Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: The stolen information can be used for future attacks
Severity Level: High

UDPGangster is a UDP-based backdoor associated with the MuddyWater threat group, which is known for its cyber espionage operations across the Middle East and neighboring regions. This malware enables remote control of compromised systems by allowing attackers to execute commands, exfiltrate files, and deploy additional payloads—all communicated through UDP channels designed to evade traditional network defenses.

FortiGuard Labs recently observed multiple UDPGangster campaigns targeting users in Turkey, Israel, and Azerbaijan. These campaigns primarily deliver their malware through malicious Microsoft Word documents that are embedded with VBA macros, which execute the payload once the macros are enabled. The samples collected include sophisticated anti-analysis techniques to detect and evade virtual environments and sandboxes, helping attackers avoid early detection.

Notably, while the phishing email was written in Turkish, the decoy image embedded within the document displayed an image related to Israel. Further investigation revealed multiple related campaigns delivering UDPGangster through similar macro-embedded documents and targeting victims in Israel and Azerbaijan. This blog presents a detailed analysis of the phishing delivery chain and the behavior of UDPGangster.

Phishing Email

The phishing message impersonates the Turkish Republic of Northern Cyprus Ministry of Foreign Affairs. It claims to invite recipients to an online seminar titled “Presidential Elections and Results” and includes two attachments named seminer.doc and seminer.zip. The sender address and message format mimic an official government email and are written in formal Turkish.

The VBA code defines a subroutine named SmartToggle() that manipulates two image objects, FullImage1 and FullImage2. The script switches their display order by toggling the AlternativeText property between “Front” and “Back.” Depending on which image is in front, it uses ZOrder to bring one image forward and send the other behind.

This technique is used as a distraction—displaying an innocuous image in the document while concealing malicious activity within the same file. Although the original phishing email targeted Turkish recipients, the visible image shows scheduled outages in Israel, which is unusual. We describe related activities targeting different regions later in this post.

UDPGangster

UDPGangster is a UDP-based backdoor that communicates with its C2 server using the UDP protocol. The malware’s name derives from an embedded PDB path found in samples:
C:\Users\gangster\source\repos\udp_3.0 - Copy - Copy\x64\release_86\udp_3.0.pdb. A related executable extracted from another malicious document shows a similar path:
C:\Users\SURGE\source\repos\udp_3.0 - Copy\x64\release_86\udp_3.0.pdb.

After the macro successfully executes, UDPGangster installs persistence by copying itself to %AppData%\RoamingLow as SystemProc.exe. It then configures startup by writing the path to the Startup value under the registry key:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell. The malware also creates a mutex named xhxhxhxhxhxpp.

Anti-Analysis Techniques

UDPGangster performs several checks to evade analysis:

1. Debugger detection: Verifies whether the process is being debugged.

Supported commands include:

• 0x04: Performs a keep-alive heartbeat
• 0x0A: Launches remote command execution via cmd.exe
• 0x14: Extracts files from the victim
• 0x1E: Triggers the execution of additional payloads
• 0x63: Updates the C2 address, which the malware decodes and writes as a new IP

Investigation

As noted earlier, the decoy image in the Turkish phishing email did not match its content. Further investigation into collected related indicators—mutex values, IPs, and PDB paths—revealed additional campaigns targeting Israel and Azerbaijan using similar VBA macro-embedded documents to distribute the UDPGangster backdoor.

The suspicious document found in the Turkish phishing email, titled Scheduled_Internet_Outages.doc, can be downloaded from hxxp://reminders[.]trahum.org. Telemetry data shows it was actually aimed at Israeli users. Analyzing similar behavioral patterns, we also uncovered an IP address linked to both the Phoenix Backdoor and UDPGangster, suggesting a strong connection to the MuddyWater threat group.

Conclusion

UDPGangster uses macro-based droppers for initial access and incorporates extensive anti-analysis routines to evade detection. These campaigns employ social engineering and custom tooling to target organizations across Israel, Azerbaijan, and Turkey. The consistent targeting, code similarities, and shared infrastructure strongly indicate MuddyWater involvement.

Users and organizations should remain cautious of unsolicited documents, particularly those requesting macro activation. Strong email filtering and endpoint protection are critical to preventing similar intrusions.

Fortinet Protections

The malware described in this report is detected and blocked by FortiGuard Antivirus as:

VBA/Agent.NFYP!tr
W64/Agent.ALD!tr

FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is part of each of these solutions. As a result, customers who have these products with up-to-date protections are protected.

FortiMail recognizes the phishing email as “virus detected.” In addition, real-time anti-phishing protection provided by FortiSandbox, embedded in Fortinet’s FortiMail, web filtering, and antivirus solutions, offers advanced protection against both known and unknown phishing attempts. In addition, the FortiPhish phishing simulation service actively trains and tests your end-users against real-world phishing techniques, enabling them to recognize, avoid, and report email-based cyberthreats, including phishing, impersonation, Business Email Compromise (BEC), and ransomware.

The FortiGuard CDR (Content Disarm and Reconstruction) service, which runs on both FortiGate and FortiMail, can disarm the malicious macros in the document. We also suggest that organizations consider completing Fortinet’s free training module, Fortinet Certified Fundamentals (FCF) in Cybersecurity.

FortiGuard IP Reputation and Anti-Botnet Security Service proactively block these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.

If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.

IOCs

Domain

157.20.182[.]75
64.7.198[.]12

URL

hxxps://reminders[.]trahum[.]org/Scheduled_Internet_Outages.doc

Email

d177cf65a17bffcd152c5397600950fc0f81f00990ab8a43d352f9a7238428a1
3d3fbd586f61043ff04ab0369b913a161c0159425fb269d52b7d8d8a14838ece
232e979493da5329012022d3121300a4b00f813d5b0ecc98fdc3278d8f4e5a48
e84a5878ea14aa7e2c39d04ea7259d7a4ed7f666c67453a93b28358ccce57bc5
fc4a7eed5cb18c52265622ac39a5cef31eec101c898b4016874458d2722ec430
44deab99e22340fc654494cc4af2b2c27ef1942c6fea6eace9fb94ce7855c0ca
13d36f3011ed372ad4ec4ace41a6dee52361f221161192cb49c08974c86d160e
b7276cad88103bdb3666025cf9e206b9fb3e66a6d934b66923150d7f23573b60
b552e1ca3482ad4b37b1a50717ac577e1961d0be368b49fa1e4e462761ae6eeb
bca7d23b072a2799d124977fdb8384325b30bb1d731741d84a1dfc5e3cf6ac26
01b1073cb0480af3bde735f559898774e1a563e06f9fe56ec3845ea960da0f3c

Document

7ea4b307e84c8b32c0220eca13155a4cf66617241f96b8af26ce2db8115e3d53