Cybersecurity firm ESET said it found new activity by the Iran-aligned MuddyWater group that targeted critical infrastructure in Israel and one organization in Egypt.
MuddyWater, also known as Mango Sandstorm or TA450, has links to Iran’s Ministry of Intelligence and National Security and has targeted government and infrastructure in the Middle East and beyond since at least 2017.
Researchers said victims in Israel included technology, engineering, manufacturing, local government and education sectors. They said the group used new custom tools to improve its ability to hide and stay active inside networks, including a backdoor called MuddyViper that can gather system data, run commands, move files and steal Windows credentials and browser data.
The report said the attackers used Fooder, a loader that reflectively loads malware into memory and at times imitates the classic Snake game, to deploy MuddyViper. It said the group also used several credential stealers and avoided interactive sessions to reduce detection.
Researchers said the campaign relied on spearphishing emails that sent victims to installers for remote monitoring tools hosted on free file-sharing sites. They said the operators used a range of malware, including VAX One, which imitates products such as Veeam and AnyDesk.
Past MuddyWater operations include attacks in Saudi Arabia and campaigns that overlapped with Lyceum, suggesting the group may serve as an initial access broker for other Iran-linked actors.