MuddyViper

MuddyViper is a custom backdoor written in C and C++ that MuddyWater uses for command and control (C2) communications and persistence. MuddyViper is loaded by Fooder and sends frequent messages to the C2 server.[1]

ID: S9032
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 20 April 2026
Last Modified: 23 April 2026

Techniques Used

Domain ID Name Use
Enterprise T1071.001 Application Layer Protocol: Web Protocols

MuddyViper has used HTTP GET requests over port 443 with the WINHTTP_FLAG_SECURE flag set, so that the WinHTTP API wraps the requests in SSL/TLS.[1]

Enterprise T1560 Archive Collected Data

MuddyViper has archived collected web browser data into a file named CacheDump.zip.[1]       

Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

MuddyViper has the ability to establish persistence by redirecting the Windows Startup folder to its own installation directory: it sets both the HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup and the HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup Registry values to %APPDATALOCAL%\Microsoft\Windows\PPBCompatCache\ManagerCache.[1]
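A detection check for the Startup-folder redirection described above, added here as an example (not code from the page or from any vendor): it scans Registry write events and flags any Startup value under either Explorer shell-folders key that no longer points at the default ...\Start Menu\Programs\Startup path. The event records and their field names are constructed for the example, not a real EDR schema.

```python
# Added example (not from the page): flag Registry writes that redirect the
# per-user Startup folder, the persistence technique described above. The
# event records and field names below are constructed, not a real EDR schema.
import re

# Both the expandable (User Shell Folders) and expanded (Shell Folders) Startup
# values normally point at ...\Start Menu\Programs\Startup.
STARTUP_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\"
    r"(User Shell Folders|Shell Folders)$",
    re.IGNORECASE,
)
DEFAULT_STARTUP_SUFFIX = r"\start menu\programs\startup"


def is_startup_redirect(event: dict) -> bool:
    """True when a write points the Startup folder anywhere but the default."""
    if event.get("value_name", "").lower() != "startup":
        return False
    if not STARTUP_KEY_RE.search(event.get("key", "")):
        return False
    data = event.get("data", "").rstrip("\\").lower()
    return not data.endswith(DEFAULT_STARTUP_SUFFIX)


def find_startup_redirects(events: list) -> list:
    """Return every event that redirects (or clears) the Startup folder value."""
    return [e for e in events if is_startup_redirect(e)]


# Constructed sample events: a benign default write, a write of the path this
# page reports MuddyViper using, and an unrelated value under the same key.
SAMPLE_EVENTS = [
    {"process": "explorer.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders",
     "value_name": "Startup",
     "data": r"%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"},
    {"process": "sample.exe",  # constructed process name
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders",
     "value_name": "Startup",
     "data": r"%APPDATALOCAL%\Microsoft\Windows\PPBCompatCache\ManagerCache"},
    {"process": "explorer.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders",
     "value_name": "Desktop",
     "data": r"C:\Users\alice\Desktop"},
]

if __name__ == "__main__":
    for hit in find_startup_redirects(SAMPLE_EVENTS):
        print(f"Startup folder redirected by {hit['process']}: {hit['data']}")
```

Because an empty value also fails the default-suffix check, the same rule catches the later clean-up step in which the Startup values are cleared again.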

Enterprise T1059 Command and Scripting Interpreter

MuddyViper has launched a reverse shell using a provided command line.[1]

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

MuddyViper has used PowerShell.exe to launch a reverse shell.[1]

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

MuddyViper has used cmd.exe to launch a reverse shell.[1]

Enterprise T1678 Delay Execution

MuddyViper has the ability to sleep for a certain amount of time, with the default being one minute.[1]    

Enterprise T1140 Deobfuscate/Decode Files or Information

MuddyViper has decrypted the embedded HackBrowserData tool prior to execution.[1]    

Enterprise T1573.001 Encrypted Channel: Symmetric Cryptography

MuddyViper has the ability to encrypt C2 communication with AES-CBC via the CNG API, using the key 0608101047106453101617106423101013101012101083109710108585106969 and an initialization vector of 0.[1]

Enterprise T1041 Exfiltration Over C2 Channel

MuddyViper has uploaded files to the C2 server. Additionally, MuddyViper has the ability to upload a specified file in chunks, sleeping between chunks.[1]

Enterprise T1105 Ingress Tool Transfer

MuddyViper has the ability to download files from the C2 server. Additionally, MuddyViper has the ability to download a file in chunks, sleeping between chunks.[1]

Enterprise T1056.002 Input Capture: GUI Input Capture

MuddyViper has displayed a fake Windows Security dialog to gather credentials.[1]    

Enterprise T1112 Modify Registry

MuddyViper has the ability to clear the Registry values in the Windows Startup folder that were previously set for persistence.[1]    

Enterprise T1106 Native API

MuddyViper has the ability to relaunch itself using the CreateProcessW API.[1]    

Enterprise T1057 Process Discovery

MuddyViper has the ability to collect running processes.[1]    

Enterprise T1620 Reflective Code Loading

MuddyViper has reflectively loaded the decrypted HackBrowserData tool in a new thread.[1]      

Enterprise T1053.005 Scheduled Task/Job: Scheduled Task

MuddyViper has the ability to establish persistence by creating a scheduled task named ManageOnDriveUpdater to launch itself during system startup.[1]    

Enterprise T1518.001 Software Discovery: Security Software Discovery

MuddyViper has the ability to check for a specified list of security tools in the compromised environment.[1]   

Groups That Use This Software

ID Name References
G0069 MuddyWater

MuddyWater has used MuddyViper during operations.[1]

References