Full Report
State-sponsored Iranian hacker group MuddyWater has targeted more than 100 government entities in attacks that deployed version 4 of the Phoenix backdoor. [...]
Analysis Summary
# Threat Actor: MuddyWater
## Attribution & Identity
The threat actor is identified as the **state-sponsored Iranian hacker group MuddyWater**.
Known Aliases: Static Kitten, Mercury, Seedworm.
## Activity Summary
In a campaign that began on August 19, MuddyWater sent phishing emails from a compromised NordVPN account to over 100 government entities. The emails carried malicious Word documents built to deploy version 4 of the Phoenix backdoor. On August 24 the actor took the initial server and C2 components offline, which suggests a move to other tooling. Targeting concentrated on embassies, diplomatic missions, foreign affairs ministries, and consulates.
## Tactics, Techniques & Procedures
- Phishing campaigns utilizing emails with malicious Word documents.
- Use of VBA macros in those documents to execute code, a technique that was widespread several years ago and has declined since macros in files downloaded from the internet became blocked by default.
- Deployment of the **FakeUpdate** malware loader via macros.
- FakeUpdate decrypts and writes the **Phoenix backdoor (v4)** to disk at `C:\ProgramData\sysprocupdate.exe`.
- Persistence established by modifying the current user's shell settings in the Windows Registry, i.e. the per-user value that controls which program is started as the logon shell.
- Phoenix v4 adds a COM-based persistence mechanism that earlier versions did not have.
- C2 communication uses the WinHTTP client library.
- A custom infostealer targets browser data from Chrome, Opera, Brave, and Edge, together with the master keys used to decrypt the stored credentials.
## Targeting
- Sectors: Government organizations, diplomatic missions, embassies, foreign affairs ministries, and consulates.
- Geography: Middle East and North Africa (MENA) region.
- Victims: Over 100 government entities.
## Tools & Infrastructure
- Malware families used: Phoenix backdoor (v4), FakeUpdate malware loader, custom infostealer.
- Infrastructure/Utilities observed on C2: PDQ utility for software deployment, Action1 RMM (Remote Monitoring and Management) tool.
- C2 communication: WinHTTP beaconing.
- Infrastructure: initial access phishing was sent from a compromised NordVPN account; no C2 domains or IP addresses are listed in this summary.
## Implications
MuddyWater remains an active, state-sponsored actor that pairs a declining initial access technique (VBA macros) with actively maintained custom malware (Phoenix v4). Its persistent focus on diplomatic and government bodies in the Middle East points to espionage and intelligence collection objectives. The AES-encrypted Phoenix payload and the custom credential stealer indicate a mature, continuously developed toolset.
## Mitigations
- Harden Microsoft Office so that VBA macros in documents from untrusted sources (in particular files carrying the Mark of the Web) are blocked, and allow only signed macros from trusted publishers where macros are genuinely required.
- Monitor and alert on changes to the registry values that control the user's logon shell, and on new per-user COM server registrations, since the campaign uses both for persistence.
- Deploy Endpoint Detection and Response (EDR) capable of detecting the file writes and execution patterns associated with the FakeUpdate loader and the Phoenix backdoor.
- Review network egress for beaconing over HTTP(S) from processes that load the WinHTTP client library (`winhttp.dll`) but have no business making web requests. WinHTTP is a Windows API rather than a distinct wire protocol, so filter on the calling process, not on a network signature.
- Check systems for `C:\ProgramData\sysprocupdate.exe` and treat any hit as an indicator of Phoenix v4; record the file hash before removal.
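The following host triage script is an added example written for this page; it is not code from the original report and has nothing to do with the actor's tooling. It turns the persistence checks and drop-path indicator above into something a responder can run on a suspect workstation. It assumes that "current user's shell settings" refers to the per-user Winlogon `Shell` value (absent on a clean system, with the machine-wide value under HKLM set to `explorer.exe`), that the Phoenix drop path is the one named in the report, that Windows is installed on `C:`, and that Office 2016 or later is in use (policy keys under `Office\16.0`). The COM sweep is generic because the report names no CLSID.

```powershell
# Added triage script (not part of the original report). Assumptions:
#  - "current user's shell settings" = per-user Winlogon 'Shell' value
#    (absent on a clean system; the HKLM value is "explorer.exe");
#  - Phoenix v4 drop path from the report: C:\ProgramData\sysprocupdate.exe;
#  - system drive is C:; Office 2016+ (policy keys under Office\16.0).
# Run in the session of the user whose HKCU hive should be inspected.

$findings = [System.Collections.Generic.List[string]]::new()
# Image locations treated as trusted for COM servers and process images.
$trustedImage = '^("?C:\\(Windows|Program Files( \(x86\))?)\\|"?%(SystemRoot|windir)%\\)'

# 1. Phoenix v4 drop location named in the report; hash it before anyone deletes it.
$dropPath = 'C:\ProgramData\sysprocupdate.exe'
if (Test-Path -LiteralPath $dropPath) {
    $sha256 = (Get-FileHash -LiteralPath $dropPath -Algorithm SHA256).Hash
    $findings.Add("Phoenix drop path present: $dropPath (SHA256 $sha256)")
}

# 2. Logon shell override. Any per-user Shell value is a finding on its own;
#    the machine-wide value must be exactly explorer.exe.
$userWinlogon    = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$machineWinlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userShell = Get-ItemProperty -Path $userWinlogon -Name Shell -ErrorAction SilentlyContinue
if ($userShell) { $findings.Add("HKCU Winlogon Shell is set: $($userShell.Shell)") }
$machineShell = (Get-ItemProperty -Path $machineWinlogon -Name Shell).Shell
if ($machineShell -ne 'explorer.exe') { $findings.Add("HKLM Winlogon Shell modified: $machineShell") }

# 3. Per-user COM servers whose binary lives outside trusted directories.
#    Generic sweep: the report describes COM-based persistence but gives no CLSID.
$clsidRoot = 'HKCU:\Software\Classes\CLSID'
if (Test-Path -Path $clsidRoot) {
    foreach ($clsid in Get-ChildItem -Path $clsidRoot -ErrorAction SilentlyContinue) {
        foreach ($serverKey in 'InprocServer32', 'LocalServer32') {
            $server = Get-ItemProperty -LiteralPath "$clsidRoot\$($clsid.PSChildName)\$serverKey" -ErrorAction SilentlyContinue
            $target = $server.'(default)'
            if ($target -and $target -notmatch $trustedImage) {
                $findings.Add("HKCU COM server $($clsid.PSChildName)\$serverKey -> $target")
            }
        }
    }
}

# 4. Word macro policy. VBAWarnings 4 = disable all macros without notification;
#    BlockContentExecutionFromInternet 1 = block macros in Mark-of-the-Web files.
$wordPolicy = Get-ItemProperty -Path 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security' -ErrorAction SilentlyContinue
if ($wordPolicy.VBAWarnings -ne 4) {
    $findings.Add("Word VBAWarnings policy is not 4 (current: '$($wordPolicy.VBAWarnings)')")
}
if ($wordPolicy.BlockContentExecutionFromInternet -ne 1) {
    $findings.Add("Word BlockContentExecutionFromInternet policy is not 1")
}

# 5. Processes running from untrusted locations that have loaded winhttp.dll.
#    WinHTTP is a library, not a protocol, so the calling process is the pivot.
foreach ($proc in Get-Process) {
    try {
        if ($proc.Path -and $proc.Path -notmatch $trustedImage -and
            ($proc.Modules.ModuleName -contains 'winhttp.dll')) {
            $findings.Add("winhttp.dll loaded by $($proc.ProcessName) (PID $($proc.Id)) from $($proc.Path)")
        }
    } catch {
        # 32/64-bit mismatch or protected process: module list unavailable, skip.
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

The Office check only reads the Word policy under HKCU; the same values exist under HKLM and for Excel and PowerPoint, and macro policy may be delivered by Cloud Policy instead, so a finding there means "not confirmed by this path" rather than "control absent". The COM sweep will also list legitimate per-user registrations from user-installed software, so treat its output as a review list rather than an alert. Expect the winhttp.dll check to need local tuning for vendor agents installed outside Program Files.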