An Iranian-backed hacking group known as MuddyWater has launched a major cyberespionage campaign across the Middle East and Africa. Using phishing emails sent from a compromised mailbox accessed through NordVPN, the attackers targeted over 100 government organizations and diplomatic missions. The operation delivered version 4 of the group’s custom Phoenix backdoor, which enabled remote access and long-term intelligence gathering.
Large-Scale Espionage Campaign
According to Group-IB, the campaign started on August 19, 2025, and focused on embassies, ministries, and international institutions. Instead of spoofing domains, the attackers used a legitimate mailbox, giving their emails a convincing appearance. Each message included a blurred Microsoft Word document urging recipients to enable macros. Once activated, the macros executed malicious code that began the infection chain leading to full compromise.
Deployment of Phoenix v4
The infection process relied on a tool called FakeUpdate, which AES-decrypted the next-stage payload and ran it. That payload installed Phoenix v4, a backdoor used exclusively by MuddyWater. Once deployed, it gathered system information, created persistence through Windows Registry changes, and established communication with command-and-control servers. This allowed the hackers to execute commands and exfiltrate data silently.
Tools and Techniques
Group-IB also discovered several secondary tools used to maintain access. These included Chromium_Stealer, disguised as a calculator app, for stealing credentials, and remote monitoring utilities like PDQ RMM and Action1 for system control. The use of both custom malware and legitimate tools reflects MuddyWater’s strategic evolution and focus on stealth.
Targets and Motivation
MuddyWater, also known as APT34 and Seedworm, has been active since 2017 and is linked to Iran’s Ministry of Intelligence and Security. The group primarily targets diplomatic, governmental, and humanitarian organizations to advance Iranian geopolitical interests. The latest campaign follows this pattern, seeking to gather intelligence and disrupt regional operations through persistent access.
Why the Campaign Was Effective
The attackers used a real mailbox accessed through NordVPN, making their phishing messages look authentic. This tactic, combined with the blurred-document trick, increased the likelihood that recipients would enable macros. Once that happened, the payload chain executed automatically, deploying Phoenix v4 without raising immediate suspicion.
Defensive Recommendations
To defend against such operations, experts recommend disabling Office macros by default and allowing execution only from verified sources. Organizations should strengthen email defenses through attachment sandboxing and macro scanning, while deploying EDR or XDR tools to detect registry changes and injection behavior. Enforcing multifactor authentication across accounts and monitoring for indicators related to Phoenix and FakeUpdate are also key steps.
Broader Implications
MuddyWater’s latest campaign highlights the growing sophistication of state-aligned threat actors. The group’s combination of social engineering, legitimate software abuse, and custom malware demonstrates a refined espionage strategy. Analysts warn that similar techniques could soon be used against critical infrastructure or private organizations beyond the current region.
Final Thoughts
The Phoenix backdoor campaign shows how a trusted mailbox and a single click can compromise entire government networks. By blending authenticity with technical precision, MuddyWater achieved wide-scale infiltration across multiple nations. The incident reinforces the urgent need for stronger email controls, threat intelligence sharing, and consistent cybersecurity awareness to counter future attacks.