Researchers at Group-IB Threat Intelligence have uncovered a new phishing and espionage campaign by the Iran-linked MuddyWater group targeting organizations worldwide. The attack chain relies on the Phoenix v4 backdoor, FakeUpdate injectors, and credential stealers disguised as legitimate applications.
Key points
- The campaign involves spear-phishing emails sent from compromised legitimate accounts to deceive victims.
- MuddyWater uses an advanced malware toolset, including the Phoenix v4 backdoor, FakeUpdate injectors, and COM-based persistence mechanisms.
- The malware communicates with command-and-control servers hosted behind Cloudflare infrastructure, using a domain registered through NameCheap.
- Embedded tools such as Chromium_Stealer and legitimate remote monitoring and management (RMM) utilities help the group maintain long-term access and extract sensitive data.
- Targets include diplomatic, humanitarian, and energy organizations across the Middle East, Europe, Africa, and North America.