S9032: MuddyViper
MuddyViper is a custom backdoor written in C and C++ used by MuddyWater for command and control (C2) communications and persistence. MuddyViper is loaded by Fooder and sends frequent messages to the C2 server.[1]
Analyst context for executives and security teams
MuddyViper matters because ATT&CK describes it as a custom Windows backdoor used for command-and-control communications and persistence, loaded by Fooder, with frequent C2 messaging. For leaders, the decision value is not the malware name alone: it is whether Windows endpoint, identity, and network controls can prove visibility into persistence, scripted execution, credential-prompt abuse, tool transfer, encrypted/web C2, collection, and exfiltration over the same C2 channel.
Executive priority
Prioritize MuddyViper as a resilience and readiness validation scenario for Windows environments, especially where espionage-driven intrusion risk is material. Security leaders should ask whether SOC and IR teams can connect endpoint persistence events, suspicious PowerShell/cmd activity, C2 traffic, possible credential capture prompts, archive creation, and outbound data movement into one investigation story. Because ATT&CK provides no official detection text for this object, the priority is evidence quality and control validation rather than assuming existing tools already detect it.
Technical view
ATT&CK lists MuddyViper as Windows malware and relates it to MuddyWater, Fooder loading, C2, persistence, and multiple techniques including Scheduled Task, Registry Run Keys/Startup Folder, Modify Registry, PowerShell, Windows Command Shell, Native API, Reflective Code Loading, Web Protocols, Symmetric Cryptography, Ingress Tool Transfer, Archive Collected Data, Exfiltration Over C2 Channel, Process Discovery, Security Software Discovery, GUI Input Capture, Deobfuscate/Decode Files or Information, and Delay Execution. SOC teams should validate correlation across Windows process creation, PowerShell and command-line logging, scheduled task and registry changes, suspicious memory/code-loading indicators, and outbound web-like encrypted traffic with repeated beaconing or file-transfer characteristics. IR teams should be prepared to preserve host and network evidence because frequent C2 messages and exfiltration over C2 may blur command traffic and data-theft traffic.
Likely telemetry
- Windows process creation and command-line telemetry
- PowerShell execution logs and script block/module logging where available
- Windows Task Scheduler creation, modification, and execution events
- Windows Registry modification telemetry, especially Run keys and persistence-relevant locations
- Endpoint detection telemetry for memory execution, reflective loading, native API use, and fileless behavior
Detection direction
- Do not rely on a single malware signature; ATT&CK does not provide official detection guidance for MuddyViper, so coverage should be behavior-based and tested against the related techniques.
- Correlate persistence changes such as scheduled tasks, Run keys, startup folder entries, and registry modifications with new or unusual binaries, PowerShell, cmd, or C2 connections.
- Tune PowerShell and Windows Command Shell analytics for suspicious execution context, encoded or obfuscated content, unusual parent-child process chains, and follow-on network activity, while accounting for administrative automation false positives.
- Review outbound web-protocol traffic for repeated client-to-server messaging, unusual destinations, encrypted payload patterns, and file-transfer behavior, recognizing that symmetric cryptography and common web protocols can limit content inspection.
- Look for discovery activity that enumerates running processes or security tools, especially when followed by delayed execution, tool transfer, persistence, or network beaconing.
Mitigation priorities
- Harden Windows persistence surfaces by controlling who can create scheduled tasks, modify autorun registry locations, and write to startup folders.
- Restrict and monitor script and command interpreter usage, especially PowerShell and cmd, using least privilege, logging, and execution control appropriate to the environment.
- Strengthen egress controls and proxy/DNS visibility so unusual web-based C2 and tool transfer activity can be investigated and, where appropriate, blocked.
- Maintain endpoint protection and EDR coverage on Windows systems with tamper resistance and visibility into process, registry, scheduled task, memory, and network behaviors.
- Apply least privilege and credential-protection practices to reduce the value of GUI credential capture attempts and limit what captured credentials can access.
Analyst notes and limits
The most important defensive interpretation is the combination of persistence plus C2 plus collection/exfiltration behaviors. The relationship to MuddyWater provides threat-intelligence context, but local prioritization should be based on the organization’s Windows exposure, sector/geography risk model, logging maturity, and ability to investigate C2 and persistence together.
This take is limited to the supplied ATT&CK fields and relationships. The object has no official detection text, no aliases, no object-level tactics, and only Windows is specified as the malware platform. Related techniques list broader platforms, but those should not be treated as MuddyViper platforms without additional evidence.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1678 | Delay Execution | MuddyViper has the ability to sleep for a certain amount of time, with the default being one minute.[1] |
| Enterprise | T1518.001 | Security Software Discovery (sub-technique) | MuddyViper has the ability to check for a specified list of security tools in the compromised environment.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | MuddyViper has the ability to download files from the C2 server. Additionally, MuddyViper has the ability to download a file in chunks with sleep time between each chunk.[1] |
| Enterprise | T1573.001 | Symmetric Cryptography (sub-technique) | MuddyViper has the ability to encrypt C2 communication using AES-CBC via the CNG API, the key `0608101047106453101617106423101013101012101083109710108585106969`, and the initialization vector `0`.[1] |
| Enterprise | T1560 | Archive Collected Data | MuddyViper has archived collected web browser data into a file named CacheDump.zip.[1] |
| Enterprise | T1053.005 | Scheduled Task (sub-technique) | MuddyViper has the ability to establish persistence by creating a scheduled task named ManageOnDriveUpdater to launch itself during system startup.[1] |
| Enterprise | T1057 | Process Discovery | MuddyViper has the ability to collect running processes.[1] |
| Enterprise | T1071.001 | Web Protocols (sub-technique) | MuddyViper has used HTTP GET requests over port 443 with WINHTTP_FLAG_SECURE set (SSL/TLS) via the WinHTTP API.[1] |
| Enterprise | T1106 | Native API | MuddyViper has the ability to relaunch itself using the `CreateProcessW` API.[1] |
| Enterprise | T1112 | Modify Registry | MuddyViper has the ability to clear the Registry values for the Windows Startup folder that were previously set for persistence.[1] |
| Enterprise | T1056.002 | GUI Input Capture (sub-technique) | MuddyViper has displayed a fake Windows Security dialog to gather credentials.[1] |
| Enterprise | T1620 | Reflective Code Loading | MuddyViper has reflectively loaded the decrypted HackBrowserData tool in a new thread.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | MuddyViper has decrypted the embedded HackBrowserData tool prior to execution.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | MuddyViper has uploaded files to the C2 server. Additionally, MuddyViper has the ability to upload a specified file in chunks with sleep time between each chunk.[1] |
| Enterprise | T1059.001 | PowerShell (sub-technique) | MuddyViper has used PowerShell.exe to launch a reverse shell.[1] |
| Enterprise | T1059 | Command and Scripting Interpreter | MuddyViper has launched a reverse shell using a provided command line.[1] |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | MuddyViper has used cmd.exe to launch a reverse shell.[1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique) | MuddyViper has the ability to establish persistence by configuring its installation directory as the Windows Startup folder, setting the following Registry values to `%APPDATALOCAL%\Microsoft\Windows\PPBCompatCache\ManagerCache`: `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup` and `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup`.[1] |
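The two persistence procedures in the table (T1547.001 Startup folder redirection and the T1053.005 scheduled task) are cheap to audit on a single host. The following read-only PowerShell check is an added example, not code from ATT&CK, ESET or the MuddyViper sample; it assumes the Startup folder should resolve to the user's default location, that the task name is exactly as listed above, and that the audit runs in the context of the user whose hive is being inspected.

```powershell
# Added example (not from the ATT&CK page or ESET's report): read-only audit for the two
# MuddyViper persistence artifacts described on this page. Run on the host under review
# in the context of the user account being examined (HKCU is per user).

$findings = @()

# 1. T1547.001: both Explorer "Startup" values should resolve to the user's default Startup
#    folder. Any other path means Explorer will auto-run whatever sits in that directory.
$defaultStartup = [Environment]::GetFolderPath('Startup')
$keys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
)
foreach ($key in $keys) {
    $raw = (Get-ItemProperty -Path $key -Name 'Startup' -ErrorAction SilentlyContinue).Startup
    if (-not $raw) { continue }
    $resolved = [Environment]::ExpandEnvironmentVariables($raw)
    if ($resolved -ne $defaultStartup) {
        $findings += [pscustomobject]@{ Check = 'Startup folder redirected'; Detail = "$key\Startup = $raw" }
        # Record what would be launched from the redirected location (no execution, listing only).
        if (Test-Path -Path $resolved) {
            Get-ChildItem -Path $resolved -Force -ErrorAction SilentlyContinue | ForEach-Object {
                $findings += [pscustomobject]@{ Check = 'File in redirected Startup'; Detail = $_.FullName }
            }
        }
    }
}

# 2. T1053.005: the task name comes from the procedure entry above; the action string tells
#    the analyst which binary the task would start.
$task = Get-ScheduledTask -TaskName 'ManageOnDriveUpdater' -ErrorAction SilentlyContinue
if ($task) {
    $action = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings += [pscustomobject]@{
        Check  = 'Suspicious scheduled task'
        Detail = "$($task.TaskPath)$($task.TaskName) -> $action"
    }
}

if ($findings.Count -eq 0) {
    'No MuddyViper-style persistence artifacts found for this user.'
} else {
    $findings | Format-Table -AutoSize
}
```

Because the page also notes that the malware can clear these registry values again (T1112), an absent redirection does not rule out earlier use; pair this host check with registry and Task Scheduler event telemetry to see what was set and when.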
Groups, software, and campaigns
G0069: MuddyWater
MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).[1] Since at least 2017, MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, finance, defense, and oil and natural gas organizations, in the Middle East (specifically the UAE and Saudi Arabia), Asia, Africa, Europe, and North America. MuddyWater has reused domains dating back to October 2025, and has a preference for NameCheap and Hosterdaddy Private Limited (AS136557). In late 2025 and early 2026, MuddyWater used commercial satellite internet (i.e., Starlink) for command and control (C2) communication. [2][3][4][5][6][7][8][9][10][11][12][13]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 256ec59833f4… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] ESET_MuddyWater_Dec2025: ESET Research. (2025, December 2). MuddyWater: Snakes by the riverbank. Retrieved February 17, 2026.
[2] mitre-attack: MITRE ATT&CK source object S9032 (MuddyViper).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.