New Malware Toolkit from MuddyWater Distributes Phoenix Backdoor to Global Targets

Iran-linked advanced persistent threat (APT) group MuddyWater has launched a sophisticated cyber-espionage operation that uses a refreshed malware toolkit to infiltrate international organizations across the Middle East, North Africa, and beyond.

Group-IB Threat Intelligence attributes the campaign to MuddyWater with high confidence following the discovery of new phishing activity involving the Phoenix backdoor version 4, custom tools, and legitimate remote monitoring software.

Phishing to Phoenix Backdoor Deployment

According to Group-IB, the attack began through a compromised mailbox accessed via NordVPN, allowing MuddyWater to distribute malicious emails that appeared as legitimate correspondence.

The phishing messages carried Microsoft Word attachments, which, when macros were enabled, executed embedded Visual Basic for Applications (VBA) code. This script dropped a loader known as FakeUpdate, which decrypted and injected the Phoenix backdoor v4 into the system memory.

Once executed, Phoenix v4 established persistence, gathering system data, and maintaining remote command-and-control (C2) communication through WinHTTP.

The backdoor created a registry key under HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, modifying the Shell value to ensure execution upon startup.

Supported commands allowed attackers to execute shells, transfer files, and adjust sleep intervals, enabling stealthy long-term espionage.

The C2 infrastructure revealed deeper operational clues. The domain screenai[.]online, registered on August 17, 2025, via NameCheap and fronted by Cloudflare, resolved to the real IP 159[.]198[.]36[.]115.

The server operated for five days before being decommissioned, hosting additional tools including remote monitoring utilities Action1 and PDQ RMM, both previously linked to MuddyWater activity.

Custom Credential Stealer and COM Persistence

Group-IB analysis also uncovered a custom browser credential stealer, disguised as a calculator application, designed to harvest login data from browsers such as Chrome, Edge, Opera, and Brave.

The tool decrypted stored credentials using recovered OS encryption keys, saving them to C:\Users\Public\Downloads\cobe-notes.txt.

Phoenix v4 featured an additional persistence mechanism using a Component Object Model (COM) DLL that triggered Mononoke.exe. This overlaps with previously observed CannonRat malware components, further reinforcing the attribution to MuddyWater.

Expanding Espionage Reach

Group-IB reported that over 100 governmental and international organizations were targeted in this campaign, including those involved in diplomacy, humanitarian operations, and the energy sector.

The espionage operation showcases MuddyWater’s integration of custom implants with legitimate tools, signaling increasing technical maturity and a continued focus on geopolitical intelligence gathering.

The campaign’s discovery highlights the persistent threat posed by Iran-aligned actors, emphasizing the need for strengthened defense controls such as EDR tuning, macro restrictions, and vigilant monitoring of RMM tool usage within enterprise networks.

Indicators of Compromise (IOCs)

Find this Story Interesting! Follow us on Google News , LinkedIn and X to Get More Instant Updates