Stealthy Spies: MuddyWater Deploys UDPGangster to Evade Network Defenses
The Iranian threat group MuddyWater has intensified its cyber-espionage operations with the deployment of a new malicious program known as UDPGangster. According to Fortinet’s FortiGuard Labs, the attacks targeted Turkey, Israel, and Azerbaijan. The campaign sought to establish covert control over compromised systems via the UDP protocol—a tactic that helped the attackers evade corporate network defenses.
Initial access was achieved through phishing emails carrying counterfeit Microsoft Word documents. In several messages, the attackers impersonated the Ministry of Foreign Affairs of the Turkish Republic of Northern Cyprus and referred to a fictitious online seminar on presidential elections. The attachments contained an archive and a standalone Word file prompting recipients to enable macros. Once activated, an embedded script executed silently, disguising its malicious activity as a Hebrew-language notice from the Israeli telecom provider Bezeq about purported service outages.
The script launched automatically upon opening the document, decoded concealed data, and stored it in a system directory before initiating the execution of UDPGangster’s core component. This tool established persistence by modifying Registry parameters and conducted a series of environment checks to evade analysis. The malware examined CPU configuration, RAM capacity, network adapter settings, the system’s domain or workgroup, and signs of virtual machines or debugging tools. Only after confirming that the environment was safe for activation did it proceed to collect system information.
Once the checks were complete, UDPGangster connected to a remote server via a UDP channel on port 1269. Through this link, it transmitted gathered data, executed system commands, exfiltrated files, and downloaded additional payloads. According to Fortinet analysts, the use of macros and the choice of UDP as a command-and-control channel were pivotal in allowing the malware to remain undetected for an extended period.
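A defender-side illustration, added here and not part of Fortinet's report: a small flow-log heuristic that surfaces hosts repeatedly sending UDP to an uncommon port such as 1269 at near-constant intervals, the beaconing pattern a UDP command-and-control channel tends to leave in NetFlow data. The records, addresses, port allow-list and thresholds below are constructed assumptions.

```python
"""Flow-log heuristic for beacon-like outbound UDP to uncommon ports.
Constructed example: records, addresses and thresholds are made up."""
from collections import defaultdict
from statistics import mean, pstdev

# UDP ports with legitimate periodic traffic; tune to your environment (assumption).
COMMON_UDP_PORTS = {53, 67, 68, 123, 137, 138, 161, 443, 500, 1900, 3478, 4500, 5353}

# Constructed NetFlow-style records: (epoch_seconds, src_ip, dst_ip, proto, dst_port, bytes)
SAMPLE_FLOWS = [
    (0,   "10.0.0.5", "203.0.113.7",   "udp", 1269, 412),   # regular ~60 s beacon
    (61,  "10.0.0.5", "203.0.113.7",   "udp", 1269, 398),
    (120, "10.0.0.5", "203.0.113.7",   "udp", 1269, 420),
    (181, "10.0.0.5", "203.0.113.7",   "udp", 1269, 405),
    (240, "10.0.0.5", "203.0.113.7",   "udp", 1269, 1832),
    (5,   "10.0.0.5", "10.0.0.2",      "udp", 53,   80),    # DNS: excluded by port
    (65,  "10.0.0.5", "10.0.0.2",      "udp", 53,   82),
    (125, "10.0.0.5", "10.0.0.2",      "udp", 53,   79),
    (185, "10.0.0.5", "10.0.0.2",      "udp", 53,   81),
    (12,  "10.0.0.9", "198.51.100.4",  "udp", 1269, 300),   # only two flows: below threshold
    (900, "10.0.0.9", "198.51.100.4",  "udp", 1269, 310),
    (3,   "10.0.0.9", "93.184.216.34", "tcp", 443,  5200),  # TCP ignored by this rule
    (7,   "10.0.0.9", "93.184.216.34", "tcp", 443,  4100),
]

def find_udp_beacons(flows, min_flows=4, max_jitter=0.3):
    """Return (src, dst, port) groups whose UDP flows to a non-standard port
    recur with near-constant spacing. max_jitter bounds the coefficient of
    variation (stdev / mean) of the gaps between consecutive flows."""
    times = defaultdict(list)
    for ts, src, dst, proto, port, _ in flows:
        if proto == "udp" and port not in COMMON_UDP_PORTS:
            times[(src, dst, port)].append(ts)
    alerts = []
    for (src, dst, port), stamps in times.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            alerts.append({"src": src, "dst": dst, "port": port,
                           "flows": len(stamps), "interval_s": round(avg, 1)})
    return alerts

def run_sample():
    """Run the heuristic over the constructed flows; expect one alert."""
    return find_udp_beacons(SAMPLE_FLOWS)

if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT {a['src']} -> {a['dst']}:{a['port']}/udp "
              f"every ~{a['interval_s']}s ({a['flows']} flows)")
```

On real data the allow-list and jitter threshold need tuning per environment, and the same grouping can be extended with byte-count spikes (the larger final flow above) to hint at exfiltration or payload retrieval over the channel.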
It was also reported that shortly before this campaign, ESET had linked MuddyWater to attacks on Israeli organizations across multiple sectors that employed a different malicious tool known as MuddyViper.