A new phishing campaign leveraging compromised email accounts to distribute malware has been uncovered by cybersecurity researchers.
The espionage operation, attributed by Group-IB with high confidence to the Iran-linked threat actor MuddyWater, targeted international organizations across multiple regions to gather foreign intelligence.
Phishing Through Trusted Channels
The campaign used a compromised mailbox accessed via NordVPN, a legitimate service misused to disguise the attacker’s identity. MuddyWater then sent phishing emails that mimicked authentic correspondence, exploiting trust to increase the likelihood of victims opening attachments.
The attachments, malicious Microsoft Word documents, urged recipients to enable macros. Once activated, the macros executed embedded Visual Basic code that dropped and launched version 4 of the Phoenix backdoor, providing attackers with remote control over infected systems.
“The incident underscores how state-backed Threat Actors continue to exploit trusted channels of communication to evade defenses and infiltrate high-value targets,” Group-IB wrote in their advisory, published today.
Advanced Malware and Toolset
Phoenix v4 introduced an updated persistence mechanism, allowing MuddyWater to maintain control even after reboots. The malware gathers system details, modifies registry keys and connects to a command-and-control (C2) server for instructions.
Investigators also found three remote monitoring and management (RMM) tools, PDQ, Action1 and ScreenConnect, alongside a custom browser credential stealer dubbed Chromium_Stealer. This tool masqueraded as a calculator app while harvesting login data from browsers, including Chrome, Edge, Opera and Brave.
The C2 infrastructure used in the operation was registered under the domain screenai[.]online, fronted by Cloudflare and briefly active in August 2025.
Analysis revealed that the real IP address behind it (159[.]198[.]36[.]115) was linked to Namecheap’s servers and ran a temporary Python-based HTTP service to host the malware and RMM utilities.
Group-IB connected this campaign to MuddyWater based on overlapping code, domain infrastructure and malware samples previously associated with the group. The targeting patterns, particularly those involving humanitarian and governmental institutions, reflect the actor’s geopolitical objectives.
Defensive Recommendations
Organizations can reduce exposure to similar threats by adopting the following measures:
- Disable Office macros by default and allow execution only from trusted sources
- Deploy endpoint detection and response (EDR) tools to identify abnormal registry and process behavior
- Conduct regular phishing simulations and staff awareness training
- Monitor for indicators linked to Phoenix, FakeUpdate and related domains like screenai[.]online
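As an added example (not from the article or from Group-IB’s advisory), the following Python scanner refangs the two indicators quoted above and checks DNS and web-proxy log lines against them, treating subdomains of the C2 domain as hits while rejecting look-alike names. The log line format and the sample lines are assumptions constructed for the example.

```python
import ipaddress
import re

# Indicators exactly as the article prints them (defanged form).
DEFANGED_IOCS = ["screenai[.]online", "159[.]198[.]36[.]115"]

# Constructed sample log lines (assumed format, not from a real environment):
# "<ts> dns <src> query=<name>"  or  "<ts> proxy <src> dst=<host>:<port> ..."
SAMPLE_LOGS = [
    "2025-08-12T10:01:03Z dns 10.0.0.5 query=update.screenai.online",
    "2025-08-12T10:01:04Z proxy 10.0.0.5 dst=159.198.36.115:80 GET /",
    "2025-08-12T10:02:10Z dns 10.0.0.7 query=notscreenai.online",
    "2025-08-12T10:02:11Z dns 10.0.0.7 query=screenai.online.example.net",
    "2025-08-12T10:03:00Z proxy 10.0.0.9 dst=203.0.113.10:443 GET /",
]

_FIELD = re.compile(r"\b(?:query|dst)=([^\s:]+)")  # host part of query= or dst=

def refang(ioc: str) -> str:
    """Undo the [.] / hxxp defanging used in reports so values can be compared."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()

def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def matches(observed: str, ioc: str) -> bool:
    """IPs match exactly; domains match exactly or as a subdomain of the IoC.
    Look-alikes such as notscreenai.online or screenai.online.example.net do not."""
    observed = observed.lower().rstrip(".")
    if is_ip(ioc):
        return observed == ioc
    return observed == ioc or observed.endswith("." + ioc)

def scan(lines, defanged=DEFANGED_IOCS):
    """Return (timestamp, source host, indicator) for each line touching an IoC."""
    iocs = [refang(i) for i in defanged]
    hits = []
    for line in lines:
        m = _FIELD.search(line)
        if not m:
            continue
        ts, _kind, src = line.split()[:3]
        hits.extend((ts, src, ioc) for ioc in iocs if matches(m.group(1), ioc))
    return hits
```

Running `scan(SAMPLE_LOGS)` flags only the first two lines; the two look-alike queries and the unrelated proxy destination produce no hit.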
“Given MuddyWater’s sustained focus on governmental targets especially amid the ongoing geopolitical tension in the region, [we] expect similar campaigns will continue to emerge, leveraging newly compromised accounts and evolving payloads,” Group-IB warned.
“Organizations, particularly those operating within government and critical infrastructure sectors, [should] strengthen their defenses against MuddyWater and similar state-aligned actors.”