A phishing campaign by state-sponsored Iranian hackers has targeted over 100 government entities and other organizations with version 4 of the Phoenix malware backdoor.
The cyberespionage campaign has been active since August 19. Cybersecurity firm Group-IB attributed it to the MuddyWater threat group, also known as Static Kitten, Mercury, TA450, and Seedworm.
“This campaign highlights MuddyWater’s evolving tradecraft and operational maturity,” Group-IB stated.
Iranian hackers target government entities with malware backdoor
The attackers conducted phishing via a compromised email account that they compromised via the NordVPN privacy service.
“MuddyWater accessed the compromised mailbox through NordVPN (a legitimate service abused by the threat actor), and used it to send phishing emails that appeared to be authentic correspondence,” the researchers explained.
They used the email account to send numerous malicious emails to numerous organizations and government entities across the Middle East and North Africa.
The emails contained macro-enabled Microsoft Office documents that loaded a Visual Basic for Applications (VBA) macro that dropped a FakeUpdate malware loader. The Iranian hackers used a mix of official government email addresses and private ones from Gmail and Yahoo to target government entities, demonstrating a higher degree of versatility.
Meanwhile, the FakeUpdate loader contained an embedded Phoenix malware backdoor as an AES-encrypted payload, which it decrypted before execution. It also contains a COM-based mechanism for persistence. According to Group-IB’s previous assessment, the Phoenix malware backdoor is a stripped-down version of the BugSleep malicious software. Previous versions of the malware backdoor have been used in past cyberespionage campaigns.
Nevertheless, users had to enable the macros for successful deployment since Microsoft had disabled the functionality by default and required user consent to execute. Subsequently, the malicious emails explicitly instructed recipients to “enable content” so that the document could be properly displayed.
“The phishing emails contain Microsoft Word documents that prompted recipients (victims) to enable macros in order to view the content,” the researchers explained.
When executed, the malware backdoor modified the Windows Registry under the current user and set the default app to run it to establish persistence. It collected system information, including computer name, domain, Windows version, and username, and used the WinHTTP command to connect to the command-and-control center and wait for commands.
The malware backdoor had numerous commands, including 65 to sleep, 68 to upload a file, 85 for file download, 67 to start the shell, and 83 to update the sleep interval.
The Iranian hackers also used an info stealer malware, Chromium_Stealer, to exfiltrate login credentials from Chrome, Opera, Brave, and Edge browsers and master keys to decrypt them. The hacking campaign also deployed the PDQ software utility and the Action1 Remote Monitoring and Management (RMM) tools, typically used by Iranian hackers to target government entities.
“By deploying updated malware variants such as the Phoenix v4 backdoor, the FakeUpdate injector, and custom credential-stealing tools alongside legitimate RMM utilities like PDQ and Action1, MuddyWater demonstrated an enhanced ability to integrate custom code with commercial tools for improved stealth and persistence,” the researchers stated.
On August 24, the Iranian hackers took down the command-and-control server, suggesting that they had shifted from centralized operations.
MuddyWater operational history
Active since 2017, MuddyWater operates under the Iranian Ministry of Intelligence and Security to target high-value organizations and government entities.
The group of Iranian hackers targets embassies, diplomatic missions, foreign affairs ministries, and consulates, suggesting an aggressive state-sponsored cyberespionage campaign. It has also targeted telecommunications firms, energy companies, and other critical infrastructure organizations in the Middle East and Asia. However, government entities seem to be MuddyWater’s priority in achieving the Islamic Republic of Iran’s geopolitical objectives.

