Iran’s MuddyWater wades into 100+ government networks in latest spying spree
Iran’s favorite muddy-footed cyberespionage crew is at it again, this time breaching more than 100 government entities across the Middle East and North Africa, according to researchers at Group-IB.
The campaign, which began in August, used a compromised enterprise mailbox to sling convincing phishing emails at embassies, ministries, and telecom outfits. The attackers, tracked as MuddyWater (also known as Seedworm, APT34, OilRig, and TA450), were able to send malicious messages from a legitimate address accessed through the NordVPN service.
Each message carried a weaponized Word attachment that asked users to “Enable Content.” Anyone who did so set off a macro that unpacked a loader nicknamed “FakeUpdate,” which then installed an updated version of the crew’s custom backdoor, “Phoenix.” Once installed, the malware allowed the operators to poke around infected systems, lift credentials, upload or download files, and maintain persistence.
Group-IB says the toolkit also pilfered stored browser passwords from Chrome, Edge, Opera, and Brave, while leaning on off-the-shelf remote management tools like PDQ and Action1 to blend in with legitimate admin traffic.
More than three-quarters of the victims were diplomatic or government entities, with the rest made up of international organizations and telecom providers, according to Group-IB, which didn’t name any specific targets. While MuddyWater’s tradecraft has long leaned heavily on phishing and social engineering, the scale of this latest campaign suggests either a ramp-up in capability or an unusually broad collection requirement from Tehran’s spymasters.
MuddyWater, linked to Iran’s Ministry of Intelligence and Security, has been active since at least 2017, prowling government, energy, telecoms, and defense networks in the Middle East, Africa, and Central Asia. It typically focuses on long-term access and information gathering rather than smash-and-grab ransomware work, though the tools and infrastructure occasionally overlap with those of other Iranian outfits such as APT35.
In its report, Group-IB said the use of a legitimate VPN service and an already trusted mailbox made detection especially tricky. “By exploiting the trust and authority associated with such communications, the campaign significantly increased its chances of deceiving recipients into opening the malicious attachments,” Group-IB noted.
The operation fits a broader pattern of Iranian intelligence ramping up cyberespionage activity amid regional tension and sanctions pressure. MuddyWater was previously linked to attacks on Israeli organizations last year, using a separate backdoor named BugSleep. That campaign was smaller in scope but similarly relied on social engineering to breach corporate email systems.
Group-IB warned that MuddyWater “continues to evolve its tactics and tooling” while maintaining the same espionage focus it’s shown for years. The researchers emphasize that this campaign “demonstrates MuddyWater’s sustained focus on government and diplomatic entities in the MENA region,” underscoring how the group continues to center its efforts on state-linked networks and high-value targets, suggesting that when it comes to espionage, Iran’s playbook is clear – even if the waters aren’t. ®
