Sunday, October 26, 2025


Global alert as Iranian hackers revive old malware techniques in widespread espionage campaign

Cybersecurity firm Group-IB has revealed that the Iranian state-sponsored hacker group MuddyWater—also known as Static Kitten, Mercury, or Seedworm—has targeted over 100 government organizations using an updated version of the Phoenix backdoor. The campaign, beginning on August 19, focused on embassies, consulates, and foreign affairs ministries across the Middle East and North Africa.

The attackers used phishing emails sent from a compromised account via NordVPN, disguised as official correspondence. Notably, MuddyWater reverted to using malicious Microsoft Word macros, a tactic considered outdated after Microsoft disabled macros by default. Recipients were prompted to “enable content,” which triggered VBA code to deploy the FakeUpdate loader and install Phoenix v4. The malware was written to C:\ProgramData\sysprocupdate.exe and modified Windows Registry entries for persistence.
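As an added example (not code from the article or from Group-IB), the following Python hunt runs over constructed Sysmon-style events and flags the delivery chain just described: an Office process writing an executable under C:\ProgramData, execution of the reported C:\ProgramData\sysprocupdate.exe path, and that binary setting a Run key. The Office process names and the Run-key location are assumptions for the example; the article gives the drop path but not the specific registry key.

```python
import ntpath

# Drop path as reported in the article; Office process names and the Run-key
# marker are assumptions for this example, not values from the report.
PHOENIX_DROP_PATH = r"C:\ProgramData\sysprocupdate.exe"
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}
RUN_KEY_MARKER = r"\currentversion\run"


def find_phoenix_indicators(events):
    """Scan Sysmon-style event dicts and return (rule, event_id) hits."""
    hits = []
    drop = PHOENIX_DROP_PATH.lower()
    for ev in events:
        kind = ev.get("type")
        image = ev.get("image", "").lower()
        proc = ntpath.basename(image)
        target = ev.get("target", "").lower()
        # Rule 1: an Office process writes an .exe under ProgramData
        # (the macro -> FakeUpdate loader -> Phoenix drop described above).
        if (kind == "file_create" and proc in OFFICE_PROCESSES
                and target.startswith("c:\\programdata\\")
                and target.endswith(".exe")):
            hits.append(("office_writes_programdata_exe", ev["id"]))
        # Rule 2: the reported drop path is executed.
        if kind == "process_create" and image == drop:
            hits.append(("phoenix_path_execution", ev["id"]))
        # Rule 3: the dropped binary sets a Run key for persistence.
        if kind == "registry_set" and image == drop and RUN_KEY_MARKER in target:
            hits.append(("run_key_persistence_from_phoenix", ev["id"]))
    return hits


# Constructed sample telemetry (not real logs): a benign Word launch and
# document save, then the three-step chain the rules are meant to catch.
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create", "image": WORD, "target": ""},
    {"id": 2, "type": "file_create", "image": WORD, "target": r"C:\Users\a\Documents\memo.docx"},
    {"id": 3, "type": "file_create", "image": WORD, "target": PHOENIX_DROP_PATH},
    {"id": 4, "type": "process_create", "image": PHOENIX_DROP_PATH, "target": ""},
    {"id": 5, "type": "registry_set", "image": PHOENIX_DROP_PATH,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\sysprocupdate"},
]

if __name__ == "__main__":
    for rule, eid in find_phoenix_indicators(SAMPLE_EVENTS):
        print(f"event {eid}: {rule}")
```

Rule 1 is the one worth keeping generic: it catches the same macro-to-loader pattern even when the drop path changes, which the article warns is likely.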

Phoenix v4 combines legacy macro-based delivery with modern encryption, obfuscation, and COM-based persistence mechanisms. It can collect device metadata, establish remote access, upload and download files, initiate shell commands, and adjust beaconing intervals. A custom infostealer targets browser credentials and encryption keys from Chrome, Edge, Opera, and Brave.

Investigators also found legitimate IT management tools, including PDQ Deploy and Action1 RMM, used to maintain control and move laterally across networks. Group-IB attributes the campaign to MuddyWater with high confidence, citing coding patterns, string-decoding techniques, and the group’s long-standing focus on regional government targets.

Active since at least 2017 under Iran’s Ministry of Intelligence and Security, MuddyWater has a history of espionage and attacks against critical infrastructure and diplomatic institutions in the Middle East, Central Asia, and Europe. The use of Phoenix v4 highlights the group’s approach of blending outdated delivery methods with advanced payload engineering to exploit institutional vulnerabilities.

Analysts note that “MuddyWater isn’t innovating for novelty; it’s innovating for stealth.” With parts of the campaign’s infrastructure dismantled, experts warn that its tools will likely reappear in modified forms, continuing the cycle of state-sponsored espionage.
