Live Cybersecurity News Ticker | Codekeeper

Iran-Backed MuddyWater Hackers Target 100+ Government Entities Across Middle East and Africa

Written by Content Team | Oct 23, 2025 12:18:04 PM

The Iranian threat group MuddyWater is conducting a massive cyberespionage campaign targeting over 100 government organizations across the Middle East and North Africa. The campaign, discovered by Group-IB, began August 19 and uses phishing emails sent from a compromised mailbox (which the attackers accessed via NordVPN) so that the messages appear legitimate.

Victims receive blurred Word documents that prompt them to enable macros, which then deploy the Phoenix backdoor version 4 through a FakeUpdate injector. The malware establishes persistence and connects to command-and-control servers for intelligence gathering. Targets include embassies, diplomatic missions, and foreign affairs ministries, supporting MuddyWater's geopolitical objectives and Iran's Ministry of Intelligence operations.

Source: Dark Reading