In a detailed report released Wednesday, the firm accused MuddyWater of using compromised email accounts and legitimate internet tools to make its messages appear authentic.
“The incident underscores how state-backed threat actors continue to exploit trusted channels of communication to evade defenses and infiltrate high-value targets,” Group-IB said in a statement.
The attackers reportedly logged in to a compromised corporate email account over NordVPN, a commercial virtual private network service that masked the origin of their sessions, and then used that account to send fraudulent messages to multiple targets worldwide.
These emails contained malicious Microsoft Word attachments disguised as genuine correspondence.
When recipients opened the files, Word prompted them to click “enable content”, which runs the macros embedded in the document. Those macros installed malware known as the Phoenix backdoor, giving the attackers remote control of the infected computers to collect data and carry out further espionage.
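The lure described above only works if a macro-bearing Word file reaches the user and the user clicks “enable content”. The check below is an added example, not Group-IB's or the attackers' code, and it assumes the attachment is an OOXML document (.docx/.docm), which the report does not state. It inspects the container at the mail gateway: macros live in `word/vbaProject.bin` (an OLE compound file), and the main part is declared with the `macroEnabled` content type. A document with macros that arrives under a `.docx` name is flagged separately, since a genuine `.docx` should carry none. The sample documents are constructed in memory for the demo.

```python
"""Flag macro-bearing Word attachments before a user is asked to 'enable content'.

Added illustration; not code from the report or the campaign. Inspects the
OOXML container rather than trusting the file extension.
"""
import io
import zipfile

MACRO_MAIN_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_TYPE = (
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # header of every OLE compound file
VBA_PART = "word/vbaProject.bin"                  # where OOXML stores the VBA project


def inspect_word_attachment(filename: str, data: bytes) -> dict:
    """Return structural macro indicators and a verdict for one attachment."""
    result = {
        "is_ooxml": False,
        "macro_content_type": False,
        "vba_project_present": False,
        "vba_project_is_ole": False,
        "extension_mismatch": False,
        "verdict": "clean",
    }
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Legacy .doc (OLE2) or something else entirely; needs a different parser.
        result["verdict"] = "not-ooxml"
        return result
    result["is_ooxml"] = True
    names = set(zf.namelist())

    if "[Content_Types].xml" in names:
        content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        result["macro_content_type"] = MACRO_MAIN_TYPE in content_types

    if VBA_PART in names:
        result["vba_project_present"] = True
        result["vba_project_is_ole"] = zf.read(VBA_PART).startswith(OLE_MAGIC)

    has_macros = result["macro_content_type"] or result["vba_project_present"]
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    # A .docx/.dotx is supposed to carry no macros; macros behind such a name is a red flag.
    result["extension_mismatch"] = has_macros and ext in ("docx", "dotx")
    if has_macros:
        result["verdict"] = "macro-bearing"  # quarantine and detonate; do not deliver
    return result


def build_sample(with_macros: bool) -> bytes:
    """Constructed minimal OOXML document for the demo (not a captured lure)."""
    main_type = MACRO_MAIN_TYPE if with_macros else PLAIN_MAIN_TYPE
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # Stand-in for the real VBA stream: correct OLE magic, padded body.
            zf.writestr(VBA_PART, OLE_MAGIC + b"\x00" * 504)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("invoice.docm", build_sample(True)),
        ("invoice.docx", build_sample(True)),   # macros hidden behind a .docx name
        ("invoice.docx", build_sample(False)),
        ("notes.txt", b"plain text"),
    ]
    for name, blob in samples:
        print(name, inspect_word_attachment(name, blob))
```

Two caveats a gateway rule built on this needs: a legacy binary `.doc` is an OLE file itself and returns `not-ooxml` here, so it must go to an OLE parser rather than be passed through; and a macro-free `.docx` can still fetch a macro-enabled template from a remote URL through its relationships, so “no vbaProject.bin” is not the same as “no macro will run”.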
“By exploiting the trust and authority associated with legitimate correspondence, the campaign significantly increased its chances of deceiving recipients,” the firm added.
Group-IB said it linked the attack to MuddyWater with “high confidence,” based on the technical tools and methods used.
The Phoenix backdoor identified in this operation was version 4 of the malware, suggesting continued development by the group.
MuddyWater has been active since at least 2017 and is believed to operate under Iran’s Ministry of Intelligence and Security.
The group has previously targeted government agencies, energy firms, and telecommunications companies across the Middle East, Europe and North America.