MuddyWater Cyber-Espionage Campaign Deploys MuddyViper Backdoor via Fooder Loader
December 12th, 2025
High

Our Cyber Threat Intelligence Unit is monitoring a new MuddyWater (aka Mango Sandstorm / TA450) cyber-espionage campaign targeting critical infrastructure organizations, mainly in Israel, with at least one confirmed victim in Egypt. Active from late September 2024, the campaign uses a custom Fooder loader to reflectively execute the newly documented MuddyViper backdoor in memory. Initial access is gained through spear-phishing emails with PDF attachments that link to remote monitoring and management (RMM) installers such as Atera, Syncro, and PDQ, hosted on free file-sharing platforms. These payloads allow in-memory execution, stealthy credential theft, and persistent access within victim environments, supporting a broader espionage effort against sensitive infrastructure networks.
Technical Details
Attack Type: Targeted cyber espionage campaign using spear phishing and custom malware (Fooder loader + MuddyViper backdoor).
Severity: High.
Delivery method: Spear-phishing emails containing PDF attachments that link to legitimate-looking RMM software installers (Atera, Syncro, PDQ) hosted on free file-sharing platforms.
Evasion:
Uses the Windows CNG cryptographic API for AES-CBC encryption in multiple components.
Employs custom execution delays and Sleep API calls (via Fooder’s Snake-style delay loop) to evade sandbox analysis.
Executes key payloads entirely in memory via reflective loading.
Displays fake Windows Security dialogs to harvest credentials (MuddyViper and LP-Notes).
Command and Control: Communication with command-and-control servers uses HTTPS with AES-CBC encryption via the CNG API, facilitating covert data exfiltration and operator control.

Impact
Compromise of critical infrastructure environments across sectors such as engineering, utilities, local government, manufacturing, technology, transportation, and academia.
Long-term persistence allows stealthy espionage operations.
Theft of browser data and sensitive user credentials (via MuddyViper, CE-Notes, LP-Notes, Blub, and HackBrowserData).
Unauthorized remote access to internal systems using RMM tools.
Harvested credentials enable further lateral movement inside the victim network.
Increased difficulty in detection due to memory-based payload execution and encrypted C2 traffic.
Social-engineering attacks using fake Windows Security dialogs to capture login details.
Detection Method
Identify spear-phishing emails that contain PDF attachments or links directing users to download Syncro, Atera, PDQ, or other RMM installers from free file-sharing services (e.g., OneHub, Egnyte, Mega).
Review email and web proxy logs for suspicious PDF files or URLs referencing remote tool installers hosted on file-sharing platforms.
Enable memory-scanning and behavioral analysis features in EDR/endpoint security platforms to detect reflective loading and in-memory backdoors.
Monitor for unexpected installation or execution of RMM tools (Atera, Syncro, PDQ, SimpleHelp, etc.) in environments where they are not formally approved.
Hunt for telemetry indicative of reflective loading, that is, payloads executing entirely in memory without touching disk.
Look for registry modifications and scheduled tasks associated with persistence, including changes to Startup folder registry keys and tasks named ManageOnDriveUpdater.
Monitor for unusual access to browser credential stores and anomalous outbound data exfiltration consistent with CE-Notes/LP-Notes/Blub activity.
Analyze unknown executables exhibiting unexplained delays or frequent Sleep calls consistent with time-based sandbox evasion.
Alert on fake Windows Security credential prompts or unusual Windows Security dialog activity reported by users.
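As an added example (not part of the advisory), a Python hunt that applies two of the checks above to constructed sample data: it flags proxy-log downloads of RMM installers from file-sharing hosts and matches scheduled-task names against ManageOnDriveUpdater. The log format, the sample lines and the onehub.com / egnyte.com / mega.nz domains are assumptions.

```python
from urllib.parse import urlparse

# Constructed proxy log lines (not from the advisory): time user method url status
SAMPLE_PROXY_LOG = """\
2025-11-03T08:12:44Z jdoe GET https://ws.onehub.com/files/abc123/AteraAgent.exe 200
2025-11-03T08:13:10Z jdoe GET https://www.microsoft.com/download/office.exe 200
2025-11-03T09:01:02Z asmith GET https://mega.nz/file/xyz/SyncroSetup.msi 200
2025-11-03T09:05:00Z asmith GET https://intranet.example.com/docs/report.pdf 200
"""

# Constructed scheduled-task paths, one per task, as a task-listing export would give them
SAMPLE_TASKS = [
    r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan",
    r"\ManageOnDriveUpdater",
    r"\OneDrive Standalone Update Task",
]

# RMM products named in the advisory; hosting domains are assumed for OneHub, Egnyte and Mega
RMM_KEYWORDS = ("atera", "syncro", "pdq", "simplehelp")
FILE_SHARING_HOSTS = ("onehub.com", "egnyte.com", "mega.nz")
INSTALLER_EXT = (".exe", ".msi")
PERSISTENCE_TASKS = {"manageondriveupdater"}  # task name cited in the advisory


def host_matches(host, suffixes):
    """True when host equals or is a subdomain of any listed suffix."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def flag_rmm_downloads(log_text):
    """Return installer downloads of RMM tools served from file-sharing hosts."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line: skip it rather than abort the hunt
        ts, user, _method, url, _status = parts[:5]
        u = urlparse(url)
        name = u.path.rsplit("/", 1)[-1].lower()
        if (name.endswith(INSTALLER_EXT)
                and host_matches(u.hostname or "", FILE_SHARING_HOSTS)
                and any(k in name for k in RMM_KEYWORDS)):
            hits.append({"time": ts, "user": user, "host": u.hostname, "file": name})
    return hits


def flag_suspicious_tasks(task_paths):
    """Return task paths whose leaf name matches a known persistence task name."""
    return [p for p in task_paths if p.rsplit("\\", 1)[-1].strip().lower() in PERSISTENCE_TASKS]
```

Both functions return structured hits rather than printing, so they can feed a SIEM rule or a ticket directly.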
Indicators of Compromise

Recommendations
Strengthen user awareness and block untrusted or suspicious email attachments and links.
Enable advanced endpoint detection with memory analysis.
Restrict installation of remote management utilities to approved processes only.
Implement strong access controls and network segmentation.
Enforce multi-factor authentication for all administrative accounts.
Conduct regular audits of systems for unknown executables and persistence methods.
Share indicators and intelligence with relevant infrastructure security partners.
Conclusion
This MuddyWater activity demonstrates a focused and well-resourced effort to compromise critical infrastructure using stealthy loaders, newly developed backdoor capabilities, and credential-theft tooling. The combination of spear-phishing delivery, in-memory execution, encrypted C2, and fake Windows Security dialogs makes this campaign highly effective against organizations with limited visibility into RMM usage and endpoint behavior. We urge organizations to take prompt action: improving email defenses, tightening control over remote-access tooling, and enhancing endpoint and network monitoring are essential to prevent further compromise.