Iran-linked hackers target Israeli, Egyptian critical infrastructure through phishing campaign

The Iran-tied threat actor MuddyWater targeted critical infrastructure in Egypt and Israel with spyware that masqueraded as the classic Snake game, researchers say.

Active between September 2024 and March 2025, the operation primarily targeted organizations in Israel’s technology, engineering, local government, educational and manufacturing sectors, according to researchers at ESET, who uncovered the campaign.

The new activity unfolded through spearphishing emails, which typically carried PDF attachments containing links to spyware installers hosted on free file-sharing platforms such as OneHub and Mega, according to an ESET blog post.

A new backdoor called MuddyViper allowed attackers to exfiltrate Windows login credentials and browser data, gather system information, transfer files and execute files and shell commands, ESET researchers say.

The custom loader MuddyViper uses, dubbed Fooder, makes the malware harder to detect because it imitates the Snake game.

MuddyViper shows MuddyWater, which is aligned with the Ministry of Intelligence and National Security of Iran, is evolving technically and has grown more capable at evading detection and remaining persistent, according to ESET.

Fooder “reflectively loads MuddyViper into memory and executes it,” ESET said in a press release. The loader also relies on a custom delay function that implements the “core logic” of the Snake game, combined with “Sleep” API calls, ESET says. 

“These features are intended to delay execution in an attempt to hide malicious behavior from automated analysis systems,” ESET said. “Overall this campaign shows signs of technical evolution – increased precision, strategic targeting and a more advanced toolset.”
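The stalling technique ESET describes, a compute-bound delay loop (the game logic) combined with Sleep API calls, can be checked for in a sandbox API trace by looking at both the total requested Sleep time and the silent wall-clock gap before the first payload-style API call. The following is an added detection example, not ESET's code or anything from the campaign; the trace format, the thresholds and the PAYLOAD_APIS list are assumptions, and the trace itself is constructed.

```python
import re
from dataclasses import dataclass

# Constructed sandbox-style API trace, not a real sandbox log.
# Each line: "<ms since process start> <api>(<arg>)".
SAMPLE_TRACE = """\
0 GetTickCount()
10 Sleep(900)
912 Sleep(900)
1815 Sleep(900)
2720 Sleep(900)
3622 Sleep(900)
8900 VirtualAlloc(PAGE_EXECUTE_READWRITE)
8905 CreateThread()
"""

# Hypothetical list: the first call to any of these marks the start of payload behaviour.
PAYLOAD_APIS = {"VirtualAlloc", "CreateThread", "WriteFile", "InternetOpenA", "CreateProcessW"}
LINE_RE = re.compile(r"^(\d+)\s+(\w+)\((.*)\)$")

@dataclass
class StallReport:
    sleep_calls: int   # Sleep() calls seen before payload activity
    sleep_ms: int      # total requested Sleep() time before payload activity
    elapsed_ms: int    # wall-clock time until the first payload API (or end of trace)
    stalled: bool
    reason: str

def analyze_stalling(trace: str, max_sleep_ms: int = 5000,
                     max_elapsed_ms: int = 8000) -> StallReport:
    sleep_calls = sleep_ms = elapsed_ms = 0
    for line in trace.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, api, arg = int(m.group(1)), m.group(2), m.group(3)
        elapsed_ms = ts
        if api == "Sleep":
            sleep_calls += 1
            sleep_ms += int(arg) if arg.isdigit() else 0
        elif api in PAYLOAD_APIS:
            break  # payload behaviour starts here; stop measuring the delay phase
    if sleep_ms >= max_sleep_ms:
        return StallReport(sleep_calls, sleep_ms, elapsed_ms, True,
                           f"{sleep_ms} ms of Sleep() before payload activity")
    if elapsed_ms >= max_elapsed_ms:
        # Little Sleep() but a long silent gap: consistent with a CPU-bound delay loop
        return StallReport(sleep_calls, sleep_ms, elapsed_ms, True,
                           f"{elapsed_ms} ms elapsed before payload activity, only {sleep_ms} ms in Sleep()")
    return StallReport(sleep_calls, sleep_ms, elapsed_ms, False, "no stalling pattern")
```

In the constructed trace the Sleep total stays under the threshold, so only the elapsed-time rule catches the combined stalling; a Sleep-only heuristic would miss the compute-bound part.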

After the initial compromise, MuddyWater deployed multiple credential stealers in the attacks, ESET said. These included CE-Notes, which targets Chromium-based browsers; LP-Notes, which “stages and verifies” stolen credentials; and Blub, which steals login data from Chrome, Edge, Firefox and Opera browsers.

MuddyWater first became publicly known in 2017 through its cyberespionage campaigns. In October, the threat actor was linked to a phishing campaign that targeted more than 100 government entities and international organizations across the Middle East and North Africa.


Suzanne Smalley

is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.
