MuddyWater Unveils New Espionage Toolkit in Global Phishing Campaign
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: Backdoor, Dropper, Malicious Macro, Spear Phishing
- Attack Complexity: Medium
- Threat Risk: High Impact/High Probability
Threat Overview
Group-IB uncovered a global phishing campaign by the Iran-linked APT MuddyWater, targeting international and humanitarian organizations across the Middle East, Europe, Africa, and North America. The group used a compromised mailbox accessed via NordVPN to send phishing emails with malicious Word documents containing VBA macros that deployed the Phoenix backdoor v4 through the FakeUpdate injector. The malware achieved persistence via Winlogon registry keys and COM hijacking, while a custom browser credential stealer and RMM tools (PDQ, Action1) facilitated remote access and credential harvesting. The campaign reflects MuddyWater’s evolving espionage capabilities and integration of custom and legitimate tools for stealth operations.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Sector | Government Agencies and Services | Verified |
| Sector | Telecommunication | Verified |
| Region | Middle East Countries | Verified |
| Region | European Countries | High |
Extracted IOCs
Tip: 7 IOCs related to this threat have been found (0 IP, 1 domain, 0 URL, 0 email, 6 file hashes).
FAQs
MuddyWater's Global Espionage Campaign
A state-sponsored hacker group known as MuddyWater launched a phishing campaign using stolen email accounts to send infected Word documents to international organizations. These documents deployed malware to secretly take control of systems and steal data.
The campaign is attributed to MuddyWater, a cyber-espionage group linked to the Iranian Ministry of Intelligence. They have a long history of targeting governments and institutions in the Middle East and beyond.
The attackers aimed to gather foreign intelligence by gaining long-term access to sensitive systems in diplomatic and humanitarian organizations, as well as critical infrastructure in the energy sector.
Attackers used a compromised email account and NordVPN to send phishing emails. Once victims opened the attached documents and enabled macros, malware was installed to allow remote control and data theft.
The campaign targeted both government (.gov) and personal email addresses of individuals working in international cooperation, humanitarian aid, and the energy sector, primarily in the Middle East, but also in Europe and North America.
Diplomatic, humanitarian, and energy organizations often hold sensitive political and economic data, making them valuable sources of intelligence for state-backed actors.
The group used several tools, including Phoenix backdoor v4, a credential-stealing app disguised as a calculator, and remote monitoring tools like PDQ and Action1.
Organizations should disable macros by default, monitor for unusual network traffic and registry changes, restrict the use of remote management software, and improve email security to detect compromised sender accounts.
Yes. MuddyWater has a history of cyber espionage campaigns, and this operation continues their pattern of evolving techniques and expanded targeting beyond the Middle East. Similar attacks are likely to continue.
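The report names two persistence mechanisms (Winlogon registry keys and COM hijacking) and recommends monitoring registry changes. The following added example, not code from Group-IB or the report, shows offline checks a defender could run over exported registry values: it flags Winlogon Userinit/Shell values that differ from stock defaults and HKCU CLSID entries that shadow an HKLM CLSID or load a COM server from a user-writable path. All registry values in it are constructed samples, not artifacts from the campaign.

```python
"""Offline checks for Winlogon and COM-hijack persistence.
Sample registry data below is constructed, not taken from the report."""
import re

# Stock Winlogon values (HKLM\...\Windows NT\CurrentVersion\Winlogon).
WINLOGON_DEFAULTS = {
    "Userinit": r"c:\windows\system32\userinit.exe",
    "Shell": "explorer.exe",
}

# Paths a low-privileged user can write to; a COM server DLL loaded from
# here under a user-hive CLSID is a strong hijack indicator.
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|users\\public)\\", re.I)


def check_winlogon(values):
    """Return findings for Winlogon values that differ from the defaults.
    `values` maps value name -> data as exported from the Winlogon key."""
    findings = []
    for name, default in WINLOGON_DEFAULTS.items():
        data = values.get(name, "")
        if data.strip().lower().rstrip(",") != default:
            findings.append(f"Winlogon\\{name} modified: {data!r}")
    return findings


def check_com_hijack(hkcu_clsids, hklm_clsids):
    """Flag HKCU CLSID InprocServer32 entries that shadow an HKLM CLSID
    (per-user entries win the COM lookup) or point into a user-writable path."""
    hklm = {c.lower() for c in hklm_clsids}
    findings = []
    for clsid, dll in hkcu_clsids.items():
        reasons = []
        if clsid.lower() in hklm:
            reasons.append("shadows HKLM CLSID")
        if USER_WRITABLE.search(dll):
            reasons.append("server in user-writable path")
        if reasons:
            findings.append(f"{clsid} -> {dll} ({'; '.join(reasons)})")
    return findings


if __name__ == "__main__":
    # Constructed sample: an extra executable appended to Userinit, and a
    # per-user CLSID override pointing at a DLL under AppData (placeholder GUID).
    winlogon = {"Userinit": r"C:\Windows\system32\userinit.exe,C:\Users\Public\u.exe",
                "Shell": "explorer.exe"}
    hkcu = {"{00000000-0000-0000-0000-000000000001}": r"C:\Users\a\AppData\Roaming\x.dll"}
    hklm = {"{00000000-0000-0000-0000-000000000001}": r"C:\Windows\System32\shell32.dll"}
    for finding in check_winlogon(winlogon) + check_com_hijack(hkcu, hklm):
        print("ALERT:", finding)
```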