Snakes by the riverbank
ESET researchers have identified new MuddyWater activity targeting organizations in Israel and Egypt. The Iran-aligned cyberespionage group deployed custom tools to improve defense evasion and persistence, including a Fooder loader to execute the MuddyViper backdoor. The campaign demonstrates a more focused and refined approach, with the group adopting advanced techniques like CNG cryptography and reflective loading. MuddyWater's toolset includes browser data stealers, credential stealers, and reverse tunneling tools. The group primarily targeted critical infrastructure sectors through spearphishing emails containing links to remote monitoring and management software. This campaign indicates an evolution in MuddyWater's operational maturity, showcasing enhanced stealth and credential harvesting capabilities.
Indicators of Compromise
- ip: 206.71.149.51
- ip: 212.232.22.136
- hash: 4103a09887b82ffd56a93bb431805224
- hash: 91a4e6f6d51daee773a8f00279792578
- hash: 76632910cf67697bf5d7285fae38bfcf438ec082
- hash: 0608101047106453101617106423101013101012101083109710108585106969
- hash: 6969697820511281801712341067111416133321394945138510872296106446
- hash: 9262a37df166ac1d5f582aac79f54ccb47623bfd9ba001228d284ae13a08f52f
- hash: ed15c8344b45daed1e0578f8bc1a32411812c61f4cb45d89b107287de0e09ffc
- ip: 157.20.182.45
- ip: 194.11.246.101
- ip: 194.11.246.78
- domain: processplanet.org
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank
- Adversary: MuddyWater
- Pulse Id: 692efb6b9069e8bb95df4011
- Threat Score: null
Threat ID: 69307ddeb129615efa1d7bf5
Added to database: 12/3/2025, 6:13:50 PM
Last updated: 1/18/2026, 10:03:52 PM