
Iranian hacking group releases new backdoor dubbed BugSleep

  • by Yadullah Abidi

Iranian state-sponsored hacking group MuddyWater has started deploying what appears to be a custom backdoor, which researchers have named BugSleep. The group previously controlled infected systems with legitimate remote-management tools, but since at least May 2024 it has upped the ante, delivering the newly built backdoor through phishing campaigns.

A technical report on the new backdoor says MuddyWater has significantly increased its activity in Israel since the start of the Israel-Hamas war, with targeting also rising in Azerbaijan, India, Portugal, Saudi Arabia, and Turkey.

The new tool is evolving quickly, receiving frequent updates that add features and fix existing bugs. Once on a target system it delays its own execution to evade detection and sandbox analysis (hence the name, BugSleep). However, researchers noted many instances where its encryption was not implemented correctly, suggesting the backdoor was rushed through development.

The new infection chain after the introduction of BugSleep. | Source: Check Point Research

Despite its current buggy state, researchers identified at least 11 commands that let the backdoor do anything from sending file contents to its command-and-control (C2) servers and writing content into a file, to running commands through a cmd pipe and even deleting its persistence task to cover its tracks.

The infection starts when the backdoor's loader injects shellcode into a running process such as Edge, Opera, Chrome, AnyDesk, OneDrive, or even PowerShell, depending on which of these is active. Once injected, BugSleep runs from memory and starts communicating with its C2 servers.
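The loader behaviour described above gives defenders a concrete thing to hunt for: a process that is not one of those browsers or tools creating a remote thread inside one of them. The script below is an added example, not code from the article or from Check Point Research. It triages constructed records shaped like Sysmon Event ID 8 (CreateRemoteThread) and flags injection into the executables the article lists (the mapping from product names to standard image names such as msedge.exe is assumed). The sample events, paths and PIDs are invented for illustration, and the same-image suppression is a tuning assumption, not something the report states.

```python
"""Flag remote-thread creation into the processes the BugSleep loader is
reported to inject into (Edge, Opera, Chrome, AnyDesk, OneDrive, PowerShell).

Constructed example: the records below imitate a subset of Sysmon Event ID 8
(CreateRemoteThread) fields and are invented for illustration. The process
list comes from the article; the executable names are the standard image
names of those products (assumption).
"""
from dataclasses import dataclass
import ntpath

# Image names of the processes the article reports as injection targets.
BUGSLEEP_TARGET_IMAGES = frozenset({
    "msedge.exe",     # Microsoft Edge
    "opera.exe",      # Opera
    "chrome.exe",     # Google Chrome
    "anydesk.exe",    # AnyDesk
    "onedrive.exe",   # OneDrive
    "powershell.exe", # Windows PowerShell
})


@dataclass(frozen=True)
class RemoteThreadEvent:
    """Subset of Sysmon Event ID 8 fields needed for this check."""
    utc_time: str
    source_image: str
    source_pid: int
    target_image: str
    target_pid: int


def image_name(path):
    """Lower-cased file name of a Windows image path (works on any host OS)."""
    return ntpath.basename(path).lower()


def is_suspicious(ev, allowed_sources=frozenset()):
    """True when a foreign process creates a thread in a BugSleep target process.

    allowed_sources: lower-cased image names (e.g. an EDR agent) that are
    permitted to create threads in other processes in your environment.
    """
    target = image_name(ev.target_image)
    if target not in BUGSLEEP_TARGET_IMAGES:
        return False
    source = image_name(ev.source_image)
    # Assumption for tuning: a product creating threads in its own sibling
    # processes (e.g. a browser and its child processes share one image)
    # is treated as benign here. Review this suppression per environment.
    if source == target:
        return False
    if source in allowed_sources:
        return False
    return True


def triage(events, allowed_sources=frozenset()):
    """Return the events that warrant analyst attention, in input order."""
    return [ev for ev in events if is_suspicious(ev, allowed_sources)]


# Constructed sample telemetry (not real events): two should be flagged.
SAMPLE_EVENTS = [
    # Hypothetical loader dropped by a phishing lure injects into Edge: flag.
    RemoteThreadEvent("2024-07-15 09:12:01.110",
                      r"C:\Users\alice\AppData\Local\Temp\loader.exe", 6012,
                      r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", 4120),
    # Chrome acting on its own child process: suppressed by the same-image rule.
    RemoteThreadEvent("2024-07-15 09:12:05.430",
                      r"C:\Program Files\Google\Chrome\Application\chrome.exe", 2200,
                      r"C:\Program Files\Google\Chrome\Application\chrome.exe", 2264),
    # Target is not in the watched list: ignored.
    RemoteThreadEvent("2024-07-15 09:13:44.002",
                      r"C:\Windows\System32\csrss.exe", 612,
                      r"C:\Windows\System32\notepad.exe", 7780),
    # Unexpected source creating a thread in OneDrive: flag.
    RemoteThreadEvent("2024-07-15 09:14:10.915",
                      r"C:\Users\alice\Downloads\invoice_viewer.exe", 7312,
                      r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe", 5288),
]


if __name__ == "__main__":
    for ev in triage(SAMPLE_EVENTS):
        print(f"{ev.utc_time} {image_name(ev.source_image)}({ev.source_pid}) -> "
              f"{image_name(ev.target_image)}({ev.target_pid})")
```

In production the same logic would read Event ID 8 (or Event ID 10 ProcessAccess with write/thread rights) from your SIEM rather than the embedded list, and the allowlist should be populated from a baseline of your own endpoint agents before the rule goes live.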

As noted above, researchers found plenty of mistakes, including improper encryption and the use of unencrypted APIs, suggesting the group is taking a trial-and-error approach with the backdoor. With the group's activity continuing to climb, sectors from government entities and municipalities to media outlets and travel agencies are all at risk of compromise. Although the backdoor is still being refined, it is already functional, so infections and data breaches remain a real possibility if you fall for one of the group's phishing lures.


Yadullah Abidi


Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
