Cybersecurity researchers have uncovered a phishing campaign attributed to the Iran-linked threat group MuddyWater, targeting international organizations for intelligence collection. The attackers sent phishing from compromised email accounts and deployed the Phoenix v4 backdoor alongside remote monitoring and management (RMM) tools to infiltrate high-value targets. #MuddyWater #PhoenixBackdoor
Key points
- The campaign abused trusted channels: phishing was sent from compromised email accounts, and the attackers used legitimate services such as NordVPN, so their activity blended in with normal traffic.
- Phishing emails carried malicious Word documents that prompted victims to enable macros; the macro then deployed the malware.
- The Phoenix v4 backdoor added updated persistence mechanisms and beaconed to command-and-control servers for tasking.
- The attackers also deployed legitimate remote management tools (PDQ and Action1) and a browser credential stealer dubbed Chromium_Stealer.
- Organizations are advised to disable Office macros, deploy detection tooling for the backdoor and the RMM tools above, and run security awareness training against this kind of lure.
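The macro-enabled Word lure is the cheapest place to detect this campaign. The script below is an added example (not from the article or the researchers' report) of a mail-gateway triage check: it opens an Office Open XML attachment as a zip, looks for a VBA project part and the VBA content type, and flags the common evasion of a macro-bearing document saved under an extension that should not carry macros. The sample documents are constructed in-memory stand-ins, not files from the campaign; the `vbaProject.bin` contents and the filenames are placeholders.

```python
"""Triage Office Open XML (docx/xlsx/pptx family) attachments for embedded VBA.

Added example for macro-lure detection. Sample files below are constructed
in memory and are NOT artifacts from the MuddyWater campaign.
"""
import io
import zipfile

# Package parts that hold a VBA project in Word, Excel and PowerPoint OOXML files.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Content type that [Content_Types].xml assigns to a VBA project part.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Extensions that legitimately carry macros; a VBA part under any other
# extension is a mismatch worth a second look.
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam")


def inspect_office_doc(filename: str, data: bytes) -> dict:
    """Inspect one attachment held in memory and return structured findings."""
    result = {
        "filename": filename,
        "is_ooxml": False,
        "has_vba_part": False,
        "declares_vba_content_type": False,
        "extension_mismatch": False,
        "verdict": "clean",
    }
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["verdict"] = "not-ooxml"  # legacy .doc (OLE2), PDF, plain text, etc.
        return result
    names = set(zf.namelist())
    if "[Content_Types].xml" not in names:
        result["verdict"] = "not-ooxml"  # a zip, but not an OOXML package
        return result
    result["is_ooxml"] = True
    # Check both the part itself and its declaration; a stripped declaration
    # with the part still present (or vice versa) is itself suspicious.
    result["has_vba_part"] = any(part in names for part in VBA_PARTS)
    content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    result["declares_vba_content_type"] = VBA_CONTENT_TYPE in content_types
    has_macros = result["has_vba_part"] or result["declares_vba_content_type"]
    ext = "." + filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    result["extension_mismatch"] = has_macros and ext not in MACRO_EXTENSIONS
    if has_macros:
        result["verdict"] = (
            "macro-bearing (extension mismatch)" if result["extension_mismatch"] else "macro-bearing"
        )
    return result


def build_sample(parts: dict) -> bytes:
    """Build a minimal constructed OOXML package from {part_name: body}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


CLEAN_CT = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Override PartName="/word/document.xml" ContentType='
    '"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    "</Types>"
)
MACRO_CT = CLEAN_CT.replace(
    "</Types>",
    '<Override PartName="/word/vbaProject.bin" ContentType="' + VBA_CONTENT_TYPE + '"/></Types>',
)
# Placeholder bytes for the VBA part (real ones are an OLE2 compound file).
FAKE_VBA = b"\xd0\xcf\x11\xe0placeholder-vba-project"

# Constructed samples: filenames and contents are hypothetical.
SAMPLES = {
    "invoice.docx": build_sample({"[Content_Types].xml": CLEAN_CT, "word/document.xml": "<w:document/>"}),
    "invoice.docm": build_sample(
        {"[Content_Types].xml": MACRO_CT, "word/document.xml": "<w:document/>", "word/vbaProject.bin": FAKE_VBA}
    ),
    "invoice_renamed.docx": build_sample(
        {"[Content_Types].xml": MACRO_CT, "word/document.xml": "<w:document/>", "word/vbaProject.bin": FAKE_VBA}
    ),
    "notes.txt": b"plain text attachment",
}


def triage_all(samples: dict = SAMPLES) -> dict:
    """Map each attachment name to its verdict; the gateway would quarantine macro-bearing ones."""
    return {name: inspect_office_doc(name, data)["verdict"] for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(f"{name:24} {verdict}")
```

This check only establishes that a VBA project is present; it does not read the macro code. For the legacy OLE2 `.doc` format, or to extract and inspect the VBA itself (AutoOpen handlers, obfuscated downloader strings), pair it with a dedicated tool such as oletools' `olevba`. Endpoint policy should still disable macros outright, since a gateway check can be bypassed by a lure delivered over another channel.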
Read More: https://www.infosecurity-magazine.com/news/muddywater-compromised-mailboxes/