Iran-linked hackers target Israeli, Egyptian critical infrastructure through phishing campaign

Summary

Researchers at ESET uncovered a MuddyWater campaign active between September 2024 and March 2025 that targeted critical infrastructure organisations in Israel and Egypt. The threat actor used spearphishing emails with PDF attachments containing links to spyware installers hosted on free file-sharing services such as OneHub and Mega. The operation deployed a new backdoor named MuddyViper and a custom loader called Fooder, which masqueraded its delays and execution logic as the classic Snake game to evade automated analysis.

MuddyViper can exfiltrate Windows login credentials and browser data, gather system information, transfer and execute files, and run shell commands. After initial compromise, the attackers also employed multiple credential stealers — CE-Notes (Chromium-based), LP-Notes (staging and verification), and Blub (Chrome, Edge, Firefox, Opera) — to harvest credentials and browser-stored data. ESET assesses MuddyWater as aligned with Iran’s Ministry of Intelligence and National Security and notes a clear technical evolution in precision, persistence and evasion techniques.

Key Points

  • MuddyWater ran a spearphishing campaign from Sep 2024 to Mar 2025 targeting Israeli and Egyptian organisations across tech, engineering, local government, education and manufacturing.
  • Phishing messages used PDFs linking to spyware installers hosted on free file-sharing platforms (OneHub, Mega).
  • New backdoor MuddyViper enables credential and browser-data theft, system reconnaissance, file transfer and remote execution.
  • The custom loader Fooder hides activity by reflectively loading MuddyViper into memory and using a Snake-game-based delay routine to evade automated analysis.
  • Post-compromise tools included CE-Notes, LP-Notes and Blub credential stealers to harvest browser and Windows credentials.
  • ESET links MuddyWater to Iran’s intelligence apparatus and highlights the group’s increased technical sophistication and targeted approach.

Context and Relevance

This campaign underscores persistent nation-state threats against critical infrastructure in the Middle East and the increasing use of creative evasion techniques to bypass detection. The use of legitimate file-sharing services for malware hosting complicates blocking strategies, while memory-resident loaders and game-mimicking delays reveal a trend towards stealthier, more resilient tools. For security teams, this raises the urgency of layered defences: robust email filtering, multi-factor authentication, endpoint detection, privileged-access controls and rapid incident response playbooks.
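One concrete piece of the email-filtering layer mentioned above is to inspect PDF attachments for link annotations that point at free file-sharing services, the delivery pattern this campaign used. The following is an added example, not code from ESET or The Record; the file-sharing host names are assumptions (the report names the services, not their domains), and the sample PDF fragment is constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Hosts for the free file-sharing services named in the report. The exact
# domains are assumptions; extend the set to match your own blocklist.
FILE_SHARING_HOSTS = {"onehub.com", "mega.nz", "mega.io", "mega.co.nz"}

# PDF link annotations carry their target as a /URI entry in the annotation
# dictionary. These patterns read literal and hex-encoded URI strings from
# uncompressed objects; links inside compressed object streams need inflating first.
URI_PATTERN = re.compile(rb"/URI\s*\(([^)]*)\)")
HEX_URI_PATTERN = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")

def extract_pdf_uris(pdf_bytes: bytes) -> list[str]:
    """Return every link target found in the PDF's annotation dictionaries."""
    uris = [m.group(1).decode("latin-1") for m in URI_PATTERN.finditer(pdf_bytes)]
    for m in HEX_URI_PATTERN.finditer(pdf_bytes):
        hexstr = re.sub(rb"\s", b"", m.group(1))
        uris.append(bytes.fromhex(hexstr.decode("ascii")).decode("latin-1"))
    return uris

def is_file_sharing_link(uri: str) -> bool:
    """True when the link's host is one of the listed services or a subdomain of one."""
    host = (urlparse(uri).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in FILE_SHARING_HOSTS)

def flag_attachment(pdf_bytes: bytes) -> list[str]:
    """Return the file-sharing links in an attachment; an empty list means nothing to flag."""
    return [u for u in extract_pdf_uris(pdf_bytes) if is_file_sharing_link(u)]

# Constructed sample: a minimal, uncompressed PDF fragment with two link annotations,
# one to a file-sharing host (placeholder path) and one to an ordinary site.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"5 0 obj\n<< /Type /Annot /Subtype /Link /Rect [72 700 300 720]\n"
    b"   /A << /S /URI /URI (https://ws.onehub.com/files/EXAMPLE_PLACEHOLDER) >> >>\nendobj\n"
    b"6 0 obj\n<< /Type /Annot /Subtype /Link /Rect [72 650 300 670]\n"
    b"   /A << /S /URI /URI (https://www.example.org/report.pdf) >> >>\nendobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for link in flag_attachment(SAMPLE_PDF):
        print("file-sharing link in attachment:", link)
```

A hit is a triage signal rather than a verdict: legitimate mail also carries links to these services, so route flagged attachments to sandboxing or manual review instead of dropping them outright.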

Why should I read this?

Because if you run security for an organisation — especially in critical sectors — this is the sort of campaign that can quietly bleed credentials and pivot into core systems. It’s a tidy snapshot of how a national-level actor is getting craftier: sneaky loaders, browser stealers, and free-hosted installers. We read the details so you don’t have to — skim the key points, lock down MFA, and patch the obvious gaps.

Source

Source: https://therecord.media/iran-linked-hackers-target-israel-egypt-phishing