Advanced Persistent Threat (APT) MuddyWater has orchestrated a sophisticated phishing campaign targeting over 100 government entities across the Middle East, North Africa, and international organizations worldwide.
Group-IB Threat Intelligence has attributed the campaign to the Iran-linked threat actor with high confidence, revealing an alarming escalation in the group’s espionage capabilities and operational sophistication.
The attack leveraged a compromised mailbox accessed through NordVPN to distribute the Phoenix backdoor malware version 4, along with custom credential-stealing tools designed to exfiltrate sensitive intelligence from high-value government targets.
The campaign demonstrates MuddyWater’s evolving tradecraft and their continued focus on state-sponsored cyber espionage operations across geopolitically sensitive regions.
By exploiting trusted communication channels and abusing legitimate services, the threat actor successfully bypassed conventional security defenses to infiltrate critical government infrastructure and international organizations engaged in diplomatic and humanitarian missions.
Phishing to Backdoor Deployment
MuddyWater initiated the operation by sending malicious emails from a compromised account accessed via a NordVPN exit node located in France.

The phishing emails contained Microsoft Word attachments designed to deceive recipients into enabling macros by displaying blurred content with instructions to “enable content” to view the document.
The real C2 server infrastructure, hosted at IP address 159[.]198[.]36[.]115, contained an exposed directory with multiple post-exploitation tools including a custom browser credential stealer, PDQ Remote Monitoring and Management tool, and Action1 RMM utility.
Once macros were activated, embedded Visual Basic for Applications (VBA) code executed, triggering a multi-stage infection chain.
The initial dropper, identified as FakeUpdate, decrypted an embedded second-stage payload using Advanced Encryption Standard (AES) encryption and injected it into its own process memory.
The injected component was Phoenix backdoor version 4, which executed a series of reconnaissance and persistence activities on infected systems.
The backdoor copied itself to C:\ProgramData\sysprocupdate.exe and established persistence by modifying the Windows registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, altering the Shell value to maintain access across system reboots.
Phoenix v4 registered infected hosts with the attacker’s command-and-control infrastructure and began continuous beaconing to poll for remote commands.
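The Winlogon Shell hijack described above is straightforward to audit from the defender's side. The following PowerShell function is an added example, not code from Group-IB or from the report; it checks the per-user and machine-wide Winlogon keys for a Shell value that is absent (normal for HKCU) or exactly explorer.exe (normal for HKLM), and also looks for the drop path named in the article. The function and parameter names are this example's own, and the exact drop path is assumed from the article after backslash repair.

```powershell
function Test-WinlogonShell {
    [CmdletBinding()]
    param(
        # Per-user key named in the article. A Shell value here is not present on a clean system.
        [string]$UserKey    = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
        # Machine-wide equivalent. Its Shell value should be exactly explorer.exe.
        [string]$MachineKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
        # Drop location reported in the article (assumed exact path; adjust if your IoC list differs).
        [string]$DropPath   = 'C:\ProgramData\sysprocupdate.exe'
    )

    $findings = @()

    # Any Shell value under HKCU is worth a look: Winlogon honours it for that user,
    # and the article says Phoenix v4 sets it to keep access across reboots.
    if (Test-Path $UserKey) {
        $userShell = (Get-ItemProperty -Path $UserKey -Name Shell -ErrorAction SilentlyContinue).Shell
        if ($null -ne $userShell) {
            $findings += [pscustomobject]@{
                Location = $UserKey
                Value    = $userShell
                Reason   = 'Shell value present under HKCU (not set on a clean system)'
            }
        }
    }

    # Winlogon accepts a comma-separated list, so "explorer.exe,evil.exe" is also a hijack.
    if (Test-Path $MachineKey) {
        $machineShell = (Get-ItemProperty -Path $MachineKey -Name Shell -ErrorAction SilentlyContinue).Shell
        $entries = @()
        if ($null -ne $machineShell) {
            $entries = $machineShell -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        }
        $extra = $entries | Where-Object { $_ -notmatch '^(?i)explorer\.exe$' }
        if ($entries.Count -ne 1 -or $extra) {
            $findings += [pscustomobject]@{
                Location = $MachineKey
                Value    = $machineShell
                Reason   = 'HKLM Shell is not exactly explorer.exe'
            }
        }
    }

    # File-system check for the reported drop path.
    if (Test-Path -LiteralPath $DropPath) {
        $findings += [pscustomobject]@{
            Location = 'FileSystem'
            Value    = $DropPath
            Reason   = 'reported drop path exists'
        }
    }

    return $findings
}

# Usage: run in an elevated shell; an empty result means nothing matched.
Test-WinlogonShell | Format-Table -AutoSize
```

This only inspects the currently loaded user hive; to cover other profiles on a shared host, load each user's NTUSER.DAT or query the corresponding HKU subkeys. For continuous detection rather than a point-in-time sweep, alert on registry value writes to either Winlogon key (for example, Sysmon event ID 13 with a TargetObject ending in Winlogon\Shell).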
The backdoor gathered system information including computer name, domain, Windows version, and username before transmitting this data to MuddyWater’s servers.
The malware supported multiple operational commands including file upload and download capabilities, shell execution, and remote monitoring functions.
Group-IB uncovered critical infrastructure details revealing MuddyWater’s operational security practices and attack window.
The malware samples contained a hardcoded C2 domain, screenai[.]online, registered on August 17, 2025, through NameCheap. The domain remained operational for only five days, from August 19 through August 24, 2025, indicating a carefully planned and time-limited attack campaign.
The Chromium_Stealer, disguised as a calculator application, targets credentials stored by Google Chrome, Opera, Brave, and Microsoft Edge browsers, decrypting master keys using OS cryptographic APIs and harvesting login credentials.
Strategic Implications
Group-IB attributes this campaign to MuddyWater based on multiple indicators including custom malware families used exclusively in previous MuddyWater operations, matching macro code with identical hash signatures, and C2 infrastructure hosting tools previously linked to the threat actor.
However, we were able to uncover it through the Secure Sockets Layer (SSL) certificate, which showed that the real IP of the server was 159[.]198[.]36[.]115, which is registered under NameCheap’s Autonomous System Number (ASN).
The targeting patterns aligned perfectly with MuddyWater’s historical focus on Middle Eastern government entities and international organizations.
MuddyWater’s persistent focus on governmental targets amid ongoing geopolitical tensions underscores a long-term strategic intelligence objective.
Security researchers expect similar campaigns will continue emerging as the threat actor leverages newly compromised accounts and evolving payloads to maintain access and gather foreign intelligence from high-value targets across multiple continents.