A large-scale cyberespionage campaign targeting more than 100 government entities and international organizations across the Middle East and North Africa (MENA) has been attributed to MuddyWater, an Iranian state-sponsored hacking group. The phishing operation, uncovered by cybersecurity firm Group-IB, has distributed an updated version of a Windows backdoor called Phoenix since at least August. The targets also included embassies, diplomatic missions, foreign affairs ministries and telecommunications firms, underscoring the group's evolving capabilities and its broader geopolitical intelligence-gathering objectives.
MuddyWater, believed to operate under Iran's Ministry of Intelligence and Security (MOIS), launched the attacks from a compromised email account, sending malicious Microsoft Word attachments. Sending from a legitimate mailbox lent the messages authenticity; to obscure where they themselves were connecting from, the attackers accessed that mailbox through the legitimate VPN service NordVPN. The weaponized Word documents used a classic lure: the body was rendered blurred and the recipient was prompted to click "Enable Content", which activates the embedded macros. Doing so started a multi-stage infection chain that ended with a loader dubbed FakeUpdate deploying version 4 of the Phoenix backdoor.
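The lure depends on a macro-bearing Word attachment reaching the inbox. The following is an added example of the gateway-side triage check a defender would want for that step; it is not code from the article or from Group-IB. It opens an OOXML attachment as a zip, flags the `word/vbaProject.bin` part and the macro-enabled content types defined by ECMA-376, and, as a labelled heuristic, looks for auto-executing procedure names in the raw VBA blob. The `triage_office_attachment` and `TriageResult` names and the two in-memory fixtures are constructed for this example and are not campaign samples.

```python
"""Mail-gateway triage for Office attachments: does "Enable Content" have anything to run?"""
import io
import re
import zipfile
from dataclasses import dataclass, field

# OOXML part name and content types (ECMA-376 / MS-OFFMACRO) that mark a VBA project.
VBA_PART = "word/vbaProject.bin"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_ENABLED_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
DOCX_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"

# Procedure names Word runs with no further user action once macros are enabled.
# Matching raw bytes is a heuristic: VBA source in vbaProject.bin is normally
# MS-OVBA compressed, so decompress (e.g. with olevba) before trusting a negative.
AUTO_EXEC_NAMES = (b"AutoOpen", b"Auto_Open", b"Document_Open",
                   b"AutoExec", b"AutoClose", b"Document_Close")


@dataclass
class TriageResult:
    is_ooxml: bool = False
    has_vba_part: bool = False
    declares_macro_enabled: bool = False
    auto_exec_hits: list = field(default_factory=list)
    reasons: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        if not self.is_ooxml:
            return "not-ooxml"          # legacy OLE .doc or non-Office: needs a different parser
        if self.has_vba_part or self.declares_macro_enabled:
            return "quarantine" if self.auto_exec_hits else "hold-for-review"
        return "clean"


def triage_office_attachment(data: bytes) -> TriageResult:
    """Inspect an attachment's bytes and decide how the gateway should treat it."""
    result = TriageResult()
    if not data.startswith(b"PK\x03\x04"):
        result.reasons.append("not a zip container")
        return result
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
        names = set(zf.namelist())
    except zipfile.BadZipFile:
        result.reasons.append("corrupt zip container")
        return result
    if "[Content_Types].xml" not in names:
        result.reasons.append("zip without [Content_Types].xml; not OOXML")
        return result
    result.is_ooxml = True

    content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    if MACRO_ENABLED_MAIN in content_types or VBA_CONTENT_TYPE in content_types:
        result.declares_macro_enabled = True
        result.reasons.append("content types declare a macro-enabled document")

    if VBA_PART in names:
        result.has_vba_part = True
        result.reasons.append(f"{VBA_PART} present")
        blob = zf.read(VBA_PART)
        for name in AUTO_EXEC_NAMES:
            if re.search(re.escape(name), blob, re.IGNORECASE):
                result.auto_exec_hits.append(name.decode())
        if result.auto_exec_hits:
            result.reasons.append("auto-exec names in raw VBA blob: " + ", ".join(result.auto_exec_hits))
    # Macros declared but no project (or the reverse) is itself worth an analyst's eye.
    if result.has_vba_part != result.declares_macro_enabled:
        result.reasons.append("VBA part and content-type declaration disagree")
    return result


def _build_sample(macro: bool) -> bytes:
    """Constructed minimal OOXML fixtures for the example; not real campaign files."""
    overrides = f'<Override PartName="/word/document.xml" ContentType="{MACRO_ENABLED_MAIN if macro else DOCX_MAIN}"/>'
    if macro:
        overrides += f'<Override PartName="/{VBA_PART}" ContentType="{VBA_CONTENT_TYPE}"/>'
    content_types = ('<?xml version="1.0" encoding="UTF-8"?>'
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     '<Default Extension="xml" ContentType="application/xml"/>' + overrides + '</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            # Stand-in for a real OLE/MS-OVBA project; only the name strings matter here.
            zf.writestr(VBA_PART, b"\x00PROJECT\x00Module1\x00Sub AutoOpen()\x00")
    return buf.getvalue()


SAMPLE_CLEAN = _build_sample(macro=False)   # constructed: plain .docx, no macros
SAMPLE_MACRO = _build_sample(macro=True)    # constructed: .docm with an AutoOpen stub

if __name__ == "__main__":
    for label, blob in (("clean.docx", SAMPLE_CLEAN), ("lure.docm", SAMPLE_MACRO)):
        r = triage_office_attachment(blob)
        print(label, r.verdict, "|", "; ".join(r.reasons))
```

Two caveats for anyone putting this in front of a real mail flow: legacy binary `.doc` files are OLE compound documents, not zips, and need a separate parser (olevba handles both), and Office's default blocking of macros in internet-sourced files relies on the Mark of the Web, which an attachment can lose when it is extracted from an archive or saved from a container, so gateway screening remains worthwhile even with that control in place.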
Once installed, Phoenix gives the attackers persistent remote access, letting them collect system information and user credentials and conduct long-term intelligence gathering. Analysts noted that the targets were carefully researched: the recipient lists mixed official government addresses with personal accounts on services such as Yahoo and Gmail. The targeting of influential international organizations involved in cooperation and humanitarian work, alongside government entities, is consistent with MuddyWater's focus on long-running, non-financial espionage. Researchers assess that the campaign reflects the group's growing operational maturity and its combination of custom code with commercial tools for stealth, and they expect such activity to continue amid rising regional tensions.