MuddyWater Targets MENA Government Organizations with Phoenix v4 Backdoor in Large-Scale Cyber-Espionage Campaign
Rescana

Executive Summary
A sophisticated Iranian state-sponsored threat actor, widely tracked as MuddyWater (also known as Static Kitten, Mercury, and Seedworm), has orchestrated a large-scale cyber-espionage campaign targeting over 100 government organizations across the Middle East, North Africa, and select international regions. The campaign, active since at least August 2025, leverages highly targeted phishing emails to deliver the latest iteration of the Phoenix backdoor (version 4), alongside custom infostealers and legitimate remote management tools. This operation demonstrates advanced persistence, credential theft, and data exfiltration capabilities, underscoring the evolving threat landscape facing government and diplomatic entities. The attackers’ use of social engineering, macro-enabled documents, and living-off-the-land techniques highlights the necessity for robust, multi-layered defense strategies and continuous monitoring.
Threat Actor Profile
The campaign is attributed with high confidence to the Iranian Advanced Persistent Threat (APT) group MuddyWater, which is also referenced in open-source intelligence as Static Kitten, Mercury, and Seedworm. This group has a well-documented history of targeting government, diplomatic, and critical infrastructure sectors, primarily in the Middle East and North Africa, but with a growing international footprint. MuddyWater is known for its adaptive tactics, including the use of custom malware, credential theft, and leveraging legitimate tools for lateral movement and persistence. The group’s operations are characterized by a focus on espionage, data exfiltration, and establishing long-term access within targeted networks. Their campaigns often employ spear-phishing as the initial access vector, followed by the deployment of modular malware frameworks and the abuse of trusted remote management utilities.
Technical Analysis of Malware/TTPs
The attack chain commences with spear-phishing emails sent from compromised accounts, often routed through anonymizing services such as NordVPN to obfuscate the true origin. These emails contain malicious Microsoft Word documents embedded with VBA macros. Victims are socially engineered to enable content, which triggers the execution of the macro. Upon activation, the macro writes a loader, identified as FakeUpdate, to disk. This loader decrypts and executes the Phoenix backdoor payload, which is AES-encrypted to evade detection.
Phoenix v4 introduces several technical enhancements over previous versions. Persistence is achieved through dual mechanisms: modification of Windows Registry run keys and a novel COM-based persistence technique, ensuring the malware survives system reboots and user logouts. The primary payload is typically written to C:\ProgramData\sysprocupdate.exe, a location chosen to blend in with legitimate system processes.
Once established, Phoenix profiles the infected system, collecting details such as computer name, domain, OS version, and username. It supports a comprehensive command set, including file upload and download, remote shell access, and configurable sleep intervals to evade behavioral detection. A custom infostealer module is deployed to extract credentials from Chromium-based browsers, including Chrome, Opera, Brave, and Edge. This module is capable of extracting browser master keys and decrypting stored credentials, which are then exfiltrated to the command-and-control (C2) infrastructure.
C2 communication is conducted over WinHTTP, utilizing encrypted channels to evade network-based detection. The attackers further leverage legitimate remote management tools, specifically the PDQ deployment utility and Action1 RMM, to facilitate lateral movement, maintain persistence, and exfiltrate data. These tools are often whitelisted in enterprise environments, which complicates detection efforts.
Exploitation in the Wild
The campaign has been observed targeting a diverse array of government and international organizations, with a particular focus on embassies, diplomatic missions, foreign affairs ministries, and consulates. The initial wave of attacks began on August 19, 2025, with the C2 infrastructure remaining active until at least August 24, 2025, after which it was rapidly dismantled—likely in response to public reporting and takedown efforts. The attackers demonstrated agility in their operations, shifting infrastructure and potentially adopting alternative tools as their activities were exposed.
Despite Microsoft’s default blocking of macros in downloaded documents, the attackers continue to rely on user interaction to bypass these controls, underscoring the persistent risk posed by social engineering. The use of macro-enabled documents as the initial infection vector remains effective, particularly in environments where user awareness and technical controls are insufficient.
Phoenix v4 represents a significant evolution in the group’s malware arsenal, introducing enhanced persistence mechanisms and improved credential theft capabilities. The campaign’s reliance on living-off-the-land techniques, such as the abuse of legitimate remote management tools, further complicates detection and response efforts.
Victimology and Targeting
The primary victims of this campaign are government organizations, including embassies, diplomatic missions, foreign affairs ministries, and consulates, predominantly located in the Middle East and North Africa. However, the targeting scope extends to international organizations and select entities in Asia, Africa, Europe, and North America. The attackers exhibit a clear preference for entities involved in diplomatic, governmental, and international affairs, likely motivated by intelligence collection and geopolitical objectives.
The campaign’s scale—impacting over 100 organizations—demonstrates both the operational capacity and strategic intent of MuddyWater. The use of compromised accounts for phishing, combined with the deployment of custom malware and legitimate tools, reflects a high degree of planning and technical sophistication. The attackers’ ability to rapidly adapt their infrastructure and techniques in response to detection further highlights the persistent and evolving nature of the threat.
Mitigation and Countermeasures
Organizations are strongly advised to implement a multi-layered defense strategy to mitigate the risks associated with this campaign. Key recommendations include disabling macro execution in Microsoft Office documents from untrusted sources, thereby neutralizing the primary infection vector. Security teams should monitor for the creation of suspicious executables in system directories such as C:\ProgramData\, with particular attention to files named sysprocupdate.exe.
Regular auditing of Windows Registry changes is essential to detect unauthorized persistence mechanisms, including both run key modifications and COM hijacking attempts. Network monitoring should focus on outbound WinHTTP traffic, with alerts configured for anomalous patterns indicative of C2 communication. The use of remote management tools such as PDQ and Action1 RMM should be tightly controlled and monitored, especially in environments where these tools are not part of standard operations.
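The host-side checks recommended above can be expressed as detection logic. The following is an added example, not Rescana's or Group-IB's code, that runs four of them over constructed Sysmon-style events: an executable created under C:\ProgramData\, a Run-key value pointing into that directory, a per-user COM server registration (a generic COM-hijack heuristic, since the advisory does not describe Phoenix v4's exact COM mechanism), and an outbound connection initiated by a binary in that directory. Field names follow Sysmon's schema; the SID, CLSID and IP address in the sample events are placeholders.

```python
import re

# Sysmon event IDs used below: 11 = FileCreate, 13 = RegistryEvent (Value Set),
# 3 = NetworkConnect. Field names follow Sysmon's schema; the events are constructed.
PROGRAMDATA_EXE_RE = re.compile(r"^C:\\ProgramData\\.+\.exe$", re.I)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
# Generic COM-hijack heuristic: a per-user CLSID server registration (Sysmon logs
# HKCU\Software\Classes as HKU\<SID>_Classes). This catches the technique class only;
# the advisory does not describe the exact COM mechanism Phoenix v4 uses.
COM_USER_RE = re.compile(
    r"^HKU\\[^\\]+?(?:_Classes|\\Software\\Classes)\\CLSID\\\{[0-9A-F-]{36}\}"
    r"\\(?:Inproc|Local)Server32", re.I)

def classify(event):
    """Return (rule, severity) for one event, or None if it matches nothing."""
    eid = event["EventID"]
    if eid == 11 and PROGRAMDATA_EXE_RE.match(event["TargetFilename"]):
        name = event["TargetFilename"].rsplit("\\", 1)[-1].lower()
        return ("exe_created_in_programdata", "high" if name == "sysprocupdate.exe" else "medium")
    if eid == 13:
        target, details = event["TargetObject"], event.get("Details", "")
        if RUN_KEY_RE.search(target) and "programdata" in details.lower():
            return ("run_key_points_to_programdata", "high")
        if COM_USER_RE.match(target):
            return ("user_hive_com_server_registered", "medium")
    if eid == 3 and event.get("Initiated") and PROGRAMDATA_EXE_RE.match(event["Image"]):
        return ("programdata_binary_outbound_connection", "high")
    return None

def scan(events):
    """Run every event through classify() and keep the hits with their source image."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict:
            hits.append({"rule": verdict[0], "severity": verdict[1], "image": ev["Image"]})
    return hits

SAMPLE_EVENTS = [  # constructed sample telemetry; SID, CLSID and IP are placeholders
    {"EventID": 11, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "TargetFilename": "C:\\ProgramData\\sysprocupdate.exe"},
    {"EventID": 13, "Image": "C:\\ProgramData\\sysprocupdate.exe", "Details": "C:\\ProgramData\\sysprocupdate.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SysProcUpdate"},
    {"EventID": 13, "Image": "C:\\ProgramData\\sysprocupdate.exe", "Details": "C:\\ProgramData\\sysprocupdate.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001_Classes\\CLSID\\{00000000-0000-0000-0000-000000000000}\\InprocServer32\\(Default)"},
    {"EventID": 3, "Image": "C:\\ProgramData\\sysprocupdate.exe", "Initiated": True,
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\svchost.exe",  # benign: not an .exe
     "TargetFilename": "C:\\ProgramData\\Microsoft\\Windows\\WER\\report.wer"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"[{hit['severity']:>6}] {hit['rule']:<40} {hit['image']}")
```

In production the same rules would be fed from the Sysmon event channel or a SIEM rather than the inline list, and the benign event shows why the file rule is restricted to executables.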
Endpoint detection and response (EDR) solutions should be configured to detect and block the execution of known malicious loaders, such as FakeUpdate, and to identify attempts to access or exfiltrate browser credential stores. User awareness training remains a critical component, emphasizing the risks associated with enabling macros and the importance of verifying the authenticity of email attachments.
Incident response plans should be updated to include procedures for identifying and remediating infections involving Phoenix backdoor and associated tools. Organizations are encouraged to leverage threat intelligence feeds to stay informed of emerging indicators of compromise (IOCs) and to collaborate with industry peers and government agencies for coordinated defense.
References
BleepingComputer (coverage of the Group-IB report): Iranian hackers targeted over 100 govt orgs with Phoenix backdoor https://www.bleepingcomputer.com/news/security/iranian-hackers-targeted-over-100-govt-orgs-with-phoenix-backdoor/
The Hacker News: Iran-Linked MuddyWater Targets 100+ Organisations in Global Espionage Campaign https://thehackernews.com/2025/10/iran-linked-muddywater-targets-100.html
DarkReading: MuddyWater Targets 100+ MEA Gov Entities With Backdoor https://www.darkreading.com/cyberattacks-data-breaches/muddywater-100-gov-entites-mea-phoenix-backdoor
MITRE ATT&CK: MuddyWater (G0069) https://attack.mitre.org/groups/G0069/
The Cyber Security Hub on X (Twitter) https://x.com/TheCyberSecHub/status/1981109371016007810
LinkedIn: Security Community Discussion https://www.linkedin.com/posts/dlross_iranian-hackers-targeted-over-100-govt-orgs-activity-7386920267253587968-C2Wh
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to continuously monitor, assess, and mitigate cyber risks across their extended supply chain. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify emerging threats, streamline risk assessments, and enhance organizational resilience. For more information about how Rescana can help safeguard your organization, or for any questions regarding this advisory, please contact us at ops@rescana.com.