Snakes by the riverbank
ESET researchers have identified new MuddyWater activity targeting organizations in Israel and Egypt. The Iran-aligned cyberespionage group deployed custom tools to improve defense evasion and persistence, including a Fooder loader to execute the MuddyViper backdoor. The campaign demonstrates a more focused and refined approach, with the group adopting advanced techniques like CNG cryptography and reflective loading. MuddyWater's toolset includes browser data stealers, credential stealers, and reverse tunneling tools. The group primarily targeted critical infrastructure sectors through spearphishing emails containing links to remote monitoring and management software. This campaign indicates an evolution in MuddyWater's operational maturity, showcasing enhanced stealth and credential harvesting capabilities.
Indicators of Compromise
- ip: 206.71.149.51
- ip: 212.232.22.136
- hash: 4103a09887b82ffd56a93bb431805224
- hash: 91a4e6f6d51daee773a8f00279792578
- hash: 76632910cf67697bf5d7285fae38bfcf438ec082
- hash: 0608101047106453101617106423101013101012101083109710108585106969
- hash: 6969697820511281801712341067111416133321394945138510872296106446
- hash: 9262a37df166ac1d5f582aac79f54ccb47623bfd9ba001228d284ae13a08f52f
- hash: ed15c8344b45daed1e0578f8bc1a32411812c61f4cb45d89b107287de0e09ffc
- ip: 157.20.182.45
- ip: 194.11.246.101
- ip: 194.11.246.78
- domain: processplanet.org
Snakes by the riverbank
Description
ESET researchers have identified new MuddyWater activity targeting organizations in Israel and Egypt. The Iran-aligned cyberespionage group deployed custom tools to improve defense evasion and persistence, including a Fooder loader to execute the MuddyViper backdoor. The campaign demonstrates a more focused and refined approach, with the group adopting advanced techniques like CNG cryptography and reflective loading. MuddyWater's toolset includes browser data stealers, credential stealers, and reverse tunneling tools. The group primarily targeted critical infrastructure sectors through spearphishing emails containing links to remote monitoring and management software. This campaign indicates an evolution in MuddyWater's operational maturity, showcasing enhanced stealth and credential harvesting capabilities.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank"]
- Adversary
- MuddyWater
- Pulse Id
- 692efb6b9069e8bb95df4011
- Threat Score
- null
Indicators of Compromise
Ip
| Value | Description | Copy |
|---|---|---|
ip206.71.149.51 | — | |
ip212.232.22.136 | — | |
ip157.20.182.45 | — | |
ip194.11.246.101 | — | |
ip194.11.246.78 | — |
Hash
| Value | Description | Copy |
|---|---|---|
hash4103a09887b82ffd56a93bb431805224 | — | |
hash91a4e6f6d51daee773a8f00279792578 | — | |
hash76632910cf67697bf5d7285fae38bfcf438ec082 | — | |
hash0608101047106453101617106423101013101012101083109710108585106969 | — | |
hash6969697820511281801712341067111416133321394945138510872296106446 | — | |
hash9262a37df166ac1d5f582aac79f54ccb47623bfd9ba001228d284ae13a08f52f | — | |
hashed15c8344b45daed1e0578f8bc1a32411812c61f4cb45d89b107287de0e09ffc | — |
Domain
| Value | Description | Copy |
|---|---|---|
domainprocessplanet.org | — |
Threat ID: 69307ddeb129615efa1d7bf5
Added to database: 12/3/2025, 6:13:50 PM
Last updated: 12/5/2025, 12:55:25 AM
Views: 67
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
ThreatFox IOCs for 2025-12-04
MediumQilin Ransomware Claims Data Theft from Church of Scientology
MediumSilver Fox Uses Fake Microsoft Teams Installer to Spread ValleyRAT Malware in China
MediumNew Android malware lets criminals control your phone and drain your bank account
MediumNewly Sold Albiriox Android Malware Targets Banks and Crypto Holders
MediumActions
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.