MuddyWater Used FakeUpdate and Phoenix Backdoor in Global Phishing Espionage
Group-IB reported that the Iran-linked MuddyWater threat actor ran a phishing campaign against international organizations and government targets by abusing a compromised mailbox accessed through NordVPN. The emails carried malicious Microsoft Word documents that prompted victims to enable macros; embedded VBA then dropped the FakeUpdate injector, which decrypted and launched Phoenix backdoor v4. The malware provided persistence, command execution, and communication with the command-and-control domain screenai[.]online, enabling continued access after initial compromise.
Researchers attributed the activity to MuddyWater with high confidence based on malware overlaps, matching macro logic, shared infrastructure, and targeting patterns aligned with the group’s prior operations. The infrastructure also hosted a custom Chromium credential stealer and remote management tools including PDQ and Action1, indicating likely credential theft and follow-on access. Additional related samples pointed to concurrent or linked MuddyWater activity, including operations targeting the energy sector in the Middle East and North Africa, while prior reporting has described MuddyWater as an Iranian-linked umbrella of regionally focused subgroups.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Group-IB attributes new malware toolkit and related activity to MuddyWater
Group-IB attributed the campaign to the Iran-linked APT MuddyWater with high confidence based on malware overlaps, matching macro logic, shared infrastructure, and targeting patterns. The report also identified a custom Chromium credential stealer, PDQ, and Action1 on attacker infrastructure, and noted overlapping activity including an energy-sector targeting cluster in the Middle East and North Africa.
FakeUpdate injector deploys Phoenix backdoor v4 in MuddyWater intrusions
According to Group-IB, when victims enabled macros, embedded VBA code dropped the FakeUpdate injector, which decrypted and launched Phoenix backdoor version 4. The malware provided persistence, command execution, and communication with the command-and-control domain screenai[.]online.
MuddyWater runs phishing campaign using compromised mailbox and NordVPN
Group-IB reported that MuddyWater used a compromised mailbox accessed via NordVPN to send phishing emails with malicious Microsoft Word attachments to international organizations and government targets worldwide. The lures delivered macro-enabled documents that initiated the infection chain.
Cisco Talos profiles MuddyWater as an Iranian-linked conglomerate
Cisco Talos published research describing MuddyWater as an Iranian-linked threat conglomerate made up of regionally focused subgroups. This established background attribution context for later MuddyWater-linked operations.
Sources
2 references tracked. Mallory keeps watching after this page renders.
Unmasking MuddyWater’s New Malware Toolkit Driving International Espionage | Group-IB Blog
group-ib.com
Open sourceIranian linked conglomerate MuddyWater comprised of regionally focused subgroups
blog.talosintelligence.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
MuddyWater Deploys Phoenix v4 Backdoor via Phishing and VPN Infrastructure
The Iranian state-sponsored threat group MuddyWater has conducted a widespread cyber espionage campaign targeting over 100 government and international organizations, primarily in the Middle East and North Africa. The attackers leveraged compromised email accounts accessed through NordVPN exit nodes to distribute phishing emails containing malicious Word documents. These documents, when opened and macros enabled, deployed the FakeUpdate malware loader, which subsequently decrypted and installed the Phoenix v4 backdoor on victim systems. The campaign focused on diplomatic entities such as embassies, consulates, and ministries of foreign affairs, with the attackers adapting their techniques to bypass modern security controls, including the use of macro-based payloads despite Microsoft's default macro restrictions. Researchers observed that after an initial phase using a command-and-control server, MuddyWater shifted tactics, likely employing additional tools and malware to further their espionage objectives. The Phoenix v4 backdoor, central to this operation, enabled persistent access and data exfiltration from compromised networks. The campaign highlights MuddyWater's continued evolution in attack methods and its focus on high-value government targets through sophisticated phishing and malware deployment strategies.
Mar 21, 2026
MuddyWater Phishing Campaign Targets Middle East and North Africa Government Networks
Iranian state-sponsored threat actor MuddyWater has conducted a large-scale cyberespionage campaign breaching over 100 government entities and international organizations across the Middle East and North Africa. The attackers leveraged a compromised enterprise mailbox, accessed via NordVPN, to send convincing phishing emails from legitimate addresses to embassies, ministries, and telecom providers. These emails contained weaponized Microsoft Word attachments that, when opened and macros enabled, deployed the updated "Phoenix" backdoor, granting persistent remote access, credential theft, and file exfiltration capabilities. The campaign also utilized off-the-shelf remote management tools such as PDQ and Action1 to blend in with legitimate administrative traffic and pilfered browser passwords from Chrome, Edge, Opera, and Brave. Researchers at Group-IB highlighted that MuddyWater, also known as Seedworm, APT34, OilRig, and TA450, has demonstrated evolving tradecraft and operational maturity in this operation, mixing official government and personal email addresses to increase the likelihood of successful compromise. The campaign's scale and targeting suggest either a significant increase in capability or a broader intelligence collection mandate from Iranian authorities. MuddyWater, linked to Iran's Ministry of Intelligence and Security, has a history of targeting government, energy, telecom, and defense sectors, focusing on long-term espionage rather than destructive attacks. Analysts warn that further activity is likely amid ongoing regional tensions.
Mar 21, 2026
MuddyWater Used DLL Side-Loading and PowerShell Tooling in Multi-Country Espionage Campaign
Iran-linked **MuddyWater** (also tracked as **Seedworm**) was tied to an espionage campaign that compromised at least nine organizations across nine countries and four continents, hitting sectors including manufacturing, education, government, financial services, professional services, telecommunications, and an international airport. Researchers said the group used **DLL side-loading** with legitimate signed binaries such as `fmapp.exe` from Fortemedia and `sentinelmemoryscanner.exe` from SentinelOne to launch malicious DLLs, including the open-source **ChromElevator** tool for browser-data theft. One confirmed victim was a major South Korean electronics manufacturer, where the attackers reportedly maintained access for about a week, while earlier activity also targeted telecom providers in Egypt, Sudan, and Tanzania. The operators combined stealthy execution with a broad post-compromise toolkit, using **Node.js** to launch PowerShell payloads for reconnaissance, screenshot capture, privilege escalation, credential theft, and SOCKS5 reverse-proxy tunneling. Symantec also linked MuddyWater to the **MuddyC2Go** PowerShell framework, use of legitimate remote-management software **SimpleHelp**, and the publicly available **Venom Proxy** to maintain access and move through victim networks. Persistence was established through registry modifications, credentials were harvested through fake login prompts and registry hive dumping, and stolen data was exfiltrated via the public file-transfer service `sendit[.]sh`, indicating a sustained intelligence-collection effort aligned with Iranian state interests.
May 27, 2026