👤 AUDITWOLF
🗓️ 04 Dec 2025   🌍 Middle-East

Iran’s MuddyWater Hackers Play Snake to Slither Past Israeli Cyber Defenses

Iranian cyber spies reinvent classic video game tricks to launch stealthier attacks on Israeli organizations, signaling a new era of digital deception.

Fast Facts

  • MuddyWater, an Iranian state-linked hacking group, targeted at least 17 Israeli organizations in a recent campaign.
  • The attackers used a malware loader disguised as the retro "Snake" game to evade security detection.
  • The new malware, dubbed "Fooder," delays its malicious actions to outlast automated security scans.
  • MuddyWater’s tactics show a shift toward more sophisticated, quieter attacks - but operational mistakes persist.
  • Targets included universities, engineering firms, utilities, and local governments across Israel.

Game Over? Not Quite - A Classic Comes Back to Haunt

Picture this: a digital snake quietly slithering across a computer’s memory, not for points, but for secrets. This is no childhood pastime - it's the latest ploy from MuddyWater, one of Iran’s most notorious cyber-espionage groups. In their recent assault on Israeli institutions, these hackers have swapped brute force for guile, hiding their malicious code behind the familiar quirks of a 1990s mobile game.

From Clumsy to Cunning: MuddyWater’s Evolution

MuddyWater, also known by the codename TA450, has long been infamous for its messy, sometimes amateurish attacks. Historically, their operations have left obvious footprints - unnecessary files, redundant malware, and a penchant for noisy network activity. Yet, according to ESET researchers, their latest campaign marks a shift. Between September 2023 and March 2024, the group struck 17 Israeli targets, including universities, engineering firms, and critical infrastructure, as well as an Egyptian tech company.

What sets this campaign apart is the introduction of a new malware loader called "Fooder." Instead of launching attacks immediately, Fooder mimics the logic of the old Snake game, using deliberate time delays - much like a game’s looping movement - to hide its true intent. This means automated security tools, which often only watch for a few minutes, may miss the real danger that emerges only after the initial lull.

Retro Games, Modern Threats: The Technical Twist

Malware masquerading as innocent programs is nothing new, but MuddyWater’s use of a Snake-inspired loader is a clever twist. The code even includes a cheeky "Welcome to snake Game" banner, providing plausible deniability and confusing analysts. More importantly, Fooder leverages Windows’ built-in cryptography API (Cryptography API: Next Generation, or CNG) to blend in with legitimate processes - a trick akin to a thief dressing as a janitor to roam unnoticed.

These living-off-the-land tactics, where attackers use built-in system tools rather than custom code, make detection and investigation much harder. Although MuddyWater’s operators still make rookie mistakes - like deploying redundant tools or leaving unnecessary logs - the evolution is clear: stealthier, more persistent, and increasingly creative.

Geopolitics and the Cyber Chessboard

The timing of this campaign is no accident. As tensions between Iran and Israel simmer, cyberspace becomes a shadowy extension of real-world conflict. Attacks like these are not just about stealing data - they’re about psychological warfare, probing defenses, and sending a message. Similar APT (advanced persistent threat) groups, like Russia’s Fancy Bear or China’s APT41, have used comparable tactics to infiltrate adversaries, often learning from each other’s innovations.

For defenders, the lesson is clear: yesterday’s obvious threats are being replaced by subtle, patient adversaries willing to play the long game - literally and figuratively.

MuddyWater’s Snake-inspired gambit is both a nostalgic wink and a warning. As attackers channel childhood games into digital espionage, defenders must up their own game - lest they find themselves outmaneuvered in a contest where the stakes are national security itself.

WIKICROOK

  • Malware Loader: A malware loader is a program that secretly installs other, often more dangerous, malicious software onto a device or network.
  • Living off the Land: Living off the Land means attackers use trusted system tools (LOLBins) for malicious actions, making their activities stealthy and hard to detect.
  • Advanced Persistent Threat (APT): An Advanced Persistent Threat (APT) is a prolonged, targeted cyberattack by skilled groups, often state-backed, aiming to steal data or disrupt operations.
  • Command: A command is an instruction sent to a device or software, often by a command-and-control (C2) server, directing it to perform specific actions, sometimes for malicious purposes.
  • Cryptography API: Next Generation (CNG): CNG is the Windows feature for managing encryption and security, but it can also be misused by hackers to conceal malicious actions.
