Iranian Hackers Target 100+ Gov’t Org’s with Phoenix Backdoor
MuddyWater Campaign Analysis – October 2025
Signed – lisapark
This report summarizes a recent espionage campaign conducted by the state-sponsored Iranian hacker group MuddyWater (also known as Static Kitten, Mercury, and Seedworm).
Key Findings:
* Targeted Entities: Over 100 government entities, primarily embassies, diplomatic missions, foreign affairs ministries, and consulates in the Middle East and North Africa.
* Malware: Version 4 of the Phoenix backdoor, delivered via malicious Word documents containing macro code.
* Initial access: Phishing campaign launched from a compromised NordVPN account starting August 19th.
* C2 Infrastructure: Server-side command-and-control (C2) component taken down on August 24th, indicating a shift in tactics.
* Persistence: Established through modification of the Windows Registry.
1. Threat Actor Information:
| Attribute | Details |
|---|---|
| Name | MuddyWater (Static Kitten, Mercury, Seedworm) |
| Sponsorship | Iranian State-Sponsored |
| Region of Focus | Middle East, North Africa |
| Typical Targets | government and private organizations |
2. Campaign Details:
* Timeline: Campaign initiated August 19th, C2 takedown August 24th.
* Delivery Method: Phishing emails with malicious Word documents.
* Malware Delivery: VBA macros within the Word documents decode and write the ‘fakeupdate’ malware loader to disk.
* Malware Payload: Phoenix backdoor (AES-encrypted).
* Persistence Mechanism: Modification of the Windows Registry to configure shell execution on login.
* File Path: `C:\ProgramData\sysprocupdate.exe`
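As an added detection example (not code from the Group-IB report or this post), the check below scans constructed Sysmon Event ID 13 (registry value set) records for the persistence pattern described above: a login-shell registry value that no longer points only at explorer.exe, or an autostart entry referencing the loader path named in this report. The exact registry value (Winlogon\Shell), the Run-key variants and the flattened Sysmon field layout are assumptions; the report only states that the Registry was modified to run the loader at login.

```python
import re

# Constructed sample Sysmon Event ID 13 records (not real telemetry), flattened
# to one "Field=value" line each. Winlogon\Shell as the modified value is an
# assumption; the report only says shell execution on login was reconfigured.
SAMPLE_EVENTS = [
    "EventID=13 Image=C:\\Windows\\explorer.exe TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell Details=explorer.exe",
    "EventID=13 Image=C:\\Windows\\System32\\reg.exe TargetObject=HKU\\S-1-5-21-1-2-3-1001\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell Details=explorer.exe, C:\\ProgramData\\sysprocupdate.exe",
    "EventID=13 Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE TargetObject=HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Update Details=C:\\ProgramData\\sysprocupdate.exe",
    "EventID=13 Image=C:\\Windows\\System32\\svchost.exe TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth Details=C:\\Windows\\System32\\SecurityHealthSystray.exe",
]

# Values may contain spaces, so split on the next known field name rather than on whitespace.
FIELD_RE = re.compile(
    r"(EventID|Image|TargetObject|Details)=(.*?)(?=\s+(?:EventID|Image|TargetObject|Details)=|$)"
)

# Autostart locations worth watching (assumed list; extend to match local policy).
AUTOSTART_KEYS = (
    r"\\Winlogon\\Shell$",
    r"\\Winlogon\\Userinit$",
    r"\\CurrentVersion\\Run\\",
    r"\\CurrentVersion\\RunOnce\\",
)


def parse_event(line):
    """Turn one flattened record into a dict of field -> value."""
    return {k: v.strip() for k, v in FIELD_RE.findall(line)}


def classify(event):
    """Return a reason string if the record looks like the reported persistence, else None."""
    target = event.get("TargetObject", "")
    details = event.get("Details", "")
    if event.get("EventID") != "13":
        return None
    if not any(re.search(p, target, re.I) for p in AUTOSTART_KEYS):
        return None
    # Rule 1: the login shell should be exactly explorer.exe; anything appended is suspect.
    if re.search(r"\\Winlogon\\Shell$", target, re.I) and details.lower() != "explorer.exe":
        return "Winlogon Shell no longer just explorer.exe"
    # Rule 2: any autostart entry pointing into ProgramData or at the reported loader name.
    if re.search(r"\\ProgramData\\|sysprocupdate\.exe", details, re.I):
        return "autostart entry points to ProgramData / reported loader name"
    return None


def find_suspicious_registry_persistence(lines):
    """Return (TargetObject, Image, reason) for every record that trips a rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reason = classify(ev)
        if reason:
            hits.append((ev.get("TargetObject", ""), ev.get("Image", ""), reason))
    return hits


if __name__ == "__main__":
    for target, image, reason in find_suspicious_registry_persistence(SAMPLE_EVENTS):
        print(f"{reason}: {target} (set by {image})")
```

On the constructed input the benign explorer.exe and SecurityHealth records pass, while the modified Shell value and the Run entry naming the loader are both flagged.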
3. Attack Chain:
The observed attack chain is as follows:

Source: Group-IB
4. Targeted Regions:
The following image illustrates the geographic distribution of targets:

Source: Group-IB
5. Technical Details:
* Macro Usage: MuddyWater has reverted to using macro-based attacks, despite Microsoft disabling automatic macro execution years ago. This suggests a reliance on social engineering to trick users into enabling content.
* ClickFix: The group previously employed the ClickFix social engineering tactic.
* Phoenix Backdoor: The Phoenix backdoor is a key component of the campaign, decrypting an embedded, AES-encrypted payload.
6. References:
HARD STOP – END OF REPORT
