UDPGangster Campaigns Target Multiple Countries

    Date: 12/08/2025

    Severity: High

    Summary

    UDPGangster is a UDP-based backdoor linked to the MuddyWater threat group, active in cyber-espionage across the Middle East. It enables remote control of infected systems, supporting command execution, file exfiltration, and payload delivery over stealthy UDP channels. Recent campaigns have targeted users in Turkey, Israel, and Azerbaijan. The malware is typically delivered via malicious Word documents containing VBA macros that trigger the payload when enabled. Collected samples show advanced anti-analysis features designed to detect and evade virtual environments and sandboxes.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    https://reminders.trahum.org/Scheduled_Internet_Outages.doc

    IP Addresses:

    157.20.182.75

    64.7.198.12

    Hashes (SHA-256; the full list is also carried in Detection Query 3 below):


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "https://reminders.trahum.org/Scheduled_Internet_Outages.doc" or url like "https://reminders.trahum.org/Scheduled_Internet_Outages.doc" or siteurl like "https://reminders.trahum.org/Scheduled_Internet_Outages.doc"

    Detection Query 2:

    dstipaddress IN ("64.7.198.12","157.20.182.75") or srcipaddress IN ("64.7.198.12","157.20.182.75")

    Detection Query 3:

    sha256hash IN ("7ea4b307e84c8b32c0220eca13155a4cf66617241f96b8af26ce2db8115e3d53","d177cf65a17bffcd152c5397600950fc0f81f00990ab8a43d352f9a7238428a1","3d3fbd586f61043ff04ab0369b913a161c0159425fb269d52b7d8d8a14838ece","232e979493da5329012022d3121300a4b00f813d5b0ecc98fdc3278d8f4e5a48","e84a5878ea14aa7e2c39d04ea7259d7a4ed7f666c67453a93b28358ccce57bc5","fc4a7eed5cb18c52265622ac39a5cef31eec101c898b4016874458d2722ec430","44deab99e22340fc654494cc4af2b2c27ef1942c6fea6eace9fb94ce7855c0ca","13d36f3011ed372ad4ec4ace41a6dee52361f221161192cb49c08974c86d160e","b7276cad88103bdb3666025cf9e206b9fb3e66a6d934b66923150d7f23573b60","b552e1ca3482ad4b37b1a50717ac577e1961d0be368b49fa1e4e462761ae6eeb","bca7d23b072a2799d124977fdb8384325b30bb1d731741d84a1dfc5e3cf6ac26","01b1073cb0480af3bde735f559898774e1a563e06f9fe56ec3845ea960da0f3c")
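    The three TDIR queries above, expressed as an added Python matcher run over constructed sample events (this is example code, not Gurucul's or Fortinet's; the event field names follow the queries, matching is exact rather than a SIEM "like", and the hash set holds two of the twelve hashes from Detection Query 3). It also compares the host of the IOC URL against the domainname field, since Query 1 tests that field against the full URL, which a domain field would not normally contain.

```python
from urllib.parse import urlparse

# IOC values below are taken from the advisory above.
IOC_URL = "https://reminders.trahum.org/Scheduled_Internet_Outages.doc"
IOC_HOST = urlparse(IOC_URL).hostname  # "reminders.trahum.org"
IOC_IPS = {"64.7.198.12", "157.20.182.75"}
IOC_SHA256 = {  # two of the twelve hashes from Detection Query 3; add the rest
    "7ea4b307e84c8b32c0220eca13155a4cf66617241f96b8af26ce2db8115e3d53",
    "d177cf65a17bffcd152c5397600950fc0f81f00990ab8a43d352f9a7238428a1",
}

def _host_of(value):
    """Return the lower-cased host of a URL or of a bare hostname."""
    parsed = urlparse(value if "://" in value else "//" + value)
    return (parsed.hostname or "").lower()

def match_event(event):
    """Return the names of the detection queries that an event satisfies."""
    hits = []
    # Query 1: URL and domain fields. The query compares domainname against the
    # full URL; a domain field normally holds only the host, so match that too.
    for field in ("domainname", "url", "siteurl"):
        value = event.get(field)
        if value and (value == IOC_URL or _host_of(value) == IOC_HOST):
            hits.append("query1")
            break
    # Query 2: source or destination IP address.
    if {event.get("srcipaddress"), event.get("dstipaddress")} & IOC_IPS:
        hits.append("query2")
    # Query 3: SHA-256 of the file, compared case-insensitively.
    if (event.get("sha256hash") or "").lower() in IOC_SHA256:
        hits.append("query3")
    return hits

def scan(events):
    """Run all three queries over events; return {event id: matched queries}."""
    return {e["id"]: m for e in events if (m := match_event(e))}

# Constructed sample events, not real telemetry; fields follow the query names.
SAMPLE_EVENTS = [
    {"id": 1, "domainname": "reminders.trahum.org", "url": ""},
    {"id": 2, "srcipaddress": "10.0.0.5", "dstipaddress": "157.20.182.75"},
    {"id": 3, "sha256hash": "D177CF65A17BFFCD152C5397600950FC0F81F00990AB8A43D352F9A7238428A1"},
    {"id": 4, "domainname": "example.com", "dstipaddress": "10.0.0.9"},
]

if __name__ == "__main__":
    for eid, queries in scan(SAMPLE_EVENTS).items():
        print(f"event {eid}: matched {', '.join(queries)}")
```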

    Reference:

    https://www.fortinet.com/blog/threat-research/udpgangster-campaigns-target-multiple-countries


    Tags

    Turkey, Israel, Azerbaijan, MuddyWater, Malware, Threat Actor, UDPGangster, Backdoor, Cyber Espionage, Exfiltration
