MuddyWater Targets Turkey, Israel, and Azerbaijan with UDPGangster Backdoor

  • Dec 8, 2025
  • 2 min read

Key Findings


  • The Iranian hacking group known as MuddyWater has been observed deploying a new backdoor called UDPGangster that uses the User Datagram Protocol (UDP) for command-and-control (C2) communication.

  • The cyber espionage activity targeted users in Turkey, Israel, and Azerbaijan.

  • The attack chain involves using spear-phishing tactics to distribute booby-trapped Microsoft Word documents that trigger the execution of a malicious payload once macros are enabled.

  • UDPGangster establishes persistence through Windows Registry modifications and performs extensive anti-analysis checks to evade detection.

  • The backdoor grants attackers comprehensive control over the victim's machine, including remote command execution, file exfiltration, and C2 server updates.


Background


The development comes days after ESET attributed to the same threat actor a series of attacks in Israel spanning the academia, engineering, local government, manufacturing, technology, transportation, and utilities sectors, which delivered another backdoor referred to as MuddyViper.


Infection Chain


  • The infection chain begins with a highly targeted spear-phishing email impersonating the "Turkish Republic of Northern Cyprus Ministry of Foreign Affairs".

  • The message, written in formal Turkish, invites recipients to an online seminar titled "Presidential Elections and Results".

  • Attached is a malicious Word document (seminer.doc) embedded with a VBA macro.

  • Once a user enables macros—often prompted by a deceptive warning—the malware executes.

  • Interestingly, researchers noted a geopolitical mismatch in the lures: "Notably, while the phishing email was written in Turkish, the decoy image embedded within the document displayed an image related to Israel."


UDPGangster Backdoor


  • UDPGangster establishes persistence through Windows Registry modifications and includes various anti-analysis checks designed to frustrate reverse engineering by security researchers.

  • These checks include verifying if the process is being debugged, analyzing CPU configurations for sandboxes or virtual machines, and searching for known sandboxing or debugging tools.

  • Once the checks are satisfied, UDPGangster proceeds to gather system information and connects to an external server ("157.20.182[.]75") over UDP port 1269 to exfiltrate collected data, run commands using "cmd.exe," transmit files, update the C2 server, and drop and execute additional payloads.


Threat Actor Attribution


  • The campaign has been linked to MuddyWater (also known as Mango Sandstorm or Static Kitten), a threat group associated with Iran's Ministry of Intelligence and Security (MOIS).

  • The use of shared infrastructure, specific coding patterns, and geopolitical targeting aligns with the group's historical modus operandi.


Sources


  • https://thehackernews.com/2025/12/muddywater-deploys-udpgangster-backdoor.html

  • https://securityonline.info/iran-linked-muddywater-deploys-udpgangster-backdoor-using-udp-protocol-for-covert-c2/

© 2025 by Explain IT Again. Powered and secured by Wix