UDPGangster
UDPGangster is a custom backdoor used by the Iran-linked threat actor MuddyWater, also tracked as Boggy Serpens and assessed in the provided reporting as linked to Iran’s Ministry of Intelligence and Security (MOIS). It is described as a basic or lighter backdoor that communicates with its command-and-control infrastructure over the UDP protocol, including use of UDP port 1269, and has been characterized as a custom UDP C2 framework recovered from source code file udp_3.0.py with a SQLite backend for victim tracking. Reported C2 endpoints include 157.20.182.75:1269/UDP and 64.7.198.12:1269/UDP, and one delivery domain mentioned is reminders[.]trahum[.]org.
The malware has been delivered in phishing campaigns using malicious Microsoft Word documents and executable files disguised as PDFs or DOC files. In documented campaigns, victims were lured into enabling VBA macros, after which the macro decoded embedded data, wrote payload material to disk, and executed the UDPGangster payload. One reported lure used a ZIP file named seminer.zip containing a Word document named seminer.doc, and some phishing emails impersonated the Turkish Republic of Northern Cyprus Ministry of Foreign Affairs and referenced a fake seminar titled "Presidential Elections and Results." The malware has also been associated with broader MuddyWater phishing operations using hijacked legitimate email accounts and macro-enabled Office attachments.
Observed targeting in the provided content includes Microsoft Windows systems and entities in Turkey, Israel, and Azerbaijan, with additional reporting tying MuddyWater campaigns using UDPGangster to diplomatic, energy, maritime, government, aviation, financial, telecommunications, academia, engineering, local government, manufacturing, technology, transportation, and utilities-related targets in the Middle East and nearby regions. Unit 42 reporting in the content also states UDPGangster was used in a four-wave campaign against a UAE-based marine and energy company between August 2025 and February 2026.
Capabilities directly described in the content include persistence via Windows Registry modification and use of the victim persistence path %AppData%\RoamingLow\SystemProc.exe; system information gathering; command execution through cmd.exe; file transmission; exfiltration of data; updating the C2 server; and dropping additional payloads. Anti-analysis behavior reported for UDPGangster includes checks for debugging, sandboxing, virtualization, CPU, RAM, MAC address, workgroup, running processes, virtual machine artifacts, and debugger presence, with execution proceeding only if checks are satisfied. One report states the malware connected to 157.20.182[.]75 over UDP port 1269 after collecting host information.
The content also links UDPGangster to a shared MuddyWater development pipeline. Unit 42 reporting states that UDPGangster operations deployed a lighter UDP backdoor in parallel with the Phoenix lineage, and that both tracks shared an identical decryption key and the novaservice.exe file path, indicating common development. Additional reporting notes UDPGangster alongside other MuddyWater malware families including Phoenix, BugSleep, Nuso, RustyWater, GhostBackDoor, and LampoRAT/CHAR.
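The C2 and persistence traits listed above give a defender two concrete things to hunt for. The following is an added example, not code from the page or from the reporting it cites: it scans constructed flow and autorun records for UDP traffic to port 1269 (flagging the two reported C2 addresses outright and repeated flows to any other host as possible beaconing) and for an autorun entry that launches %AppData%\RoamingLow\SystemProc.exe. The record field names, the Run key used as the autorun location, and all sample values are assumptions made for the example.

```python
# Added detection example, not code from the page or the reporting it cites.
# It looks for the traits described above: UDP flows to port 1269 (especially
# to the two reported C2 addresses) and an autorun entry that launches
# %AppData%\RoamingLow\SystemProc.exe. Record field names, the Run key and the
# sample values are assumptions constructed for the example.
import re
from collections import Counter

C2_PORT = 1269
KNOWN_C2 = {"157.20.182.75", "64.7.198.12"}          # addresses named on the page
PERSIST_RE = re.compile(r"\\RoamingLow\\SystemProc\.exe$", re.IGNORECASE)

def scan_flows(flows, min_beacons=3):
    """flows: dicts with src, dst, dport, proto. Returns (severity, reason, src, dst)."""
    per_pair = Counter((f["src"], f["dst"]) for f in flows
                       if f["proto"].lower() == "udp" and f["dport"] == C2_PORT)
    alerts = []
    for (src, dst), n in per_pair.items():
        if dst in KNOWN_C2:
            alerts.append(("high", "udp/1269 to reported UDPGangster C2", src, dst))
        elif n >= min_beacons:   # repeated UDP/1269 to an unlisted host: possible beaconing
            alerts.append(("medium", "repeated udp/1269 flows to unlisted host", src, dst))
    return alerts

def scan_autoruns(entries):
    """entries: dicts with host, key, value (expanded command path)."""
    return [("high", "autorun launches RoamingLow\\SystemProc.exe", e["host"], e["value"])
            for e in entries if PERSIST_RE.search(e["value"])]

SAMPLE_FLOWS = [  # constructed sample telemetry
    {"src": "10.0.0.5", "dst": "157.20.182.75", "dport": 1269, "proto": "udp"},
    {"src": "10.0.0.5", "dst": "157.20.182.75", "dport": 1269, "proto": "udp"},
    {"src": "10.0.0.7", "dst": "203.0.113.9", "dport": 1269, "proto": "udp"},
    {"src": "10.0.0.7", "dst": "203.0.113.9", "dport": 1269, "proto": "udp"},
    {"src": "10.0.0.7", "dst": "203.0.113.9", "dport": 1269, "proto": "udp"},
    {"src": "10.0.0.8", "dst": "203.0.113.9", "dport": 1269, "proto": "udp"},  # one-off, ignored
    {"src": "10.0.0.9", "dst": "64.7.198.12", "dport": 1269, "proto": "tcp"},  # TCP, not matched
]
SAMPLE_AUTORUNS = [  # constructed; the Run key is assumed as a typical autorun location
    {"host": "ws01", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemProc",
     "value": r"C:\Users\a\AppData\Roaming\RoamingLow\SystemProc.exe"},
    {"host": "ws02", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Users\b\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for alert in scan_flows(SAMPLE_FLOWS) + scan_autoruns(SAMPLE_AUTORUNS):
        print(*alert)
```

The beacon threshold is deliberately low for the sample; in production, tune `min_beacons` per time window and exclude hosts with a legitimate reason to speak UDP/1269.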
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories.
CVE-2025-54068 (CVSS score: 9.8) - A code injection vulnerability in Laravel Livewire that could allow unauthenticated attackers to achieve remote command execution in specific scenarios. (Fixed in July 2025)
Groups observed using it
1 distinct threat actor attributed by public researchers.
Framework 1: UDPGangster -- UDP Port 1269 Source file: udp_3.0.py (1,310 lines of Python) This is the custom UDP C2 previously identified by FortiGuard Labs.
Techniques & procedures
10 distinct techniques documented for this family, organized by ATT&CK tactic:
Initial Access: 2 techniques
Execution: 2 techniques
Stealth: 1 technique
Command and Control: 4 techniques
...and the UDPGangster Operations, deploying a lighter backdoor over UDP... Regular threat hunting for UDP-based beaconing...
“redundant command-and-control channels across HTTPS …” / “Cloudflare Workers, Firebase, OneDrive …” / “Firebase-hosted staging pages”
MITRE ATT&CK Mapping
Technique ID: T1071.003
Name: Non-Application Layer Protocol
Evidence: UDPGangster (UDP 1269), ICMP tunneling
When that happens, a VBA macro executes silently in the background, drops a payload... Forensic analysis uncovered two parallel VBA builder tracks... delivering full backdoors including BugSleep and the newly identified Nuso HTTP backdoor, and the UDPGangster Operations, deploying a lighter backdoor over UDP.
IOCs tracked for this family
15 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering IPs, domains, and DNS infrastructure linked to this family, and file hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
17 sources tracked across advisories, community write-ups, and news.
Tool used in MuddyWater's arsenal.
A lighter UDP-based backdoor used in operations linked to the same development pipeline as Phoenix Lineage.
Custom UDP-based command-and-control framework with victim tracking in SQLite, supporting beaconing, command execution, file upload/download, staging payloads, and persistence via %AppData%\RoamingLow\SystemProc.exe.
UDP-based MuddyWater backdoor used in campaigns including one targeting a financial institution in Egypt.