Iranian State Hackers Launch New MuddyViper Attacks on Israeli Organisations


Israeli organisations across academia, engineering, local government, manufacturing, technology, transport, and utilities have been targeted in a new wave of cyber attacks carried out by Iranian state-backed hackers. The campaign delivered a previously unseen backdoor dubbed MuddyViper.

ESET has attributed the activity to MuddyWater (also known as Mango Sandstorm, Static Kitten, or TA450), a group linked to Iran’s Ministry of Intelligence and Security (MOIS). One tech firm in Egypt was also hit. The operation ran from 30 September 2024 to 18 March 2025.

MuddyWater, active since at least 2017, has a long history of targeting the Middle East, including destructive attacks on Israeli entities that used the PowGoop loader (PowGoop is a DLL loader rather than ransomware itself). According to Israel’s National Cyber Directorate, the group has aimed at local authorities, civil aviation, telecoms, healthcare, tourism, IT providers, and SMEs.

Their attacks typically start with spear-phishing or exploitation of known VPN flaws and go on to install legitimate remote-management tools, which blend in with normal administrative traffic. Since mid-2024, phishing emails have also carried another backdoor called BugSleep.

MuddyWater’s toolkit includes various RATs (Blackout, AnchorRat, CannonRat), the file-infecting virus Neshta, and the Sad C2 framework, which deploys the BlackPearl RAT and other payloads.

The latest campaign again begins with phishing emails containing PDFs that link to installers for legitimate remote-management tools such as Atera, Level, PDQ and SimpleHelp. A loader called Fooder decrypts and runs the MuddyViper backdoor and, in some cases, also installs SOCKS5 tunnelling proxies or the HackBrowserData credential-extraction utility.

MuddyViper can gather system information, run commands and files, transfer data, and steal Windows credentials and browser information. It supports 20 commands for covert access and control. Some Fooder variants mimic the classic Snake game to evade detection.

The attackers also used other tools, including:

  • VAXOne, a backdoor impersonating Veeam, AnyDesk, Xerox, or OneDrive
  • CE-Notes, a Chrome data-stealer bypassing app-bound encryption
  • Blub, a browser-data stealer for Chrome, Edge, Firefox, and Opera
  • LP-Notes, a fake Windows Security prompt used to harvest passwords

ESET also observed overlaps between MuddyWater and Lyceum (Hexane/Spirlin), another Iran-aligned group. In early 2025, MuddyWater likely acted as an initial-access broker, installing remote-desktop tools and a custom Mimikatz loader inside an Israeli manufacturing firm, enabling Lyceum to deepen its access.

ESET says the campaign shows clear operational evolution, with new components aimed at enhancing stealth and persistence.

Charming Kitten leaks

The findings follow Israel’s attribution of a recent espionage campaign named SpearSpecter to APT42, which overlaps with APT35/Charming Kitten. This comes amid a major leak of internal APT35 documents published on GitHub in late 2025 by a group called KittenBusters.

The leaked material allegedly exposes the Iranian IRGC Unit 1500 cyber division, its leadership, and its network of front companies. It also includes the full source code of the BellaCiao malware.

According to analysts, the documents reveal a highly bureaucratic intelligence structure with strict hierarchies, performance tracking, and organised workflows – far from the image of a loose hacking collective.



Author Profile

Mr Afdal

