MuddyWater Deploys Phoenix Backdoor in Targeted Espionage Campaign

Red | Attack Report

MuddyWater Expands Espionage Campaign Across MENA with Phoenix Backdoor v4

Summary

The Iran-linked Advanced Persistent Threat (APT) group MuddyWater—also known as Seedworm, TEMP.Zagros, Mercury, TA450, and Mango Sandstorm—has launched a new cyber-espionage campaign targeting more than 100 government and critical infrastructure organizations across the Middle East and North Africa (MENA).

The operation leverages compromised email accounts and malicious Microsoft Word attachments to deploy custom malware, including the Phoenix Backdoor v4, FakeUpdate Loader, and Chromium_Stealer. This campaign primarily focuses on intelligence collection rather than disruption, aligning with Iran’s Ministry of Intelligence and Security (MOIS) espionage objectives.

By integrating legitimate Remote Monitoring and Management (RMM) tools such as PDQ RMM and Action1, MuddyWater blurs the line between legitimate and malicious activity, enhancing stealth, persistence, and operational control within compromised networks.


Attack Details

The campaign begins with highly convincing spear-phishing emails sent from compromised mailboxes accessed through NordVPN to mask the attacker’s origin. These emails typically contain Microsoft Word attachments that prompt recipients to enable macros, triggering the initial infection phase.

Infection Chain Overview

  1. Initial Compromise: The victim receives a phishing email containing a malicious Word document embedded with Visual Basic for Applications (VBA) macros.
  2. Execution of FakeUpdate Loader: Once macros are enabled, the FakeUpdate loader decrypts and injects the second-stage payload into memory.
  3. Deployment of Phoenix Backdoor v4: The loader installs Phoenix Backdoor, establishing persistence, connecting to command-and-control (C2) servers, and enabling continuous data exfiltration and remote execution.
  4. Credential Theft via Chromium_Stealer: A custom Chromium_Stealer tool, disguised as a benign utility, extracts credentials from browsers such as Chrome, Edge, Opera, and Brave.
  5. Use of Legitimate Tools: To evade detection, MuddyWater employs legitimate RMM tools like PDQ RMM and Action1, providing persistent access and complicating forensic analysis.

Objectives and Impact

  • Intelligence Collection: Exfiltration of sensitive government and diplomatic communications.
  • Credential Harvesting: Extraction of stored browser credentials and system tokens.
  • Persistence: Continuous remote access through dual-use software.
  • Stealth and Obfuscation: Leveraging encrypted payloads and VPN-based distribution.

This campaign showcases MuddyWater’s evolving tradecraft: multi-stage payload delivery, macro-based infection, and the blending of legitimate tools with malware, all used to maintain long-term espionage operations against high-value geopolitical targets.


Recommendations

  1. Disable Macros by Default: Configure Microsoft Office applications to block all macros from the internet and only allow those from trusted, signed sources.
  2. Deploy Endpoint Detection and Response (EDR): Use EDR solutions to detect abnormal script activity, registry changes, and known malware behaviors associated with Phoenix Backdoor and Chromium_Stealer.
  3. Conduct Phishing Awareness Training: Educate employees to identify spear-phishing indicators, verify sender authenticity, and avoid enabling macros in unsolicited attachments.
  4. Enforce Multi-Factor Authentication (MFA): Require MFA for all critical access points—including VPNs, RMM utilities, and cloud services—to limit unauthorized lateral movement.
  5. Restrict Browser Credential Storage: Implement policies to prevent users from saving corporate credentials in web browsers, neutralizing the Chromium_Stealer attack vector.
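As an added example (not part of the HivePro advisory, and not code from MuddyWater or any vendor named here), the Python routine below turns the three pivot points of the infection chain above and the EDR recommendation into rules evaluated over constructed EDR-style process and file events: an Office application spawning a script host, an RMM agent running on a host where it is not sanctioned, and a non-browser process reading a Chromium password store. The RMM install paths, the host allowlist and the sample events are assumptions.

```python
import re

# Constructed, simplified process/file events in the style of an EDR or Sysmon feed.
SAMPLE_EVENTS = [
    {"host": "ws-01", "kind": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"host": "ws-01", "kind": "process", "image": r"C:\Program Files\Action1\agent.exe",  # hypothetical agent path
     "parent": r"C:\Windows\System32\services.exe"},
    {"host": "ws-01", "kind": "file", "image": r"C:\Users\u\AppData\Local\Temp\update.exe",
     "target": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"host": "it-01", "kind": "process", "image": r"C:\Program Files\PDQ\rmm-agent.exe",  # hypothetical agent path
     "parent": r"C:\Windows\System32\services.exe"},
    {"host": "ws-02", "kind": "file", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "opera.exe", "brave.exe"}
RMM_PATTERN = re.compile(r"\\(pdq|action1)\\", re.I)       # assumption: vendor name appears in the install path
LOGIN_DATA = re.compile(r"\\Login Data(-journal)?$", re.I)  # Chromium-based browsers keep saved logins here
SANCTIONED_RMM_HOSTS = {"it-01"}                           # constructed allowlist of hosts where RMM is expected


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev):
    """Return a list of (technique_id, message) findings for one event; [] means nothing suspicious."""
    findings = []
    image, parent = basename(ev["image"]), basename(ev.get("parent", ""))
    if ev["kind"] == "process":
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:      # macro handing off to a script interpreter
            findings.append(("T1059.005", f"{ev['host']}: {parent} spawned {image} (macro-launched loader?)"))
        if RMM_PATTERN.search(ev["image"]) and ev["host"] not in SANCTIONED_RMM_HOSTS:
            findings.append(("T1219", f"{ev['host']}: RMM agent {image} running on an unsanctioned host"))
    elif ev["kind"] == "file":
        if LOGIN_DATA.search(ev["target"]) and image not in BROWSERS:  # only browsers should touch this file
            findings.append(("T1555.003", f"{ev['host']}: {image} read browser credential store {ev['target']}"))
    return findings


def scan(events):
    return [finding for ev in events for finding in evaluate(ev)]


if __name__ == "__main__":
    for technique, message in scan(SAMPLE_EVENTS):
        print(technique, message)
```

Sanctioned RMM use (the it-01 event) and a browser reading its own store (the ws-02 event) produce no findings, so the rules separate dual-use activity from the abuse the advisory describes.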

Indicators of Compromise (IoCs)

SHA256 Hashes:


IPv4 Address:

  • 159[.]198[.]36[.]115

Domain:

  • screenai[.]online


MITRE ATT&CK TTPs

Tactic               | Technique                                                       | Technique ID
Initial Access       | Spearphishing Attachment                                        | T1566.001
Execution            | Command and Scripting Interpreter – PowerShell, Visual Basic    | T1059.001, T1059.005
Persistence          | Winlogon Helper DLL, Registry Run Keys / Startup Folder         | T1547.004, T1547.001
Privilege Escalation | Process Injection, Component Object Model Hijacking             | T1055, T1546.015
Defense Evasion      | Obfuscated Files / Information, Hide Artifacts                  | T1027, T1564
Credential Access    | Credentials from Password Stores / Web Browsers                 | T1555, T1555.003
Discovery            | System Information Discovery                                    | T1082
Collection           | Input Capture (Keylogging), Screen Capture                      | T1056, T1113
Exfiltration         | Exfiltration Over C2 Channel                                    | T1041
Command and Control  | Application Layer Protocol – Web Protocols                      | T1071.001
Impact               | Data Manipulation                                               | T1565
Resource Development | Compromise Accounts                                             | T1586
