multiple sectors.
A report released by Palo Alto Networks' Unit 42 earlier this month details cyber attacks directed at organisations in the Middle East, and in Israel in particular, between February and October 2017. Beyond outlining the group's custom-built backdoor POWERSTATS and its destructive operations against Israeli organisations, such as the campaign referred to as "Operation Quicksand", which employed the Thanos ransomware variant of PowGoop, the report links the attacks reported on by ESET to a previously undocumented backdoor known as MuddyViper. Both are associated with the MuddyWater hacking group (also referred to as Mango Sandstorm or TA450), which has been assessed to work for Iran's Ministry of Intelligence and Security (MOIS); the report has also identified a new cyber attack against a technology firm in Egypt. The MuddyWater activity reported on targeted Israeli firms across a range of industries, including education, manufacturing, engineering, local government, technology, transportation and utilities.
According to the report of the Israel National Cyber Directorate (INCD), the attacks launched by the cyberterrorism group known as MuddyWater focused primarily on infrastructure belonging to the State of Israel, such as "Local Authorities, Civil Aviation, Tourism, Health, Telcos, IT and Small to Medium Size Enterprises (SME)."
MuddyWater typically performs spear-phishing attacks in which the lure carries either .exe or .dll files containing exploit code; these have been used to compromise target networks and deploy the trusted Remote Management Tools (RMTs) that MuddyWater has been deploying for months. One example of a tool recently delivered through these spear-phishing campaigns is the so-called BugSleep backdoor (aka MuddyRot), which the group has been distributing since May of this year (2023).
The main tools that MuddyWater typically uses include the following: 1) the RAT Blackout; 2) the RAT AnchorRat, which can upload files and execute commands; 3) the RAT CannonRAT, which can send and receive commands as well as send data; 4) the file-infecting virus Neshta; 5) the C2 framework called Sad C2, with a loader called TreasureBox that launches a RAT called BlackPearl, giving an attacker remote access to a victim's computer; and 6) a binary called Pheonix that downloads files from the command-and-control server.
The cyber espionage group has attacked a variety of industries, particularly government and critical infrastructure, using both custom malware and public tools. Its latest attack uses the same method as its previous ones: phishing emails with PDF attachments that link to legitimate remote desktop tools such as Atera, Level, PDQ and SimpleHelp.
The current attack uses a loader called Fooder, whose purpose is to decrypt and execute a C/C++ program called MuddyViper. Fooder can also proxy encrypted traffic back to the attacker's system via go-socks5, and can collect browser data, including login credentials, from multiple browsers (Safari on Apple macOS excepted).
MuddyViper gives the attackers the ability to gather system information, execute files and shell commands, transfer files between machines, and capture login credentials from Windows hosts as well as browser data. Once the threat actors run MuddyViper through Fooder, they gain access to and control of that computer.
Fooder supports 20 commands that help the threat actor stay concealed while executing commands. Some Fooder variants masquerade as the old, popular Snake game and delay their execution to avoid detection. Group-IB identified the relationship between the Fooder malware and MuddyWater in a report it shared with other organizations in September.
The attacks also employed the following tools: VAXOne (Backdoor posing as Veeam), AnyDesk, Xerox, OneDrive Updater Service, CE-Notes (Browser Data Stealer), Blub (C/C++ Browser Data Stealer), LP-Notes (C/C++ Credential Stealer).
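The delivery chain described above (a phishing PDF that leads the victim to a legitimate remote-management tool) is easiest to catch at process creation: an RMM agent rolled out by IT looks different from one spawned by a PDF reader or browser on a finance workstation. The following Python is an added detection example, not code from Unit 42, ESET or the article; the log layout, host names, executable names, parent-process names and the keyword-to-product mapping are all constructed assumptions for the demonstration.

```python
import re
from dataclasses import dataclass

# RMM products named in the article, keyed by a lowercase substring looked for
# in the executable's file name. Assumed indicator for this example only; a
# production rule would use the signer/product metadata carried in the event.
RMM_KEYWORDS = {"atera": "Atera", "simplehelp": "SimpleHelp", "pdq": "PDQ", "level": "Level"}

# Parents that have no business launching an RMM agent or installer:
# PDF readers, browsers and mail/office clients (assumed process names).
DOCUMENT_PARENTS = {"acrord32.exe", "acrobat.exe", "chrome.exe", "msedge.exe",
                    "firefox.exe", "outlook.exe", "winword.exe"}

# Hosts where an RMM agent is sanctioned (constructed; would come from inventory).
ALLOWED_RMM_HOSTS = {"IT-ADMIN01"}

# Constructed process-creation events in a simple key=value layout.
SAMPLE_LOG = r"""
2025-11-04T09:12:01Z host=FIN-WS07 user=acme\jdoe parent="C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe" image="C:\Users\jdoe\Downloads\AteraAgentSetup.exe"
2025-11-04T09:15:44Z host=IT-ADMIN01 user=acme\helpdesk parent="C:\Windows\explorer.exe" image="C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"
2025-11-04T10:02:13Z host=ENG-WS22 user=acme\asmith parent="C:\Program Files\Google\Chrome\Application\chrome.exe" image="C:\Users\asmith\AppData\Local\Temp\SimpleHelp-Remote-Access.exe"
2025-11-04T10:30:00Z host=FIN-WS07 user=acme\jdoe parent="C:\Windows\explorer.exe" image="C:\Windows\System32\notepad.exe"
2025-11-04T11:41:09Z host=HR-WS03 user=acme\mlee parent="C:\Windows\explorer.exe" image="C:\Users\mlee\Downloads\PDQConnectAgent.exe"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'parent="(?P<parent>[^"]*)" image="(?P<image>[^"]*)"$'
)


@dataclass
class Alert:
    ts: str
    host: str
    user: str
    tool: str
    severity: str
    image: str


def basename(path):
    """Last path component, lowercased, for either separator style."""
    return re.split(r"[\\/]", path)[-1].lower()


def rmm_tool(image):
    """Return the RMM product label if the image name matches a keyword, else None."""
    name = basename(image)
    for key, label in RMM_KEYWORDS.items():
        if key in name:
            return label
    return None


def find_rmm_alerts(log_text, allowed_hosts=ALLOWED_RMM_HOSTS):
    """Flag RMM launches spawned by documents/browsers (high) or on
    hosts not sanctioned to run an RMM agent (medium)."""
    alerts = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # line does not fit the constructed layout
        tool = rmm_tool(m["image"])
        if tool is None:
            continue
        if basename(m["parent"]) in DOCUMENT_PARENTS:
            severity = "high"    # RMM launched straight from a document or browser
        elif m["host"] not in allowed_hosts:
            severity = "medium"  # RMM on a host with no sanctioned agent
        else:
            continue             # sanctioned host, ordinary parent: expected
        alerts.append(Alert(m["ts"], m["host"], m["user"], tool, severity, m["image"]))
    return alerts


if __name__ == "__main__":
    for a in find_rmm_alerts(SAMPLE_LOG):
        print(f"[{a.severity}] {a.ts} {a.host} {a.user}: {a.tool} from {a.image}")
```

Against the constructed log this yields three alerts (two high, one medium) and correctly ignores the helpdesk machine's legitimate agent. A bare file-name match is only a starting point: matching on the image's signer and product fields, which most EDR and Sysmon process-creation events carry, avoids both the false positives of substrings like "level" and trivial renaming, and the host allowlist should be fed from the asset inventory rather than hard-coded.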
ESET further notes that "The maturity of MuddyWater's development and operations has increased to include new tools such as the previously undocumented Fooder Loader and MuddyViper backdoor, indicating their continued evolution towards higher levels of stealth and persistence, as well as an increased focus on credential harvesting capabilities."
Charming Kitten Leaks
This news comes shortly after a disclosure from the Israel National Digital Agency (INDA), which had already attributed to the Iran-affiliated actor APT42 numerous attacks against individuals and organisations of interest to it, in an espionage campaign known as SpearSpecter (this is generally ascribed to NTRO at the same time as APT42). Both APT42 and APT35 (also referred to as Charming Kitten or Fresh Feline) appear to share certain characteristics.
This latest report also follows the recent extensive publication of documents about the hacking organisation's cyber operations, produced/sponsored by British-Iranian activist Nariman Gharib, which claims that APT42 is part of a system used to track and ultimately facilitate the targeted killings of individuals viewed as potential threats to Iran. The released information and documents all point to the involvement of the Islamic Revolutionary Guard Corps (IRGC), and specifically to the IRGC's Counterintelligence Division/Unit 1500.
As FalconFeeds noted, the stories surrounding these events "read like a horror movie written in Powershell and Persian", and they also stated that the released documents illustrate "an entire outline of the IRGC Cyber Unit 1500".
The data dump was posted on GitHub in September and October 2025 by an anonymous group known as KittenBusters, who have not disclosed why they released the information publicly. The dump also names Abbas Rahrovi (also referred to as Abbas Hosseini) as the top figure of the group, and states that the hackers responsible for these attacks operate through a complex series of front companies.
One of the most significant findings from this release was the full source code for the BellaCiao malware. On April 11, 2023, Bitdefender identified this malware as being used against organizations across North America, Europe, Africa, and Asia, including many American companies such as Target and Home Depot. According to Gharib, the backdoor for the BellaCiao malware was created by a group based at the Shuhada Base in Tehran.
According to DomainTools: "These materials demonstrate a structured chain of command and hierarchy rather than a decentralized hacking group. The documents show that this is an organized entity, with hierarchy, performance measures, and a bureaucratic discipline."
"Through the documents associated with this leak, we have come to understand that APT35 is a bureaucratized cyber-intelligence service of the Iranian government. These documents show us a bureaucratized cyber-intelligence apparatus of the Iranian state, which leaves the impression of defined hierarchies, workflows, and measures of success for every action taken. The clerks who are part of this cyber-intelligence service create logs to record their daily activities, as well as the success rates of phishing attacks and hours spent on recon. The technical staff then tests the exploits that are released on the internet against the most updated vulnerabilities unearthed by the researchers."