A cyberespionage group linked to Iran has been targeting critical infrastructure in Israel and Egypt with a sophisticated phishing campaign that leverages spyware disguised as the classic Snake computer game.
According to new findings from ESET, the threat actor known as MuddyWater, believed to be associated with Iran’s Ministry of Intelligence and Security, conducted the operation from September 2024 through March 2025. The group focused on organizations in Israel’s technology, engineering, local government, education, and manufacturing sectors.
The campaign relied on spear-phishing emails that delivered PDFs containing links to malicious installers hosted on free file-sharing services such as OneHub and Mega. Once opened, the installers deployed a new backdoor called ‘MuddyViper,’ capable of exfiltrating Windows credentials and browser data, collecting system information, transferring files, and executing commands.
To evade detection, MuddyViper was paired with a custom loader named Fooder, which mimics elements of the Snake game. ESET researchers say Fooder reflectively loads the backdoor into memory and delays execution using logic inspired by the game combined with repeated “Sleep” API calls.
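The delay technique described above (repeated Sleep calls before the payload is reflectively loaded) is one that sandbox and EDR telemetry can surface. The following Python script is an added example written for this page, not code from ESET or from the campaign; it scans a constructed, simplified API-call trace and flags processes whose cumulative requested sleep time exceeds a threshold, and notes whether an executable memory allocation followed the stalling. The trace format, the sample lines, and the thresholds are all assumptions made for the example.

```python
"""Heuristic flagging of sleep-based execution delay in an API-call trace.

The trace format and the lines in SAMPLE_TRACE are constructed for this
example; they are not ESET's telemetry and do not reproduce Fooder's or
MuddyViper's real behaviour. The only point taken from the article is that
the loader stalls with repeated Sleep calls before the backdoor runs.
"""
import re
from collections import defaultdict

# Constructed sample trace: one line per API call, "pid=<n> <api>(<args>)".
# pid 4120 stalls for 100 s across five Sleep calls, then allocates RWX memory;
# pid 7788 is a benign process with two short sleeps.
SAMPLE_TRACE = """\
pid=4120 CreateFileW(path=C:\\Users\\u\\installer.exe)
pid=4120 Sleep(ms=20000)
pid=4120 GetTickCount()
pid=4120 Sleep(ms=20000)
pid=4120 GetTickCount()
pid=4120 Sleep(ms=20000)
pid=4120 Sleep(ms=20000)
pid=4120 Sleep(ms=20000)
pid=4120 VirtualAlloc(size=0x4a000,protect=PAGE_EXECUTE_READWRITE)
pid=7788 Sleep(ms=100)
pid=7788 ReadFile(handle=0x1c4)
pid=7788 Sleep(ms=100)
"""

LINE_RE = re.compile(r"^pid=(?P<pid>\d+)\s+(?P<api>\w+)\((?P<args>[^)]*)\)$")
SLEEP_MS_RE = re.compile(r"ms=(\d+)")


def parse_trace(text):
    """Yield (pid, api, args) tuples; lines that do not match the format are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield int(m.group("pid")), m.group("api"), m.group("args")


def sleep_profile(text):
    """Per pid: number of Sleep calls, total requested milliseconds, and whether
    an executable (RWX) allocation was seen after at least one Sleep call."""
    prof = defaultdict(lambda: {"sleep_calls": 0, "sleep_ms": 0, "rwx_alloc_after": False})
    for pid, api, args in parse_trace(text):
        p = prof[pid]
        if api == "Sleep":
            m = SLEEP_MS_RE.search(args)
            if m:
                p["sleep_calls"] += 1
                p["sleep_ms"] += int(m.group(1))
        elif api == "VirtualAlloc" and "PAGE_EXECUTE_READWRITE" in args and p["sleep_calls"] > 0:
            p["rwx_alloc_after"] = True
    return dict(prof)


def flag_stalling(text, min_calls=3, min_total_ms=60_000):
    """Return {pid: profile} for processes whose Sleep calls alone exceed both
    thresholds. Thresholds are arbitrary example values, not tuned to any sample."""
    return {
        pid: p
        for pid, p in sleep_profile(text).items()
        if p["sleep_calls"] >= min_calls and p["sleep_ms"] >= min_total_ms
    }


if __name__ == "__main__":
    for pid, p in flag_stalling(SAMPLE_TRACE).items():
        print(f"pid {pid}: {p['sleep_calls']} Sleep calls totalling {p['sleep_ms']} ms; "
              f"RWX allocation after stall: {p['rwx_alloc_after']}")
```

A heuristic like this only raises a lead, not a verdict: long legitimate waits exist, and a sandbox that shortens or hooks Sleep will see different numbers than a real host. Pairing the stall count with what follows it (here, an RWX allocation, which fits the reflective loading the article describes) is what makes the signal worth triaging.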
After gaining initial access, the hackers deployed several credential-stealing tools, including CE-Notes for Chromium-based browsers, LP-Notes for validating stolen credentials, and Blub, which harvests login data from Chrome, Edge, Firefox, and Opera.
MuddyWater has been active since at least 2017 and continues to expand its operations. The group was previously linked to a widespread phishing operation last October that targeted more than 100 government and international organizations across the Middle East and North Africa.