Insights, news, education and announcements from PolySwarm | cyber espionage

MuddyWater's UDPGangster Backdoor

Dec 15, 2025 2:04:50 PM / by The Hivemind posted in Threat Bulletin, anti-analysis techniques, Phishing Campaigns, cyber espionage, VBA macros, UDPGangster, UDP backdoor

Verticals Targeted: Not specified
Regions Targeted: Turkey, Israel, Azerbaijan
Related Families: Phoenix

Read More

MuddyWater Targets MENA Governments With Phoenix Backdoor

Nov 3, 2025 2:09:14 PM / by The Hivemind posted in Threat Bulletin, MuddyWater, Phishing Campaign, credential stealers, cyber espionage, Middle East targeting, VBA macros, FakeUpdate injector, Iran APT, Phoenix Backdoor, RMM tools

Verticals Targeted: Government
Regions Targeted: Middle East, North Africa
Related Families: Phoenix, FakeUpdate

Executive Summary

A sophisticated phishing operation has been attributed to the Iran-linked APT MuddyWater, deploying an updated Phoenix backdoor to conduct espionage against government and international entities. The campaign leverages compromised mailboxes and macro-enabled Word documents to deliver custom injectors and persistence mechanisms, highlighting the group's reliance on trusted channels for initial access.

Read More

Salt Typhoon Targets European Telecom

Oct 28, 2025 12:48:06 PM / by The Hivemind posted in Threat Bulletin, Telecommunications, Salt Typhoon, DLL sideloading, zero-day exploits, SNAPPYBEE, Citrix NetScaler, cyber espionage

Verticals Targeted: Telecommunications
Regions Targeted: Europe
Related Families: SNAPPYBEE (Deed RAT)

Executive Summary

Salt Typhoon, a China-linked advanced persistent threat (APT) group, has been targeting global critical infrastructure using sophisticated tactics like DLL sideloading and zero-day exploits. Recent activity targeted a European telecommunications entity.

Read More