This is a defensive tool-intelligence page. It is intended for analyst navigation, source review, and hunt planning. It is not a malware-analysis report and does not contain sample code or binaries.
Summary
- Associated actor(s): MuddyWater
- Tool type(s): Loader and backdoor
- Confidence level(s): Medium
- Source ID(s):
SRC-ESET-MUDDYWATER-SNAKES
Behavior
| Actor | Behavior Summary |
|---|
| MuddyWater | ESET reports Fooder as a MuddyWater loader paired with MuddyViper; reported behavior includes in-memory payload loading, sandbox-delay logic, RMM-assisted access, and post-compromise collection against Israeli and regional critical-infrastructure targets. |
Hash And IOC Status
| Actor | Status | Reference |
|---|
| MuddyWater | Hash not committed; validate ESET IOC availability before IOC-level use. | SRC-ESET-MUDDYWATER-SNAKES |
Hashes and IOCs on this page are source pointers or representative public indicators. They SHOULD be refreshed from the linked source before operational use and MUST NOT be used alone for actor attribution.
Defensive Hunting Notes
| Actor | Hunting Notes |
|---|
| MuddyWater | Hunt lure-to-RMM chains, new SimpleHelp/Atera/Level/PDQ installs outside IT inventory, in-memory loader behavior, sleep/delay loops before payload execution, and unusual cloud-service C2. |
Handling Notes
| Actor | Handling Notes |
|---|
| MuddyWater | Source-backed behavior can drive hunts; sample-level hashes require primary IOC verification. |
Crosslinks
Mapped ATT&CK Techniques For Associated Actor(s)
These detections are mapped through the associated actor or scenario and are not automatically tool-specific. Promote a tool-specific detection only after the behavior is tied to telemetry and test evidence.
These hunts are mapped through the associated actor or scenario and may need narrowing before they are used for this specific tool.
Source Review
If a source publishes a large or frequently changing IOC appendix, keep the current IOC list in the source system or TIP and store only the pointer here.