The Iranian state-linked hacking group MuddyWater has been observed using a new backdoor dubbed ‘UDPGangster,’ which leverages the User Datagram Protocol (UDP) for command-and-control communication, according to Fortinet FortiGuard Labs.
The cyber-espionage activity has primarily targeted users in Turkey, Israel, and Azerbaijan. Researchers say the malware provides full remote control of infected systems, allowing attackers to run commands, steal files, and deploy additional payloads through stealthy UDP channels designed to bypass traditional network defenses.
The operation begins with spear-phishing emails carrying malicious Microsoft Word documents that execute harmful code once macros are enabled. The attachment includes a ZIP file and a Word document containing macro-enabled payloads.
The macro automatically triggers via the Document_Open() event, decodes Base64-encoded data hidden in the form field UserForm1.bodf90.Text, writes it to C:\Users\Public\ui.txt, and then launches the UDPGangster backdoor using the Windows API CreateProcessA.
UDPGangster establishes persistence through Windows Registry modifications and includes multiple anti-analysis mechanisms to hinder detection. After the checks are complete, the malware collects system information and communicates with an external server over UDP port 1269. From there, it can execute system commands via cmd.exe, transfer files, update C2 settings, and drop additional malicious components.
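The chain described above gives a defender three host-side checkpoints (an Office process writing C:\Users\Public\ui.txt, the macro launching a new process via CreateProcessA, and the backdoor running cmd.exe) plus one network checkpoint (repeated UDP traffic to port 1269). The script below is an added example, not code from Fortinet or from the article: it runs those checks over constructed endpoint-event and flow records whose line formats are invented here to resemble Sysmon-style process/file events and NetFlow-style records. The assumption that the launched payload executes from C:\Users\Public is mine; the article names the write path but not the launch path.

```python
import re
from collections import Counter

# Indicators taken from the report.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
DROP_PATH = r"c:\users\public\ui.txt"
C2_UDP_PORT = 1269
# Assumption (not stated in the report): the dropped payload is launched from C:\Users\Public.
PUBLIC_DIR = r"c:\users\public"

# Constructed endpoint events: "<ts> <type> key=value ..." (values may contain spaces).
SAMPLE_ENDPOINT_EVENTS = [
    r"2024-05-01T10:00:01 FileCreate pid=4120 image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE target=C:\Users\Public\ui.txt",
    r"2024-05-01T10:00:02 ProcessCreate pid=4120 image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE child=C:\Users\Public\ui.txt",
    r"2024-05-01T10:00:03 ProcessCreate pid=5200 image=C:\Users\Public\ui.txt child=C:\Windows\System32\cmd.exe",
    r"2024-05-01T10:05:00 FileCreate pid=6010 image=C:\Windows\explorer.exe target=C:\Users\alice\Documents\notes.txt",
]
# Constructed flow records: "<ts> <proto> <src>:<sport> -> <dst>:<dport> bytes=<n>".
SAMPLE_FLOWS = [
    "2024-05-01T10:00:05 UDP 10.0.0.12:49211 -> 203.0.113.5:1269 bytes=96",
    "2024-05-01T10:00:35 UDP 10.0.0.12:49211 -> 203.0.113.5:1269 bytes=96",
    "2024-05-01T10:01:05 UDP 10.0.0.12:49211 -> 203.0.113.5:1269 bytes=118",
    "2024-05-01T10:01:07 UDP 10.0.0.12:52000 -> 10.0.0.1:53 bytes=64",
    "2024-05-01T10:01:09 TCP 10.0.0.14:50123 -> 198.51.100.7:443 bytes=2048",
]

# key=value pairs where a value runs until the next " key=" or end of line.
KV_RE = re.compile(r"(\w+)=(.+?)(?=\s+\w+=|\s*$)")
FLOW_RE = re.compile(r"(\S+) (\w+) (\S+):(\d+) -> (\S+):(\d+) bytes=(\d+)")


def parse_endpoint_event(line):
    ts, kind, rest = line.split(maxsplit=2)
    return {"ts": ts, "type": kind, **dict(KV_RE.findall(rest))}


def parse_flow(line):
    m = FLOW_RE.match(line)
    if not m:
        return None  # malformed record: skip rather than crash the pipeline
    ts, proto, src, sport, dst, dport, nbytes = m.groups()
    return {"ts": ts, "proto": proto, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "bytes": int(nbytes)}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_public_dir(path):
    return path.lower().startswith(PUBLIC_DIR + "\\")


def detect_endpoint(events):
    """Return (rule, ts, pid) for events matching the host-side stages of the chain."""
    alerts = []
    for e in events:
        image = basename(e.get("image", ""))
        if e["type"] == "FileCreate" and image in OFFICE_IMAGES \
                and e.get("target", "").lower() == DROP_PATH:
            alerts.append(("office_writes_drop_path", e["ts"], e["pid"]))
        elif e["type"] == "ProcessCreate" and image in OFFICE_IMAGES \
                and in_public_dir(e.get("child", "")):
            alerts.append(("office_spawns_from_public", e["ts"], e["pid"]))
        elif e["type"] == "ProcessCreate" and in_public_dir(e.get("image", "")) \
                and basename(e.get("child", "")) == "cmd.exe":
            alerts.append(("public_binary_spawns_cmd", e["ts"], e["pid"]))
    return alerts


def detect_udp_beacons(flows, port=C2_UDP_PORT, min_flows=3):
    """Count UDP flows per (src, dst) pair to the C2 port and flag pairs at or above min_flows.

    One datagram to 1269 is weak evidence; repeated short flows from a single host are the signal.
    """
    counts = Counter((f["src"], f["dst"]) for f in flows
                     if f and f["proto"] == "UDP" and f["dport"] == port)
    return {pair: n for pair, n in counts.items() if n >= min_flows}


def run_detections(event_lines, flow_lines):
    events = [parse_endpoint_event(l) for l in event_lines]
    flows = [parse_flow(l) for l in flow_lines]
    return {"endpoint": detect_endpoint(events), "network": detect_udp_beacons(flows)}


if __name__ == "__main__":
    result = run_detections(SAMPLE_ENDPOINT_EVENTS, SAMPLE_FLOWS)
    for rule, ts, pid in result["endpoint"]:
        print(f"{ts} host alert {rule} pid={pid}")
    for (src, dst), n in result["network"].items():
        print(f"network alert: {n} UDP flows {src} -> {dst}:{C2_UDP_PORT}")
```

On the constructed sample the three host rules fire in sequence for the same infection and the network rule flags 10.0.0.12 beaconing to 203.0.113.5. The destination port alone is a brittle indicator, since the article notes the backdoor can update its C2 settings; treat the UDP rule as corroboration for the endpoint rules rather than a standalone detection. Registry persistence is not modelled because the article does not name the keys involved.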
The report follows separate ESET research detailing MuddyWater targeting critical infrastructure in Israel and Egypt with a sophisticated phishing campaign that leverages spyware disguised as the classic Snake computer game.