A new cyber espionage campaign has been launched by an Iranian state-sponsored hacking group known as MuddyWater, targeting more than 100 government and diplomatic organisations. The campaign was uncovered by cybersecurity firm Group-IB, which linked the attacks to the group with high confidence.
The operation began on August 19, 2025, with spear-phishing emails sent from a compromised mailbox that the attackers accessed through the commercial VPN service NordVPN. The messages targeted government ministries, embassies, and consulates across the Middle East and North Africa.
By August 24 the command-and-control (C2) infrastructure used in that wave had been taken offline, which suggests the operators moved on to the next phase of the intrusion rather than abandoning it. The campaign's objective appeared to be long-term espionage and data theft from high-value government systems.
The phishing emails carried malicious Microsoft Word documents with VBA macros. When a recipient clicked Enable Content, the macro installed a loader known as FakeUpdate, which in turn deployed version 4 of the Phoenix backdoor on the host.
This version of Phoenix also introduced a new COM-based persistence mechanism, so the backdoor survives reboots without relying on the more commonly monitored Run keys or scheduled tasks alone.
According to Group-IB, Phoenix can execute commands sent by the operators, upload and download files, open a shell for direct access, and change its sleep interval, which varies the beaconing cadence and makes its C2 traffic harder to spot by timing alone.
Alongside Phoenix, a custom infostealer collected browser data from Chrome, Opera, Brave, and Edge: stored credentials and the keys the browsers use to protect them were extracted and sent to the attackers' servers. Legitimate administration tools were also in use, PDQ for software deployment and Action1 for remote monitoring and management, both previously seen in Iranian cyber operations.
The hacking activity showed clear similarities to previous MuddyWater campaigns. The use of identical code structures, malware families, and operational methods supported the attribution made by researchers.
Experts have warned that the campaign shows how nation-state actors continue to rely on phishing and legitimate remote-administration tools to compromise sensitive networks. Organisations have been advised to disable macros by default through policy rather than leaving the decision to the user, to monitor Windows Registry changes (particularly the keys that COM-based persistence relies on), and to review any remote management tooling present on their hosts against what IT actually deployed.
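The following triage script is an added example and is not code from the article or from Group-IB. It checks a Windows host against the three recommendations above: the Office macro policy values, per-user COM registrations of the kind that COM-based persistence relies on (the article does not say which COM mechanism Phoenix uses, so the check covers the registry side of COM persistence in general), and installed agents, services and processes matching the two remote management tools named in the report. The Office registry version (16.0), the name fragments used to match PDQ and Action1, and the list of user-writable directories are assumptions chosen for illustration.

```powershell
# Added example, not code from the article or from Group-IB: host triage for the
# three recommendations above. Run in an elevated PowerShell session on the host.
# Assumptions (labelled inline): Office registry version 16.0, the name fragments
# used to match PDQ and Action1, and the list of user-writable directories.

$findings = New-Object System.Collections.Generic.List[string]

# --- 1. Macro policy -------------------------------------------------------
# VBAWarnings: 1 = enable all, 2 = disable with notification (Office default),
# 3 = disable except digitally signed, 4 = disable all without notification.
# BlockContentExecutionFromInternet = 1 blocks macros in files carrying Mark-of-the-Web.
$officeVersion = '16.0'   # assumption: Office 2016 and later register under 16.0
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $candidates = @(
        "HKLM:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security",  # machine policy
        "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security",  # user policy
        "HKCU:\Software\Microsoft\Office\$officeVersion\$app\Security"            # user preference
    )
    $settings = $null
    foreach ($key in $candidates) {                 # first hit wins: policy outranks preference
        if (Test-Path $key) { $settings = Get-ItemProperty -Path $key; break }
    }
    $warn  = if ($settings -and $settings.VBAWarnings) { $settings.VBAWarnings } else { 2 }   # absent = Office default
    $block = if ($settings -and $settings.BlockContentExecutionFromInternet) { $settings.BlockContentExecutionFromInternet } else { 0 }
    if ($warn -ne 4 -and $warn -ne 3) {
        $findings.Add("[macro] $app VBAWarnings=$warn : user can still enable macros; set 4 (or 3 for signed-only) via policy")
    }
    if ($block -ne 1) {
        $findings.Add("[macro] $app BlockContentExecutionFromInternet=$block : internet-sourced macros not blocked")
    }
}

# --- 2. Per-user COM registrations ----------------------------------------
# COM class lookups consult HKCU\Software\Classes before HKLM\Software\Classes, so a
# per-user CLSID whose server lives in a user-writable path, or which shadows a CLSID
# already registered machine-wide, is a classic persistence / hijack pattern.
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, "$env:SystemDrive\Users\Public") |
    ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }   # assumption: representative list only
$hkcuClsid = 'HKCU:\Software\Classes\CLSID'
if (Test-Path $hkcuClsid) {
    foreach ($clsid in Get-ChildItem -Path $hkcuClsid -ErrorAction SilentlyContinue) {
        foreach ($serverType in 'InprocServer32', 'LocalServer32') {
            $sub = $clsid.OpenSubKey($serverType)
            if (-not $sub) { continue }
            $raw = [string]$sub.GetValue('')           # default value = DLL or EXE path
            $sub.Close()
            if (-not $raw) { continue }
            $path = [Environment]::ExpandEnvironmentVariables($raw).Trim('"').ToLowerInvariant()
            $reasons = @()
            if ($userWritable | Where-Object { $path.StartsWith($_) }) { $reasons += 'server in user-writable path' }
            if (Test-Path "HKLM:\Software\Classes\CLSID\$($clsid.PSChildName)") { $reasons += 'shadows machine-wide CLSID' }
            if ($reasons) {
                $findings.Add("[com] $($clsid.PSChildName)\$serverType = $raw ($($reasons -join '; '))")
            }
        }
    }
}

# --- 3. Remote management tooling -----------------------------------------
# Legitimate RMM and deployment agents are easy to overlook; list anything matching the
# tools named in the report so it can be reconciled against what IT actually deployed.
$rmmRegex = 'Action1|PDQ'   # assumption: display-name fragments for the two tools above
$uninstallRoots = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
                  'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $rmmRegex } |
    ForEach-Object { $findings.Add("[rmm] installed: $($_.DisplayName) $($_.DisplayVersion) publisher=$($_.Publisher)") }
Get-Service -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $rmmRegex -or $_.DisplayName -match $rmmRegex } |
    ForEach-Object { $findings.Add("[rmm] service: $($_.Name) ($($_.Status))") }
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.ProcessName -match $rmmRegex } |
    ForEach-Object { $findings.Add("[rmm] process: $($_.ProcessName) pid=$($_.Id)") }

# --- Report ----------------------------------------------------------------
if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

The script reports rather than remediates: a per-user CLSID entry is not malicious by itself (several mainstream applications register COM servers under HKCU), and an RMM agent may be one IT deployed, so each line is meant to be reconciled against a known-good baseline. Setting VBAWarnings to 4 and BlockContentExecutionFromInternet to 1 under the HKLM or HKCU Policies key, normally via Group Policy, is what "disable macros by default" means in registry terms; the HKCU preference value alone can be changed back by the user.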