Threat Advisories:
CVE-2025-11001 Turns a Simple Unzip into a System-Level Ambush CVE-2025-55241: Critical Cross-Tenant Privilege Escalation in Microsoft Entra ID TamperedChef: A High-Severity Multi-Stage Infostealer Operation Eternidade Stealer: Brazil’s New WhatsApp-Driven Cybercrime Engine Gh0st RAT Multi-Campaign Delivery Surge Targets Chinese Speakers FortiWeb Flaw Exploited in the Wild: Patch Immediately Google Patches High-Risk V8 Zero-Day Hitting Chrome Users FortiWeb Hijack: The Hidden Vulnerability Fueling Admin Account Creation Lazarus Group’s New Comebacker Variant Targets Aerospace & Defense Threat Actors Turn RMM Tools into Backdoor Gateways CVE-2025-12480: Triofox Exploit Turns Trusted Access Into a Security Nightmare Microsoft’s November 2025 Patch Tuesday Roundup Telegram-Powered Credential Theft Campaign Sweeps Europe Critical Zero-Day Exposes Synology Devices to Remote Attacks APT41 Cyber-Espionage Campaign Targets U.S. Policy Institutions I Paid Twice: Inside the Booking.com Phishing Fraud Return of Gootloader: Blending Technical Evasion with Operational Discipline Unmasking Airstalk’s Covert Supply Chain Intrusion WordPress Plugin Bug CVE-2025-11833 Hands Hackers the Admin Throne Silent Lynx APT: Espionage Operations Targeting Central Asia’s Critical Infrastructure
Hive Pro recognized in Gartner® Magic Quadrant™ for Exposure Assessment Platform, 2025 Watch platform in action
Platform
Comprehensive Threat Exposure Management Platform
Uni5 Xposure PlatformUni5 Xposure leverages exposure assessment and adversarial exposure validation to deliver a unified view of your cyber risks and all actionable pathways to resolve them. Powered by:
IntegrationsOut of box integrations available with a comprehensive set of Security and IT operations tools in your organisation.
HiveForce LabsThe in-house intelligence that enables customers to identify and address immediate cyber risks and potential threats with precision, clear insights, and swift action.
Hive Pro’s ComparisonSave Cost , Reduce Complexity and Increase Security by Augmenting and Replacing your existing Vulnerability Management platform
Hive Pro vs Rapid7
Hive Pro vs Tenable
Hive Pro vs Qualys
Hive Pro vs Nucleus Security
Solutions
By Use Case
Total Attack Surface Management
Multi-Environment Security Scanners
Complete Exposure Assessment
Comprehensive Security Intelligence
Vulnerability & Threat Prioritization
Adversarial Exposure Validation
By Role
CISO
Vulnerability Management
Security Operations
DevOps
Industry
Telecommunications
Healthcare
Financial Services
Government & Public Sector
Retail & E-Commerce
Educational Institutions
Resources
Advisories & Digests
Threat Advisories
Threat Digests
Content Library
learn
Blog
Whitepapers
Press Releases
connect
Webinars & Videos
Blog
Company
About Us
Careers
Our Leadership
Contact Us
Book a DemoThreat Digest - Subscribe
Platform
Platform
Comprehensive Threat Exposure Management Platform
Uni5 Xposure PlatformUni5 Xposure leverages exposure assessment and adversarial exposure validation to deliver a unified view of your cyber risks and all actionable pathways to resolve them. Powered by:
IntegrationsOut of box integrations available with a comprehensive set of Security and IT operations tools in your organisation.
HiveForce LabsThe in-house intelligence that enables customers to identify and address immediate cyber risks and potential threats with precision, clear insights, and swift action.
Hive Pro’s Comparison
Hive Pro vs Rapid7
Hive Pro vs Tenable
Hive Pro vs Qualys
Hive Pro vs Nucleus Security
Solutions
Solutions
By Use Case
Total Attack Surface Management
Multi-Environment Security Scanners
Complete Exposure Assessment
Comprehensive Security Intelligence
Vulnerability & Threat Prioritization
Adversarial Exposure Validation
By Role
CISO
Vulnerability Management
Security Operations
DevOps
Industry
Industry
Telecommunications
Healthcare
Financial Services
Government & Public Sector
Retail & E-Commerce
Educational Institutions
Resources
Resources
Advisories & Digests
Threat Advisories
Threat Digests
Content Library
learn
Blog
Whitepapers
Press Releases
connect
Webinars & Videos
Blog
Company
Company
About Us
Careers
Our Leadership
Contact Us
Book a DemoThreat Digest - Subscribe

MuddyWater Deploys Phoenix Backdoor in Targeted Espionage Campaign

Red | Attack Report
Download PDF

MuddyWater Expands Espionage Campaign Across MENA with Phoenix Backdoor v4

Summary

The Iran-linked Advanced Persistent Threat (APT) group MuddyWater—also known as Seedworm, TEMP.Zagros, Mercury, TA450, and Mango Sandstorm—has launched a new cyber-espionage campaign targeting more than 100 government and critical infrastructure organizations across the Middle East and North Africa (MENA).

