Tehran-linked hackers attack Israel using malware inspired by retro game

Iranian nation-state hackers have been inspired by a legendary mobile phone time-killing mainstay, say security researchers, who spotted them downloading malware masquerading as the Snake video game.
In a new report, Eset researchers said that the Iran-aligned cyberespionage group MuddyWater used fresh tools and stealthier tactics to deploy previously undocumented custom malware against targets in Israel and Egypt earlier this year.
To the researchers, these updates to its defense evasion techniques seem like a significant evolution in MuddyWater’s capabilities and a departure from the group’s typically noisier style.
The group, linked to Tehran's Ministry of Intelligence and National Security, also seems to have taken inspiration from a classic Snake mobile game, which we all remember coming preloaded on Nokia phones by default starting in 1998.
During the uncovered campaign, MuddyWater used a loader that masquerades as the Snake game to skirt security tools. The loader borrows the delay logic used in the game.
Just as the game delays its reaction to the player's control commands, a dropper – dubbed the “Fooder” and deployed by MuddyWater – introduces execution delays to avoid detection by antivirus tools that look for rapid malicious activity.
“The use of game-inspired evasion techniques, reverse tunneling, and a diversified tool set reflects a more refined approach than in earlier campaigns, even though traces of the group’s operational immaturity remain,” Eset said in the report.
Eset, a cybersecurity firm based in Slovakia, said it spotted MuddyWater targeting telecoms, government agencies and the oil and energy sectors in Israel and Egypt. The campaign allegedly began on September 30th last year and concluded on March 18th, 2025.
MuddyWater attacked one Egyptian technology company and 17 Israeli organizations: three universities, three engineering companies, two local government institutions, and one company in each of the technology, transportation, utilities, and manufacturing sectors.
It’s possible, the researchers said, that MuddyWater is acting as an initial access broker for other Tehran hacking operations, based on the overlap they observed between the group and other known Iranian threat actors.
According to the researchers, MuddyViper – a new backdoor by MuddyWater – enables the attackers to collect system information, execute files and shell commands, transfer files, and exfiltrate Windows login credentials and browser data.
Already in 2022, the US Cyber Command attributed MuddyWater activity to the Iranian Ministry of Intelligence, saying that the group primarily targets Middle Eastern, European, and North American nations.