Particle.news

Iran-Aligned MuddyWater Targets Israeli Sectors With New MuddyViper Backdoor

The operation shows heightened stealth, loading payloads in memory with the Windows CNG API to hinder detection.

Overview

  • ESET attributes the campaign to MuddyWater (aka Mango Sandstorm/TA450), reporting victims across Israeli academia, engineering, local government, manufacturing, technology, transportation and utilities, plus one technology company in Egypt.
  • Initial access relied on spear‑phishing PDFs that linked to installers for legitimate remote‑management tools hosted on free file‑sharing services, delivering products such as Atera, Level, PDQ and SimpleHelp.
  • The attackers used a loader dubbed Fooder that impersonates the Snake game, reflectively loads payloads in memory and delays execution to evade analysis; it was also observed deploying go‑socks5 proxies and HackBrowserData.
  • MuddyViper, a previously undocumented C/C++ backdoor, supports roughly 20 commands to collect system details, run files and shell commands, transfer files and exfiltrate Windows credentials and browser data.
  • Post‑compromise activity stacked credential stealers including CE‑Notes, LP‑Notes and Blub, incorporated the VAXOne backdoor that mimics well‑known software, and adopted low‑noise tradecraft with Windows CNG usage that ESET says reflects growing operational maturity.