LmCast :: Stay tuned in

MuddyWater Targets 100+ Gov Entities in MEA with Phoenix Backdoor

Recorded: Oct. 22, 2025, 3:01 p.m.


The Iranian threat group is using a compromised mailbox accessed through NordVPN to send phishing emails that prompt recipients to enable macros.

Elizabeth Montalbano, Contributing Writer
October 22, 2025
4 Min Read

Source: Xcages via Shutterstock

The Iran-backed threat group known as MuddyWater is targeting more than 100 government-related organizations and other entities across the Middle East and North Africa in a cyberespionage campaign that delivers a custom backdoor through phishing emails.

Cybersecurity vendor Group-IB discovered the campaign, which began on Aug. 19 and uses a compromised mailbox that attackers accessed through the legitimate VPN service NordVPN, giving its malicious emails an appearance of authenticity, researchers revealed in a blog post published today.

"By exploiting the trust and authority associated with such communications, the campaign significantly increased its chances of deceiving recipients into opening the malicious attachments," Group-IB Malware Analyst Mahmoud Zohdy and Cyber Intelligence Analyst Mansour Alhmoud wrote in the post.

The ultimate payload of the campaign is version 4 of the Phoenix backdoor, which is exclusively used by MuddyWater and was dropped via another custom malware, a FakeUpdate injector, the analysts said.
The goal of the campaign is to establish persistence and connect with MuddyWater's command-and-control (C2) infrastructure for intelligence gathering and remote monitoring, according to Group-IB.

Macros Required for Execution

MuddyWater — also known as APT34, Helix Kitten, Seedworm, TA450, and OilRig, among others — is an Iranian threat group active since at least 2017 that has been linked to Iran's Ministry of Intelligence and Security (MOIS). The group is aimed at cyberespionage and geopolitical disruption, and has made a significant resurgence in the last couple of years, armed with custom malware and stealth tactics that allowed it to lurk undetected on the systems of an unnamed Middle Eastern government in 2023.

In the newest campaign tracked by Group-IB, MuddyWater is targeting mainly government entities such as embassies, diplomatic missions, foreign affairs ministries, and consulates in both the Middle East and Africa. "Several targeted recipients are part of well-known global institutions that focus on international cooperation and humanitarian work," the researchers wrote. "This supports the group's larger geopolitical goals and the purposeful nature of its targeting."

Victims receive phishing emails that contain intentionally blurred Microsoft Word documents, which prompt them to enable macros in order to view the content. As soon as macros are activated, the documents execute malicious Visual Basic for Applications (VBA) code, functioning as a dropper that decodes and writes a loader to disk before executing it.

The loader used in the process is FakeUpdate, an injector-style tool that decrypts an embedded second-stage payload using the Advanced Encryption Standard (AES) and injects it into its own process.
This activity ultimately leads to the deployment of the Phoenix backdoor on victim machines.

Custom Malware Points to Perpetrator

Group-IB identified the perpetrator of the campaign as MuddyWater because both the FakeUpdate loader and the Phoenix backdoor are used exclusively by the threat group, the analysts noted in the post.

Once executed, version 4 of the Phoenix backdoor creates a mutex (sysprocupdate.exe) to ensure only one instance runs and then gathers host and system information. It then copies itself to C:\ProgramData\sysprocupdate.exe and establishes persistence by modifying the Windows Registry. The backdoor ultimately communicates with C2 over WinHTTP to receive and execute commands from MuddyWater.

Other malware used in the campaign includes Chromium_Stealer, a custom credential stealer disguised as a calculator app, and the remote monitoring and management tools PDQ RMM and Action1, which MuddyWater is using for remote control and persistence.

Strengthen Defenses Against State-Sponsored Actors

MuddyWater and similar state-aligned actors are consistently targeting government entities and critical infrastructure providers in their attempts to gather intelligence and create disruption, respectively. For this reason, Group-IB is urging organizations to strengthen defenses against these actors in a number of ways. These measures include subscribing to trusted threat intelligence feeds to receive up-to-date indicators of compromise (IoCs) and tactics, techniques, and procedures (TTPs) related to MuddyWater, as the group consistently changes its tactics and malware.
Defenders also should conduct continuous threat hunting for indicators associated with Phoenix, FakeUpdate, and other malicious infrastructure and tools related to the group.

Organizations also can enhance email and phishing defenses by deploying sandboxing and attachment scanning for Office documents, flagging those with embedded macros or suspicious VBA code, given their use in MuddyWater's latest campaign, the analysts said. As a general rule, they also should conduct regular phishing simulations and awareness training for personnel, emphasizing "enable content" macro lures like the ones employed in this campaign.

Another way organizations can shore up their defensive posture is to implement endpoint and access controls such as disabling Office macros by default through Group Policy and allowing execution only from signed or trusted sources. They also should deploy and tune EDR/XDR solutions to detect PowerShell misuse, process injection, and abnormal registry modifications, as well as enforce multi-factor authentication (MFA) across all accounts to prevent unauthorized mailbox access, according to Group-IB.
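The threat-hunting and EDR-tuning advice above maps directly onto the Phoenix chain the article describes: an Office process spawning a dropped loader, a self-copy to C:\ProgramData\sysprocupdate.exe, and a Run-key entry pointing at it. The following is an added example written for this page, not Group-IB's or Dark Reading's code; it assumes Sysmon-style event shapes (IDs 1, 11, 13) and runs over constructed sample events.

```python
"""Hunt endpoint telemetry for the Phoenix v4 persistence chain: Office macro
spawning a loader, backdoor copy into ProgramData, and Run-key persistence.
Event field names are assumed (Sysmon-like), not a vendor's real schema."""
import re

PHOENIX_PATH = r"c:\programdata\sysprocupdate.exe"      # path named in the article
OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe"}
RUN_KEY = re.compile(r"\\currentversion\\run\\", re.IGNORECASE)

# Constructed sample events (not real telemetry): 1 = process create,
# 11 = file create, 13 = registry value set. ws02 is a benign Word launch.
SAMPLE_EVENTS = [
    {"host": "ws01", "id": 1, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "parent": r"C:\Windows\explorer.exe"},
    {"host": "ws01", "id": 1, "image": r"C:\Users\u\AppData\Local\Temp\update.exe",
     "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"host": "ws01", "id": 11, "image": r"C:\Users\u\AppData\Local\Temp\update.exe",
     "target": r"C:\ProgramData\sysprocupdate.exe"},
    {"host": "ws01", "id": 13, "image": r"C:\ProgramData\sysprocupdate.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\sysprocupdate",
     "details": r"C:\ProgramData\sysprocupdate.exe"},
    {"host": "ws02", "id": 1, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "parent": r"C:\Windows\explorer.exe"},
]

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def hunt_phoenix(events):
    """Return {host: [finding, ...]} for hosts showing any stage of the chain."""
    findings = {}
    def add(host, msg):
        findings.setdefault(host, []).append(msg)
    for e in events:
        host = e["host"]
        if (e["id"] == 1 and basename(e.get("parent", "")) in OFFICE_PROCS
                and basename(e["image"]) not in OFFICE_PROCS):
            add(host, f"office_child:{basename(e['image'])}")  # macro dropper ran a loader
        elif e["id"] == 11 and e["target"].lower() == PHOENIX_PATH:
            add(host, "phoenix_copy")                          # backdoor self-copy
        elif (e["id"] == 13 and RUN_KEY.search(e["target"])
                and PHOENIX_PATH in e.get("details", "").lower()):
            add(host, "run_key_persistence")                   # Run value -> backdoor
    return findings

if __name__ == "__main__":
    for host, hits in hunt_phoenix(SAMPLE_EVENTS).items():
        print(host, hits)
```

Each finding on its own is a lead worth triaging; a host showing all three stages in sequence is a strong match for the chain the article describes.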

The article, written by Elizabeth Montalbano, Contributing Writer, details a cyber-espionage campaign launched by the Iranian threat group known as MuddyWater (also called APT34, Helix Kitten, Seedworm, TA450, and OilRig) that began on August 19 and is presently targeting more than 100 government-related organizations across the Middle East and North Africa. The attackers compromised a mailbox accessed via the legitimate VPN service NordVPN, leveraging the trust associated with VPN-issued credentials to send phishing emails that appear authentic. Each attachment, a blurred Microsoft Word document, prompts recipients to enable macros; when macros are activated, embedded VBA code is executed, acting as a dropper that writes a loader to disk before running it. The loader, named FakeUpdate, decrypts a secondary payload with AES and injects it into its own process, ultimately deploying version 4 of MuddyWater's custom Phoenix backdoor on the victim machine. This backdoor creates a mutex (sysprocupdate.exe), collects host and system information, copies itself to C:\ProgramData\sysprocupdate.exe, and persists via registry modification, communicating with command-and-control over WinHTTP to receive and execute commands. Additional malware in the campaign includes Chromium_Stealer, a credential stealer disguised as a calculator app, and the remote management tools PDQ RMM and Action1, which aid in remote control and persistence. MuddyWater's focus lies on government entities such as embassies, diplomatic missions, foreign affairs ministries, and consulates, including well-known global institutions involved in international cooperation and humanitarian work, underscoring the group's geopolitical objectives. Group-IB, the cybersecurity vendor that uncovered the campaign, attributes the operation to MuddyWater because the FakeUpdate loader and Phoenix backdoor are exclusive to the group.
To mitigate such attacks, the article recommends subscribing to trusted threat intelligence feeds to remain current on the indicators of compromise, tactics, techniques, and procedures that MuddyWater employs. Continuous threat hunting for signs of Phoenix, FakeUpdate, and related infrastructure is advised, along with enhanced email and phishing defenses that include sandboxing and attachment scanning for Office documents, especially those containing macros or suspicious VBA code. Organizations are also urged to run regular phishing simulations and awareness training, emphasizing the "enable content" macro lures used in this campaign, and to disable macros by default through Group Policy, permitting execution only from signed or trusted sources. Endpoint detection and response solutions should be tuned to detect PowerShell misuse, process injection, and abnormal registry changes, and multi-factor authentication should be enforced across all accounts to prevent unauthorized mailbox access, thereby reducing the likelihood of compromised mailboxes and the consequent delivery of malicious payloads. The detailed overview underscores MuddyWater's sustained capability to conduct sophisticated, state-sponsored espionage campaigns that exploit legitimate tools and social engineering to infiltrate critical governmental targets.