Full Report
Group-IB says Tehran-linked crew used hijacked mailbox and VPN to sling phishing emails across Middle East. Iran's favorite muddy-footed cyberespionage crew is at it again, this time breaching more than 100 government entities across the Middle East and North Africa, according to researchers at Group-IB.…
Analysis Summary
# Threat Actor: MuddyWater (Seedworm/APT34/OilRig/TA450)
## Attribution & Identity
Attributed to Iran, specifically linked to Iran's Ministry of Intelligence and Security. Frequently referred to as Iran's "muddy-footed cyberespionage crew."
## Activity Summary
The latest campaign, starting in August 2025, involved breaching over 100 government entities across the Middle East and North Africa (MENA). The goal appears to be long-term access and information gathering, fitting a broader pattern of Iranian cyberespionage activity amidst regional tensions. This specific operation saw the actor send convincing phishing emails from a hijacked, legitimate enterprise mailbox accessed via the NordVPN service.
## Tactics, Techniques & Procedures
- **Initial Access:** Phishing campaigns utilizing weaponized Microsoft Word attachments.
- **Execution:** Used macros within attachments to deploy a loader nicknamed "FakeUpdate."
- **Persistence/Command and Control:** Installed an updated version of their custom backdoor, "Phoenix."
- **Defense Evasion:** Used legitimate, off-the-shelf remote management tools (PDQ and Action1) to blend in with authorized administrative traffic.
- **Credential Access:** Pilfered stored browser passwords from Chrome, Edge, Opera, and Brave.
- **Lateral Movement/Action on Objectives:** The backdoor let operators browse infected systems, upload and download files, and maintain persistence.
- **Note:** The use of a legitimate VPN service (NordVPN) and a compromised but trusted mailbox made detection particularly difficult.
## Targeting
- **Sectors:** Diplomatic entities, government entities, international organizations, and telecom providers.
- **Geography:** Middle East and North Africa (MENA) region.
- **Victims:** Over 100 government entities, including embassies and ministries. Specific names were not disclosed.
## Tools & Infrastructure
- **Malware Families:**
  - Phoenix (custom backdoor)
  - FakeUpdate (loader)
- **Infrastructure:**
  - Hijacked/compromised enterprise mailbox.
  - NordVPN service used for connectivity while operating the campaign.
- **Other Tools:** PDQ and Action1 (Remote Management Tools).
## Implications
MuddyWater remains a persistent and sophisticated Iranian espionage threat, primarily focused on state-linked, high-value targets in the MENA region. The scale of this recent campaign suggests a significant ramp-up in operational capacity or a broad intelligence requirement from its sponsors. Its focus on blending in with legitimate administrative traffic shows a mature awareness of modern enterprise security defenses.
## Mitigations
- Strong vigilance against phishing, especially emails originating from seemingly legitimate/trusted accounts.
- Scrutiny of requests to "Enable Content" in Microsoft Office documents, as this is a common vector for macro-based malware delivery.
- Increased monitoring for the deployment and execution of known backdoors like Phoenix.
- Monitor network and endpoint telemetry for the use of legitimate remote management tools (PDQ, Action1) originating from unusual or compromised network segments, not only from known administrative hosts.
- Enforce robust credential hygiene, in particular protecting against theft of passwords stored in major web browsers (Chrome, Edge, Opera, Brave).
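The TTP and mitigation sections above describe three observable behaviours a defender can hunt for: a Word document spawning a script host (macro execution), a remote management agent running on a host where no administrator should be operating, and a process touching the browsers' on-disk password stores. The following triage script is an added example, not code from Group-IB's report or from the vendors named on the page. The process-creation events, host names and the `rmm_agent.exe` binary name are constructed placeholders; the browser credential-store paths are the well-known default locations for Chrome, Edge, Brave and Opera, and the admin-host allowlist is an assumption to be replaced with your own.

```python
"""Triage constructed process-creation events for the MuddyWater TTPs
summarised on the page: Office spawning a script host, RMM agents on
non-admin hosts, and access to browser credential stores.
All sample data below is constructed for illustration."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample events, one per line: timestamp|host|parent_image|image|command_line
SAMPLE_EVENTS = r"""
2025-08-12T09:01:03Z|EMB-WS-14|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|WINWORD.EXE /n invoice.docm
2025-08-12T09:01:09Z|EMB-WS-14|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\alice\AppData\Local\Temp\stage.ps1
2025-08-12T09:03:44Z|EMB-WS-14|C:\Windows\System32\services.exe|C:\Program Files\Vendor\rmm_agent.exe|rmm_agent.exe --run
2025-08-12T09:04:10Z|ADM-JUMP-01|C:\Windows\System32\services.exe|C:\Program Files\Vendor\rmm_agent.exe|rmm_agent.exe --run
2025-08-12T09:05:30Z|EMB-WS-14|C:\Users\alice\AppData\Local\Temp\update.exe|C:\Windows\System32\cmd.exe|cmd /c copy "C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data" C:\Users\alice\AppData\Local\Temp\ld.db
2025-08-12T09:06:00Z|EMB-WS-02|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe notes.txt
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
# Placeholder RMM agent names (assumed): replace with the PDQ / Action1 agent
# binaries as they are actually deployed in your estate.
RMM_AGENTS = {"rmm_agent.exe"}
# Constructed allowlist of hosts from which RMM activity is expected.
ADMIN_HOSTS = {"ADM-JUMP-01"}
# Lower-cased path fragments of the default password stores of the browsers named on the page.
BROWSER_CRED_STORES = (
    r"google\\chrome\\user data\\.*\\login data",
    r"microsoft\\edge\\user data\\.*\\login data",
    r"bravesoftware\\brave-browser\\user data\\.*\\login data",
    r"opera software\\opera stable\\login data",
)


@dataclass
class Event:
    ts: str
    host: str
    parent: str
    image: str
    cmdline: str


def parse_event(line: str) -> Event:
    """Split one pipe-delimited event; the command line may itself contain '|'."""
    ts, host, parent, image, cmdline = line.split("|", 4)
    return Event(ts, host, parent, image, cmdline)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev: Event, admin_hosts=ADMIN_HOSTS) -> List[str]:
    """Return the names of every detection rule the event matches."""
    hits = []
    # Macro execution: an Office application spawning a script or shell host.
    if basename(ev.parent) in OFFICE_APPS and basename(ev.image) in SCRIPT_HOSTS:
        hits.append("office-macro-child")
    # Defense evasion: a legitimate RMM agent running outside the admin hosts.
    if basename(ev.image) in RMM_AGENTS and ev.host not in admin_hosts:
        hits.append("rmm-outside-admin-hosts")
    # Credential access: any command line referencing a browser password store.
    cmd = ev.cmdline.lower()
    if any(re.search(pattern, cmd) for pattern in BROWSER_CRED_STORES):
        hits.append("browser-credential-store-access")
    return hits


def triage(text: str, admin_hosts=ADMIN_HOSTS) -> List[Tuple[str, str, str]]:
    """Run every rule over a block of events; returns (timestamp, host, rule) findings."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        for rule in evaluate(ev, admin_hosts):
            findings.append((ev.ts, ev.host, rule))
    return findings


if __name__ == "__main__":
    for ts, host, rule in triage(SAMPLE_EVENTS):
        print(f"{ts} {host} {rule}")
```

Run against the constructed events, the script flags three lines on the workstation EMB-WS-14 (the Word-spawned PowerShell, the RMM agent, and the copy of Chrome's `Login Data`) and stays silent on the same RMM agent running on the allowlisted jump host, which is the distinction the page's mitigation on remote management tools asks for. In a real deployment the events would come from Sysmon event ID 1 or an EDR process-creation feed rather than a string constant, and the allowlist should be derived from the RMM console's own list of approved consoles.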