Breach of Trust: Iranian Hackers Strike Government Organizations with Phoenix Backdoor
A state-sponsored Iranian hacker group known as MuddyWater has conducted cyberattacks on more than 100 government entities using the Phoenix backdoor version 4.
Referred to by aliases such as Static Kitten, Mercury, and Seedworm, this threat actor primarily focuses on government and private organizations within the Middle East region.
Beginning on August 19, the hackers ran a phishing campaign from a compromised account, accessed via NordVPN, against government and international organizations across the Middle East and North Africa, according to cybersecurity company Group-IB.
Group-IB's report states that the threat actor shut down the server and its server-side command-and-control (C2) component on August 24, which may mark a shift to a new phase of the attack in which different tools and malware are used to extract information from the compromised systems.
The majority of targets in MuddyWater’s campaign are embassies, diplomatic missions, foreign affairs ministries, and consulates.

Source: Group-IB
Return of Macro Attacks
Group-IB’s research indicates that MuddyWater employed emails containing malicious Word documents with macro code that executed the FakeUpdate malware loader.
The malicious Word documents attached to the emails prompt recipients to enable content in Microsoft Office, triggering a VBA macro that writes the ‘FakeUpdate’ malware loader to the disk.
It remains unclear why MuddyWater has returned to delivering malware through macro code hidden in Office documents, a technique that peaked years ago when macros ran automatically as soon as a document was opened.
After Microsoft disabled macros by default, threat actors moved to other delivery methods; a recent one is ClickFix, which MuddyWater has also used in earlier campaigns.
According to Group-IB researchers, the loader employed in MuddyWater’s recent attacks decrypts the Phoenix backdoor, which contains an embedded, AES-encrypted payload.
The malware is written to ‘C:\ProgramData\sysprocupdate.exe’ and establishes persistence by modifying a Windows Registry entry in the current user's hive so that the executable is launched as the shell when the user logs into the system.
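The following PowerShell hunt is an added defensive check; it is not code from Group-IB's report or from this article. It assumes that "run as the shell after logon" corresponds to the per-user Winlogon 'Shell' value (checked here under every loaded user hive in HKEY_USERS, which includes the current user's HKCU), and that a stock system either has no such per-user value or only 'explorer.exe'; the file path is the one reported above.

```powershell
# Added example (not from Group-IB): hunt for the described persistence on a Windows host.
# Assumption: the per-user Winlogon 'Shell' value is the entry the malware modifies.
$DropperPath = 'C:\ProgramData\sysprocupdate.exe'   # path named in the report
$Findings = @()

# Enumerate loaded user hives (HKU\<user SID>) so every logged-on user is covered,
# not only the account running this script. The regex skips the service SIDs and *_Classes hives.
$userHives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }

foreach ($hive in $userHives) {
    $key = "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }                     # no per-user Winlogon key: nothing to flag
    $shell = $props.Shell
    if ([string]::IsNullOrWhiteSpace($shell)) { continue } # value absent: default shell applies

    # Any per-user Shell value other than the stock explorer.exe deserves a look;
    # a path under ProgramData matches the behaviour described above.
    if ($shell.Trim() -ne 'explorer.exe') {
        $Findings += [pscustomobject]@{
            Check = 'Per-user Winlogon Shell override'
            User  = $hive.PSChildName
            Value = $shell
        }
    }
}

# Second indicator: the dropped executable itself. Record its hash for later correlation
# rather than trusting the filename alone.
if (Test-Path -LiteralPath $DropperPath) {
    $Findings += [pscustomobject]@{
        Check = 'Reported dropper path present'
        User  = '-'
        Value = (Get-FileHash -LiteralPath $DropperPath -Algorithm SHA256).Hash
    }
}

if ($Findings.Count -eq 0) {
    'No indicators of the described persistence found.'
} else {
    $Findings | Format-Table -AutoSize
}
```

Run it elevated so every loaded hive under HKEY_USERS is readable; a hit on the Shell value should be confirmed by checking the referenced binary, since legitimate kiosk configurations also set a custom shell.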

Source: Group-IB
Phoenix and Chrome Stealer
Version 4 of the Phoenix backdoor, used in this campaign, adds COM-based persistence mechanisms and other functional changes compared with the variant previously identified in MuddyWater attacks.

Source: Group-IB
The malware collects system information such as computer name, domain, Windows version, and username to profile the victim. It then connects to its command-and-control (C2) server via WinHTTP and begins beaconing and polling for commands.
Group-IB confirms that Phoenix v4 supports commands including sleep, upload file, download file, start shell, and update sleep interval time.
Another tool employed by MuddyWater in these attacks is a customized infostealer designed to extract databases from Chrome, Opera, Brave, and Edge browsers, retrieve credentials, and capture the master key for decryption.
Within MuddyWater’s C2 infrastructure, researchers discovered the PDQ utility for software deployment and management, along with the Action1 RMM (Remote Monitoring and Management) tool, both utilized in attacks linked to Iranian hackers.
Group-IB attributes these attacks to MuddyWater with high confidence, citing the use of malware families and macros seen in previous campaigns, string-decoding routines in the new malware that resemble those of known families, and the group's characteristic targeting patterns.