In one of the most extensive espionage operations linked to Tehran in recent months, cybersecurity firm Group-IB has uncovered that the Iranian state-sponsored hacker group MuddyWater—also known as Static Kitten, Mercury, or Seedworm—has attacked more than 100 government organizations using an updated version of the Phoenix backdoor.
Beginning on August 19, the campaign leveraged phishing emails sent from a compromised account accessed via NordVPN. The messages, disguised as official correspondence, were aimed at embassies, consulates, and foreign affairs ministries throughout the Middle East and North Africa.
Within days, the group dismantled parts of its command-and-control (C2) infrastructure—an indication, analysts say, that it may have moved to secondary payloads or alternate persistence mechanisms to evade detection.
A Return to Old Tricks: Macros and Malware Loaders
In a notable tactical throwback, MuddyWater’s attackers reverted to malicious Microsoft Word macros, a method once considered outdated after Microsoft disabled macros by default.
The phishing emails carried infected Word files that urged recipients to “enable content.” When triggered, embedded VBA code executed the FakeUpdate loader, which decrypted and installed the Phoenix v4 payload on targeted machines.
The loader wrote the malware to C:\ProgramData\sysprocupdate.exe and altered Windows Registry entries to ensure persistence after reboot. Group-IB noted that this variant showed “unusual discipline,” combining legacy macro-based delivery with modern encryption and obfuscation techniques.
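As an added example (not Group-IB's or the article's own code), the delivery chain just described can be turned into a simple triage check over Sysmon-style event lines: a Word process spawning a child, a file written to the reported drop path, and a registry value pointing back at it. The log format, the sample events and the use of a Run key as the persistence location are assumptions; only the drop path comes from the article.

```python
"""Triage check for the macro -> loader -> drop path -> registry chain described above."""
import re

DROP_PATH = r"C:\ProgramData\sysprocupdate.exe"          # path reported by Group-IB
# Assumed persistence location; the article only says "Registry entries".
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)


def parse_event(line):
    """Parse a constructed 'EventID=<n> key="value" key=value' line into a dict."""
    fields = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|(\S+))', line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def classify(fields):
    """Label one event against the chain's stages, or return None if it matches nothing."""
    eid = fields.get("EventID")
    if eid == "1" and fields.get("ParentImage", "").lower().endswith("winword.exe"):
        return "office-child-process"      # Sysmon 1: process created by Word
    if eid == "11" and fields.get("TargetFilename", "").lower() == DROP_PATH.lower():
        return "loader-drop-path"          # Sysmon 11: file written to the drop path
    if (eid == "13" and RUN_KEY_RE.search(fields.get("TargetObject", ""))
            and DROP_PATH.lower() in fields.get("Details", "").lower()):
        return "run-key-persistence"       # Sysmon 13: Run value pointing at the drop path
    return None


def scan(lines):
    """Return (label, Image) pairs for every event that matches a stage of the chain."""
    findings = []
    for line in lines:
        fields = parse_event(line)
        label = classify(fields)
        if label:
            findings.append((label, fields.get("Image", "")))
    return findings


# Constructed sample events; the last one is benign and must not be flagged.
SAMPLE_LOG = [
    r'EventID=1 Image="C:\Windows\System32\cmd.exe" ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" ProcessId=4120',
    r'EventID=11 Image="C:\Windows\System32\cmd.exe" TargetFilename="C:\ProgramData\sysprocupdate.exe"',
    r'EventID=13 Image="C:\Windows\System32\cmd.exe" TargetObject="HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\SysProcUpdate" Details="C:\ProgramData\sysprocupdate.exe"',
    r'EventID=1 Image="C:\Windows\System32\notepad.exe" ParentImage="C:\Windows\explorer.exe" ProcessId=4200',
]

if __name__ == "__main__":
    for label, image in scan(SAMPLE_LOG):
        print(f"{label:24} {image}")
```

Any single stage firing alone is a lead; all three on one host in sequence is the pattern worth escalating.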
Inside Phoenix v4: A Backdoor With New Tricks
Phoenix v4 builds on earlier iterations of the malware documented in prior MuddyWater campaigns. The latest version introduces an additional COM-based persistence mechanism and expanded capabilities for remote access and data exfiltration.
According to Group-IB’s technical analysis, the backdoor collects device metadata — including computer name, domain, Windows version, and username — before connecting to its C2 servers using WinHTTP. Once operational, it can receive commands to upload or download files, initiate shell access, and alter its sleep intervals to control beacon timing.
Researchers also discovered a custom infostealer designed to extract browser data from Chrome, Edge, Opera, and Brave. The tool specifically targeted credential databases and master encryption keys to decrypt stored passwords.
On the same C2 servers, investigators found deployment utilities such as PDQ Deploy and Action1 RMM, suggesting that the attackers used legitimate IT management tools to maintain control and move laterally within compromised networks.
A Persistent Adversary With Strategic Intent
Group-IB attributes the operation to MuddyWater with “high confidence,” citing its consistent malware coding patterns, string-decoding techniques, and long-standing focus on regional government targets.
MuddyWater, active since at least 2017, operates under Iran’s Ministry of Intelligence and Security (MOIS). It has a documented history of espionage and disruptive attacks against critical infrastructure and diplomatic institutions across the Middle East, Central Asia, and Europe.
The use of Phoenix v4 reflects the group’s adaptive evolution — blending outdated delivery channels with advanced payload engineering to exploit institutional complacency.
As one analyst summarized, “MuddyWater isn’t innovating for novelty; it’s innovating for stealth.”
With the campaign’s infrastructure now partially dismantled, cybersecurity experts warn that its tools will almost certainly resurface in modified form — part of an ongoing cycle of espionage in which detection only signals reinvention.
