Iran-linked MuddyWater used compromised email to deliver Phoenix backdoor to 100+ MENA government targets, Group-IB says

Iran-linked threat actor MuddyWater has used a compromised email account to distribute a backdoor known as Phoenix to organisations across the Middle East and North Africa, including more than 100 government entities, Group-IB researchers Mahmoud Zohdy and Mansour Alhmoud said in a technical report.

Group-IB reported that more than three-quarters of the campaign’s targets were embassies, diplomatic missions, foreign affairs ministries and consulates, with the remainder including international organisations and telecommunications firms.

Investigators found the actor accessed a compromised mailbox via NordVPN and used it to send phishing emails that appeared to be authentic, increasing the likelihood recipients would open malicious attachments. The phishing messages carried weaponised Microsoft Word documents that prompted users to enable macros; enabling them executed Visual Basic for Applications code that dropped a FakeUpdate loader and deployed Phoenix version 4 after decrypting an AES-encrypted payload.

Group-IB said it first documented the actor’s use of Phoenix last month and described the implant as a lightweight version of a Python-based tool known as BugSleep. The vendor has observed two variants of Phoenix, labelled version 3 and version 4.

The report identified a command-and-control server at 159.198.36[.]115 that also hosted remote monitoring and management utilities and a custom web-browser credential stealer targeting Brave, Google Chrome, Microsoft Edge and Opera. Group-IB noted the operation combined custom credential-stealing tools with legitimate RMM utilities such as PDQ and Action1, suggesting an effort to blend commercial and bespoke tooling for stealth and persistence.
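A defender's first action on a report like this is to sweep egress logs for the published command-and-control indicator. The following is an added example, not code from Group-IB or from the report: it refangs the defanged IP exactly as printed above, scans a few constructed firewall log lines (the log format and host names are assumptions made for the example, not data from the campaign), and returns exact-match hits so that a neighbouring address such as 159.198.36.11 is not mistaken for the C2 server.

```python
import re
from collections import Counter

# C2 indicator as published in the report, kept in its defanged form.
PHOENIX_C2_DEFANGED = "159.198.36[.]115"


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('[.]') back into a matchable address."""
    return ioc.replace("[.]", ".")


def defang(ioc: str) -> str:
    """Defang only the last dot, matching the report's 'a.b.c[.]d' convention."""
    head, sep, tail = ioc.rpartition(".")
    return f"{head}[.]{tail}" if sep else ioc


# Constructed sample egress log lines (hypothetical format; not from the report).
# Note the last line: a different host, 159.198.36.11, shares a prefix with the
# indicator and must not match.
SAMPLE_EGRESS_LOG = """\
2025-10-28T09:14:02Z host=WS-0417 dst=159.198.36.115 dport=443 action=allow
2025-10-28T09:14:05Z host=WS-0417 dst=142.250.74.36 dport=443 action=allow
2025-10-28T09:20:11Z host=WS-0102 dst=159.198.36.115 dport=443 action=allow
2025-10-28T09:21:40Z host=WS-0417 dst=159.198.36.115 dport=8080 action=allow
2025-10-28T09:30:00Z host=SRV-MAIL dst=159.198.36.11 dport=25 action=allow
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)


def find_c2_contacts(log_text: str, iocs) -> list:
    """Return (timestamp, host, dst, dport) for every line whose destination
    exactly equals one of the refanged indicators."""
    wanted = {refang(i) for i in iocs}
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed format
        if m["dst"] in wanted:  # exact match, never substring
            hits.append((m["ts"], m["host"], m["dst"], int(m["dport"])))
    return hits


def hosts_by_hit_count(hits) -> Counter:
    """Count contacts per internal host so the most active machines surface first."""
    return Counter(h[1] for h in hits)


if __name__ == "__main__":
    found = find_c2_contacts(SAMPLE_EGRESS_LOG, [PHOENIX_C2_DEFANGED])
    for ts, host, dst, dport in found:
        print(f"{ts} {host} -> {defang(dst)}:{dport}")
    print(hosts_by_hit_count(found))
```

Because the report says the same server also hosted RMM utilities and a browser credential stealer, any host that appears in the hit list should be treated as potentially running more than the Phoenix implant when it is triaged.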

MuddyWater – also tracked under names including Boggy Serpens, Cobalt Ulster, Earth Vetala, Mango Sandstorm, Seedworm, Static Kitten, TA450, TEMP.Zagros and Yellow Nix – is assessed to be affiliated with Iran’s Ministry of Intelligence and Security and has been active since at least 2017.