Phoenix
Phoenix is a Windows backdoor associated primarily with the Iranian state-aligned threat group MuddyWater, also tracked as Seedworm and TA450 and assessed in public reporting as linked to Iran's Ministry of Intelligence and Security (MOIS). It has been used in espionage campaigns against government entities, embassies, diplomatic missions, foreign affairs ministries, consulates, international organizations, and other high-value targets across the Middle East and North Africa; reporting also notes targeting of the energy, telecommunications, finance, maritime, and critical-infrastructure sectors.
Observed delivery has relied heavily on spear-phishing and malicious Microsoft Word documents containing VBA macros. In documented campaigns, victims were prompted to enable content, after which macro code wrote a loader to disk and installed the Phoenix backdoor. Group-IB reported malicious MuddyWater documents on VirusTotal with decoy content and embedded VBA macros designed to install Phoenix. One campaign used a compromised mailbox accessed via NordVPN to distribute the malware to more than 100 government entities and international organizations in MENA. Reporting also notes executable files disguised as PDFs and DOC files with macro code delivering Phoenix and UDPGangster.
Phoenix is Windows malware that gives the operator remote control of an infected system and collects data from it. Reported functionality includes collection of system information such as the computer name and Windows version and, in one report, user credentials. Phoenix v4 communicates with its command-and-control infrastructure over WinHTTP and supports commands for sleep control, file upload and download, and shell access. Group-IB reported that Phoenix v4 added a COM-based persistence mechanism and differed functionally from earlier variants in other ways. In one documented chain, the FakeUpdate loader decrypted an AES-encrypted Phoenix v4 payload and wrote it to C:\ProgramData\sysprocupdate.exe, with persistence established through Windows Registry modifications.
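Hunting logic for the chain described in the two paragraphs above (a macro-borne loader written to disk, the documented drop path, Run-key persistence, and Office launching the dropped file), as an added example that is not code from the page's sources or from any vendor report. It assumes Sysmon-style events with the standard field names (EventID, Image, ParentImage, TargetFilename, TargetObject, Details); the host names, SIDs, and the Run value name "Updater" are constructed for the demo, since the reporting quoted here gives only the drop path and not the registry value. The COM-based persistence Group-IB mentions is not covered because the page gives no CLSID or COM object to key on.

```python
"""Hunt Sysmon-style events for the Phoenix v4 deployment chain described in
public reporting: an Office macro writing an executable under C:\\ProgramData,
the documented drop path C:\\ProgramData\\sysprocupdate.exe, Run-key persistence
pointing at it, and Office launching the dropped file. Hosts, SIDs and the Run
value name below are constructed for the demo; only the drop path is from reporting."""
from __future__ import annotations

import re
from dataclasses import dataclass

OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe"}
PROGRAMDATA = "c:\\programdata\\"
DOCUMENTED_DROP = "c:\\programdata\\sysprocupdate.exe"  # from Group-IB's reporting
# ...\Microsoft\Windows\CurrentVersion\Run or RunOnce under HKLM or any user hive
RUN_KEY_RE = re.compile(r"\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def norm(path: str) -> str:
    return path.strip().lower()


def basename(path: str) -> str:
    return norm(path).rsplit("\\", 1)[-1]


def exe_from_command(cmd: str) -> str:
    """Executable path from a Run-value command line, quoted or bare, lower-cased."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return norm(cmd[1:].split('"', 1)[0])
    return norm(cmd.split(" ", 1)[0])


def hunt(events) -> list[Finding]:
    events = list(events)
    findings: list[Finding] = []
    # Pass 1: executables written under ProgramData by an Office process (the macro
    # stage), keyed by (host, path) so pass 2 can tie persistence back to the drop.
    office_drops: set[tuple[str, str]] = set()
    for ev in events:
        if ev["EventID"] == 11 and basename(ev["Image"]) in OFFICE_PROCS:
            target = norm(ev["TargetFilename"])
            if target.startswith(PROGRAMDATA) and target.endswith(".exe"):
                office_drops.add((ev["host"], target))
                findings.append(Finding(ev["host"], "office_writes_exe_programdata",
                                        f"{basename(ev['Image'])} wrote {target}"))
    # Pass 2: documented path, Run-key persistence, Office launching the drop.
    # Two passes make the result independent of event order.
    for ev in events:
        host, eid = ev["host"], ev["EventID"]
        if eid == 11 and norm(ev["TargetFilename"]) == DOCUMENTED_DROP:
            findings.append(Finding(host, "known_phoenix_path", ev["TargetFilename"]))
        elif eid == 13 and RUN_KEY_RE.search(ev["TargetObject"]):
            exe = exe_from_command(ev.get("Details", ""))
            if exe.startswith(PROGRAMDATA):
                rule = ("office_drop_then_run_key" if (host, exe) in office_drops
                        else "run_key_to_programdata_exe")
                findings.append(Finding(host, rule, f"{ev['TargetObject']} -> {exe}"))
        elif eid == 1 and basename(ev.get("ParentImage", "")) in OFFICE_PROCS:
            image = norm(ev["Image"])
            if image.startswith(PROGRAMDATA):
                findings.append(Finding(host, "office_spawns_programdata_exe", image))
    return findings


# Constructed sample telemetry, not real logs.
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
RUN = r"\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_EVENTS = [  # a Word macro drops, registers and launches the payload
    {"host": "WS01", "EventID": 1, "Image": WINWORD, "ParentImage": r"C:\Windows\explorer.exe"},
    {"host": "WS01", "EventID": 11, "Image": WINWORD, "TargetFilename": r"C:\ProgramData\sysprocupdate.exe"},
    {"host": "WS01", "EventID": 13, "Image": WINWORD, "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001" + RUN + r"\Updater",
     "Details": r"C:\ProgramData\sysprocupdate.exe"},
    {"host": "WS01", "EventID": 1, "Image": r"C:\ProgramData\sysprocupdate.exe", "ParentImage": WINWORD},
]
BENIGN_EVENTS = [  # an installer, a normal Run value and a browser launch
    {"host": "WS02", "EventID": 11, "Image": r"C:\Windows\System32\msiexec.exe", "TargetFilename": r"C:\ProgramData\Vendor\tool.exe"},
    {"host": "WS02", "EventID": 13, "Image": r"C:\Windows\System32\reg.exe", "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1002" + RUN + r"\OneDrive",
     "Details": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"host": "WS02", "EventID": 1, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS + BENIGN_EVENTS):
        print(f"{f.host}  {f.rule:32} {f.detail}")
```

Run the file directly to print the four findings for the constructed WS01 chain and nothing for WS02. Against real telemetry, feed it an event export from your SIEM; the two-pass design means the export need not be sorted, and office_drop_then_run_key is the highest-confidence signal because it links the macro stage to persistence on the same host, whereas run_key_to_programdata_exe alone will also fire on some legitimate software.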
Phoenix has also been referenced as part of MuddyWater’s broader malware ecosystem alongside BugSleep, StealthCache, Fooder loader, MuddyViper, RustyWater, CHAR, GhostFetch/HTTP_VIP, GhostBackDoor, and UDPGangster. Reporting states Phoenix has been used to deploy a stripped-down BugSleep variant, and a Phoenix injector was used to deploy BugSleep. Additional reporting places Phoenix in MuddyWater campaigns that also used PDQ and Action1 RMM tooling and a custom browser credential stealer targeting Chrome, Opera, Brave, and Edge.
The source material also contains references to other malware carrying the same name, including a historical DOS-era virus attributed to Dark Avenger and an Android malware codebase cited as an ancestor of Perseus. The dominant, high-confidence usage in the material is the MuddyWater/Seedworm Windows backdoor described here.
Groups observed using it
Public researchers attribute Phoenix to MuddyWater; Symantec tracks the group as Seedworm and Proofpoint as TA450, so vendor reporting cites it under more than one name.
Group-IB said samples of MuddyWater malicious documents obtained from VirusTotal feature decoy content and embedded VBA macros designed to install the Phoenix backdoor.
Techniques & procedures
16 distinct techniques documented for this family, organized by ATT&CK tactic. Several of the supporting excerpts were matched on the name alone and describe unrelated tooling (the Phoenix exploit kit and phishing-kit operations), as noted above.
Reconnaissance
2 techniques
The following excerpt describes an unrelated phishing-kit operation and is not evidence about the MuddyWater backdoor:
Victims are first prompted to enter their phone number to check reward status or update delivery details. After submission, they are taken through a series of pages that collect full credit card details, shipping addresses, and personally identifiable information.
Resource Development
3 techniques
Seedworm carried out a sophisticated spear-phishing attack that used a compromised mailbox to distribute a custom backdoor known as Phoenix
Initial Access
3 techniques
The first excerpt below concerns the Phoenix exploit kit, a name collision with the MuddyWater backdoor; the second describes phishing-as-a-service in general:
Dmitry “Paunch” Fedotov used his Blackhole exploit kit to spread multiple forms of malware internationally... The exploit kits Blackhole, Phoenix, and Nuclear have all come and gone, championed today by Rig, Magnitude, and Grandsoft.
Phishing-as-a-Service, or PhaaS, has become one of the fastest-growing threats in the cybercrime world. Instead of building tools from scratch, cybercriminals now rent ready-made phishing kits that come with pre-built templates, real-time dashboards, and automated victim tracking.
Execution
3 techniques
Group-IB said samples of MuddyWater malicious documents obtained from VirusTotal feature decoy content and embedded VBA macros designed to install the Phoenix backdoor.
The following excerpt concerns the Phoenix exploit kit and its contemporaries, not the MuddyWater backdoor:
The document repeatedly lists exploit kits alongside client-side CVEs such as CVE-2013-2551, CVE-2013-0634, CVE-2013-0422, CVE-2012-0507, CVE-2011-3544, CVE-2010-0188, and many others affecting Java, Flash, Internet Explorer, Adobe Reader, QuickTime, and Windows Media Player.
Persistence
1 technique
Groups such as Seedworm have used custom backdoors—such as the Phoenix malware—to maintain long-term access even after initial vulnerabilities are patched. These tools are designed for persistent espionage, allowing attackers to return to compromised environments months or even years later.
Privilege Escalation
1 technique
Stealth
2 techniques
Both excerpts below describe page cloaking by an unrelated phishing-kit operation, not the Windows backdoor:
The phishing pages are crafted to closely mimic official websites of well-known brands with matching logos, layouts, and wording.
When a victim clicks the link inside the SMS, the phishing page first checks the visitor’s IP address and device type. Only users from the targeted country and on approved devices can see the fraudulent page. Everyone else is silently redirected to an error page or a default system redirect, effectively hiding the infrastructure from security researchers.
Discovery
1 technique
Lateral Movement
1 technique
Recent activity
Referenced in reporting on the Android malware Perseus as a previous Android threat family whose codebase Perseus builds upon; this is the unrelated Android Phoenix noted above, not the MuddyWater backdoor.
A custom backdoor used to maintain long-term persistent access in compromised environments for espionage purposes.
Custom backdoor used in Seedworm spear-phishing campaigns (malicious Office attachments) to enable persistent access and intelligence collection against government and international organizations.