Iran-Linked Hackers Deploy New MuddyViper Backdoor
Targeted Sectors
· Government
· Defense
· Technology organizations
Countries
· Israel
· US
· Taiwan
· South Korea
BLUF
An Iran-linked state-sponsored group is using new malware, including the "MuddyViper" backdoor and various infostealers (VAXOne, CE-Notes, Blub, LP-Notes), in targeted attacks against Israeli sectors to steal sensitive credentials and data.
Date of First Reported Activity
· New activity reported on December 2, 2025
o The actor is likely a known, persistent threat.
Date of Last Reported Activity Update
· December 2, 2025
APT Names
· Appears to be linked to known Iranian APTs, potentially APT33 or similar.
Associated Criminal Organization Names
· N/A (state-sponsored)
IOCs
· Malware Variants/Files
o VAXOne
o CE-Notes
o Blub
o LP-Notes
o MuddyViper backdoor
· Deceptive Executables
o Impersonates Veeam
o AnyDesk
o Xerox
o OneDrive updater services
TTPs:
· T1025 Drive-by Compromise
o Tricking users with fake prompts.
· T1071.001 Application Layer Protocol: Web Protocols
o Malware maintains persistent connection to attacker infrastructure.
· T1083 File and Directory Discovery
o Gathers user data from browsers
· Chrome
· Edge
· Firefox
· Opera
· T1555.001 Credential from Password Stores
o Keychain/Credential Research API: steals encryption keys/logins from browsers.
Malware Names
MuddyViper (backdoor)
VAXOne
CE-Notes
Blub
LP-Notes (infostealers)
Malware Sample
The hashes are dynamic; the one provided here is for behavioral review only.
Muddy Viper
· 795db7bdad1befdd3ad942be79715f6b0c5083d859901b81657b590c9628790f
SHA256 URL
hxxps://www.virustotal.com/gui/file/795db7bdad1befdd3ad942be79715f6b0c5083d859901b81657b590c9628790f
CVEs and CVSS Vectors (3.1 & 4.0)
· None specified
Nessus ID
· Nothing applicable at this time
Suggested Rules / Potential Hunts
Suggested Suricata Rules
Monitor for known C2 IP addresses associated with Iranian threat actors or unusual data exfiltration from government/defense systems.
Suggested Sentinel Rules
Implement rules that flag processes attempting to access and exfiltrate browser encryption keys or impersonate known software like AnyDesk/Veeam.
Suggested Splunk Hunts
Search logs for file modifications related to browser Local State files or instances of chrome.exe/firefox.exe communicating with suspicious external IPs.
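The following is an added hunt example, not part of the original report: it runs over constructed Sysmon-style events (field names Image, TargetFilename and OriginalFileName are assumed) and flags the two behaviors the Sentinel and Splunk suggestions above describe, a non-browser process touching a browser credential store and an executable named after AnyDesk/Veeam/Xerox/OneDrive that runs from a user-writable path or whose embedded original filename disagrees with its name.

```python
import json
import re

# Browser credential stores the report says the infostealers harvest.
BROWSER_STORES = re.compile(r"\\(Local State|Login Data|key4\.db|logins\.json)$", re.I)
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "opera.exe"}
# Software names the report says the deceptive executables impersonate.
IMPERSONATED = ("anydesk", "veeam", "xerox", "onedrive")
# Assumed install roots; tune to the environment's software inventory.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

def image_name(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Return alert labels for one event dict (empty list if benign)."""
    alerts = []
    img = ev.get("Image", "")
    name = image_name(img)
    # (1) a non-browser process touching a browser credential store
    if BROWSER_STORES.search(ev.get("TargetFilename", "")) and name not in BROWSER_IMAGES:
        alerts.append("browser-store-access")
    # (2) a binary named after AnyDesk/Veeam/Xerox/OneDrive that runs from a
    #     user-writable path or whose PE OriginalFileName disagrees with its name
    for word in IMPERSONATED:
        if word in name:
            if not img.lower().startswith(TRUSTED_DIRS):
                alerts.append("masquerade-untrusted-path")
            orig = ev.get("OriginalFileName", "").lower()
            if orig and word not in orig:
                alerts.append("masquerade-name-mismatch")
    return alerts

def hunt(lines):
    """Parse JSON lines and return {line_no: alerts} for lines that fire."""
    hits = {}
    for no, line in enumerate(lines, 1):
        alerts = check_event(json.loads(line))
        if alerts:
            hits[no] = alerts
    return hits

# Constructed sample telemetry (not real events); hypothetical user and paths.
SAMPLE_LOG = [json.dumps(e) for e in (
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Local State"},
    {"Image": r"C:\Users\u\AppData\Local\Temp\Fooder.exe",
     "TargetFilename": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Local State"},
    {"Image": r"C:\Users\u\Downloads\AnyDesk.exe", "OriginalFileName": "updater.exe"},
    {"Image": r"C:\Program Files\AnyDesk\AnyDesk.exe", "OriginalFileName": "AnyDesk.exe"},
)]

if __name__ == "__main__":
    print(hunt(SAMPLE_LOG))
```

Only the second and third constructed events fire; the legitimate browser and the properly installed AnyDesk stay silent.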
Delivery Method
Potentially phishing, leading to the installation of deceptive software (fake updates/tools).
Email Samples
The emails used to deliver the MuddyViper backdoor generally follow these patterns, often implying a critical business need or an internal update:
Potential Email Sample (Impersonating IT/Internal Update)
This email style is designed to look like an official, internal communication requiring an action from the user.
· From
o IT Department <it.support@[compromised-org].com>
· Subject
o Urgent: New VPN Gateway Configuration Update Required
· Body
Dear Employee,
Our organization has recently updated the security protocols for the remote access VPN gateway. All employees are required to configure the new access rules by the end of the day today, December 2, 2025, to maintain seamless access to internal resources.
Please follow the instructions in the attached document to implement the necessary changes. The document provides step-by-step instructions.
Thank you for your cooperation in maintaining our network security.
Best regards,
IT Security Team
· Attachment
o VPN_Gateway_Rules_and_Instructions.doc (Malicious document with macros, or a ZIP/IMG archive containing the Fooder loader)
Potential Email Sample (Impersonating a Financial/HR Matter)
This type of email uses a pay-related social engineering lure to create urgency.
· From
o Payroll & Compensation <salary@[compromised-org].com>
· Subject
o Important Information Regarding Your December Compensation
· Body
Dear [Employee Name],
Please review the attached document regarding an update to your compensation structure, effective this pay period. We require you to verify the details before the payroll run.
The document is password protected for security reasons. Please use your standard network password to access the file.
[Link to file hosted on a compromised file-sharing site like OneHub, Egnyte, or Sync]
Thank you,
Human Resources
Key Red Flags to Watch For
· The actual delivery mechanism involves the user downloading and executing a file (often a loader named Fooder which might be disguised as a "Snake game" executable or a legitimate software installer).
· Sense of Urgency: The emails often pressure the victim to act quickly to avoid negative consequences (e.g., losing network access, missing a payment).
· Malicious Attachments/Links: They contain unexpected attachments (like .doc files requiring macros to "view content") or links to external file-sharing sites that host the malware payload.
· Spoofed Sender: The emails come from seemingly legitimate internal or government email addresses, sometimes from a previously compromised mailbox.
References
The Hacker News
Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks
· hxxps://thehackernews.com/2025/12/iran-linked-hackers-hits-israeli_2.html
RedNovember Targets Government, Defense, and Technology Organizations (related regional/sector targeting info)
· hxxps://www.recordedfuture.com/research/rednovember-targets-government-defense-and-technology-organizations
VirusTotal
· hxxps://www.virustotal.com/gui/file/795db7bdad1befdd3ad942be79715f6b0c5083d859901b81657b590c9628790f