Close Menu
TechurzTechurz
    What's Hot

    Builders Stage agenda revealed for Disrupt 2026

    July 1, 2026

    Startup Battlefield Australia application closes in days: Apply before July 6

    June 30, 2026

    Acti puts AI agents directly into your smartphone keyboard

    June 30, 2026
    X (Twitter) Pinterest YouTube LinkedIn WhatsApp
    Tech Pulse
    • Builders Stage agenda revealed for Disrupt 2026
    • Startup Battlefield Australia application closes in days: Apply before July 6
    • Acti puts AI agents directly into your smartphone keyboard
    • The DeepMind trio who built a poker AI are now making money for quant hedge funds
    • Nvidia competitor Etched hits $5B valuation, $1B in sales for AI chip
    X (Twitter) Pinterest YouTube LinkedIn WhatsApp
    TechurzTechurz
    • Home
    • Tech Pulse
    • Future Tech
    • AI Systems
    • Cyber Reality
    • Disruption Lab
    • Signals
    TechurzTechurz
    Home - Cyber Reality - Iran-Linked MuddyWater Targets 100+ Organisations in Global Espionage Campaign
    Cyber Reality

    Iran-Linked MuddyWater Targets 100+ Organisations in Global Espionage Campaign

    TechurzBy TechurzOctober 22, 2025Updated:May 10, 2026No Comments3 Mins Read
    Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
    Iran-Linked MuddyWater Targets 100+ Organisations in Global Espionage Campaign
    Share
    Facebook Twitter LinkedIn Pinterest Email


    Oct 22, 2025Ravie LakshmananMalware / Cyber Espionage

    The Iranian nation-state group known as MuddyWater has been attributed to a new campaign that has leveraged a compromised email account to distribute a backdoor called Phoenix to various organizations across the Middle East and North Africa (MENA) region, including over 100 government entities.

    The end goal of the campaign is to infiltrate high-value targets and facilitate intelligence gathering, Singaporean cybersecurity company Group-IB said in a technical report published today.

    More than three-fourths of the campaign’s targets include embassies, diplomatic missions, foreign affairs ministries, and consulates, followed by international organizations and telecommunications firms.

    “MuddyWater accessed the compromised mailbox through NordVPN (a legitimate service abused by the threat actor), and used it to send phishing emails that appeared to be authentic correspondence,” said security researchers Mahmoud Zohdy and Mansour Alhmoud.

    “By exploiting the trust and authority associated with such communications, the campaign significantly increased its chances of deceiving recipients into opening the malicious attachments.”

    The attack chain essentially involves the threat actor distributing weaponized Microsoft Word documents that, when opened, prompt the email recipients to enable macros in order to view the content. Once the unsuspecting user enables the feature, the document proceeds to execute malicious Visual Basic for Application (VBA) code, resulting in the deployment of version 4 of the Phoenix backdoor.

    The backdoor is launched by means of a loader called FakeUpdate that’s decoded and written to disk by the VBA dropper. The loader contains the Advanced Encryption Standard (AES)-encrypted Phoenix payload.

    MuddyWater, also called Boggy Serpens, Cobalt Ulster, Earth Vetala, Mango Sandstorm (formerly Mercury), Seedworm, Static Kitten, TA450, TEMP.Zagros, and Yellow Nix, is assessed to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS). It’s known to be active since at least 2017.

    The threat actor’s use of Phoenix was first documented by Group-IB last month, describing it as a lightweight version of BugSleep, a Python-based implant linked to MuddyWater. Two different variants of Phoenix (Version 3 and Version 4) have been detected in the wild.

    The cybersecurity vendor said the attacker’s command-and-control (C2) server (“159.198.36[.]115”) has also been found hosting remote monitoring and management (RMM) utilities and a custom web browser credential stealer that targets Brave, Google Chrome, Microsoft Edge, and Opera, suggesting their likely use in the operation. It’s worth noting that MuddyWater has a history of distributing remote access software via phishing campaigns over the years.

    “By deploying updated malware variants such as the Phoenix v4 backdoor, the FakeUpdate injector, and custom credential-stealing tools alongside legitimate RMM utilities like PDQ and Action1, MuddyWater demonstrated an enhanced ability to integrate custom code with commercial tools for improved stealth and persistence,” the researchers said.

    campaign espionage global IranLinked MuddyWater organisations targets
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    Previous ArticleDavid Sacks’ Craft leads $42M Series A in govtech startup Starbridge
    Next Article Casio’s new G-Shock Nano fits on your finger – here’s how and when you can buy one
    Techurz
    • Website

    Related Posts

    Cyber Reality

    Digital Identity Protection: 7 Hidden Risks Most Users Miss

    May 25, 2026
    Cyber Reality

    Neural Data Policy: 7 Risks That Brain Privacy Laws Miss

    May 25, 2026
    Cyber Reality

    How AI Changing Cyber Crime: 7 Critical Shifts to Watch

    May 25, 2026
    Add A Comment
    Latest Tech Pulse

    College social app Fizz expands into grocery delivery

    September 3, 20252,290

    SolarSquare in talks to raise up to $60M as India’s rooftop solar market draws major VC interest

    May 23, 202622

    Future of Digital Privacy and Security: 7 Truths Nobody Tells You

    May 25, 202619
    Stay In Touch
    • YouTube
    • WhatsApp
    • Twitter
    • Pinterest
    • LinkedIn

    Techurz helps readers stay ahead of digital change with clear, practical, future focused technology intelligence written today,searched tomorrow.

    X (Twitter) Pinterest YouTube LinkedIn WhatsApp
    Company
    • About Us
    • Contact Us
    • Our Authors / Editorial Team
    • Write For Us
    • Advertise
    Policy
    • Editorial Policy
    • Privacy Policy
    • Terms and Conditions
    • Affiliate Disclosure
    • Cookie Policy
    • Disclaimer
    • DMCA
    Explore
    • AI Systems
    • Cyber Reality
    • Future Tech
    • Disruption Lab
    • Signals
    • Tech Pulse
    • Sitemap

    Join the Techurz Brief

    The future does not arrive suddenly.
    Stay ahead with fast, sharp tech signals.

    Type above and press Enter to search. Press Esc to cancel.