Iran-Linked MuddyWater: Cross-Border Espionage Targeting 100+ Diplomatic Entities

More than 100 governmental and diplomatic institutions across the Middle East and North Africa (MENA) are the target of a sophisticated espionage effort by the Iranian state-affiliated threat group MuddyWater, also known as Seedworm or Mango Sandstorm. Using a compromised email account and trusted services such as NordVPN, the group distributed Microsoft Word documents containing malicious macros that launched the Phoenix v4 backdoor. The campaign demonstrates MuddyWater’s evolving tradecraft, which combines credential stealers, bespoke malware, and legitimate remote monitoring tools (PDQ, Action1) to achieve intelligence collection, persistence, and stealth. To counter state-sponsored espionage against government and diplomatic networks, the operation underlines the critical need for stronger email security controls, user awareness, and proactive threat hunting.

Technical Description

The campaign follows a traditional spear-phishing chain. To send seemingly authentic emails carrying weaponized Microsoft Word documents, MuddyWater first uses a compromised mailbox (accessed through an abused NordVPN account). When recipients enable macros, the embedded VBA dropper decodes and writes a loader named “FakeUpdate” to disk, which then decrypts an AES-encrypted Phoenix v4 payload and launches the backdoor. Phoenix (a lightweight offshoot of the Python-based BugSleep family; v3 and v4 variants observed) provides remote access and telemetry, while the attacker’s C2 infrastructure (159.198.36[.]115) also hosts commercial RMM tools (PDQ, Action1) and a custom browser credential stealer targeting Brave/Chrome/Edge/Opera. This indicates a deliberate mix of legitimate admin utilities and custom implants to improve stealth, persistence, and credential harvesting. The details of the attack campaign are discussed below:

Delivery and Infection Chain:

MuddyWater begins the campaign with a compromised mailbox (access gained through a NordVPN account) to deliver plausible, authoritative emails containing weaponized Microsoft Word attachments. These entice recipients to enable macros, turning trusted-looking correspondence into a distribution vector that bypasses basic phishing filters and leverages social engineering anchored in diplomatic context. The infection chain was identified as follows:

  • The attacker gains access to a valid email account (using compromised NordVPN credentials) and sends messages that appear to be authentic.
  • Crafted emails with weaponized Microsoft Word attachments are distributed to specific diplomatic and government targets.
  • The receiver opens the document and is socially engineered into allowing macros, which activates the embedded VBA dropper.
  • The VBA dropper decodes and writes the FakeUpdate loader to disk; the loader then decrypts the AES-encrypted payload.
  • Phoenix v4 is started, establishes C2 connectivity, and supports persistence, credential theft, and remote operations.

Technical Capabilities:

Targeted access acquisition, cautious OPSEC, and tool blending are characteristics of the threat actor’s mature operational capabilities. They gain legitimate mailbox access, use that trusted advantage to send spear-phishes that look real, and host both commercially available utilities and custom implants on the same infrastructure to make attribution and detection more difficult. In order to conceal administrative activity and allow remote command execution under the pretext of legitimate maintenance, MuddyWater’s operational playbook favors stealth and persistence. This includes encrypted payload delivery, social engineering customized for diplomatic settings, and the co-location of malicious services with Remote Monitoring & Management (RMM) tools (e.g., PDQ, Action1).

A VBA-based dropper writes a loader named FakeUpdate to disk, which decrypts and executes an AES-encrypted Phoenix v4 payload. Phoenix offers lightweight RAT-style capabilities (remote command execution, telemetry, filesystem/registry access, and probably data staging/exfiltration hooks) while staying small and undetectable. The malware stack is modular and focuses on reconnaissance, credential collection, and long-term remote access. In order to provide the adversary with credential access, remote administration, and covert channels for ongoing espionage, Phoenix is complemented by a custom browser credential stealer that targets Chromium-based browsers (Brave, Chrome, Edge, and Opera). This allows for the harvesting of saved credentials and session tokens as well as the use of legitimate RMM utilities for lateral movement or persistence.

Attribution and Evolution:

Security vendors attribute the operation to MuddyWater (aliases include Seedworm, Mango Sandstorm, and TA450), an actor linked to Iran’s Ministry of Intelligence and Security (MOIS) active since at least 2017; the emergence of Phoenix (a lightweight offshoot of the earlier BugSleep implant) and the observed migration from earlier remote-access techniques to AES-encrypted payloads, loader abstraction, and RMM integration indicate tactical maturation and toolkit diversification.

Active Campaign and Geographic Spread:

In line with state-level intelligence collection priorities, the researchers found that this campaign actively targeted more than 100 organizations throughout the MENA region, with over 75% of the targets being embassies, diplomatic missions, foreign ministries, and consulates. The remaining targets included international organizations and telecom companies.

Conclusion:

The combination of compromised mailboxes, macro-based droppers, encrypted loaders, credential theft, and RMM abuse increases the risk of long-term compromise in diplomatic networks and necessitates prioritized defensive measures across email hygiene, endpoint controls, and active hunting. The operation is a concentrated, high-skilled espionage effort that weaponizes trust in official correspondence and legitimate administrative tooling to deliver encrypted, persistent implants.

Impact

Credential harvesting, prolonged access to private diplomatic communications, possible classified information leaks, deterioration of operational confidentiality, and other diplomatic and strategic repercussions are all made possible by successful compromises. These risks have the potential to cause a series of operational, reputational, and national security harms for the governments and international organizations that are impacted.

IOC and Context Details

Tactic Name: Initial Access, Execution, Persistence, Credential Access, Command and Control, Defense Evasion, Exfiltration

Technique Name:
  • Spearphishing Attachment
  • User-enabled Macros
  • Valid Accounts
  • Loader or Dropper
  • Encrypted Payloads
  • Custom Command and Control
  • Browser Credential Harvesting
  • Remote Monitoring and Management (RMM) Abuse

Sub-Technique Name:
  • Spearphishing via compromised mailbox using a legitimate account
  • VBA macro execution in Microsoft Word
  • Loader stage (FakeUpdate) decrypts AES-encrypted payload
  • Browser credential theft from Chromium-based browsers
  • Use of legitimate RMM tools (PDQ, Action1) for stealth and persistence

Attack Type: Malware

Targeted Applications: Microsoft Word, Brave, Google Chrome, Microsoft Edge, Opera, NordVPN

Region Impacted: Middle East and North Africa (MENA)

Industry Impacted:
  • Governmental and Diplomatic Missions
  • Embassies, Foreign Ministries, Consulates
  • International Organizations
  • Telecommunications Providers

IOCs (SHA-256):

Domain: screenai[.]online

IP Address: 159[.]198[.]36[.]115

CVE: NA

Recommended Actions

  • Enforce Multi-Factor Authentication (MFA) on all email and VPN accounts to prevent unauthorized mailbox access, even if credentials are compromised.
  • Implement strict email authentication protocols such as DMARC, DKIM, and SPF to detect and block spoofed or compromised email sources used in phishing campaigns.
  • Disable or restrict macro execution in Microsoft Office documents from untrusted sources and enforce Group Policy settings that prevent users from enabling macros manually.
  • Deploy advanced email security filters capable of detecting weaponized attachments, macro-laden documents, and suspicious sender behaviors associated with spear-phishing.
  • Continuously monitor for legitimate tool abuse, including RMM utilities like PDQ and Action1, to detect unauthorized remote access or lateral movement within networks.
  • Hunt for known IOCs and behavioral indicators, such as the C2 IP (159.198.36[.]115), FakeUpdate loader activity, and Phoenix v4 payload execution patterns, across endpoints and network logs.
  • Strengthen endpoint detection and response (EDR) capabilities to identify AES-encrypted payload deployments, abnormal process chains (e.g., Word → cmd → encoded script), and credential-stealing activity.
  • Conduct targeted phishing awareness training for diplomatic and government personnel to help identify deceptive emails, suspicious attachments, and social engineering tactics exploiting trusted correspondence.
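As an added defender-side example (not code from the advisory or from the vendors it cites), the following Python hunt applies the behavioural and network indicators above to constructed Sysmon-style events: an Office application spawning a script host with an encoded command, a process named after the FakeUpdate loader, and contact with the published C2 IP or domain. The event field names, host names and sample telemetry are assumptions.

```python
import re

# Network indicators quoted in this advisory, refanged for comparison with raw logs.
C2_IPS = {"159.198.36.115"}
C2_DOMAINS = {"screenai.online"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# PowerShell -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_RE = re.compile(r"(?i)[-/](?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")
LOADER_RE = re.compile(r"(?i)fakeupdate")  # loader name reported in the advisory


def hunt(events):
    """Return (host, rule, detail) for events matching the Word -> script host ->
    FakeUpdate -> C2 chain. Events are dicts in a simplified Sysmon-like shape."""
    hits = []
    for ev in events:
        host = ev["host"]
        if ev["type"] == "process":
            parent, image, cmd = ev["parent"].lower(), ev["image"].lower(), ev["cmdline"]
            if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
                rule = "office_spawned_script_host"
                if ENCODED_RE.search(cmd):
                    rule += "_encoded"
                hits.append((host, rule, cmd))
            if LOADER_RE.search(image) or LOADER_RE.search(cmd):
                hits.append((host, "fakeupdate_loader_name", cmd))
        elif ev["type"] == "network":
            dst_host = ev.get("dst_host", "").lower()
            if ev["dst_ip"] in C2_IPS or dst_host in C2_DOMAINS:
                hits.append((host, "known_c2_contact", ev["dst_ip"] or dst_host))
    return hits


# Constructed sample telemetry (not real captures): a benign Word print helper,
# a macro chain with an encoded PowerShell stage, a loader drop, and one C2 beacon.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "parent": "WINWORD.EXE", "image": "splwow64.exe",
     "cmdline": "splwow64.exe 12288"},
    {"type": "process", "host": "ws02", "parent": "WINWORD.EXE", "image": "cmd.exe",
     "cmdline": "cmd.exe /c powershell -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"},
    {"type": "process", "host": "ws02", "parent": "cmd.exe", "image": "FakeUpdate.exe",
     "cmdline": r"C:\Users\Public\FakeUpdate.exe"},
    {"type": "network", "host": "ws02", "dst_ip": "159.198.36.115", "dst_host": ""},
    {"type": "network", "host": "ws03", "dst_ip": "203.0.113.10", "dst_host": "example.org"},
]

if __name__ == "__main__":
    for host, rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {detail}")
```

The three expected hits all land on ws02, which is the pivot a responder would take into the EDR timeline and mailbox audit logs.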

References

https://www.bleepingcomputer.com/news/security/iranian-hackers-targeted-over-100-govt-orgs-with-phoenix-backdoor/