MuddyWater’s Advanced Cyber-Espionage Campaign Deploys Phoenix Backdoor v4

The Iranian-linked Advanced Persistent Threat (APT) group known as MuddyWater has recently intensified its cyber-espionage activities, targeting over 100 governmental and international organizations across the Middle East, North Africa, and other regions. This escalation, observed since mid-August 2025, showcases the group’s enhanced technical capabilities and strategic focus on geopolitical intelligence gathering.

Phishing Tactics and Initial Compromise

MuddyWater ran its latest campaign from a compromised legitimate mailbox, which the operators logged into through NordVPN. From that account the group sent phishing emails that appeared to come from a trusted sender. Each carried a Microsoft Word attachment that, when opened, asked the recipient to enable macros; doing so executed the embedded Visual Basic for Applications (VBA) code and started a multi-stage infection chain.

Deployment of Phoenix Backdoor v4

The VBA code ran a loader tracked as FakeUpdate, which decrypted the Phoenix backdoor version 4 and injected it directly into memory, so the decrypted payload never touched disk and file-based scanning had nothing to inspect. Once running, Phoenix v4 established persistence by changing the Winlogon Shell registry value, the entry that names the program Windows launches at user logon (by default explorer.exe), and created a mutex, the usual way an implant avoids starting a second instance. It then contacted its command-and-control (C2) servers over HTTP using the WinHTTP API, giving the operators remote command execution, data exfiltration and further post-exploitation capability.

Advanced Persistence Mechanisms

Beyond the Winlogon change, Phoenix v4 used additional persistence paths. Analysis found Component Object Model (COM) DLL artifacts built to launch follow-on malware, such as Mononoke.exe, through an alternative execution path. Before its first C2 contact the implant collected host reconnaissance: computer name, domain membership, Windows version and the logged-on user name.

Infrastructure and Additional Tools

Investigation showed that the C2 domain screenai[.]online was registered on August 17, 2025 and stayed active for roughly five days. The same server hosted further tooling: a custom Chromium browser credential stealer and legitimate Remote Monitoring and Management (RMM) agents, PDQ and Action1. Chrome, Opera, Brave and Microsoft Edge all protect saved logins with a per-profile master key that is itself DPAPI-protected and stored in the profile's Local State file, so the stealer has to run inside the victim's logon session to unwrap that key; it then decrypts the stored passwords and writes them to staging files for exfiltration.

Implications and Recommendations

MuddyWater's toolkit for this campaign, custom malware paired with legitimate RMM agents that blend into ordinary administration traffic, shows a deliberate approach to operational security and persistence. The campaign is a reminder that Iran-aligned actors remain active against government and international targets, and that the defensive controls involved are well understood. Concretely: block macros in Office documents that arrive from the internet (the Mark of the Web policy setting) rather than relying on users to decline the enable-macros prompt; tune Endpoint Detection and Response (EDR) rules to alert on Office applications spawning script hosts, on in-memory injection from unsigned loaders, and on any change to the Winlogon Shell value; and keep an inventory of approved RMM agents and their install paths so that an Action1 or PDQ agent appearing anywhere else, or on a host where none was ever deployed, is investigated as a probable intrusion.
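As an added example, written for this page and not taken from the Group-IB report or any vendor tooling, the Python below turns three of the points above into hunt rules and runs them over a constructed batch of Sysmon-style events (event 13 for registry value sets, event 1 for process creation): the Winlogon Shell change used for Phoenix v4 persistence, an Office application spawning a script host after the macro runs, and an RMM agent executing from outside its approved install directory. The agent binary names and approved directories in RMM_AGENTS and APPROVED_RMM_DIRS are assumptions for illustration and should be replaced with values from your own software inventory.

```python
import ntpath

# Rule configuration. RMM_AGENTS and APPROVED_RMM_DIRS are assumed,
# illustrative values; populate them from your own asset inventory.
WINLOGON_SHELL_SUFFIX = r"\winlogon\shell"
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
RMM_AGENTS = {"action1_agent.exe", "pdqconnectagent.exe"}
APPROVED_RMM_DIRS = {r"c:\program files\action1", r"c:\program files\pdq"}

# Constructed Sysmon-style events (not real telemetry). Only the fields the
# rules need are kept: id 13 = registry value set, id 1 = process creation.
SAMPLE_EVENTS = [
    {"id": 13, "image": r"C:\Windows\explorer.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "details": "explorer.exe"},
    {"id": 13, "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "details": r"explorer.exe,C:\Users\alice\AppData\Roaming\svc\host.exe"},
    {"id": 1, "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c powershell -WindowStyle Hidden -File %TEMP%\stage.ps1"},
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\Downloads\action1_agent.exe",
     "cmdline": "action1_agent.exe /silent"},
    {"id": 1, "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files\Action1\action1_agent.exe",
     "cmdline": "action1_agent.exe"},
]


def basename(path):
    return ntpath.basename(path).lower()


def check_winlogon_shell(ev):
    """Flag any Winlogon Shell value (HKLM or per-user HKU) other than the bare default."""
    if ev["id"] != 13 or not ev["target"].lower().endswith(WINLOGON_SHELL_SUFFIX):
        return None
    # The default is exactly "explorer.exe". The common abuse appends
    # ",<payload>" so both the real shell and the implant start at logon.
    entries = [e.strip().strip('"').lower() for e in ev["details"].split(",")]
    if entries == ["explorer.exe"]:
        return None
    extra = [e for e in entries if basename(e) != "explorer.exe"]
    return ("winlogon_shell", ev["image"], ",".join(extra) or ev["details"])


def check_office_child(ev):
    """Flag an Office application launching a script host, the macro-stage signature."""
    if ev["id"] != 1:
        return None
    if basename(ev["parent"]) in OFFICE_PARENTS and basename(ev["image"]) in SCRIPT_HOSTS:
        return ("office_spawned_script_host", ev["image"], ev["cmdline"])
    return None


def check_rmm_agent(ev):
    """Flag a known RMM agent binary running from outside its approved install path."""
    if ev["id"] != 1 or basename(ev["image"]) not in RMM_AGENTS:
        return None
    directory = ntpath.dirname(ev["image"]).lower()
    if any(directory.startswith(approved) for approved in APPROVED_RMM_DIRS):
        return None
    return ("rmm_agent_outside_approved_path", ev["image"], ev["cmdline"])


RULES = (check_winlogon_shell, check_office_child, check_rmm_agent)


def hunt(events):
    """Return (rule, image, detail) for every event that trips a rule."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for rule, image, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {image} :: {detail}")
```

The RMM rule deliberately does not alert on the agent in its approved directory: the goal is to separate administrator-deployed agents from ones a phishing victim or an implant dropped, which is the distinction that makes legitimate RMM tools attractive to this actor.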