Iran Linked Hackers Deploy MuddyViper Backdoor In Espionage Campaign Targeting Multiple Sectors

Cybersecurity researchers have revealed details of a cyber espionage campaign conducted by Iran-linked threat actors that used a previously undocumented backdoor, known as MuddyViper, to compromise organizations across several industries. According to a report published by cybersecurity firm ESET, the attacks targeted entities in sectors including academia, engineering, local government, manufacturing, technology, transportation and utilities. One technology company located in Egypt was also affected during the operation. Researchers said the campaign took place between September 30, 2024 and March 18, 2025 and reflects continued activity by the hacking group MuddyWater, also tracked as Mango Sandstorm, Static Kitten and TA450. The group is believed to be affiliated with Iran's Ministry of Intelligence and Security (MOIS).

MuddyWater has been active in cyber operations for several years and was first publicly documented in November 2017, when Palo Alto Networks Unit 42 reported targeted attacks in the Middle East conducted between February and October of that year. Those early operations involved a custom backdoor named POWERSTATS. Over time the group has developed a reputation for targeting government institutions and critical infrastructure organizations using a combination of custom malware and widely available administrative tools. Previous campaigns attributed to the group also included destructive attacks using a variant of the Thanos ransomware, delivered through the PowGoop loader, as part of a campaign referred to as Operation Quicksand. According to data shared by Israel's National Cyber Directorate, the group has frequently targeted sectors such as local authorities, civil aviation, tourism, healthcare, telecommunications, information technology and small and medium-sized enterprises.

The latest campaign follows a pattern previously used by the group, beginning with spear phishing emails that carry PDF attachments. These attachments contain links that lead victims to download legitimate remote monitoring and management (RMM) tools, including Atera, Level, PDQ and SimpleHelp. Once the attackers gain a foothold in a network, they deploy additional tools to expand access and collect sensitive information. In earlier operations the phishing campaigns delivered a backdoor known as BugSleep, also referred to as MuddyRot, which the group has used since at least May 2024. Researchers also identified several other tools associated with the group's operations: Blackout, a remote administration tool; AnchorRat and CannonRat, which provide command execution and file transfer capabilities; and Sad C2, a command and control framework capable of delivering additional malware such as TreasureBox and BlackPearl RAT. Another tool used by the group is Phoenix, which allows the attackers to download further payloads from command and control servers.

In the most recent operation the attackers deployed a loader known as Fooder that decrypts and launches the MuddyViper backdoor, which is written in C and C++. In some cases the loader was also used to install reverse tunneling proxies based on the open source go-socks5 library, along with an open source utility called HackBrowserData that collects saved credentials, cookies and history from a wide range of browsers, though not from Safari on Apple macOS systems. According to ESET, MuddyViper allows attackers to gather system details, execute commands, transfer files and extract sensitive information, including Windows login credentials and browser data. The backdoor supports twenty commands that enable remote access and system control while remaining concealed. Several Fooder variants were designed to mimic the classic Snake game and include delayed execution techniques intended to evade detection by sandboxes and other security systems. Researchers noted that Fooder activity had previously been reported by Group-IB in September 2025.

The investigation also identified additional tools deployed during the campaign, including VAXOne, a backdoor designed to imitate trusted software services such as Veeam, AnyDesk, Xerox and OneDrive updater services. Another tool, called CE Notes, acts as a browser data stealer that attempts to bypass Google Chrome's encryption protections by stealing the encryption key stored in the Local State file of Chromium based browsers; this key protects the saved passwords and cookies in the profile, so obtaining it lets the attacker decrypt them offline. Security researchers also observed the use of Blub, a browser data stealing program that collects login credentials from Google Chrome, Microsoft Edge, Mozilla Firefox and Opera browsers. LP Notes was also identified during the campaign. This credential stealing tool displays a fake Windows Security prompt to trick victims into entering their system login credentials.
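To make the Local State technique concrete, the following is an added example (not ESET's analysis code and not the malware's) that triages a Chromium Local State file the way a defender or incident responder might: it locates the os_crypt key entries, verifies and strips their prefixes, and reports whether the profile's key is protected only by user-scope DPAPI (recoverable by any code running as that user, which is what a stealer relies on) or by the newer app-bound wrapping. It also splits an encrypted cookie or password value into the AES-GCM nonce, ciphertext and tag that the stolen key would decrypt. The Local State sample is constructed with fake key bytes; the function names are the example's own, and the DPAPI unwrap step only runs on Windows.

```python
"""Triage a Chromium "Local State" file for the key a browser-data stealer targets.

Chromium on Windows keeps its AES-256-GCM cookie/password key under
os_crypt.encrypted_key as base64( b"DPAPI" || CryptProtectData(key) ).  Any
process running as the same user can unwrap it with CryptUnprotectData, which
is why stealers lift this field.  Newer Chrome builds add
os_crypt.app_bound_encrypted_key (base64, b"APPB" prefix), wrapped under the
SYSTEM DPAPI scope so a user-context stealer cannot unwrap it directly.
"""
import base64
import ctypes
import json
import sys

DPAPI_PREFIX = b"DPAPI"     # prefix before the user-scope DPAPI blob
APPBOUND_PREFIX = b"APPB"   # prefix before the app-bound (SYSTEM-scope) blob
V10_PREFIX = b"v10"         # value prefix: AES-256-GCM with the Local State key
NONCE_LEN = 12
TAG_LEN = 16

# Constructed sample with fake key material; only the layout matches a real file.
SAMPLE_LOCAL_STATE = json.dumps({
    "os_crypt": {
        "encrypted_key": base64.b64encode(DPAPI_PREFIX + b"\x01" * 64).decode(),
        "app_bound_encrypted_key": base64.b64encode(APPBOUND_PREFIX + b"\x02" * 64).decode(),
    },
})


def extract_keys(local_state_text):
    """Return {field: wrapped_key_bytes} for each os_crypt key, prefix checked and removed."""
    os_crypt = json.loads(local_state_text).get("os_crypt", {})
    found = {}
    for field, prefix in (("encrypted_key", DPAPI_PREFIX),
                          ("app_bound_encrypted_key", APPBOUND_PREFIX)):
        b64 = os_crypt.get(field)
        if not b64:
            continue
        raw = base64.b64decode(b64)
        if not raw.startswith(prefix):
            raise ValueError(f"{field}: unexpected prefix {raw[:5]!r}")
        found[field] = raw[len(prefix):]
    return found


def classify(keys):
    """'app-bound' if an APPB key is present, 'dpapi-only' if just the user-DPAPI key."""
    if "app_bound_encrypted_key" in keys:
        return "app-bound"
    if "encrypted_key" in keys:
        return "dpapi-only"
    return "none"


def split_v10_value(value):
    """Split an encrypted cookie/password value into (nonce, ciphertext, tag).

    Windows layout: b"v10" || 12-byte nonce || ciphertext || 16-byte GCM tag.
    Whoever holds the unwrapped Local State key decrypts this with AES-256-GCM.
    """
    if not value.startswith(V10_PREFIX):
        raise ValueError(f"unsupported value prefix {value[:3]!r}")
    body = value[len(V10_PREFIX):]
    if len(body) < NONCE_LEN + TAG_LEN:
        raise ValueError("value too short for nonce and tag")
    return body[:NONCE_LEN], body[NONCE_LEN:-TAG_LEN], body[-TAG_LEN:]


def unwrap_user_dpapi(blob):
    """CryptUnprotectData in the current user's context (Windows only).

    This is the step a user-context stealer performs on the DPAPI key; it fails
    for the APPB key, which is wrapped under the SYSTEM scope.
    """
    if sys.platform != "win32":
        raise RuntimeError("DPAPI is only available on Windows")

    class DATA_BLOB(ctypes.Structure):
        _fields_ = [("cbData", ctypes.c_uint32),
                    ("pbData", ctypes.POINTER(ctypes.c_char))]

    buf = ctypes.create_string_buffer(blob, len(blob))
    inp = DATA_BLOB(len(blob), ctypes.cast(buf, ctypes.POINTER(ctypes.c_char)))
    out = DATA_BLOB()
    ok = ctypes.windll.crypt32.CryptUnprotectData(
        ctypes.byref(inp), None, None, None, None, 0, ctypes.byref(out))
    if not ok:
        raise OSError("CryptUnprotectData failed (other user or SYSTEM-scope blob)")
    try:
        return ctypes.string_at(out.pbData, out.cbData)
    finally:
        ctypes.windll.kernel32.LocalFree(out.pbData)


def main(argv):
    """Usage: python triage_local_state.py [path\\to\\User Data\\Local State]"""
    text = open(argv[1], "rb").read().decode("utf-8") if len(argv) > 1 else SAMPLE_LOCAL_STATE
    keys = extract_keys(text)
    print("key protection:", classify(keys))
    for field, blob in keys.items():
        print(f"{field}: {len(blob)} wrapped bytes")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against a real profile's Local State on a Windows host and a result of "dpapi-only" means the saved-password key is recoverable by any malware running as that user; "app-bound" means a stealer has to go through the browser's elevation service or run as SYSTEM, which is the extra hurdle this kind of tool is trying to get around.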

ESET researchers also discovered operational overlap between MuddyWater and another Iran-aligned threat actor known as Lyceum, also tracked as Hexane, Spirlin or Siamesekitten. Lyceum is considered a subgroup of OilRig, also known as APT34, which has targeted organizations across the Middle East since at least April 2018. Activity observed in January and February 2025 suggests that MuddyWater may have acted as an initial access provider in at least one case, delivering remote access tools and a custom Mimikatz loader to a manufacturing organization. Researchers believe the credentials stolen there were later used by Lyceum to gain deeper access to and control over the victim's network.

Additional developments surrounding Iranian cyber operations emerged following the disclosure of an internal document leak associated with the threat actor tracked as APT42. According to Israel's National Digital Agency, this group carried out espionage operations targeting selected individuals and organizations in a campaign referred to as SpearSpecter. APT42 is believed to share links with another group tracked as APT35, also known as Charming Kitten or Fresh Feline. British-Iranian activist Nariman Gharib reported that a large collection of internal files linked to the group was leaked online in September and October 2025 by a collective calling itself KittenBusters. The data set reportedly included documents describing cyber operations conducted by a unit connected to the counterintelligence division of Iran's Islamic Revolutionary Guard Corps (IRGC), known as Unit 1500.

Security researchers and analysts reviewing the leaked information indicated that the documents outline a structured cyber intelligence organization with defined hierarchies and operational processes rather than an informal group of independent hackers. According to analysis from DomainTools, the material describes a coordinated system in which operational staff track phishing campaign success rates, record reconnaissance activities and test exploits against known vulnerabilities as part of a broader cyber intelligence framework. The leak also reportedly included the full source code of the BellaCiao malware, which had previously been linked to cyber operations targeting organizations across the United States, Europe, the Middle East and India.
