A sophisticated new malware campaign attributed to the Iranian-linked threat group MuddyWater has been discovered targeting government and critical infrastructure entities across Turkey, Israel, and Azerbaijan. A new report from FortiGuard Labs details the deployment of “UDPGangster,” a custom backdoor designed to evade traditional network defenses by communicating exclusively over the User Datagram Protocol (UDP).
The infection chain begins with a highly targeted spear-phishing email impersonating the “Turkish Republic of Northern Cyprus Ministry of Foreign Affairs”. The message, written in formal Turkish, invites recipients to an online seminar titled “Presidential Elections and Results”.
Attached is a malicious Word document (seminer.doc) embedded with a VBA macro. Once a user enables macros—often prompted by a deceptive warning—the malware executes. Interestingly, researchers noted a geopolitical mismatch in the lures: “Notably, while the phishing email was written in Turkish, the decoy image embedded within the document displayed an image related to Israel.”
UDPGangster is engineered for stealth. Unlike typical malware that uses HTTP/HTTPS for command and control (C2), this backdoor “enables remote control… all communicated through UDP channels designed to evade traditional network defenses”. In practice that means the traffic never passes through the web proxy or TLS-inspection layer most enterprises depend on for C2 detection. It is not invisible, though: outbound UDP still shows up in firewall and flow telemetry, and an egress policy that only permits UDP to known services (DNS, NTP, VPN) would simply refuse it.
Once executed, the malware performs a series of rigorous anti-analysis checks to determine if it is running in a sandbox or virtual machine. It checks for:
- Debugger presence: Querying Windows APIs for an attached debugger before doing anything else.
- Hardware specs: Verifying CPU core count and RAM size (less than 2 GB of RAM or a single-core CPU triggers self-termination).
- Virtualization artifacts: Scanning network adapter MAC address prefixes (vendor OUIs) and registry keys associated with VMware, VirtualBox, and Xen.
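The checks above matter to defenders as much as to the malware: a stock sandbox with 1 GB of RAM, one vCPU and a VirtualBox MAC address will never see the backdoor run. The following is an added example (not FortiGuard's or the sample's code) that scores an analysis-VM profile against the gates the report describes; the MAC OUI prefixes are public IEEE vendor assignments, while the specific registry keys are an assumption, since the report only names the vendors probed.

```python
"""Check whether an analysis VM would survive UDPGangster's anti-analysis
gates (debugger, RAM, core count, hypervisor MAC OUIs, hypervisor registry
keys). Added example, not FortiGuard's or the malware's code. The registry
keys below are assumed; the report only names the vendors being probed."""
from dataclasses import dataclass

# Thresholds reported for the sample: under 2 GB RAM or a single core -> exit.
MIN_RAM_BYTES = 2 * 1024**3
MIN_CORES = 2

# MAC OUI prefixes registered to hypervisor vendors (public IEEE assignments).
VM_MAC_OUIS = {
    "00:05:69": "VMware", "00:0C:29": "VMware",
    "00:1C:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:16:3E": "Xen",
}

# Guest-tooling keys commonly probed by VM-aware malware (assumed set, lower-cased).
VM_REGISTRY_KEYS = {
    r"hklm\software\vmware, inc.\vmware tools": "VMware",
    r"hklm\software\oracle\virtualbox guest additions": "VirtualBox",
    r"hklm\hardware\acpi\dsdt\vbox__": "VirtualBox",
    r"hklm\hardware\acpi\dsdt\xen": "Xen",
}


@dataclass
class HostProfile:
    """What the sample can observe about the machine it landed on."""
    ram_bytes: int
    cpu_cores: int
    debugger_attached: bool
    mac_addresses: list
    registry_keys_present: list


def evaluate_profile(p: HostProfile) -> list:
    """Return every reason the sample would refuse to run; empty means it detonates."""
    reasons = []
    if p.debugger_attached:
        reasons.append("debugger attached")
    if p.ram_bytes < MIN_RAM_BYTES:
        reasons.append(f"RAM below 2 GB ({p.ram_bytes // 1024**2} MB)")
    if p.cpu_cores < MIN_CORES:
        reasons.append(f"single-core CPU ({p.cpu_cores} core)")
    for mac in p.mac_addresses:
        oui = mac.upper().replace("-", ":")[:8]   # accept 08-00-27-.. and 08:00:27:..
        vendor = VM_MAC_OUIS.get(oui)
        if vendor:
            reasons.append(f"MAC OUI {oui} is registered to {vendor}")
    for key in p.registry_keys_present:
        vendor = VM_REGISTRY_KEYS.get(key.lower())
        if vendor:
            reasons.append(f"registry key {key} reveals {vendor}")
    return reasons


def would_detonate(p: HostProfile) -> bool:
    """True when none of the anti-analysis gates would fire."""
    return not evaluate_profile(p)


if __name__ == "__main__":
    # Constructed profiles: a stock VirtualBox guest and a hardened analysis VM.
    stock = HostProfile(1024**3, 1, False, ["08:00:27:3A:1B:9C"],
                        [r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"])
    hardened = HostProfile(4 * 1024**3, 4, False, ["02:1A:2B:3C:4D:5E"], [])
    for name, prof in (("stock VirtualBox", stock), ("hardened", hardened)):
        print(name, "->", "detonates" if would_detonate(prof) else evaluate_profile(prof))
```

The fix on the sandbox side is the mirror image of each reason returned: give the VM at least 2 GB and two cores, assign a MAC whose OUI is not a hypervisor vendor's, and remove or rename the guest-tooling keys before detonation. Note that the list is only as complete as the checks the report describes; a sample with additional tricks (timing, CPUID, hostname) would need more gates added here.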
If none of these checks trips, UDPGangster establishes persistence by copying itself to the %AppData%\RoamingLow directory as SystemProc.exe and creating a registry Run key that launches that copy. Both the file path and the Run key value are host-side indicators that can be hunted for across a fleet.
The backdoor grants attackers comprehensive control over the victim’s machine, including:
- Remote Command Execution: Running shell commands via cmd.exe.
- File Exfiltration: Stealing sensitive documents.
- C2 Updates: Dynamically updating its C2 IP address to maintain connection.
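The persistence path above and the UDP-only C2 channel give defenders two independent signals that can be correlated. The following added example (not FortiGuard's code) hunts for both over constructed telemetry: Sysmon Event ID 13 records for a Run key pointing at %AppData%\RoamingLow\SystemProc.exe, and Zeek conn.log style flow records for regularly spaced outbound UDP to a single external host on a port that is not DNS, NTP or QUIC. The site address range, host names, thresholds and log lines are all assumptions made for the example; the conn.log layout is a reduced subset of the real format.

```python
"""Hunt for the two UDPGangster artifacts the report describes:
  1. a Run-key value pointing at %AppData%\\RoamingLow\\SystemProc.exe
     (Sysmon Event ID 13, registry value set), and
  2. regularly spaced outbound UDP to one external host on a non-DNS/NTP/QUIC
     port (Zeek conn.log style flow records).
Added example, not FortiGuard's code. All records are constructed."""
import ipaddress
import re
import statistics
from collections import defaultdict

INTERNAL_NET = ipaddress.ip_network("10.20.0.0/16")   # assumed site range
BENIGN_UDP_PORTS = {53, 123, 443}   # DNS, NTP, QUIC: covered by their own detections
MIN_FLOWS = 5                       # fewer flows cannot establish a period
MAX_JITTER = 0.2                    # stdev/mean of inter-flow gaps

RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
UDPGANGSTER_PATH = re.compile(r"\\AppData\\Roaming\\RoamingLow\\SystemProc\.exe", re.I)

# Constructed Sysmon Event ID 13 records (TargetObject / Details fields only).
SYSMON_EVENTS = [
    {"host": "WS-ANKARA-07", "event_id": 13,
     "target": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\SystemProc",
     "details": r"C:\Users\aylin\AppData\Roaming\RoamingLow\SystemProc.exe"},
    {"host": "WS-ANKARA-12", "event_id": 13,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
]

# Constructed conn.log subset: ts, id.orig_h, id.resp_h, id.resp_p, proto.
CONN_LOG = """\
1700000000.1\t10.20.5.17\t203.0.113.45\t8080\tudp
1700000060.3\t10.20.5.17\t203.0.113.45\t8080\tudp
1700000120.2\t10.20.5.17\t203.0.113.45\t8080\tudp
1700000180.4\t10.20.5.17\t203.0.113.45\t8080\tudp
1700000240.1\t10.20.5.17\t203.0.113.45\t8080\tudp
1700000300.5\t10.20.5.17\t203.0.113.45\t8080\tudp
1700000012.0\t10.20.5.23\t8.8.8.8\t53\tudp
1700000013.0\t10.20.5.23\t8.8.8.8\t53\tudp
1700000005.0\t10.20.5.23\t198.51.100.9\t40123\tudp
1700000009.0\t10.20.5.23\t198.51.100.9\t40123\tudp
1700000400.0\t10.20.5.23\t198.51.100.9\t40123\tudp
1700000420.0\t10.20.5.23\t198.51.100.9\t40123\tudp
1700001900.0\t10.20.5.23\t198.51.100.9\t40123\tudp
1700001901.0\t10.20.5.23\t198.51.100.9\t40123\tudp
1700000030.0\t10.20.5.31\t192.0.2.77\t9000\tudp
1700000090.0\t10.20.5.31\t192.0.2.77\t9000\tudp
1700000150.0\t10.20.5.31\t192.0.2.77\t9000\tudp
1700000040.0\t10.20.5.31\t10.20.0.5\t5353\tudp
"""
IP_TO_HOST = {"10.20.5.17": "WS-ANKARA-07", "10.20.5.23": "WS-ANKARA-12",
              "10.20.5.31": "WS-ANKARA-19"}


def persistence_hits(events):
    """Hosts whose Run key was set to the persistence path from the report."""
    return {e["host"] for e in events
            if e["event_id"] == 13 and RUN_KEY.search(e["target"])
            and UDPGANGSTER_PATH.search(e["details"])}


def udp_beacons(conn_log):
    """{(orig_h, resp_h, resp_p): mean gap in seconds} for periodic external UDP."""
    series = defaultdict(list)
    for line in conn_log.splitlines():
        ts, orig_h, resp_h, resp_p, proto = line.split("\t")
        if (proto != "udp" or int(resp_p) in BENIGN_UDP_PORTS
                or ipaddress.ip_address(resp_h) in INTERNAL_NET):
            continue
        series[(orig_h, resp_h, int(resp_p))].append(float(ts))
    beacons = {}
    for key, stamps in series.items():
        if len(stamps) < MIN_FLOWS:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= MAX_JITTER:
            beacons[key] = round(mean, 1)
    return beacons


def triage(events, conn_log, ip_to_host):
    """Score hosts: 2 for the persistence artifact, 1 per beaconing UDP channel."""
    score = defaultdict(int)
    for host in persistence_hits(events):
        score[host] += 2
    for (orig_h, _, _) in udp_beacons(conn_log):
        score[ip_to_host.get(orig_h, orig_h)] += 1
    return dict(sorted(score.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    print(udp_beacons(CONN_LOG))
    print(triage(SYSMON_EVENTS, CONN_LOG, IP_TO_HOST))
```

In the constructed data only WS-ANKARA-07 surfaces: its six flows to 203.0.113.45:8080 arrive about 60 seconds apart, and the same host carries the Run key. The irregular UDP bursts from WS-ANKARA-12 and the three-flow series from WS-ANKARA-19 are dropped by the jitter and minimum-flow thresholds, which is the point of requiring a period rather than just "UDP to an odd port". Real beacons add jitter deliberately, so MAX_JITTER is a tuning knob, not a constant; the persistence match, by contrast, is exact and cheap, and a hit there justifies a much looser network threshold for that host.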
The campaign has been linked to MuddyWater (also known as Mango Sandstorm or Static Kitten), a threat group associated with Iran’s Ministry of Intelligence and Security (MOIS). The use of shared infrastructure, specific coding patterns, and geopolitical targeting aligns with the group’s historical modus operandi.