Article Details
Scrape Timestamp (UTC): 2025-12-08 06:51:50.579
Source: https://thehackernews.com/2025/12/muddywater-deploys-udpgangster-backdoor.html
Original Article Text
MuddyWater Deploys UDPGangster Backdoor in Targeted Turkey-Israel-Azerbaijan Campaign

The Iranian hacking group known as MuddyWater has been observed leveraging a new backdoor dubbed UDPGangster that uses the User Datagram Protocol (UDP) for command-and-control (C2) purposes. The cyber espionage activity targeted users in Turkey, Israel, and Azerbaijan, according to a report from Fortinet FortiGuard Labs.

"This malware enables remote control of compromised systems by allowing attackers to execute commands, exfiltrate files, and deploy additional payloads – all communicated through UDP channels designed to evade traditional network defenses," security researcher Cara Lin said.

The attack chain uses spear-phishing to deliver booby-trapped Microsoft Word documents that execute a malicious payload once macros are enabled. Some of the phishing messages impersonate the Turkish Republic of Northern Cyprus Ministry of Foreign Affairs and purport to invite recipients to an online seminar titled "Presidential Elections and Results." The emails carry two attachments, a ZIP archive ("seminer.zip") and a Word document ("seminer.doc"); the archive contains the same Word document. Opening it prompts the user to enable macros, which runs the embedded VBA code.

To hide any sign of malicious activity, the VBA script in the dropper displays a Hebrew-language decoy image styled as a notice from the Israeli telecommunications provider Bezeq about supposed service disconnections in various cities across the country during the first week of November 2025.

"The macro uses the Document_Open() event to automatically execute, decoding Base64-encoded data from a hidden form field (UserForm1.bodf90.Text) and writing the decoded content to C:\Users\Public\ui.txt," Lin explained. "It then executes this file using the Windows API CreateProcessA, launching the UDPGangster payload."
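The macro chain described above, as an added example that is not code from the article or from FortiGuard Labs: a Python heuristic that scans VBA source for the dropper pattern Lin describes, an auto-executing event, Base64 decoding of a blob held in a UserForm control, a write under C:\Users\Public, and a CreateProcessA declaration. The two VBA samples are constructed for illustration and are not the real seminer.doc macro; the control name UserForm1.bodf90.Text and the path C:\Users\Public\ui.txt come from the article, every other identifier and the indicator set are assumptions. In practice the macro source would be extracted from the document with olevba (from oletools) and passed to scan_vba().

```python
import re

# Heuristic indicators for a Word macro dropper of the kind described above.
# VBA identifiers are case-insensitive, so every pattern is compiled with re.I.
# The indicator set is an assumption chosen for this example, not a published rule.
VBA_INDICATORS = [
    # Event handlers that fire as soon as the document is opened (no user click).
    ("autoexec", re.compile(r"\b(?:Document_Open|AutoOpen|Auto_Open)\b", re.I)),
    # Base64 decoding via the MSXML idiom (DataType = "bin.base64") or .NET interop.
    ("base64_decode", re.compile(r"bin\.base64|FromBase64String", re.I)),
    # A payload blob read out of a form control, e.g. UserForm1.bodf90.Text.
    ("userform_blob", re.compile(r"\bUserForm\w*\.\w+\.(?:Text|Value|Caption)\b", re.I)),
    # Dropping into the world-writable Public profile.
    ("public_drop", re.compile(r"C:\\Users\\Public\\", re.I)),
    # Direct Win32 process creation instead of Shell() or WScript.Shell.
    ("createprocess", re.compile(
        r'Declare\s+(?:PtrSafe\s+)?Function\s+CreateProcessA?\s+Lib\s+"kernel32"', re.I)),
]

# The chain that separates a dropper from a macro that merely runs on open.
DROPPER_CHAIN = {"autoexec", "base64_decode", "createprocess"}


def scan_vba(source: str) -> dict:
    """Return the matched indicator names (in table order) and a verdict for one module."""
    hits = [name for name, rx in VBA_INDICATORS if rx.search(source)]
    if DROPPER_CHAIN <= set(hits):
        verdict = "dropper"
    elif len(hits) >= 2:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"hits": hits, "verdict": verdict}


# Constructed sample in the shape the article describes (a sketch, not the real macro).
DROPPER_VBA = r'''
Private Declare PtrSafe Function CreateProcessA Lib "kernel32" ( _
    ByVal lpApplicationName As String, ByVal lpCommandLine As String, _
    ByVal lpProcessAttributes As LongPtr, ByVal lpThreadAttributes As LongPtr, _
    ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, _
    ByVal lpEnvironment As LongPtr, ByVal lpCurrentDirectory As String, _
    lpStartupInfo As Any, lpProcessInformation As Any) As Long

Private Sub Document_Open()
    Dim xml As Object, node As Object, path As String
    Set xml = CreateObject("MSXML2.DOMDocument")
    Set node = xml.createElement("b64")
    node.DataType = "bin.base64"
    node.Text = UserForm1.bodf90.Text        ' Base64 payload hidden in a form control
    path = "C:\Users\Public\ui.txt"
    Open path For Binary As #1
    Put #1, , node.nodeTypedValue
    Close #1
    CreateProcessA vbNullString, path, 0, 0, 0, 0, 0, vbNullString, si, pi
End Sub
'''

# Constructed benign sample: runs on open too, but decodes and launches nothing.
BENIGN_VBA = r'''
Private Sub Document_Open()
    Application.StatusBar = "Seminar agenda loaded"
End Sub

Sub FormatAgenda()
    ActiveDocument.Tables(1).Style = "Table Grid"
End Sub
'''

if __name__ == "__main__":
    print("dropper sample:", scan_vba(DROPPER_VBA))
    print("benign sample: ", scan_vba(BENIGN_VBA))
```

The verdict is keyed on the chain rather than on any single indicator: Document_Open on its own is common in legitimate templates, so the benign sample scores one hit and stays "benign", while the dropper sample matches all five.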
UDPGangster establishes persistence through Windows Registry modifications and includes a number of anti-analysis checks to resist efforts by security researchers to take it apart. This includes -

Only after these checks are satisfied does UDPGangster proceed to gather system information and connect to an external server ("157.20.182[.]75") over UDP port 1269, through which it exfiltrates the collected data, runs commands using "cmd.exe," transmits files, updates the C2 server, and drops and executes additional payloads.

"UDPGangster uses macro-based droppers for initial access and incorporates extensive anti-analysis routines to evade detection," Lin said. "Users and organizations should remain cautious of unsolicited documents, particularly those requesting macro activation."

The development comes days after ESET attributed to the same threat actor attacks in Israel spanning the academia, engineering, local government, manufacturing, technology, transportation, and utilities sectors, which delivered another backdoor referred to as MuddyViper.
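The UDP C2 channel described above, as an added detection example that is not part of the article or of FortiGuard's research: the Python below reads Zeek conn.log rows (a constructed subset of the columns, not a real capture), keeps UDP flows to external hosts on ports Zeek could not map to a known service, and flags source/destination/port triples that recur at a steady interval, which is how a backdoor polling its server over UDP shows up in flow data. The address 203.0.113.45 in the sample is a documentation-range stand-in for the C2; port 1269 comes from the article; the internal ranges, thresholds, timestamps and column subset are assumptions.

```python
import ipaddress
import statistics

# Subset of Zeek conn.log columns used here; the constructed rows below follow this order.
CONN_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
               "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state"]

# Assumed internal ranges; adjust to the monitored network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_conn(lines):
    """Yield one dict per data row; Zeek TSV header lines start with '#'."""
    for line in lines:
        if not line or line.startswith("#"):
            continue
        yield dict(zip(CONN_FIELDS, line.split("\t")))


def find_udp_beacons(lines, min_flows=4, max_jitter=0.2):
    """Flag (orig, resp, port) triples with at least min_flows UDP flows to an
    external host on an unclassified port whose inter-arrival times are regular
    (population stddev / mean <= max_jitter)."""
    by_peer = {}
    for rec in parse_conn(lines):
        # '-' is Zeek's unset marker: no protocol analyzer recognised the traffic.
        if rec["proto"] != "udp" or rec["service"] != "-":
            continue
        if is_internal(rec["id.resp_h"]):
            continue
        key = (rec["id.orig_h"], rec["id.resp_h"], int(rec["id.resp_p"]))
        by_peer.setdefault(key, []).append(float(rec["ts"]))
    findings = []
    for (orig, resp, port), stamps in by_peer.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
        if jitter <= max_jitter:
            findings.append({"orig": orig, "resp": resp, "port": port,
                             "flows": len(stamps), "interval_s": round(mean, 1),
                             "jitter": round(jitter, 3)})
    return findings


# Constructed rows (ts, uid, orig_h, orig_p, resp_h, resp_p, proto, service, dur, ob, rb, state).
_ROWS = [
    # Beacon: five flows to the stand-in C2 on UDP/1269, roughly every 60 s.
    ("1762000000.0", "C1", "10.0.0.23", "51001", "203.0.113.45", "1269", "udp", "-", "0.1", "96", "64", "SF"),
    ("1762000060.0", "C2", "10.0.0.23", "51002", "203.0.113.45", "1269", "udp", "-", "0.1", "96", "64", "SF"),
    ("1762000121.0", "C3", "10.0.0.23", "51003", "203.0.113.45", "1269", "udp", "-", "0.1", "96", "64", "SF"),
    ("1762000180.0", "C4", "10.0.0.23", "51004", "203.0.113.45", "1269", "udp", "-", "0.1", "96", "64", "SF"),
    ("1762000240.0", "C5", "10.0.0.23", "51005", "203.0.113.45", "1269", "udp", "-", "0.1", "96", "64", "SF"),
    # Internal DNS: skipped as internal and as a classified service.
    ("1762000001.0", "C6", "10.0.0.23", "53011", "10.0.0.2", "53", "udp", "dns", "0.0", "40", "120", "SF"),
    ("1762000061.0", "C7", "10.0.0.23", "53012", "10.0.0.2", "53", "udp", "dns", "0.0", "40", "120", "SF"),
    # External NTP: regular, but Zeek classified it, so it is not a candidate.
    ("1762000010.0", "C8", "10.0.0.23", "123", "203.0.113.9", "123", "udp", "ntp", "0.0", "48", "48", "SF"),
    ("1762000070.0", "C9", "10.0.0.23", "123", "203.0.113.9", "123", "udp", "ntp", "0.0", "48", "48", "SF"),
    ("1762000130.0", "C10", "10.0.0.23", "123", "203.0.113.9", "123", "udp", "ntp", "0.0", "48", "48", "SF"),
    ("1762000190.0", "C11", "10.0.0.23", "123", "203.0.113.9", "123", "udp", "ntp", "0.0", "48", "48", "SF"),
    # Two stray datagrams: below the flow threshold.
    ("1762000005.0", "C12", "10.0.0.23", "40000", "198.51.100.7", "5000", "udp", "-", "0.0", "30", "0", "S0"),
    ("1762000900.0", "C13", "10.0.0.23", "40001", "198.51.100.7", "5000", "udp", "-", "0.0", "30", "0", "S0"),
    # Four flows from another host at irregular intervals: fails the jitter check.
    ("1762000000.0", "C14", "10.0.0.41", "60000", "198.51.100.8", "7000", "udp", "-", "0.0", "30", "0", "S0"),
    ("1762000005.0", "C15", "10.0.0.41", "60001", "198.51.100.8", "7000", "udp", "-", "0.0", "30", "0", "S0"),
    ("1762000300.0", "C16", "10.0.0.41", "60002", "198.51.100.8", "7000", "udp", "-", "0.0", "30", "0", "S0"),
    ("1762000330.0", "C17", "10.0.0.41", "60003", "198.51.100.8", "7000", "udp", "-", "0.0", "30", "0", "S0"),
]
SAMPLE_CONN_LOG = "\n".join("\t".join(r) for r in _ROWS)

if __name__ == "__main__":
    for f in find_udp_beacons(SAMPLE_CONN_LOG.splitlines()):
        print(f)
```

Only the 203.0.113.45:1269 triple survives: it is external, unclassified, has five flows and an interval of 60 s with about 1% jitter. In a real hunt the published address would also be matched directly as an IOC; the regularity check is there for the next sample whose server differs.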
Daily Brief Summary
Iranian hacking group MuddyWater is deploying a new backdoor, UDPGangster, targeting users in Turkey, Israel, and Azerbaijan, according to Fortinet FortiGuard Labs.
UDPGangster uses the User Datagram Protocol (UDP) for command-and-control, enabling remote control, file exfiltration, and additional payload deployment.
Attackers employ spear-phishing tactics, distributing malicious Microsoft Word documents that activate payloads when macros are enabled.
Some of the phishing messages impersonate the Turkish Republic of Northern Cyprus Ministry of Foreign Affairs, inviting recipients to a fake online seminar.
The malicious payload establishes persistence via Windows Registry changes and uses anti-analysis checks to evade security research efforts.
UDPGangster communicates with an external server over UDP port 1269 to exfiltrate collected data, run commands via cmd.exe, transfer files, and drop and execute additional payloads.
Organizations are advised to be vigilant against unsolicited documents, especially those requesting macro activation, to mitigate potential risks.