Suspected Iranian state hackers use new malware to target Israeli organizations


A new campaign by the suspected Iranian state hacking group MuddyWater is targeting organizations in Israel and across the Middle East with a previously unseen custom backdoor, according to new research.

The new malware variant, discovered in May, was analyzed by researchers at Check Point, who dubbed it BugSleep, as well as researchers at Sekoia, who called it MuddyRot.

According to Check Point, which has headquarters in Tel Aviv, the new tool is still under development: Some of the samples collected for analysis contained bugs, and parts of the code were poorly written. However, the threat actor “is continuously improving BugSleep’s functionality and addressing bugs,” researchers said in a report Monday.

In a recent campaign, MuddyWater reportedly used BugSleep against unnamed organizations in Israel — one of the group’s most popular targets. It is also likely that the hackers attacked other countries, including Azerbaijan, as evidenced by the phishing emails they used.

MuddyWater is affiliated with Iran’s Ministry of Intelligence and Security and has been active since at least 2017. The group has previously targeted government entities, municipalities, media outlets, and travel agencies in Israel, Turkey, Saudi Arabia, India, and Portugal.

The deployment of BugSleep allows hackers to remotely execute commands on the compromised system and transfer files between the infected device and the attacker’s servers.

According to Check Point, BugSleep was likely created to partially replace the group's reliance on legitimate remote monitoring and management (RMM) tools, which it previously deployed on victims' devices.

“It is likely that the increased monitoring of RMM tools by security vendors, following their rise in abuse by malicious threat actors, has influenced this change,” Sekoia said in its own report Monday.

Researchers noticed other changes in the group’s tactics during the latest campaigns.

Previously, MuddyWater mostly used tailored malicious emails sent to dozens of targets in the same sector. Lately, however, the group has shifted to “generic-themed, yet well-crafted phishing lures,” according to Check Point, such as invitations to online courses and websites, as in the case of Azerbaijan.

“This approach allows them to reuse the same lure across different targets and regions,” Check Point researchers added.

Another change, according to Sekoia, is that the hackers seem to have started embedding the malicious links in PDF files instead of emails. Their previous phishing lures included a link to an online storage service hosting a malicious ZIP archive, which contained the remote monitoring and management software.

Since the beginning of the Israel-Hamas war in October 2023, MuddyWater has significantly increased its activities in Israel and other countries, researchers said.

Overall, since February 2024, Check Point said it has identified over 50 spear-phishing emails linked to MuddyWater, sent to hundreds of recipients across more than 10 sectors.


Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.
