MuddyWater Deploys UDPGangster Backdoor in Targeted Turkey-Israel-Azerbaijan Campaign
Briefly

"The cyber espionage activity targeted users in Turkey, Israel, and Azerbaijan, according to a report from Fortinet FortiGuard Labs. "This malware enables remote control of compromised systems by allowing attackers to execute commands, exfiltrate files, and deploy additional payloads - all communicated through UDP channels designed to evade traditional network defenses," security researcher Cara Lin said. The attack chain involves using spear-phishing tactics to distribute booby-trapped Microsoft Word documents that trigger the execution of a malicious payload once macros are enabled."
"Attached along with the emails are a ZIP file ("seminer.zip") and a Word document ("seminer.doc"). The ZIP file also contains the same Word file, opening which users are asked to enable macros to stealthily execute embedded VBA code. For its part, the VBA script in the dropper file is equipped to conceal any sign of malicious activity by displaying a Hebrew-language decoy image from Israeli telecommunications provider Bezeq about supposed disconnection periods in the first week of November 2025 across various cities in the country."
MuddyWater deployed a new backdoor named UDPGangster that carries its command-and-control traffic over UDP to evade network defenses. The campaign targeted users in Turkey, Israel, and Azerbaijan with spear-phishing emails that impersonated official entities and invited recipients to a seminar. The emails carried a ZIP archive ("seminer.zip") and a Word document ("seminer.doc"); opening the document prompts the user to enable macros, which runs the embedded VBA. The VBA decodes Base64 data from UserForm1.bodf90.Text, writes the payload to C:\Users\Public\ui.txt, and launches it via CreateProcessA. UDPGangster establishes persistence through Windows Registry changes and gives the operators remote command execution, file exfiltration, and the ability to deploy additional payloads.
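The delivery chain above leaves two host-side traces a defender can correlate: an Office process spawning an executable out of C:\Users\Public\, and that executable then talking UDP. The following is an added detection example, not code from the Fortinet report or The Hacker News article. It runs over constructed Sysmon-style events (Event ID 1 process-create and Event ID 3 network-connect fields, simplified); the PIDs, addresses and the list of Office host processes are assumptions for illustration, while the drop path and the UDP channel are the details the report gives.

```python
"""
Added detection example (not code from the Fortinet report or The Hacker News
article). Two checks over constructed Sysmon-style events:

  1. an Office application spawning a child whose image lives under
     C:\\Users\\Public\\ (the drop location named in the report);
  2. that same child producing UDP network connections, matching the
     UDP-only C2 channel attributed to UDPGangster.

Field names follow Sysmon Event ID 1 (process create) and ID 3 (network
connect) conventions, simplified. PIDs and IPs are made up; the IPs use
RFC 5737 documentation ranges.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed list of macro-capable Office hosts worth treating as parents.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
PUBLIC_DIR = "c:\\users\\public\\"


@dataclass
class Event:
    event_id: int            # 1 = process create, 3 = network connect
    image: str               # full path of the process
    pid: int
    parent_image: str = ""   # Event ID 1 only
    protocol: str = ""       # Event ID 3 only
    dest_ip: str = ""        # Event ID 3 only


@dataclass
class Alert:
    pid: int
    image: str
    reason: str
    udp_destinations: list[str] = field(default_factory=list)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list[Event]) -> list[Alert]:
    """Return one Alert per suspicious process, in order of first sighting."""
    suspicious: dict[int, Alert] = {}
    for ev in events:
        if ev.event_id == 1:
            # Check 1: Office parent + child image under the public directory.
            if (_basename(ev.parent_image) in OFFICE_HOSTS
                    and ev.image.lower().startswith(PUBLIC_DIR)):
                suspicious[ev.pid] = Alert(
                    pid=ev.pid, image=ev.image,
                    reason="Office app spawned executable from C:\\Users\\Public",
                )
        elif ev.event_id == 3:
            # Check 2: a process already flagged by check 1 now sends UDP.
            alert = suspicious.get(ev.pid)
            if alert is not None and ev.protocol.lower() == "udp":
                alert.udp_destinations.append(ev.dest_ip)
                alert.reason = ("Office-spawned executable from C:\\Users\\Public "
                                "sending UDP traffic (possible UDP-based C2)")
    return list(suspicious.values())


WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"

# Constructed sample telemetry: one malicious chain plus benign noise.
SAMPLE_EVENTS = [
    Event(1, WORD, 4120, parent_image=r"C:\Windows\explorer.exe"),
    Event(1, r"C:\Users\Public\ui.txt", 5288, parent_image=WORD),
    Event(3, r"C:\Users\Public\ui.txt", 5288, protocol="udp", dest_ip="203.0.113.10"),
    Event(3, r"C:\Users\Public\ui.txt", 5288, protocol="udp", dest_ip="203.0.113.10"),
    # Benign: Word itself over TCP, and a normal print-spooler helper child.
    Event(3, WORD, 4120, protocol="tcp", dest_ip="198.51.100.7"),
    Event(1, r"C:\Windows\System32\splwow64.exe", 6012, parent_image=WORD),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"ALERT pid={a.pid} image={a.image}: {a.reason}; "
              f"udp destinations={sorted(set(a.udp_destinations))}")
```

The correlation key is the PID, which is adequate for a short window of events; in production telemetry the Sysmon ProcessGuid is the safer join key because PIDs are reused.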
Read at The Hacker News