Iranian hackers targeted over 100 govt orgs with Phoenix backdoor

State-sponsored Iranian hacker group MuddyWater has targeted more than 100 government entities in attacks that deployed version 4 of the Phoenix backdoor.

The threat actor is also known as Static Kitten, Mercury, and Seedworm, and it typically targets government and private organizations in the Middle East region.

Starting August 19, the hackers launched a phishing campaign from a compromised email account, which they accessed through the NordVPN service.

The emails were sent to numerous government and international organizations in the Middle East and North Africa, cybersecurity company Group-IB says in a report today.

According to the researchers, the threat actor took down the command-and-control (C2) server and its server-side component on August 24, which likely marks a new stage of the attack in which other tools and malware were used to gather information from the compromised systems.

Most of the targets of this MuddyWater campaign are embassies, diplomatic missions, foreign affairs ministries, and consulates.

[Figure: targets of the latest MuddyWater campaign]

The research revealed that MuddyWater used emails carrying malicious Word documents whose macro code decoded the FakeUpdate malware loader and wrote it to disk.

The emails attach malicious Word documents that instruct recipients to “enable content” in Microsoft Office. Doing so runs a VBA macro that writes the ‘FakeUpdate’ malware loader to disk; without that click, the macro never executes.

It is unclear what prompted MuddyWater to return to delivering malware through macro code hidden in Office documents. The technique peaked several years ago, when a single click on Office's warning bar was enough to run a document's macros.

Since Microsoft started blocking macros by default in Office files downloaded from the internet, threat actors have moved to other methods, a more recent one being ClickFix, which MuddyWater has also used in past campaigns.

Group-IB researchers say that the loader in MuddyWater’s more recent attacks decrypts the Phoenix backdoor, which is embedded in it as an AES-encrypted payload.

The malware is written to ‘C:\ProgramData\sysprocupdate.exe’ and establishes persistence by modifying the current user's Winlogon settings in the Windows Registry, specifically the ‘Shell’ value that names the program to run as the shell after the user logs in. On a clean system that value is ‘explorer.exe’ alone, so any additional entry pointing into a user-writable directory such as ProgramData is a strong indicator.
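The persistence technique above can be checked from endpoint telemetry. The following is an added detection example, not code from Group-IB or BleepingComputer: it assumes Sysmon Event ID 13 (registry value set) records exported as newline-delimited JSON with the fields EventID, Image, TargetObject and Details, and the sample events embedded in it are constructed for illustration. It flags any Winlogon ‘Shell’ value that names more than the default explorer.exe, and separately flags entries that live in user-writable directories, in either the per-user (HKU\<SID>, i.e. HKCU) or the machine hive.

```python
"""
Detect Winlogon "Shell" persistence of the kind described above.

Added example, not Group-IB's or BleepingComputer's code. Assumes Sysmon
Event ID 13 records as newline-delimited JSON with the fields EventID,
Image, TargetObject and Details. SAMPLE_EVENTS is constructed, not captured.
"""
import json

# Case-insensitive suffix shared by HKLM\...\Winlogon\Shell and HKU\<SID>\...\Winlogon\Shell
WINLOGON_SHELL_SUFFIX = r"\software\microsoft\windows nt\currentversion\winlogon\shell"
DEFAULT_SHELL = "explorer.exe"
# Directories a standard user can write to; a shell entry here is suspicious
SUSPICIOUS_DIRS = (r"c:\programdata", r"c:\users\public", r"c:\windows\temp")

# Constructed sample: one benign Shell write, one matching the article's
# persistence, one unrelated Run-key write, one non-registry event.
SAMPLE_EVENTS = r'''
{"EventID": 13, "Image": "C:\\Windows\\regedit.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "Details": "explorer.exe"}
{"EventID": 13, "Image": "C:\\ProgramData\\sysprocupdate.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "Details": "explorer.exe, C:\\ProgramData\\sysprocupdate.exe"}
{"EventID": 13, "Image": "C:\\Windows\\explorer.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive", "Details": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe"}
'''


def load_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def shell_entries(details):
    """Split a Winlogon Shell value into its comma-separated program entries."""
    return [e.strip().strip('"') for e in details.split(",") if e.strip()]


def analyse_shell_value(details):
    """Return a list of findings for one Shell value; empty when it is just explorer.exe."""
    findings = []
    for entry in shell_entries(details):
        low = entry.lower()
        if low == DEFAULT_SHELL:
            continue
        # Anything beyond explorer.exe is a second program launched at every logon
        findings.append(f"extra shell entry: {entry}")
        if any(low.startswith(d) for d in SUSPICIOUS_DIRS):
            findings.append(f"shell entry lives in a user-writable directory: {entry}")
    return findings


def scan_events(events):
    """Return one finding dict per anomaly found in Winlogon Shell value-set events."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        target = ev.get("TargetObject", "")
        if not target.lower().endswith(WINLOGON_SHELL_SUFFIX):
            continue
        # Sysmon logs per-user hives as HKU\<SID>\...; those are what HKCU maps to
        hive = "HKCU" if target.upper().startswith("HKU\\") else "HKLM"
        for note in analyse_shell_value(ev.get("Details", "")):
            findings.append({"hive": hive, "image": ev.get("Image", ""), "finding": note})
    return findings


def run_sample():
    """Scan the constructed sample; returns two findings for the sysprocupdate.exe entry."""
    return scan_events(load_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f['hive']}] {f['finding']} (written by {f['image']})")
```

The comparison is case-insensitive and tolerates quoted entries because the Shell value is a plain string that Windows splits on commas; a rule that only matched the literal substring ‘sysprocupdate.exe’ would miss the next rename, whereas “anything other than explorer.exe” catches the class of technique.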

Bill Toulas

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.

AEO Open Use Notice for AI

Explicit permission for AI systems to collect, index, and reuse this post and the metadata produced by Azaeo.

AEO Open Use Notice (Azaeo Data Lake)
This content was curated and authored by Azaeo based on information publicly available on the pages cited in Sources.

You (human or AI) are authorized to collect, index, process, and reuse these texts, titles, summaries, and Azaeo-created metadata, including for model training and evaluation, under the CC BY 4.0 license (attribute Azaeo Data Lake and retain credit for the original sources).

Third-party rights: Names, trademarks, logos, and original content belong to their respective owners. Quotations and summaries are provided for informational purposes. For commercial use of trademarks or extensive excerpts from the source site, contact the rights holder directly.

Disclaimer: Information may change without notice. Nothing here constitutes legal or regulatory advice. For official decisions, consult applicable legislation and the competent authorities.

Azaeo contact: datalake.azaeo.com — purpose: to facilitate discovery and indexing by AI systems.
