MuddyViper
MuddyViper is a previously undocumented backdoor associated with the Iran-aligned threat actor MuddyWater (also tracked as Mango Sandstorm and TA450), which multiple sources link to Iran's MOIS. It was observed in campaigns active from late September 2024 through March 2025, primarily targeting organizations in Israel, with at least one confirmed victim in Egypt. Reported victim sectors include technology, engineering, manufacturing, local government, education, telecommunications, government, and oil and energy-related organizations.
MuddyViper is delivered by a custom loader named Fooder, which is often disguised as the classic Snake game. Fooder reflectively loads the backdoor into memory and executes it, and uses custom delay logic based on Snake-game behavior combined with Windows Sleep calls to hinder automated analysis. Several reports state MuddyViper was observed only in memory. Initial access in the associated campaigns was typically achieved through spearphishing emails with PDF attachments that linked victims to installers for legitimate remote monitoring and management tools hosted on free file-sharing services such as OneHub, Egnyte, and Mega. Referenced tools include Atera, Level, PDQ, and SimpleHelp.
The backdoor provides extensive control over compromised Windows systems. High-confidence capabilities directly described in the reporting include collecting system information, executing arbitrary files and shell commands, transferring files, stealing and exfiltrating Windows login credentials and browser data, exfiltrating other data, establishing reverse shells, and maintaining persistence. One source states it supports 20 commands. Reported persistence mechanisms include an installation directory under the Windows Startup folder and a scheduled task that launches the backdoor after a restart. The malware and related tooling were also described as using Windows CNG cryptographic APIs, which the reporting notes is unusual among Iran-aligned groups.
MuddyViper was used alongside additional MuddyWater tooling including the CE-Notes, LP-Notes, and Blub credential stealers, and in some reporting alongside VAX One and go-socks5 reverse tunnels. The campaign is assessed as focused on credential harvesting, network mapping, and initial-access brokering, including support to Lyceum. The reporting consistently characterizes MuddyViper as part of MuddyWater's technical evolution toward more focused and sophisticated operations, while still retaining some detectable tradecraft.
Groups observed using it
2 distinct threat actors attributed by public researchers.
Implant: MuddyViper, reflectively loaded into memory.
Objective: Credential harvesting, network mapping, and initial-access brokering for Lyceum.
Hackers used the loader to deploy a previously undocumented backdoor Eset dubs "MuddyViper," malware that researchers observed only in computer memory.
Techniques & procedures
44 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (3 techniques)
Execution (6 techniques)
MuddyWater TTPs list includes “Execution T1047 Windows Management Instrumentation.”
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
The group's WMI-based persistence and memory-resident implant execution are specifically designed to evade the host-based detection tools most commonly deployed in government environments.
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
Persistence (4 techniques)
The cited reporting repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.
MuddyWater TTPs list includes “Persistence T1137.001 Office Application Startup: Office Template Macros.”
The cited reporting repeatedly describes malware and threat actors establishing persistence by adding values under HKCU\ or HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or batch files in the Windows Startup folder.
Privilege Escalation (3 techniques)
Stealth (8 techniques)
Black Shrantac TTPs list includes “Defense Evasion T1027 Obfuscated Files or Information.” MuddyWater TTPs list includes multiple T1027 sub-techniques (command obfuscation, steganography, compile after delivery).
Bisonal has deleted Registry keys to clean up its prior activity. FIN8 has deleted Registry keys during post-compromise cleanup activities. SUNBURST also deleted previously created Image File Execution Options (IFEO) Debugger registry values and registry keys related to its HTTP proxy settings to clean up traces of its activity.
MuddyWater TTPs list includes “Defense Evasion T1140 Deobfuscate/Decode Files or Information.”
CastleRAT TTPs list includes “Defense Evasion T1218.011… Rundll32.” MuddyWater also lists “T1218.011… Rundll32.”
Defense Impairment (1 technique)
Credential Access (2 techniques)
Discovery (7 techniques)
MuddyWater TTPs list includes “Discovery T1016 System Network Configuration Discovery.”
MuddyWater TTPs list includes “Discovery T1033 System Owner/User Discovery.”
MuddyWater TTPs list includes “Discovery T1049 System Network Connections Discovery.”
Black Shrantac TTPs list includes “Discovery T1057 Process Discovery.” MuddyWater TTPs list includes “Discovery T1057 Process Discovery.”
Black Shrantac TTPs list includes “Discovery T1082 System Information Discovery.” CastleRAT describes collecting “system metadata” and lists “Discovery T1082.” MuddyWater lists “Discovery T1082.”
Lateral Movement (1 technique)
Collection (3 techniques)
MuddyWater TTPs list includes “Collection T1074.001 Data Staged: Local Data Staging.”
Command and Control (8 techniques)
The cited reporting repeatedly describes threat actors, malware, and campaigns using HTTP, HTTPS, HTTP GET/POST, cookies in headers, WebSockets/WSS, and web APIs for command and control or related communications.
"reverse SOCKS5 tunnel connected to a proxy machine as a way of hiding the location of the server."
MuddyWater TTPs list includes “Command and Control T1102.002 Web Service: Bidirectional Communication.”
MuddyWater TTPs list includes “Command and Control T1104 Multi-Stage Channels.”
CastleRAT TTPs list includes “Command and control T1105 Ingress Tool Transfer.” MuddyWater also lists T1105.
MuddyWater TTPs list includes “Command and Control T1132.001 Data Encoding: Standard Encoding.”
Exfiltration (1 technique)
Impact (1 technique)
The impact tier is the most varied; Shamoon 4.0, Meteor, BibiWiper, and MuddyViper represent the confirmed destructive payload suite. IOCONTROL directly targets IoT and fuel management OT systems. BaqiyatLock and Sicarii deploy pseudo-ransomware designed to destroy data rather than hold it for ransom.
Recent activity
18 sources tracked across advisories, community write-ups, and news.
A destructive payload included in the confirmed active suite during the conflict.
A memory-resident implant used for credential harvesting, network mapping, and initial-access brokering.
Custom MuddyWater backdoor reflecting the group’s move toward more tailored malware.
Backdoor used in targeted attacks against multiple Israeli sectors; attributed to MuddyWater by ESET.