Snakes by the riverbank
ESET researchers have identified new MuddyWater activity targeting organizations in Israel and Egypt. The Iran-aligned cyberespionage group deployed custom tools to improve defense evasion and persistence, including a Fooder loader to execute the MuddyViper backdoor. The campaign demonstrates a more focused and refined approach, with the group adopting advanced techniques like CNG cryptography and reflective loading. MuddyWater's toolset includes browser data stealers, credential stealers, and reverse tunneling tools. The group primarily targeted critical infrastructure sectors through spearphishing emails containing links to remote monitoring and management software. This campaign indicates an evolution in MuddyWater's operational maturity, showcasing enhanced stealth and credential harvesting capabilities.
Indicators of Compromise
- ip: 206.71.149.51
- ip: 212.232.22.136
- hash: 4103a09887b82ffd56a93bb431805224
- hash: 91a4e6f6d51daee773a8f00279792578
- hash: 76632910cf67697bf5d7285fae38bfcf438ec082
- hash: 0608101047106453101617106423101013101012101083109710108585106969
- hash: 6969697820511281801712341067111416133321394945138510872296106446
- hash: 9262a37df166ac1d5f582aac79f54ccb47623bfd9ba001228d284ae13a08f52f
- hash: ed15c8344b45daed1e0578f8bc1a32411812c61f4cb45d89b107287de0e09ffc
- ip: 157.20.182.45
- ip: 194.11.246.101
- ip: 194.11.246.78
- domain: processplanet.org
Snakes by the riverbank
Description
ESET researchers have identified new MuddyWater activity targeting organizations in Israel and Egypt. The Iran-aligned cyberespionage group deployed custom tools to improve defense evasion and persistence, including a Fooder loader to execute the MuddyViper backdoor. The campaign demonstrates a more focused and refined approach, with the group adopting advanced techniques like CNG cryptography and reflective loading. MuddyWater's toolset includes browser data stealers, credential stealers, and reverse tunneling tools. The group primarily targeted critical infrastructure sectors through spearphishing emails containing links to remote monitoring and management software. This campaign indicates an evolution in MuddyWater's operational maturity, showcasing enhanced stealth and credential harvesting capabilities.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank"]
- Adversary
- MuddyWater
- Pulse Id
- 692efb6b9069e8bb95df4011
- Threat Score
- null
Indicators of Compromise
Ip
| Value | Description | Copy |
|---|---|---|
ip206.71.149.51 | — | |
ip212.232.22.136 | — | |
ip157.20.182.45 | — | |
ip194.11.246.101 | — | |
ip194.11.246.78 | — |
Hash
| Value | Description | Copy |
|---|---|---|
hash4103a09887b82ffd56a93bb431805224 | — | |
hash91a4e6f6d51daee773a8f00279792578 | — | |
hash76632910cf67697bf5d7285fae38bfcf438ec082 | — | |
hash0608101047106453101617106423101013101012101083109710108585106969 | — | |
hash6969697820511281801712341067111416133321394945138510872296106446 | — | |
hash9262a37df166ac1d5f582aac79f54ccb47623bfd9ba001228d284ae13a08f52f | — | |
hashed15c8344b45daed1e0578f8bc1a32411812c61f4cb45d89b107287de0e09ffc | — |
Domain
| Value | Description | Copy |
|---|---|---|
domainprocessplanet.org | — |
Threat ID: 69307ddeb129615efa1d7bf5
Added to database: 12/3/2025, 6:13:50 PM
Last updated: 2/4/2026, 8:40:49 PM
Views: 219
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
341 Malicious Clawed Skills Found by the Bot They Were Targeting
MediumAPT28 Uses Microsoft Office CVE-2026-21509 in Espionage-Focused Malware Attacks
MediumThreatFox IOCs for 2026-02-03
MediumNotepad++ supply chain attack breakdown
MediumInfostealers without borders: macOS, Python stealers, and platform abuse
MediumActions
External Links
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.