
S9033: Fooder

Fooder is a custom 64-bit C/C++ loader used by MuddyWater that can decrypt and reflectively load embedded payloads such as a go-socks5 proxy utility, the open-source HackBrowserData infostealer, or the MuddyViper backdoor. Fooder has frequently masqueraded as an entertainment executable, such as the Snake game (e.g., `Snake_Game.exe`).[1]

Enterprise · S9033 · Malware · Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Fooder matters because it is described as a Windows loader, not just a standalone malware sample. Its value to an intrusion is that it can decrypt and reflectively load embedded payloads, including a proxy utility, an infostealer, or the MuddyViper backdoor, while masquerading as benign entertainment software such as Snake_Game.exe. For leaders, the practical issue is whether endpoint, SOC, and IR processes can detect and investigate memory-loaded payload activity rather than relying only on obvious malicious files on disk.

Executive priority

Prioritize validation of Windows endpoint visibility and incident response readiness for loader-style malware. Fooder’s ATT&CK relationships point to stealth, reflective code loading, token impersonation/theft, native API use, delayed execution, obfuscation, and masquerading. These behaviors can undermine file-centric prevention and slow triage. Executives should ask whether teams can prove collection of process, memory, identity-token, and suspicious executable evidence, and whether IR playbooks cover loaders that may deploy different embedded payloads.

Technical view

Fooder is a custom 64-bit C/C++ Windows loader associated in ATT&CK with MuddyWater. Defensive validation should focus on the linked behaviors: obfuscated or encrypted embedded content, deobfuscation at runtime, reflective code loading, native API interaction, possible token impersonation/theft, delay-based evasion, and masquerading as a legitimate-looking or entertainment executable. SOC teams should not depend on the filename alone; Snake_Game.exe-style naming is useful context, but the higher-value detection work is correlating unusual executable launch, memory allocation/execution patterns, token activity, delayed behavior, and follow-on payload indicators such as proxy, browser data theft, or backdoor execution where locally observable.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry
  • Executable file metadata, path, hash, and reputation context
  • EDR memory and code-loading signals, especially executable memory or reflective loading indicators
  • Windows security events or EDR identity telemetry related to token duplication or impersonation
  • API-level or behavioral telemetry for native Windows API use where available

Detection direction

  • Validate whether detections cover loader behavior, not only known hashes or filenames.
  • Tune for suspicious Windows executables masquerading as benign games or entertainment programs, while accounting for legitimate games and software to reduce false positives.
  • Correlate obfuscation, runtime decoding, reflective loading, and native API behavior in the same process lineage.
  • Review identity telemetry for token impersonation/theft patterns, especially when tied to unusual process ancestry.
  • Account for delayed execution: sandbox or detonation workflows may miss behavior if observation windows are too short.

Mitigation priorities

  • Ensure Windows endpoint protection and EDR policies are deployed to systems where untrusted executables may run.
  • Strengthen application control and software allowlisting where practical, especially for high-risk users and sensitive systems.
  • Limit user privileges and monitor privileged token use to reduce the value of token impersonation/theft behavior.
  • Harden incident response procedures for loader cases: preserve memory, collect process trees, capture suspicious binaries, and investigate follow-on payloads.
  • Improve SOC playbooks for masquerading, obfuscation, reflective loading, and delayed execution rather than relying on static file indicators alone.

Analyst notes and limits

This take is based only on ATT&CK S9033 Fooder fields, the ESET external reference, and supplied relationships. The strongest decision value is in validating coverage for Windows loader tradecraft: encrypted embedded payloads, reflective loading, masquerading, and token-related behavior. MuddyWater is a supplied relationship, but local investigations should avoid asserting attribution from Fooder-like behavior alone.

ATT&CK provides no official detection guidance for Fooder, no object-level tactics, no aliases, and no labels. The relationship descriptions are partial and should be treated as context, not complete procedure documentation. Actual exposure, detection coverage, and business impact depend on the organization’s Windows estate, telemetry retention, endpoint controls, and observed incident evidence.

Official MITRE ATT&CK definition

Fooder

The ATT&CK description for this object is quoted in full at the top of this page.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1027 | Obfuscated Files or Information
Fooder has stored its embedded payload in encrypted form within the binary, using a hardcoded key modified at runtime to produce the AES decryption key.[1]

Enterprise | T1134.001 | Token Impersonation/Theft (sub-technique)
Fooder has used the `DuplicateTokenEx` API to duplicate the token of a specified process, and `CreateProcessAsUserA` to execute its payload.[1]

Enterprise | T1106 | Native API
Fooder has used the WinCrypt API for payload decryption, `DuplicateTokenEx` to duplicate the token of a specified process, and `CreateProcessAsUserA` for payload execution.[1]

Enterprise | T1620 | Reflective Code Loading
Fooder has reflectively loaded a payload into memory.[1]

Enterprise | T1036.005 | Match Legitimate Resource Name or Location (sub-technique)
Fooder has frequently masqueraded as the Snake game, using strings such as “Welcome to snake Game” and mutexes such as “SNAKE_G”.[1]

Enterprise | T1678 | Delay Execution
Fooder has used a custom delay function (`delayExecution(integer)`) and Sleep API calls (`Sleep(integer)`) to slow code execution.[1]

Enterprise | T1140 | Deobfuscate/Decode Files or Information
Fooder has decrypted payloads using the WinCrypt API and the AES key.[1]
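As an added example (not code from the Glexia page, from MITRE, or from the ESET report), the Python below ties the observables in the technique table back to the Detection direction section above: it tags constructed EDR-style events with the technique IDs listed for Fooder and alerts only when several of them converge in one process lineage, so a legitimate game that merely matches the Snake naming and mutex does not fire, and a browser that allocates executable memory on its own does not either. The event schema, the specific WinCrypt functions, the sleep threshold and the alert threshold are assumptions of this example, not facts from the page.

```python
from collections import defaultdict

# Observables taken from the technique table on this page. Which WinCrypt
# functions Fooder calls is not stated there, so that set is an assumption;
# the event schema and thresholds are likewise this example's own.
TOKEN_APIS = {"DuplicateTokenEx", "CreateProcessAsUserA"}            # T1134.001, T1106
WINCRYPT_APIS = {"CryptAcquireContextA", "CryptImportKey", "CryptDecrypt"}  # T1140, T1106
EXEC_PROTECTIONS = {"PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_READ"}    # proxy for T1620
MASQUERADE_MUTEXES = {"SNAKE_G"}                                      # T1036.005
MASQUERADE_STRINGS = {"Welcome to snake Game"}                        # T1036.005
LONG_SLEEP_MS = 30_000          # T1678 threshold (assumption)

STRONG_TECHNIQUES = {"T1620", "T1134.001"}  # at least one memory/identity hit required
MIN_TECHNIQUES = 3              # distinct techniques in one lineage before alerting


def tag_event(ev):
    """Return the set of ATT&CK technique IDs that a single event is evidence for."""
    tags = set()
    kind = ev["kind"]
    if kind == "api":
        if ev["api"] in TOKEN_APIS:
            tags |= {"T1134.001", "T1106"}
        if ev["api"] in WINCRYPT_APIS:
            tags |= {"T1140", "T1106"}
        if ev["api"] == "Sleep" and ev.get("ms", 0) >= LONG_SLEEP_MS:
            tags.add("T1678")
    elif kind == "memory":
        # Private executable memory is only a proxy for reflective loading:
        # JIT engines do the same, which is why one tag never alerts alone.
        if ev.get("protection") in EXEC_PROTECTIONS and ev.get("private"):
            tags.add("T1620")
    elif kind == "mutex" and ev["name"] in MASQUERADE_MUTEXES:
        tags.add("T1036.005")
    elif kind == "string" and ev["value"] in MASQUERADE_STRINGS:
        tags.add("T1036.005")
    return tags


def lineage_roots(events):
    """Map every pid to its top-most ancestor that has a process-creation event."""
    parent = {e["pid"]: e["ppid"] for e in events if e["kind"] == "process"}

    def root(pid):
        seen = set()
        while parent.get(pid) in parent and pid not in seen:
            seen.add(pid)
            pid = parent[pid]
        return pid

    return {pid: root(pid) for pid in {e["pid"] for e in events}}


def correlate(events):
    """Union technique tags per process lineage and alert only on convergence."""
    roots = lineage_roots(events)
    techniques = defaultdict(set)
    images = {e["pid"]: e["image"] for e in events if e["kind"] == "process"}
    for ev in events:
        techniques[roots[ev["pid"]]] |= tag_event(ev)
    alerts = []
    for root_pid, techs in sorted(techniques.items()):
        if len(techs) >= MIN_TECHNIQUES and techs & STRONG_TECHNIQUES:
            alerts.append({"root_pid": root_pid,
                           "image": images.get(root_pid),
                           "techniques": sorted(techs)})
    return alerts


# Constructed sample telemetry (not captured from any real host).
SAMPLE_EVENTS = [
    # A real game: same name and mutex as the lure, but no loader behaviour.
    {"kind": "process", "pid": 100, "ppid": 1, "image": "Snake_Game.exe"},
    {"kind": "mutex", "pid": 100, "name": "SNAKE_G"},
    {"kind": "api", "pid": 100, "api": "Sleep", "ms": 60_000},
    # A browser JIT: executable private memory on its own.
    {"kind": "process", "pid": 300, "ppid": 1, "image": "browser.exe"},
    {"kind": "memory", "pid": 300, "protection": "PAGE_EXECUTE_READWRITE", "private": True},
    # Loader-like lineage: lure strings, delay, decrypt, RWX memory, token use, child process.
    {"kind": "process", "pid": 200, "ppid": 1, "image": "Snake_Game.exe"},
    {"kind": "string", "pid": 200, "value": "Welcome to snake Game"},
    {"kind": "api", "pid": 200, "api": "Sleep", "ms": 120_000},
    {"kind": "api", "pid": 200, "api": "CryptDecrypt"},
    {"kind": "memory", "pid": 200, "protection": "PAGE_EXECUTE_READWRITE", "private": True},
    {"kind": "api", "pid": 200, "api": "DuplicateTokenEx"},
    {"kind": "api", "pid": 200, "api": "CreateProcessAsUserA"},
    {"kind": "process", "pid": 201, "ppid": 200, "image": "payload.exe"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Only the third lineage alerts, because it is the only one in which the cosmetic indicators (name, mutex, string) sit beside decryption, executable memory and token duplication in the same process tree. In a real deployment the event schema would be replaced by the EDR's own process, API, memory and mutex telemetry, and the thresholds tuned against the organization's baseline of legitimate games and JIT-heavy software.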

Associated objects

Groups, software, and campaigns

Group Enterprise

G0069: MuddyWater

MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).[1] Since at least 2017, MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, finance, defense, and oil and natural gas organizations, in the Middle East (specifically the UAE and Saudi Arabia), Asia, Africa, Europe, and North America. MuddyWater has reused domains dating back to October 2025, and has a preference for NameCheap and Hosterdaddy Private Limited (AS136557). In late 2025 and early 2026, MuddyWater used commercial satellite internet (i.e., Starlink) for command and control (C2) communication. [2][3][4][5][6][7][8][9][10][11][12][13]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: b79bf2b6ed372fad...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | b79bf2b6ed37…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] ESET_MuddyWater_Dec2025: ESET Research. (2025, December 2). MuddyWater: Snakes by the riverbank. Retrieved February 17, 2026.
  2. [2] mitre-attack S9033: the mirrored ATT&CK source object for this entry.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.