MuddyWater Deploys Macro-Enabled Documents to Deliver VBScript Backdoor
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: Backdoor, Dropper, Malicious Macro
- Attack Complexity: Low
- Threat Risk: Unknown
Threat Overview
The MuddyWater APT group has been observed using malicious macro-enabled Microsoft Word documents to compromise targets. When a recipient opens one of these documents and enables macros, a VBScript backdoor is dropped and executed; it then communicates over HTTP with attacker-controlled command and control (C2) servers. The backdoor receives commands from the C2 servers, executes them on the victim machine, and returns the results. The identified infrastructure (domains and IP addresses) uses HTTPS over port 443 for its C2 traffic, which blends in with ordinary web traffic and helps the activity pass through firewall rules.
Extracted IOCs
- oauth-services[.]live
- 107[.]175.196.104
- 185[.]117.73.52
- 185[.]141.26.81
- 87[.]236.212.81
Tip: 5 related IOCs (4 IP, 1 domain, 0 URL, 0 email, 0 file hash) to this threat have been found.
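To act on the "block known malicious infrastructure" advice, a defender first needs to know whether the listed indicators already appear in their own logs. The script below is an added example, not part of the original report: it refangs the five indicators above and sweeps them against constructed proxy log lines (timestamp, source IP, destination host, destination IP, destination port; the log format and sample entries are assumptions for illustration). Subdomains of a listed domain are flagged as well, which is a deliberate choice for a C2 domain rather than something the report states.

```python
import re
from ipaddress import ip_address

# Indicators exactly as published above (defanged with "[.]").
DEFANGED_IOCS = [
    "oauth-services[.]live",
    "107[.]175.196.104",
    "185[.]117.73.52",
    "185[.]141.26.81",
    "87[.]236.212.81",
]

def refang(value: str) -> str:
    """Restore a defanged indicator to its matchable form."""
    return value.replace("[.]", ".").strip().lower()

def load_iocs(defanged):
    """Split indicators into IP addresses and domain names."""
    ips, domains = set(), set()
    for v in map(refang, defanged):
        try:
            ip_address(v)
            ips.add(v)
        except ValueError:
            domains.add(v)
    return ips, domains

# Constructed sample log lines (hypothetical, not from the report):
# ts src_ip dst_host dst_ip dst_port  ("-" = no hostname seen, e.g. direct-to-IP)
SAMPLE_LOGS = """\
2024-01-01T10:00:00Z 10.0.0.5 example.com 93.184.216.34 443
2024-01-01T10:00:05Z 10.0.0.7 oauth-services.live 185.117.73.52 443
2024-01-01T10:00:09Z 10.0.0.7 - 107.175.196.104 443
2024-01-01T10:00:12Z 10.0.0.9 login.oauth-services.live 185.141.26.81 443
"""
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")

def host_matches(host: str, domains) -> bool:
    """Exact match or subdomain of a listed C2 domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def scan(log_text: str, defanged=DEFANGED_IOCS):
    """Return one hit per log line that touches a listed domain or IP."""
    ips, domains = load_iocs(defanged)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing the sweep
        ts, src, host, dst_ip, port = m.groups()
        reasons = []
        if host_matches(host, domains):
            reasons.append(f"domain:{host}")
        if dst_ip in ips:
            reasons.append(f"ip:{dst_ip}")
        if reasons:
            hits.append({"ts": ts, "src": src, "port": int(port), "reasons": reasons})
    return hits
```

Any hit is worth triaging as a possible macro-dropped backdoor check-in; the direct-to-IP line shows why blocking on IP as well as domain matters.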
FAQs
Understanding the MuddyWater Attack
Researchers identified malicious Microsoft Word documents carrying embedded macros, which drop a backdoor script capable of executing remote commands when opened.
The activity has been attributed to MuddyWater, an Iranian state-sponsored group known for cyber-espionage operations.
The attackers aimed to gain remote access to victim machines, execute commands, and potentially exfiltrate data through command-and-control servers.
Victims received malicious Word documents. Once the user enabled macros, the document dropped and executed a VBScript backdoor that communicated with the attackers’ servers.
The report does not specify industries or individuals, but MuddyWater typically targets government, telecommunications, and defense sectors.
Entities in these sectors often hold sensitive data and strategic information valuable for espionage and intelligence-gathering.
Organizations should block known malicious infrastructure, restrict macro usage, improve email filtering, and educate staff on phishing risks.
MuddyWater campaigns are generally targeted, focusing on entities of strategic interest to the group’s sponsors.