MuddyWater’s Phoenix Backdoor Infects More Than 100 Government Organizations
Advanced Persistent Threat (APT) group MuddyWater has orchestrated a sophisticated phishing campaign targeting over 100 government entities across the Middle East, North Africa, and international organizations worldwide.
Group-IB Threat Intelligence has attributed the campaign to the Iran-linked threat actor with high confidence, revealing an alarming escalation in the group’s espionage capabilities and operational sophistication.
The attack leveraged a compromised mailbox accessed through NordVPN to distribute the Phoenix backdoor malware version 4, along with custom credential-stealing tools designed to exfiltrate sensitive intelligence from high-value government targets.
The campaign demonstrates MuddyWater’s evolving tradecraft and their continued focus on state-sponsored cyber espionage operations across geopolitically sensitive regions.
By exploiting trusted communication channels and abusing legitimate services, the threat actor successfully bypassed conventional security defenses to infiltrate critical government infrastructure and international organizations engaged in diplomatic and humanitarian missions.
Phishing to Backdoor Deployment
MuddyWater initiated the operation by sending malicious ...
Copyright of this story solely belongs to gbhackers.

