The Phoenix backdoor campaign run by Iranian state-backed hackers has struck more than 100 government institutions, revealing a renewed cyber offensive by the group MuddyWater. This notorious collective, also known as Static Kitten, Mercury, and Seedworm, continues to focus on high-value entities across the Middle East and North Africa.
Renewed Attacks Across the Region
Starting on August 19, MuddyWater launched a sophisticated phishing operation using a compromised email account accessed through the NordVPN service. The campaign delivered malicious documents to embassies, consulates, and ministries of foreign affairs, posing as legitimate correspondence.
By August 24, the hackers shut down the server and its command-and-control (C2) component, likely signaling a new attack phase. Investigators believe the group deployed additional tools to collect intelligence from already breached systems.
Old Techniques, New Targets
Researchers found that the attackers relied on malicious Word documents embedded with macro code — a dated yet still effective approach. Once recipients clicked “Enable Content,” the macro executed and deployed the FakeUpdate malware loader.
This loader decrypted and installed the Phoenix backdoor, which embedded itself deeply within the infected system. The malware was written to C:\ProgramData\sysprocupdate.exe and achieved persistence by altering Windows Registry settings to ensure automatic execution after each reboot.
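The infection chain described above (Office macro launching a loader, an executable written to C:\ProgramData\sysprocupdate.exe, and a Registry autorun entry pointing at it) maps onto three host-telemetry events a defender can hunt for. The script below is an added example, not code from the report or from the researchers it cites. It assumes Sysmon-style event records (EventID 1 process creation, 11 file creation, 13 registry value set, with the usual Image/ParentImage/TargetFilename/TargetObject/Details fields); the Run/RunOnce key is an assumption, since the report only says "Windows Registry settings"; and the sample events are constructed. It also generalises the file-path rule to any executable dropped directly into the ProgramData root, so a renamed dropper is still caught.

```python
"""Hunt for the Phoenix/FakeUpdate infection chain in Sysmon-style telemetry.

Added example; not the report's code. Sample events below are constructed.
"""
import ntpath

PHOENIX_DROP_PATH = r"C:\ProgramData\sysprocupdate.exe"   # drop path named in the report
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Assumption: the report says only "Registry settings"; Run/RunOnce is the hunting hypothesis.
RUN_KEY_MARKER = "\\currentversion\\run"          # matches ...\Run\ and ...\RunOnce\
PROGRAMDATA_PREFIX = "c:\\programdata\\"


def _base(path):
    """Lower-cased file name of a Windows path (empty string for None)."""
    return ntpath.basename(path or "").lower()


def office_spawned_child(ev):
    """EventID 1 where an Office app is the parent: the macro launching its loader."""
    return (ev.get("EventID") == 1
            and _base(ev.get("ParentImage")) in OFFICE_PROCESSES
            and _base(ev.get("Image")) not in OFFICE_PROCESSES)


def phoenix_dropped(ev):
    """EventID 11 creating the exact path the report attributes to the Phoenix backdoor."""
    return (ev.get("EventID") == 11
            and (ev.get("TargetFilename") or "").lower() == PHOENIX_DROP_PATH.lower())


def exe_written_to_programdata_root(ev):
    """Generalisation: any .exe written directly under C:\\ProgramData (no subfolder)."""
    if ev.get("EventID") != 11:
        return False
    head, tail = ntpath.split((ev.get("TargetFilename") or "").lower())
    return head == "c:\\programdata" and tail.endswith(".exe")


def run_key_points_to_programdata(ev):
    """EventID 13 setting a Run/RunOnce value whose data points into C:\\ProgramData."""
    if ev.get("EventID") != 13:
        return False
    key = (ev.get("TargetObject") or "").lower()
    data = (ev.get("Details") or "").lower().strip('"')
    return RUN_KEY_MARKER in key and data.startswith(PROGRAMDATA_PREFIX)


RULES = [
    ("office_spawned_child", office_spawned_child),
    ("phoenix_drop_path", phoenix_dropped),
    ("exe_in_programdata_root", exe_written_to_programdata_root),
    ("run_key_to_programdata", run_key_points_to_programdata),
]


def hunt(events):
    """Return (event_index, rule_name) pairs for every event that trips a rule."""
    findings = []
    for idx, ev in enumerate(events):
        for name, rule in RULES:
            if rule(ev):
                findings.append((idx, name))
    return findings


# Constructed sample telemetry: four chain events plus two benign look-alikes.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe", "TargetFilename": PHOENIX_DROP_PATH},
    {"EventID": 13, "Image": PHOENIX_DROP_PATH,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\sysprocupdate",
     "Details": PHOENIX_DROP_PATH},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",       # benign: nested WER file
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows\WER\ReportQueue\report.wer"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",      # benign: Run key to Program Files
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
]

if __name__ == "__main__":
    for idx, name in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

Correlating the three hits on one host within a short window (Office child process, then the ProgramData drop, then the autorun value) gives far higher confidence than any single rule, and the two benign events show why the path and key checks are scoped to the ProgramData root rather than the whole tree.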
Phoenix v4: A Smarter and Stealthier Variant
The updated Phoenix v4 introduces new persistence mechanisms and refined data collection capabilities. It gathers vital system information such as the computer name, Windows version, and user credentials to profile its victims.
The malware communicates with its C2 server through WinHTTP and supports various commands, including file upload and download, shell initiation, and sleep interval adjustments. These functions allow precise control over infected devices while avoiding detection.
Additional Tools in the Campaign
Alongside Phoenix, MuddyWater deployed a custom infostealer targeting browser databases from Chrome, Edge, Brave, and Opera. This tool extracted stored credentials and decryption keys.
Researchers also discovered legitimate remote management tools like PDQ and Action1 RMM on the attackers’ infrastructure, commonly abused in Iranian state-linked operations for large-scale system control and software deployment.
Conclusion
The Phoenix backdoor campaign highlights MuddyWater's evolving strategy and persistence in espionage-driven attacks. By reviving old techniques like malicious macros and combining them with updated backdoor technology, the group continues to pose a serious threat to government networks across the Middle East and beyond.