The Advanced Persistent Threat group MuddyWater, widely recognized as an Iran-linked espionage actor, has orchestrated a sophisticated phishing campaign targeting more than 100 government entities and international organizations across the Middle East, North Africa, and beyond.
The operation, which became active in mid-August 2025, represents a significant escalation in the group’s tradecraft, introducing version 4 of the Phoenix backdoor malware alongside newly developed tools designed to evade traditional security defenses.
The campaign gained momentum through a deceptively simple yet effective technique: a compromised mailbox accessed via NordVPN.
MuddyWater leveraged this access point to send phishing emails to high-value targets, impersonating legitimate correspondence from trusted organizations.
The emails contained Microsoft Word attachments that appeared innocuous, prompting recipients to “enable content” to view the document.
This social engineering approach exploited the inherent trust users place in familiar communication channels, significantly increasing the likelihood of successful infections.
Once recipients enabled macros within the Word documents, malicious Visual Basic for Application code executed on their systems, initiating a multi-stage attack chain.
.webp)
The embedded macros functioned as a dropper, retrieving and executing the FakeUpdate loader—an injector-style component that decrypts and injects encrypted payloads directly into its own process memory, bypassing traditional file-based detection mechanisms.
Group-IB analysts identified the second-stage payload as Phoenix backdoor version 4, a custom malware exclusively tied to MuddyWater operations.
This latest iteration demonstrates technological refinement, employing registry-based persistence through modifications to the Winlogon shell value while simultaneously creating mutex objects for coordination.
The backdoor registers infected hosts with attacker command-and-control infrastructure, establishing continuous beaconing relationships that enable remote command execution, data exfiltration, and post-exploitation activities.
Technical Evolution and Persistence Mechanisms
The Phoenix v4 variant introduces sophisticated persistence tactics beyond traditional registry manipulation.
Analysis revealed embedded Component Object Model Dynamic Link Library artifacts designed to launch additional malware, such as Mononoke.exe, through alternative execution pathways.
The malware systematically gathers comprehensive system information—computer names, domain configurations, Windows versions, and user credentials—before initiating communication with C2 servers via WinHTTP protocols.
Command mappings indicate support for file uploads, shell execution, and sleep interval modifications, providing attackers granular control over compromised systems.
Infrastructure investigation uncovered the hardcoded C2 domain screenai[.]online, registered on August 17, 2025, and operational for approximately five days.
The real server address, 159.198.36.115, hosted additional tools including a custom Chromium browser credential stealer and legitimate Remote Monitoring and Management utilities like PDQ and Action1.
The credential stealer specifically targets stored passwords from Chrome, Opera, Brave, and Microsoft Edge by extracting encrypted master keys and writing harvested credentials to staging files for exfiltration.
MuddyWater’s deployment of this integrated toolkit—combining custom malware with legitimate RMM solutions—demonstrates sophisticated understanding of operational security and persistence mechanisms, underscoring the group’s commitment to long-term espionage objectives rather than opportunistic campaigns.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
.webp?w=100&resize=100,70&ssl=1 "Top 10 Best Fraud Prevention Companies in 2025")
