Insights, news, education and announcements from PolySwarm

MuddyWater Targets MENA Governments With Phoenix Backdoor

Written by The Hivemind | Nov 3, 2025 7:09:14 PM

Verticals Targeted: Government
Regions Targeted: Middle East, North Africa
Related Families: Phoenix, FakeUpdate

Executive Summary

A sophisticated phishing operation has been attributed to the Iran-linked APT MuddyWater, deploying an updated Phoenix backdoor to conduct espionage against government and international entities. The campaign leverages compromised mailboxes and macro-enabled Word documents to deliver custom injectors and persistence mechanisms, highlighting the group's reliance on trusted channels for initial access.

Key Takeaways

  • MuddyWater utilized a compromised mailbox accessed via NordVPN to distribute phishing emails with malicious Word attachments requiring macro enablement.  
  • They deployed the FakeUpdate injector to decrypt and inject Phoenix backdoor version 4, which establishes persistence by modifying the Winlogon Shell registry value and beacons to C2 infrastructure.
  • The threat actors used a custom Chromium-based credential stealer and RMM tools like PDQ and Action1 hosted on the same C2 server for post-exploitation access.  
  • The activity appears to overlap with concurrent operations targeting the energy sector, reusing the C2 domain and identical macro code.

What is Phoenix?

Group-IB Threat Intelligence has detailed a phishing-driven espionage effort linked to MuddyWater, an Iran-aligned advanced persistent threat, which distributed malicious Microsoft Word documents from a hijacked email account. The operation, observed targeting over 100 entities, begins with emails that mimic legitimate correspondence and prompt recipients to enable macros in order to view deliberately blurred content. Once enabled, the embedded Visual Basic for Applications (VBA) code acts as a dropper, decoding a loader, writing it to disk, and executing it.

The loader, tracked as FakeUpdate, operates as an injector: it uses Advanced Encryption Standard (AES) decryption to recover an embedded payload and injects that payload into its own process. The second-stage component is Phoenix backdoor version 4. The backdoor creates a mutex named sysprocupdate.exe, collects system details such as computer name, domain, Windows version, and username, then copies itself to C:\ProgramData\sysprocupdate.exe. Persistence is achieved by altering the Shell value in the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, so that the implant is launched by userinit.exe at the user's next logon instead of, or alongside, explorer.exe. It polls the C2 server over WinHTTP for commands, supporting sleep, file upload and download, shell command execution, and updates to the sleep interval.

Attribution relies on the exclusive use of FakeUpdate and Phoenix families in prior MuddyWater activities, code similarities in VBA macros, and shared string decoding in a custom browser credential stealer on the C2. The infrastructure at screenai[.]online, registered via NameCheap on August 17, 2025, resolved to an IP under the same provider and hosted PDQ RMM tools previously associated with the actor. An open directory on the server exposed additional utilities, including Action1 RMM and the Chromium_Stealer executable, disguised as a calculator application.

The stealer enumerates browser profiles, reads the encrypted master key from each browser's Local State file and unwraps it with the OS crypto APIs (DPAPI), terminates browser processes to release their locked databases, decrypts the stored login data, and stages the output, itself encrypted, in C:\Users\Public\Downloads\cobe-notes.txt before relaunching the browsers. It targets Google Chrome, Opera, Brave, and Microsoft Edge. Phoenix v4 also embeds a COM DLL that was not executed in this instance; it references Mononoke.exe as an alternative persistence mechanism and overlaps with CannonRat artifacts.
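The host and network artifacts described above (the Winlogon Shell modification, the sysprocupdate.exe copy under ProgramData, the userinit.exe-launched implant, the screenai[.]online C2 lookups, and the stealer's cobe-notes.txt staging file) are the kind of thing a detection engineer turns into rules. The following is an added example, not code from Group-IB's report or from PolySwarm, that runs those checks over a stream of Sysmon-style events. It assumes simplified JSON-like event dicts whose field names mirror Sysmon's (EventID, Image, ParentImage, TargetObject, Details, TargetFilename, QueryName); the sample telemetry at the bottom is constructed for the example and is not real log data.

```python
import re

# Host and network artefacts of the Phoenix v4 chain as described in the write-up.
PHOENIX_DROP_PATH = r"c:\programdata\sysprocupdate.exe"
STEALER_STAGING_PATH = r"c:\users\public\downloads\cobe-notes.txt"
C2_DOMAIN = "screenai.online"
WINLOGON_SHELL_RE = re.compile(
    r"\\software\\microsoft\\windows nt\\currentversion\\winlogon\\shell$", re.IGNORECASE
)
# The only value Winlogon's Shell entry should hold on a standard workstation.
BENIGN_SHELL = "explorer.exe"


def _basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list[str]:
    """Return the findings for one Sysmon-style event (empty list if clean)."""
    findings = []
    eid = ev.get("EventID")

    if eid == 13:  # RegistryEvent (Value Set)
        if WINLOGON_SHELL_RE.search(ev.get("TargetObject", "")):
            # Shell is a comma-separated list of programs; any entry other than
            # explorer.exe (or an empty value) means the logon shell was hijacked.
            entries = [e.strip() for e in ev.get("Details", "").split(",") if e.strip()]
            extra = [e for e in entries if _basename(e) != BENIGN_SHELL]
            if extra or not entries:
                findings.append(f"Winlogon Shell hijack: {ev.get('Details')!r} by {ev.get('Image')}")

    elif eid == 11:  # FileCreate
        target = ev.get("TargetFilename", "").lower()
        if target == PHOENIX_DROP_PATH:
            findings.append(f"Phoenix copy written to {ev['TargetFilename']} by {ev.get('Image')}")
        elif target == STEALER_STAGING_PATH:
            findings.append(f"Chromium stealer staging file {ev['TargetFilename']} by {ev.get('Image')}")

    elif eid == 1:  # ProcessCreate
        image = ev.get("Image", "")
        parent = ev.get("ParentImage", "")
        # Whatever the Shell value names is started by userinit.exe at logon, so a
        # userinit child that is not explorer.exe is the persistence firing.
        if _basename(parent) == "userinit.exe" and _basename(image) != BENIGN_SHELL:
            findings.append(f"Non-explorer shell launched by userinit.exe: {image}")
        elif _basename(image) == _basename(PHOENIX_DROP_PATH):
            findings.append(f"Phoenix binary executed: {image} (parent {parent})")

    elif eid == 22:  # DNSEvent
        query = ev.get("QueryName", "").lower().rstrip(".")
        if query == C2_DOMAIN or query.endswith("." + C2_DOMAIN):
            findings.append(f"DNS query for Phoenix C2 {query} by {ev.get('Image')}")

    return findings


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Run check_event over a sequence of events; return (event index, finding) pairs."""
    return [(i, f) for i, ev in enumerate(events) for f in check_event(ev)]


# Constructed sample telemetry (not real logs): Phoenix activity mixed with benign noise.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\u\AppData\Local\Temp\update.exe",
     "TargetFilename": r"C:\ProgramData\sysprocupdate.exe"},
    {"EventID": 13, "Image": r"C:\Users\u\AppData\Local\Temp\update.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": r"explorer.exe, C:\ProgramData\sysprocupdate.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",  # benign: default value rewritten
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": "explorer.exe"},
    {"EventID": 1, "Image": r"C:\ProgramData\sysprocupdate.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",  # benign logon
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
    {"EventID": 22, "Image": r"C:\ProgramData\sysprocupdate.exe", "QueryName": "screenai.online"},
    {"EventID": 11, "Image": r"C:\Users\Public\calc.exe",
     "TargetFilename": r"C:\Users\Public\Downloads\cobe-notes.txt"},
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\u\Documents\~$notes.docx"},  # benign Office lock file
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

The Shell check deliberately tolerates the default "explorer.exe" value so that benign policy rewrites do not fire, and it fires on the comma-appended form malware commonly uses to keep the desktop working while adding itself. The userinit.exe parent check catches the persistence regardless of where the implant is copied, which matters if a later variant changes the ProgramData path.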

Victimology includes official .gov addresses alongside personal accounts from Yahoo, Gmail, and Hotmail, indicating detailed reconnaissance. The campaign aligns with MuddyWater's focus on geopolitical intelligence, with related documents impersonating seminars on regional tensions or targeting energy entities in the same timeframe, all communicating with screenai[.]online. 

Who is MuddyWater?

MuddyWater, also known as Earth Vetala, Mercury, Static Kitten, Seedworm, TEMP.Zagros, TA450, Boggy Serpens, Cobalt Ulster, and Yellow Nix, is an Iranian state-sponsored advanced persistent threat group focused on cyber espionage. Active since at least 2017, the group operates under the auspices of Iran's Ministry of Intelligence and Security (MOIS), conducting operations to advance national political, economic, and security interests by stealing sensitive intelligence and intellectual property.

MuddyWater employs spear-phishing emails with malicious attachments, such as weaponized PDFs and Microsoft Office documents, to deliver initial payloads like obfuscated PowerShell scripts. These scripts often side-load dynamic link libraries for persistence and deploy backdoors including POWERSTATS, PowGoop, Small Sieve, Canopy, Mori, and the lightweight Phoenix implant. The group exploits known vulnerabilities in unpatched systems, leverages legitimate remote monitoring and management (RMM) tools like SimpleHelp, ScreenConnect, and N-able Advanced Monitoring Agent for C2, and uses tunneling tools such as Chisel for network evasion. Recent evolutions include custom C2 frameworks like DarkBeatC2, MuddyC2Go, and PhonyC2, alongside occasional ransomware deployment for extortion.

Primarily targeting government agencies, defense contractors, energy firms, telecommunications providers, financial institutions, and academic entities, MuddyWater's campaigns concentrate on the Middle East but extend to South Asia, Europe, North Africa, and North America. Affiliated with MOIS, MuddyWater functions as a persistent espionage arm, sharing stolen data with Iranian entities and collaborating with clusters like Storm-1084 for influence operations. Their adaptability and regional focus underscore Iran's growing cyber capabilities amid geopolitical tensions.

IOCs

PolySwarm has multiple samples of Phoenix.


1883db6de22d98ed00f8719b11de5bf1d02fc206b89fedd6dd0df0e8d40c4c56

3ac8283916547c50501eed8e7c3a77f0ae8b009c7b72275be8726a5b6ae255e3

76fa8dca768b64aefedd85f7d0a33c2693b94bdb55f40ced7830561e48e39c75


You can use the following CLI command to search for all Phoenix samples in our portal:

$ polyswarm link list -f Phoenix


Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.