Iran’s MuddyWater wades into 100+ government networks in latest spying spree

Summary

Researchers at Group-IB say Iran-linked MuddyWater (aka Seedworm / APT34 / OilRig / TA450) ran a broad espionage campaign, starting in August, that breached more than 100 government, diplomatic and telecom networks across the Middle East and North Africa. The attackers abused a compromised enterprise mailbox, accessed via NordVPN, to send convincing phishing e-mails carrying weaponised Word attachments that asked recipients to “Enable Content.” Triggering the macro deployed a loader dubbed “FakeUpdate,” which then installed an updated custom backdoor called “Phoenix.”

Phoenix gave operators persistent access to infected systems, with capabilities for credential theft, file upload/download and remote reconnaissance. Group-IB notes the attackers also stole stored browser passwords (Chrome, Edge, Opera, Brave) and used legitimate admin tools such as PDQ and Action1 to blend in with normal admin traffic. The scale suggests either improved capability or an expanded collection requirement from Iranian handlers. MuddyWater remains focused on long-term information gathering rather than rapid disruptive operations.

Key Points

  • Campaign began in August and affected over 100 government, diplomatic and telecom targets in the MENA region.
  • Attackers used a hijacked enterprise mailbox accessed via NordVPN to send highly believable phishing e-mails.
  • Malicious Word attachments prompted users to “Enable Content”, running a macro that dropped a loader called “FakeUpdate”.
  • FakeUpdate installed the Phoenix backdoor, enabling credential theft, file exfiltration and persistence.
  • Stored browser passwords (Chrome, Edge, Opera, Brave) were harvested by the toolkit.
  • Operators used off-the-shelf admin tools (PDQ, Action1) to hide malicious activity within legitimate traffic.
  • Group-IB links MuddyWater to Iran’s Ministry of Intelligence and Security; the group’s focus is espionage, not ransomware.

Context and Relevance

This campaign is important because it demonstrates an increase in scale and sophistication of Iranian state-linked cyberespionage during a period of regional tension. Governments, embassies and telcos remain prime targets for long-term access operations that prioritise stealth and credential harvesting. The use of legitimate VPNs and trusted mailboxes highlights a growing challenge for defenders: attacks that exploit trust and routine tools to bypass detection.

Organisations in government, diplomacy, critical communications and supply chains should review mail hygiene, macro policies and privileged access controls. Defenders should assume spear-phishing plus trusted infrastructure will be used again and ensure robust multi-factor authentication, EDR coverage, anomaly detection for admin tooling and rapid credential rotation capabilities.
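Two of the controls recommended above, anomaly detection for admin tooling and scrutiny of mailbox access from unfamiliar infrastructure, can be sketched as a small detection pass. The following is an added example written for this summary, not code from Group-IB or from The Register's article. The event records, host names, executable names, address ranges and the "approved remote-management product" list are all constructed; a real deployment would read these from EDR process telemetry and mail-server sign-in logs and maintain the allow lists from asset inventory.

```python
"""Toy detection pass over constructed endpoint and mailbox sign-in events.

Check 1: a remote-management (RMM) agent such as PDQ or Action1 running on a
         host where the organisation never rolled that product out, or an
         approved product launched from a user-writable directory.
Check 2: a mailbox sign-in from an address outside the organisation's known
         ranges (a hijacked mailbox driven through a commercial VPN would
         surface here as an unfamiliar source).
Everything below (names, paths, IP ranges, events) is constructed sample data.
"""
import ipaddress
import re
from dataclasses import dataclass

# Lowercase substring of the executable name -> product label (constructed).
RMM_MARKERS = {"pdq": "PDQ", "action1": "Action1"}
# Products this hypothetical organisation actually uses for administration.
APPROVED_RMM = {"PDQ"}
# Paths an ordinary user can write to; a management agent started from here
# did not arrive through the normal software-deployment process.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\|\\programdata\\|\\temp\\", re.IGNORECASE)
# Address ranges the organisation normally signs in from (constructed).
CORP_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class Finding:
    rule: str      # short rule identifier
    subject: str   # host name or mailbox the finding applies to
    detail: str    # human-readable explanation


def rmm_findings(process_events):
    """Flag unapproved RMM agents and approved agents run from user paths."""
    findings = []
    for ev in process_events:
        image = ev["image"]
        exe = image.rsplit("\\", 1)[-1].lower()
        product = next((p for marker, p in RMM_MARKERS.items() if marker in exe), None)
        if product is None:
            continue  # not a remote-management binary we track
        if product not in APPROVED_RMM:
            findings.append(Finding("unapproved-rmm", ev["host"],
                                    f"{product} agent {image} run by {ev['user']}"))
        elif USER_WRITABLE.search(image):
            findings.append(Finding("rmm-from-user-path", ev["host"],
                                    f"{product} binary launched from {image}"))
    return findings


def mailbox_findings(signin_events, networks=CORP_NETWORKS):
    """Flag mailbox sign-ins whose source address is outside known ranges."""
    findings = []
    for ev in signin_events:
        addr = ipaddress.ip_address(ev["src_ip"])
        if not any(addr in net for net in networks):
            findings.append(Finding("mailbox-signin-offnet", ev["mailbox"],
                                    f"sign-in from {addr} ({ev.get('note', 'unknown source')})"))
    return findings


# Constructed process-creation events (EDR-style): host, user, image path.
PROCESS_EVENTS = [
    {"host": "it-mgmt-01", "user": "CORP\\svc-pdq",
     "image": r"C:\Program Files\PDQ Deploy\PDQDeployService.exe"},
    {"host": "finance-ws-17", "user": "CORP\\alice",
     "image": r"C:\Users\alice\AppData\Local\Temp\Action1Agent.exe"},
    {"host": "finance-ws-17", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\svchost.exe"},
    {"host": "hr-ws-03", "user": "CORP\\bob",
     "image": r"C:\Users\bob\Downloads\PDQDeployRunner.exe"},
]

# Constructed mailbox sign-in events for one shared mailbox.
SIGNIN_EVENTS = [
    {"mailbox": "press@example.gov", "src_ip": "10.20.30.40", "note": "office LAN"},
    {"mailbox": "press@example.gov", "src_ip": "203.0.113.25", "note": "corporate egress"},
    {"mailbox": "press@example.gov", "src_ip": "198.51.100.77", "note": "constructed VPN exit"},
]


def run_all():
    """Run both checks over the constructed sample data."""
    return rmm_findings(PROCESS_EVENTS), mailbox_findings(SIGNIN_EVENTS)


if __name__ == "__main__":
    for finding in sum(run_all(), []):
        print(f"[{finding.rule}] {finding.subject}: {finding.detail}")
```

The point of the first check is that PDQ and Action1 are legitimate products, so the signal is not the binary itself but its context: a product the organisation never licensed, or an approved agent arriving via a user's Downloads or Temp folder rather than the software-deployment path. The second check is deliberately simple; in practice it would be enriched with ASN or VPN-provider intelligence and with per-mailbox baselines rather than a single corporate range list.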

Author style

Punchy — this is a clear, high-stakes example of state-level espionage. If you look after security for government, diplomatic missions or telcos, the operational details matter: how the mailbox was abused, how macros led to a loader and how off-the-shelf admin tools masked the activity. Read the technical bits and mitigation advice — they’re directly applicable.

Why should I read this?

Short version: MuddyWater just pulled off a big, quiet spying run across the region using a trusted mailbox and everyday admin tools. If your organisation deals with government or international partners, this is the sort of playbook you need to know about — and quickly patch the holes it exploits.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2025/10/24/iran_muddywater_campaign/