MuddyWater Deploys UDPGangster Backdoor in Targeted Turkey-Israel-Azerbaijan Campaign

The Hacker News, December 8, 2025
By Ravie Lakshmanan (Network Security / Vulnerability)

The Iranian hacking group known as MuddyWater has been observed leveraging a new backdoor dubbed UDPGangster that uses the User Datagram Protocol (UDP) for command-and-control (C2) purposes.

The cyber espionage activity targeted users in Turkey, Israel, and Azerbaijan, according to a report from Fortinet FortiGuard Labs.

“This malware enables remote control of compromised systems by allowing attackers to execute commands, exfiltrate files, and deploy additional payloads – all communicated through UDP channels designed to evade traditional network defenses,” security researcher Cara Lin said.

The attack chain involves using spear-phishing tactics to distribute booby-trapped Microsoft Word documents that trigger the execution of a malicious payload once macros are enabled. Some of the phishing messages impersonate the Turkish Republic of Northern Cyprus Ministry of Foreign Affairs and purport to invite recipients to an online seminar titled “Presidential Elections and Results.”


Attached to the emails are a ZIP archive (“seminer.zip”) and a Word document (“seminer.doc”); the archive contains the same Word file. When the document is opened, the user is prompted to enable macros, which quietly runs the embedded VBA code.

The dropper's VBA code masks its activity by displaying a Hebrew-language decoy image, purportedly from Israeli telecommunications provider Bezeq, announcing service disconnection periods in various cities during the first week of November 2025.

“The macro uses the Document_Open() event to automatically execute, decoding Base64-encoded data from a hidden form field (UserForm1.bodf90.Text) and writing the decoded content to C:\Users\Public\ui.txt,” Lin explained. “It then executes this file using the Windows API CreateProcessA, launching the UDPGangster payload.”
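As an added illustration (not code from Fortinet or the article), the following Python triage script shows how an analyst can recognise this dropper pattern statically in extracted VBA source and follow the form-control reference into its Base64 contents. The VBA sample, the form-field contents and the MSXML/ADODB decode route are constructed assumptions; only Document_Open, UserForm1.bodf90.Text, the C:\Users\Public\ui.txt path and CreateProcessA come from the article. Pulling the VBA and form data out of the .doc itself is a separate step not shown here.

```python
import base64
import re

# Constructed VBA source modelled on the dropper behaviour the article
# describes (Document_Open auto-run, Base64 read from a hidden form control,
# write to C:\Users\Public, launch through CreateProcessA). It is not the
# real macro: the MSXML/ADODB decode route and variable names are assumptions.
SAMPLE_VBA = r'''
Private Declare PtrSafe Function CreateProcessA Lib "kernel32" ( _
    ByVal lpApplicationName As String, ByVal lpCommandLine As String, _
    ByVal lpProcessAttributes As LongPtr, ByVal lpThreadAttributes As LongPtr, _
    ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, _
    ByVal lpEnvironment As LongPtr, ByVal lpCurrentDirectory As String, _
    ByRef lpStartupInfo As Any, ByRef lpProcessInformation As Any) As Long

Private Sub Document_Open()
    Dim xml As Object, node As Object, stm As Object
    Set xml = CreateObject("MSXML2.DOMDocument")
    Set node = xml.createElement("b64")
    node.DataType = "bin.base64"
    node.Text = UserForm1.bodf90.Text
    Set stm = CreateObject("ADODB.Stream")
    stm.Type = 1: stm.Open: stm.Write node.nodeTypedValue
    stm.SaveToFile "C:\Users\Public\ui.txt", 2
    CreateProcessA vbNullString, "C:\Users\Public\ui.txt", 0, 0, 0, 0, 0, vbNullString, si, pi
End Sub
'''

# Constructed stand-in for the hidden form control: a Base64 blob whose
# decoded bytes start with the PE "MZ" signature (placeholder, not UDPGangster).
SAMPLE_FORM_FIELDS = {
    "UserForm1.bodf90.Text": base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60).decode(),
}

# Each indicator alone can be benign; the combination auto_exec + base64 +
# public_dir_write + process_launch is the dropper chain the article describes.
INDICATORS = [
    ("auto_exec", re.compile(r"\b(Document_Open|AutoOpen|Auto_Open|Workbook_Open)\b", re.I)),
    ("base64_decode", re.compile(r"bin\.base64|ADODB\.Stream", re.I)),
    ("public_dir_write", re.compile(r"C:\\Users\\Public\\", re.I)),
    ("process_launch", re.compile(r"\b(CreateProcess[AW]?|WScript\.Shell|Shell)\b", re.I)),
    ("win32_api_declare", re.compile(r"\bDeclare\b.*\bLib\s+\"kernel32\"", re.I)),
]
DROPPER_CHAIN = {"auto_exec", "base64_decode", "public_dir_write", "process_launch"}

# Form-control properties commonly abused to stash payload data.
FORM_REF = re.compile(r"\b(UserForm\w*\.\w+\.(?:Text|Caption|Tag|ControlTipText|Value))\b")


def scan_vba(source: str) -> dict:
    """Return {indicator_name: sorted list of matched snippets} for hits only."""
    hits = {}
    for name, rx in INDICATORS:
        found = sorted({m.group(0) for m in rx.finditer(source)})
        if found:
            hits[name] = found
    return hits


def carve_form_payloads(source: str, form_fields: dict) -> list:
    """Follow each form-control reference in the macro into the supplied
    control contents, Base64-decode it and note whether it is a PE image."""
    results = []
    for ref in sorted(set(FORM_REF.findall(source))):
        raw = form_fields.get(ref)
        if raw is None:
            results.append({"ref": ref, "decoded": False, "reason": "control not supplied"})
            continue
        try:
            blob = base64.b64decode(raw, validate=True)
        except ValueError:
            results.append({"ref": ref, "decoded": False, "reason": "not valid Base64"})
            continue
        results.append({"ref": ref, "decoded": True, "size": len(blob),
                        "is_pe": blob[:2] == b"MZ"})
    return results


def triage(source: str, form_fields: dict) -> dict:
    """Combine indicator hits and carved payloads into a verdict."""
    hits = scan_vba(source)
    verdict = "dropper-like" if DROPPER_CHAIN <= set(hits) else "inconclusive"
    return {"verdict": verdict, "indicators": hits,
            "payloads": carve_form_payloads(source, form_fields)}


if __name__ == "__main__":
    report = triage(SAMPLE_VBA, SAMPLE_FORM_FIELDS)
    print(report["verdict"])
    for name, found in report["indicators"].items():
        print(f"  {name}: {found}")
    for p in report["payloads"]:
        print(f"  {p}")
```

The verdict deliberately requires the whole chain rather than any single indicator, because Document_Open handlers, ADODB.Stream and Shell calls all occur in legitimate business macros; the PE check on the carved blob is what turns a suspicious macro into a concrete dropper finding.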

UDPGangster establishes persistence through Windows Registry modifications and implements a battery of anti-analysis checks designed to frustrate researchers who try to take it apart. These include:

  • Verifying if the process is being debugged
  • Analyzing CPU configurations for sandboxes or virtual machines
  • Determining if the system has less than 2048 MB of RAM
  • Retrieving network adapter information to validate if the MAC address prefix matches a list of known virtual machine vendors
  • Validating if the computer is part of the default Windows workgroup rather than a joined domain
  • Examining running processes for tools like VBoxService.exe, VBoxTray.exe, vmware.exe, and vmtoolsd.exe
  • Running Registry scans for matches against known virtualization vendor identifiers, such as VBox, VMBox, QEMU, VIRTUAL, VIRTUALBOX, VMWARE, and Xen
  • Searching for known sandboxing or debugging tools, and
  • Ascertaining whether the file is running in an analysis environment
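To turn that checklist into something testable, here is an added Python example (not from the article or Fortinet) that models the listed checks against a description of a host and reports which ones would expose it as an analysis environment; it is meant for auditing a sandbox before samples are detonated in it. The OUI table comes from the public IEEE registry, the 2048 MB threshold from the article; the two-core CPU threshold is an assumption because the article does not say what the CPU check compares, and the two host descriptions are constructed.

```python
import re
from dataclasses import dataclass

# Vendor MAC prefixes (OUIs) from the public IEEE registry that VM-aware
# malware commonly checks; extend with whatever your own sandbox uses.
VM_MAC_PREFIXES = {
    "00:05:69": "VMware", "00:0C:29": "VMware", "00:1C:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox", "00:16:3E": "Xen", "00:15:5D": "Hyper-V",
}
# Registry identifier strings and helper processes named in the article.
VM_REGISTRY_STRINGS = ("VBox", "VMBox", "QEMU", "VIRTUAL", "VIRTUALBOX", "VMWARE", "Xen")
VM_PROCESSES = ("VBoxService.exe", "VBoxTray.exe", "vmware.exe", "vmtoolsd.exe")
MIN_RAM_MB = 2048      # threshold stated in the article
MIN_CPU_CORES = 2      # assumption: the article does not say what the CPU check compares

_REG_PATTERN = re.compile("|".join(re.escape(s) for s in VM_REGISTRY_STRINGS), re.I)


@dataclass
class HostFacts:
    """Snapshot of the attributes the checks look at, collected out of band
    (e.g. systeminfo, Get-NetAdapter, tasklist and reg query on Windows)."""
    ram_mb: int
    cpu_cores: int
    mac_addresses: list
    domain_joined: bool
    processes: list
    registry_values: list      # strings read from BIOS/disk/vendor registry keys
    debugger_present: bool = False


def audit(facts: HostFacts) -> dict:
    """Return {check: reason} for every check that would expose this host as
    an analysis environment; an empty dict means the sample would proceed."""
    fails = {}
    if facts.debugger_present:
        fails["debugger"] = "debugger attached to the process"
    if facts.cpu_cores < MIN_CPU_CORES:
        fails["cpu"] = f"only {facts.cpu_cores} CPU core(s)"
    if facts.ram_mb < MIN_RAM_MB:
        fails["ram"] = f"{facts.ram_mb} MB RAM is below {MIN_RAM_MB} MB"
    for mac in facts.mac_addresses:
        prefix = mac.upper().replace("-", ":")[:8]
        if prefix in VM_MAC_PREFIXES:
            fails["mac"] = f"{mac} carries a {VM_MAC_PREFIXES[prefix]} OUI"
            break
    if not facts.domain_joined:
        fails["workgroup"] = "host is in a workgroup rather than a domain"
    running = {p.lower() for p in facts.processes}
    seen = [p for p in VM_PROCESSES if p.lower() in running]
    if seen:
        fails["processes"] = ", ".join(seen)
    reg_hits = [v for v in facts.registry_values if _REG_PATTERN.search(v)]
    if reg_hits:
        fails["registry"] = "; ".join(reg_hits)
    return fails


# Constructed examples: a stock VirtualBox analysis VM versus one tuned to
# pass the same checks. MAC addresses and registry strings are illustrative.
STOCK_VBOX_VM = HostFacts(
    ram_mb=1024, cpu_cores=1, mac_addresses=["08:00:27:4E:66:A1"], domain_joined=False,
    processes=["explorer.exe", "VBoxService.exe", "VBoxTray.exe", "winword.exe"],
    registry_values=["VBOX HARDDISK", "innotek GmbH", "VirtualBox"],
)
TUNED_VM = HostFacts(
    ram_mb=8192, cpu_cores=4, mac_addresses=["3C:97:0E:12:34:56"], domain_joined=True,
    processes=["explorer.exe", "OneDrive.exe", "winword.exe"],
    registry_values=["ST1000DM003-1CH162", "Dell Inc."],
)

if __name__ == "__main__":
    for name, host in (("stock VirtualBox VM", STOCK_VBOX_VM), ("tuned VM", TUNED_VM)):
        fails = audit(host)
        print(f"{name}: {'would be detected' if fails else 'passes every check'}")
        for check, reason in fails.items():
            print(f"  - {check}: {reason}")
```

The workgroup check is the one most often overlooked when hardening a sandbox: a VM that has plenty of RAM and a spoofed MAC still fails if it was never joined to a domain, so a lab AD domain (or a simulated join) belongs in the baseline alongside the hardware-string cleanup.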

Only after all of these checks pass does UDPGangster gather system information and connect to an external server (“157.20.182[.]75”) over UDP port 1269. Over that channel it exfiltrates the collected data, runs commands via “cmd.exe,” transfers files, updates its C2 server setting, and drops and executes additional payloads.
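The published endpoint and the choice of UDP lend themselves to network detection. As an added example (not the article's or Fortinet's material), the Python below parses a constructed Zeek conn.log excerpt and raises a high-severity alert on the exact C2 endpoint and a medium-severity one on unidentified, long-lived or bulky UDP from internal hosts to external addresses, which is the shape a replacement C2 would take once the actor rotates the IP. The log lines, the UDP port allow-list and the thresholds are constructed and need local tuning; the C2 IP and port are the article's indicator, re-fanged.

```python
import ipaddress

# Indicator from the article (defanged there as 157.20.182[.]75, UDP/1269).
C2_ENDPOINTS = {("157.20.182.75", 1269)}

# UDP ports with noisy legitimate use, excluded from the generic heuristic so
# it concentrates on unidentified UDP. Assumed list; tune for your environment.
COMMON_UDP_PORTS = {53, 67, 68, 123, 137, 138, 161, 443, 500, 514, 1900, 3478, 4500, 5353}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed Zeek conn.log excerpt (tab-separated, a subset of the real
# columns). Internal hosts use RFC 1918 space; 203.0.113.9 is a documentation
# address standing in for an unknown external server.
_HEADER = ("#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
           "\tduration\torig_bytes\tresp_bytes\tconn_state")
_ROWS = [
    ("1764000000.1", "C1", "10.0.0.15", "51234", "157.20.182.75", "1269", "udp", "-", "312.5", "4096", "1880", "SF"),
    ("1764000001.2", "C2", "10.0.0.15", "51235", "10.0.0.2", "53", "udp", "dns", "0.02", "64", "120", "SF"),
    ("1764000002.3", "C3", "10.0.0.22", "60000", "203.0.113.9", "4444", "udp", "-", "600.0", "20480", "9000", "SF"),
    ("1764000003.4", "C4", "10.0.0.22", "123", "10.0.0.2", "123", "udp", "ntp", "0.01", "48", "48", "SF"),
    ("1764000004.5", "C5", "10.0.0.15", "51236", "157.20.182.75", "1269", "udp", "-", "-", "256", "-", "S0"),
    ("1764000005.6", "C6", "10.0.0.15", "51237", "10.0.0.30", "8000", "udp", "-", "900.0", "50000", "50000", "SF"),
]
SAMPLE_CONN_LOG = "\n".join([_HEADER] + ["\t".join(r) for r in _ROWS])


def parse_conn_log(text: str) -> list:
    """Parse Zeek's TSV conn.log: the #fields line names the columns, other
    #-lines are metadata. Unset values are left as Zeek's '-'."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def _num(value: str) -> float:
    """Zeek writes '-' for unset numeric fields (e.g. a one-way UDP flow)."""
    return 0.0 if value in ("-", "") else float(value)


def _is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect(records: list, min_duration: float = 60.0, min_orig_bytes: int = 1024) -> list:
    """Flag UDP flows: exact matches on the published C2 endpoint are high
    severity; long-lived or bulky unidentified UDP from an internal host to
    an external one is medium severity for analyst triage."""
    alerts = []
    for r in records:
        if r["proto"] != "udp":
            continue
        src, dst, dport = r["id.orig_h"], r["id.resp_h"], int(r["id.resp_p"])
        base = {"uid": r["uid"], "src": src, "dst": f"{dst}:{dport}"}
        if (dst, dport) in C2_ENDPOINTS:
            alerts.append({**base, "severity": "high", "reason": "known UDPGangster C2 endpoint"})
        elif (r["service"] == "-" and dport not in COMMON_UDP_PORTS
              and _is_internal(src) and not _is_internal(dst)
              and (_num(r["duration"]) >= min_duration or _num(r["orig_bytes"]) >= min_orig_bytes)):
            alerts.append({**base, "severity": "medium",
                           "reason": "long-lived or bulky unidentified UDP to an external host"})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f"[{a['severity']}] {a['uid']} {a['src']} -> {a['dst']}: {a['reason']}")
```

Note that the one-way flow C5 (conn_state S0, no reply bytes) still matches on the indicator: a beacon to a C2 that is down is exactly the event worth catching. The heuristic deliberately ignores internal-to-internal UDP so that file sharing and media traffic on the LAN do not drown the queue; if your egress already blocks UDP to arbitrary external ports, the medium-severity alerts should instead come from the firewall's deny log.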

“UDPGangster uses macro-based droppers for initial access and incorporates extensive anti-analysis routines to evade detection,” Lin said. “Users and organizations should remain cautious of unsolicited documents, particularly those requesting macro activation.”

The development comes days after ESET attributed to the same threat actor a series of attacks on the academia, engineering, local government, manufacturing, technology, transportation, and utilities sectors in Israel that delivered another backdoor, referred to as MuddyViper.


