👤 CIPHERWARDEN
🗓️ 23 Oct 2025   🗂️ Threats

Phoenix Rising: Inside Iran's Stealthy Hack on Over 100 Government Targets

Iran's MuddyWater hackers unleashed a new wave of cyber-espionage, reviving old tricks to breach government agencies across the Middle East and North Africa.

Fast Facts

  • Over 100 government and diplomatic entities targeted by Iranian group MuddyWater.
  • Attackers used phishing emails with malicious Word documents to deliver the Phoenix backdoor (version 4).
  • Campaign focused on Middle East and North Africa, using compromised VPN accounts.
  • Phoenix v4 can steal files, run remote commands, and harvest browser passwords.
  • Iran’s MuddyWater group is linked to previous high-profile cyber-espionage campaigns.

A Familiar Storm: MuddyWater Returns

Picture a diplomat opening their inbox on a muggy August morning, an unremarkable Word document beckoning them to “enable content.” By clicking, they unwittingly swing open the doors of their digital embassy to an invisible invader: Phoenix, the latest backdoor in the arsenal of Iran’s notorious MuddyWater hacking group.

Since at least 2017, MuddyWater - also known as Static Kitten, Mercury, and Seedworm - has been a persistent thorn in the side of Middle Eastern cyber defense. Their attacks often blend old-school phishing with newer, stealthier tools, targeting ministries, embassies, and diplomatic missions. This latest campaign, uncovered by cybersecurity firm Group-IB, saw the group hitting over 100 government organizations across the Middle East and North Africa in a single, orchestrated strike.

The Phoenix Backdoor: Old Tricks, New Wings

MuddyWater’s method was a throwback: emails with booby-trapped Word files, relying on macros - a trick that lost its shine after Microsoft started disabling macros by default. But here, the group doubled down, counting on unsuspecting recipients to enable the feature. Once activated, the macro dropped a hidden program called FakeUpdate, which in turn decrypted and unleashed the Phoenix backdoor.

Phoenix version 4, the star of this campaign, is a digital Swiss Army knife for espionage. It quietly profiles the infected machine - gathering computer names, usernames, and Windows versions - then phones home to its Iranian handlers using encrypted web traffic. Phoenix can upload and download files, open a hidden remote command shell, and even steal browser passwords from Chrome, Opera, Edge, and Brave. The group also deployed utilities like PDQ and Action1 RMM, legitimate tools typically used by IT admins, to keep control of compromised hosts and spread across networks.
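As an added defender-side illustration (not code from the article or from Group-IB's report), the Python pass below flags the two behaviours the chain described above depends on: an Office process spawning an unexpected child, and a remote-management agent appearing on a host where it was never sanctioned. The log fields, host names and executable names (including the `.exe` forms of FakeUpdate, Action1 and PDQ) are constructed for the example.

```python
# Added example, not from the article: a small detection pass over constructed
# process-creation events. It looks for (1) Office parents spawning anything
# other than known-benign helpers, which is how a macro dropper lands, and
# (2) RMM agents named in the campaign (PDQ, Action1) on unsanctioned hosts.
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Children Office legitimately spawns; anything else from an Office parent is flagged.
OFFICE_BENIGN_CHILDREN = {"splwow64.exe", "werfault.exe"}
# Constructed binary names standing in for the Action1 and PDQ agents.
RMM_BINARIES = {"action1_agent.exe", "pdqdeployrunner.exe"}


@dataclass
class ProcEvent:
    host: str
    parent: str
    image: str
    cmdline: str


def detect(events, sanctioned_rmm_hosts):
    """Return (host, reason, image) tuples for the two behaviours above."""
    findings = []
    for e in events:
        parent, image = e.parent.lower(), e.image.lower()
        if parent in OFFICE_PARENTS and image not in OFFICE_BENIGN_CHILDREN:
            findings.append((e.host, "office-spawned-child", e.image))
        if image in RMM_BINARIES and e.host not in sanctioned_rmm_hosts:
            findings.append((e.host, "unsanctioned-rmm", e.image))
    return findings


# Constructed sample: a benign print helper, a macro dropper, an RMM install
# chained from the dropper, and a sanctioned RMM install on an admin host.
SAMPLE_EVENTS = [
    ProcEvent("WS-01", "WINWORD.EXE", "splwow64.exe", "splwow64.exe 12288"),
    ProcEvent("WS-02", "WINWORD.EXE", "FakeUpdate.exe", r"C:\Users\u\AppData\Roaming\FakeUpdate.exe"),
    ProcEvent("WS-02", "FakeUpdate.exe", "action1_agent.exe", "action1_agent.exe /install"),
    ProcEvent("IT-ADMIN", "explorer.exe", "action1_agent.exe", "action1_agent.exe /install"),
]


def run_sample():
    return detect(SAMPLE_EVENTS, sanctioned_rmm_hosts={"IT-ADMIN"})


if __name__ == "__main__":
    for host, reason, image in run_sample():
        print(f"{host}: {reason} ({image})")
```

Only the two WS-02 events are reported; the print helper and the admin-host RMM install are treated as expected activity.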

Espionage in the Age of Geopolitics

MuddyWater’s campaigns are more than digital mischief - they’re chess moves on the world’s geopolitical board. Iran has been ramping up its cyber operations, often in response to regional tensions or international sanctions. By targeting foreign ministries and diplomatic posts, MuddyWater aims to scoop up intelligence, negotiate from a position of strength, or simply sow confusion and mistrust among rivals.

Similar attacks have rattled the Middle East before. In 2021, the same group used a combination of spear-phishing and custom malware to breach telecom and government networks. Western intelligence agencies and private firms have repeatedly warned that Iranian cyber units, including MuddyWater, are growing bolder and more sophisticated, using a mix of homegrown tools and borrowed techniques.

As the digital cold war intensifies, the MuddyWater campaign is a stark reminder: sometimes the oldest tricks - like a simple macro - can still open the gates for the newest threats. For every technical patch, there’s still a human flaw. In the high-stakes game of cyber-espionage, vigilance and skepticism remain the best defense.

WIKICROOK

  • Backdoor: A backdoor is a hidden way to access a computer or server, bypassing normal security checks, often used by attackers to gain secret control.
  • Phishing: Phishing is a cybercrime where attackers send fake messages to trick users into revealing sensitive data or clicking malicious links.
  • Macro: A macro is a small program in documents that automates tasks, but can be exploited by attackers to spread malware.
  • Command and Control (C2): Command and Control (C2) is the system hackers use to remotely control infected devices and coordinate malicious cyberattacks.
  • Infostealer: An infostealer is malware designed to steal sensitive data - like passwords, credit cards, or documents - from infected computers without the user's knowledge.

CIPHERWARDEN
Cyber Encryption Architect