Phishing campaign across Mideast, North Africa is attributed to Iranian group

Summary

Cybersecurity firm Group-IB attributes a wide-ranging phishing campaign to Iran-linked actor MuddyWater (aka TA450/Seedworm). The operation targeted more than 100 government bodies and international organisations across the Middle East and North Africa, using a compromised email account to distribute malicious Microsoft Word attachments that deployed an updated Phoenix backdoor when recipients enabled macros.

Active since at least April, the Phoenix backdoor harvests system information (computer names, Windows versions) and credentials, giving persistent remote access for espionage. Researchers say the attackers mixed official government addresses with personal accounts (Yahoo, Gmail), and also targeted organisations involved in humanitarian and international cooperation — suggesting broader geopolitical objectives and careful target research.

Key Points

  • Group-IB links the campaign to MuddyWater, a group believed to operate under Iran’s intelligence agencies.
  • Over 100 government and international organisation email accounts across the Middle East and North Africa were targeted.
  • Initial access came via a compromised mailbox and abuse of NordVPN; phishing emails carried malicious Word docs that prompted users to “enable content” and run macros.
  • The Phoenix backdoor provides credential and system data collection and persistent remote control suited to long-term espionage.
  • Attackers combined official and personal email addresses in their targeting, indicating detailed reconnaissance and wider geopolitical aims.
  • MuddyWater has a long history (active since at least 2017) of targeting government, energy, telecoms and other critical infrastructure sectors.
  • Group-IB warns the group’s tradecraft is evolving and further activity is likely amid regional tensions.

Why should I read this?

Quick version: if you run email, IT or security in the region (or work with partners there), this is the sort of targeted phishing that will hit you. It shows attackers combining a compromised third-party mailbox, a commercial VPN and Office macros to drop a persistent backdoor; the controls that stop it are well known, but a patient, well-resourced adversary will find the places where they are not actually enforced. Read it to know what to block, what to watch for, and who is doing it.

Context and relevance

This campaign underscores two trends: (1) nation-state actors favour sustained intelligence collection over quick financial gain, and (2) attackers build their target lists from both official and personal addresses, so mail that never touches the corporate gateway is still in scope. Pairing a compromised mailbox and a commercial VPN service (NordVPN) with macro-enabled documents is a reminder that the unglamorous controls still decide the outcome: block macros in files that arrive from the internet, enforce robust MFA on mailboxes, and alert on mailbox sign-ins from VPN exit nodes or unfamiliar locations. For defenders, the report is a timely prompt to review mailbox access logs, tighten VPN and email security, and prioritise detection of Phoenix-like backdoors.
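As an added example, not code from the Group-IB report or The Record article, the following Python triage check targets the delivery mechanism described in the Key Points: a Word attachment that asks the recipient to "enable content". It inspects the Office Open XML container for an embedded VBA project and the macro-enabled content type, and flags the case where a macro-bearing file carries a plain .docx extension. The sample documents built by build_sample_ooxml() are constructed here for the demonstration and are not real lures; the assumption that the lure documents are OOXML rather than legacy OLE .doc files is mine, and legacy files are simply routed to a sandbox rather than parsed.

```python
import io
import zipfile

# A macro-enabled Word file (.docm) ships its VBA in word/vbaProject.bin and
# declares this main-part content type in [Content_Types].xml.
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = (
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
)
# Magic bytes of a legacy OLE compound file (binary .doc). Macros in that
# format live in OLE streams and need a dedicated parser, so we do not inspect it here.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def triage_word_attachment(filename: str, data: bytes) -> dict:
    """Classify one attachment as 'allow', 'quarantine' or 'sandbox'.

    Returns {'verdict': str, 'reasons': [str, ...]} so the caller can log why.
    Assumption (mine, not from the report): inbound lures are OOXML containers.
    """
    if data.startswith(OLE_MAGIC):
        # Legacy .doc: macro state unknown without an OLE parser; detonate it instead.
        return {"verdict": "sandbox", "reasons": ["legacy OLE container, macro state unknown"]}
    if not data.startswith(b"PK"):
        return {"verdict": "sandbox", "reasons": ["not an OOXML zip container"]}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
        names = set(zf.namelist())
        content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError) as exc:
        # Damaged or non-standard packages are exactly what evasion looks like.
        return {"verdict": "sandbox", "reasons": [f"malformed container: {exc}"]}

    reasons = []
    if "word/vbaProject.bin" in names:
        reasons.append("embedded VBA project (word/vbaProject.bin)")
    if MACRO_CONTENT_TYPE in content_types:
        reasons.append("declares macroEnabled main-part content type")
    if reasons and filename.lower().endswith(".docx"):
        # Judge the container, not the extension: a macro-bearing file named
        # .docx is suspicious regardless of how a given Word build treats it.
        reasons.append("extension .docx does not match macro-enabled content")
    if not reasons:
        return {"verdict": "allow", "reasons": []}
    return {"verdict": "quarantine", "reasons": reasons}


def build_sample_ooxml(with_macro: bool) -> bytes:
    """Constructed sample document for the demo (not a real phishing lure)."""
    main_ct = MACRO_CONTENT_TYPE if with_macro else PLAIN_CONTENT_TYPE
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        + (
            '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            if with_macro
            else ""
        )
        + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a VBA project; only presence is checked.
            zf.writestr("word/vbaProject.bin", b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("invitation.docm", build_sample_ooxml(True)),
        ("invitation.docx", build_sample_ooxml(True)),   # macros hiding behind .docx
        ("agenda.docx", build_sample_ooxml(False)),
        ("agenda.doc", OLE_MAGIC + b"\x00" * 16),
    ]
    for name, blob in samples:
        print(name, triage_word_attachment(name, blob))
```

The check is deliberately conservative: anything it cannot parse goes to a sandbox rather than through, and the verdict carries its reasons so the quarantine decision is explainable to the mail team. It only establishes that a macro project is present; deciding whether the macro is malicious is the sandbox's job.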

Source

Source: https://therecord.media/iran-muddywater-phishing-campaign-north-africa-middle-east