The operation leverages compromised email accounts and malicious Microsoft Word attachments to deploy custom malware, including the Phoenix Backdoor v4, FakeUpdate Loader, and Chromium_Stealer. This campaign primarily focuses on intelligence collection rather than disruption, aligning with Iran’s Ministry of Intelligence and Security (MOIS) espionage objectives.

By integrating legitimate Remote Monitoring and Management (RMM) tools such as PDQ RMM and Action1, MuddyWater blurs the line between legitimate and malicious activity, enhancing stealth, persistence, and operational control within compromised networks.

Attack Details

The campaign begins with highly convincing spear-phishing emails sent from compromised mailboxes accessed through NordVPN to mask the attacker’s origin. These emails typically contain Microsoft Word attachments that prompt recipients to enable macros, triggering the initial infection phase.

Infection Chain Overview

  1. Initial Compromise: The victim receives a phishing email containing a malicious Word document embedded with Visual Basic for Applications (VBA) macros.
  2. Execution of FakeUpdate Loader: Once macros are enabled, the FakeUpdate loader decrypts and injects the second-stage payload into memory.
  3. Deployment of Phoenix Backdoor v4: The loader installs Phoenix Backdoor, establishing persistence, connecting to command-and-control (C2) servers, and enabling continuous data exfiltration and remote execution.
  4. Credential Theft via Chromium_Stealer: A custom Chromium_Stealer tool, disguised as a benign utility, extracts credentials from browsers such as Chrome, Edge, Opera, and Brave.
  5. Use of Legitimate Tools: To evade detection, MuddyWater employs legitimate RMM tools like PDQ RMM and Action1, providing persistent access and complicating forensic analysis.

Objectives and Impact

  • Intelligence Collection: Exfiltration of sensitive government and diplomatic communications.
  • Credential Harvesting: Extraction of stored browser credentials and system tokens.
  • Persistence: Continuous remote access through dual-use software.
  • Stealth and Obfuscation: Leveraging encrypted payloads and VPN-based distribution.

This campaign showcases MuddyWater’s evolving tradecraft, including multi-stage payload delivery, macro-based infection, and blending legitimate tools with malware, maintaining long-term espionage operations within high-value geopolitical targets.

Recommendations

  1. Disable Macros by Default: Configure Microsoft Office applications to block all macros from the internet and only allow those from trusted, signed sources.
  2. Deploy Endpoint Detection and Response (EDR): Use EDR solutions to detect abnormal script activity, registry changes, and known malware behaviors associated with Phoenix Backdoor and Chromium_Stealer.
  3. Conduct Phishing Awareness Training: Educate employees to identify spear-phishing indicators, verify sender authenticity, and avoid enabling macros in unsolicited attachments.
  4. Enforce Multi-Factor Authentication (MFA): Require MFA for all critical access points—including VPNs, RMM utilities, and cloud services—to limit unauthorized lateral movement.
  5. Restrict Browser Credential Storage: Implement policies to prevent users from saving corporate credentials in web browsers, neutralizing the Chromium_Stealer attack vector.

Indicators of Compromise (IoCs)

SHA256 Hashes:

  • 668dd5b6fb06fe30a98dd59dd802258b45394ccd7cd610f0aaab43d801bf1a1e
  • 5ec5a2adaa82a983fcc42ed9f720f4e894652bd7bd1f366826a16ac98bb91839
  • 1883db6de22d98ed00f8719b11de5bf1d02fc206b89fedd6dd0df0e8d40c4c56
  • 3ac8283916547c50501eed8e7c3a77f0ae8b009c7b72275be8726a5b6ae255e3
  • 76fa8dca768b64aefedd85f7d0a33c2693b94bdb55f40ced7830561e48e39c75
  • 3d6f69cc0330b302ddf4701bbc956b8fca683d1c1b3146768dcbce4a1a3932ca

IPv4 Address:

  • 159[.]198[.]36[.]115

Domain:

  • screenai[.]online

MITRE ATT&CK TTPs

TacticTechniqueTechnique ID
Initial AccessSpearphishing AttachmentT1566.001
ExecutionCommand and Scripting Interpreter – PowerShell, Visual BasicT1059.001, T1059.005
PersistenceWinlogon Helper DLL, Registry Run Keys / Startup FolderT1547.004, T1547.001
Privilege EscalationProcess Injection, Component Object Model HijackingT1055, T1546.015
Defense EvasionObfuscated Files / Information, Hide ArtifactsT1027, T1564
Credential AccessCredentials from Password Stores / Web BrowsersT1555, T1555.003
DiscoverySystem Information DiscoveryT1082
CollectionInput Capture (Keylogging), Screen CaptureT1056, T1113
ExfiltrationExfiltration Over C2 ChannelT1041
Command and ControlApplication Layer Protocol – Web ProtocolsT1071.001
ImpactData ManipulationT1565
Resource DevelopmentCompromise AccountsT1586

References

What’s new on HivePro

Get through updates and upcoming events, and more directly in your inbox