What happened
Security researchers at ESET uncovered a new MuddyWater campaign in which the threat actor used a novel loader (dubbed “Fooder”) masquerading as the classic mobile game “Snake.” The loader delays its execution (using game‑style timing loops) to evade detection by automated analysis tools. Once the delay passes, Fooder reflectively loads a previously unknown backdoor called “MuddyViper” directly into memory, avoiding disk writes and standard detection mechanisms.
MuddyViper gives attackers extensive control, allowing them to execute commands, transfer files, exfiltrate data, steal Windows credentials and browser data, and persist in compromised environments.
Who is affected
The campaign, active between September 30, 2024, and March 18, 2025, primarily targeted critical infrastructure and organizations in Israel, as well as at least one confirmed target in Egypt.
In Israel, victims spanned a variety of sectors: three universities, three engineering firms, two local‑government institutions, and one company each in technology, transportation, utilities, and manufacturing.
A separate Egyptian technology firm was also compromised during this campaign.
Why CISOs should care
- Advanced evasion techniques: This campaign marks a notable shift for MuddyWater from their earlier, noisier operations to a more stealthy, automated, and memory‑only approach, making detection by conventional AV and sandboxing far more difficult.
- High‑value targets & infrastructure risk: The targeting of universities, government, critical infrastructure, and manufacturing underscores the potential impact: data theft, disruption, and long‑term access. If MuddyWater succeeds in similar campaigns elsewhere, the consequences for victims’ operations could be severe.
- Evolution towards sophistication: The use of legitimate Windows APIs (cryptography, in-memory execution), custom backdoors, and reverse tunneling demonstrates growing maturity, signalling that even established threat actors are continuously refining their tooling.
3 Practical Actions
- Enhance behavioral and endpoint‑monitoring detection: Focus less on signature-based AV and more on behavior: look for unusual in-memory execution, long sleep/delay loops, unusual process behavior, or unauthorized command shells. Deploy EDR tools capable of memory instrumentation and anomalous process detection.
- Strengthen phishing defenses and zero‑trust for remote‑management tools: Since the initial attack vector remains spear‑phishing that delivers fake installers or RMM tools, invest in phishing‑resistant MFA, strict email filtering, and user awareness training, and limit who may install RMM software.
- Audit and harden credentials & access controls: Rotate and enforce strong credentials, enforce least‑privilege access, implement credential vaulting where possible, and monitor for suspicious credential dumping or transfer activity. Consider isolating high‑sensitivity systems and deploying lateral‑movement detection.
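As an added illustration of the first action (not code from ESET or from this brief), the Python below correlates three behaviours the campaign description highlights, a long idle window after process start, an executable memory region with no file backing, and a command shell spawned afterwards, over constructed endpoint telemetry. The event schema, the process and image names, and the ten‑minute idle threshold are assumptions, not real EDR output.

```python
"""Toy behavioural correlation over constructed endpoint telemetry.

Flags a process that (1) sits idle for a long stretch after start,
(2) then maps an executable region with no file backing (reflective load),
and (3) then spawns a command shell.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real telemetry); field names are assumptions.
EVENTS = [
    {"ts": "2025-01-10T09:00:00", "pid": 4120, "type": "process_start", "image": "game.exe"},
    {"ts": "2025-01-10T09:31:00", "pid": 4120, "type": "mem_exec", "backed_by_file": False},
    {"ts": "2025-01-10T09:31:05", "pid": 4120, "type": "child_process", "image": "cmd.exe"},
    {"ts": "2025-01-10T09:02:00", "pid": 5000, "type": "process_start", "image": "editor.exe"},
    {"ts": "2025-01-10T09:02:30", "pid": 5000, "type": "mem_exec", "backed_by_file": True},
    {"ts": "2025-01-10T09:03:00", "pid": 5000, "type": "child_process", "image": "cmd.exe"},
]

SHELLS = {"cmd.exe", "powershell.exe"}
LONG_DELAY_SECONDS = 600  # assumed threshold: ten minutes idle before first activity


def _parse(ts):
    return datetime.fromisoformat(ts)


def find_suspicious(events, delay_threshold=LONG_DELAY_SECONDS):
    """Return one hit per process that matches all three stages in order."""
    by_pid = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_pid[e["pid"]].append(e)
    hits = []
    for pid, evs in by_pid.items():
        start = next((e for e in evs if e["type"] == "process_start"), None)
        later = [e for e in evs if e is not start]
        if start is None or not later:
            continue
        # Stage 1: long quiet window between start and the next observed event
        quiet = (_parse(later[0]["ts"]) - _parse(start["ts"])).total_seconds()
        if quiet < delay_threshold:
            continue
        # Stage 2: executable memory that is not backed by a file on disk
        loads = [e for e in later if e["type"] == "mem_exec" and not e["backed_by_file"]]
        if not loads:
            continue
        # Stage 3: a shell spawned at or after that in-memory load
        t_load = _parse(loads[0]["ts"])
        if any(e["type"] == "child_process" and e["image"].lower() in SHELLS
               and _parse(e["ts"]) >= t_load for e in later):
            hits.append({"pid": pid, "image": start["image"], "quiet_seconds": quiet})
    return hits
```

The second process spawns a shell quickly from file‑backed code and is not flagged, which is the distinction the correlation is meant to draw.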
