What happened in this attack?

A sophisticated phishing campaign targeted high-level finance executives by tricking them into downloading malware through fake recruitment emails and deceptive phishing pages.

Who was behind the attack?

While not officially confirmed, the tactics, tools, and infrastructure strongly suggest the involvement of APT MuddyWater, an Iranian state-linked threat group.

What was the goal of the attackers?

Their objective was to gain long-term remote access to the victims' systems using legitimate IT tools. This access could be used for surveillance, data theft, or future operations.

How did the attack work?

Victims received emails pretending to be from Rothschild & Co recruiters. Clicking the links led to fake verification pages hosted on Firebase. After solving a CAPTCHA, victims unknowingly downloaded malware hidden in ZIP and VBS files.

Why were CFOs and finance leaders targeted?

These roles have access to sensitive financial systems and strategic business information, making them high-value targets for espionage or financial fraud.

What tools did the attackers use?

They used legitimate tools like NetBird and AteraAgent for remote access, along with VBS scripts and OpenSSH to maintain persistent control of infected machines.

How widespread is this threat?

It spans multiple continents, including Europe, North and South America, Africa, and Asia, indicating a global and highly targeted campaign.

What should organizations do to protect themselves?

Organizations should strengthen email defenses, block execution of scripts from email downloads, monitor for unauthorized use of remote tools, and regularly audit privileged user accounts.

Is this an ongoing or isolated incident?

This is part of a broader, ongoing campaign, with evolving infrastructure and overlapping tactics linked to earlier documented MuddyWater operations.

Threats Feed|MuddyWater|Last Updated 31/10/2025|AuthorCertfa Radar|Publish Date20/08/2025

MuddyWater Targets CFOs Worldwide with Multi-Stage Phishing and NetBird Abuse

Actor Motivations: Espionage,Exfiltration
Attack Vectors: Backdoor,Downloader,Spear Phishing
Attack Complexity: Medium
Threat Risk: Low Impact/High Probability

Threat Overview

APT MuddyWater has launched a multi-stage spear-phishing campaign targeting CFOs and finance executives across Europe, North America, South America, Africa, and Asia. Disguised as recruiters from Rothschild & Co, the attackers use Firebase-hosted phishing pages with CAPTCHA lures and malicious ZIP/VBS payloads to deploy legitimate remote-access tools like NetBird and OpenSSH for persistent control. The infection chain creates hidden admin accounts, enables RDP, and automates persistence via scheduled tasks. Infrastructure analysis reveals overlaps with earlier MuddyWater operations, confirming attribution and highlighting the group’s evolving phishing toolkit and adaptive use of trusted cloud services for global financial espionage.

Reference and Credit: Hunt.io - August 2025

APT MuddyWater Deploys Multi-Stage Phishing to Target CFOs

Detected Targets

Type	Description	Confidence
Sector	Financial	Verified
Region	European Countries	Verified

Extracted IOCs

my1cloudlive[.]com
my2cloudlive[.]com
my-sharepoint-inc[.]com
web-16fe[.]app
cloud-233f9.firebaseapp[.]com
cloud-233f9.web[.]app
cloud-ed980.firebaseapp[.]com
cloud-ed980.web[.]app
googl-165a0.web[.]app
googl-6c11f.firebaseapp[.]com
googl-6c11f.web[.]app
0aa883cd659ef9957fded2516b70c341
23dda825f91be93f5de415886f17ad4a
2cddc7a31ea289e8c1e5469f094e975a
5325de5231458543349152f0ea1cc3df
7ddc947ce8999c8a4a36ac170dcd7505
f359f20dbd4b1cb578d521052a1b0e9f
192[.]3.95.152
198[.]46.178.135
hxxp://192[.]3.95.152/cloudshare/atr/pull[.]pdf
hxxp://192[.]3.95.152/cloudshare/atr/trm

download

Tip: 21 related IOCs (2 IP, 11 domain, 2 URL, 0 email, 6 file hash) to this threat have been found.

FAQs

: A sophisticated phishing campaign targeted high-level finance executives by tricking them into downloading malware through fake recruitment emails and deceptive phishing pages.
: While not officially confirmed, the tactics, tools, and infrastructure strongly suggest the involvement of APT MuddyWater, an Iranian state-linked threat group.
: Their objective was to gain long-term remote access to the victims' systems using legitimate IT tools. This access could be used for surveillance, data theft, or future operations.
: Victims received emails pretending to be from Rothschild & Co recruiters. Clicking the links led to fake verification pages hosted on Firebase. After solving a CAPTCHA, victims unknowingly downloaded malware hidden in ZIP and VBS files.
: These roles have access to sensitive financial systems and strategic business information, making them high-value targets for espionage or financial fraud.
: They used legitimate tools like NetBird and AteraAgent for remote access, along with VBS scripts and OpenSSH to maintain persistent control of infected machines.
: It spans multiple continents, including Europe, North and South America, Africa, and Asia, indicating a global and highly targeted campaign.
: Organizations should strengthen email defenses, block execution of scripts from email downloads, monitor for unauthorized use of remote tools, and regularly audit privileged user accounts.
: This is part of a broader, ongoing campaign, with evolving infrastructure and overlapping tactics linked to earlier documented MuddyWater operations.

About Affiliation

MuddyWater

Associate threats