Group-IB research reveals Tehran-linked MuddyWater adopting old tactics with modern tools, targeting global systems.
A new report has revealed that an Iranian state-backed hacking group, known as MuddyWater, is reviving one of the oldest cyberattack methods—malicious Microsoft Office macros—while simultaneously adopting new tools and infrastructures to disguise its operations.
According to Group-IB’s September 17 report, the hacking team, tied to Iran’s Ministry of Intelligence and Security (MOIS), is once again deploying Office documents embedded with Visual Basic for Applications (VBA) macros to infect systems with malware. The technique, though long considered outdated, still works when users override Microsoft’s security warnings.
Old Tactics, New Strategies
MuddyWater, also known as Earth Vetala, Static Kitten, and Mango Sandstorm, has been active since at least 2017. The group has a history of cyberespionage, intelligence theft, and destructive attacks. U.S. intelligence agencies formally linked the group to the regime’s MOIS in 2022, describing it as part of Tehran’s cyberwarfare apparatus.
Researchers say the group has significantly updated its broader tactics. These changes include:
- Shift from RMM tools: Previously, MuddyWater relied heavily on remote monitoring and management (RMM) software such as Atera, N-Able, and ScreenConnect, tricking victims into installing legitimate tools for spying and data theft. Group-IB found that the group has now reduced its use of such software.
- Adoption of bulletproof hosting: Attackers increasingly use hosting services that ignore Western takedown requests, including providers like Stark Industries. They also leverage major platforms such as Amazon Web Services, Cloudflare, OVH, and DigitalOcean to disguise operations.
- Custom malware deployment: MuddyWater is using advanced malicious programs, including the Phoenix backdoor, BugSleep, Stealth Cache, and Fooder loader, to maintain persistence and move stolen data.
One notable tactic is limiting command-and-control (C2) server activity to just a few days, making it harder for defenders to trace or block operations.
Evolution of the Threat
Microsoft’s July 2022 change to block macros by default in Office files downloaded from the internet forced many attackers to abandon this infection method. But MuddyWater’s recent campaigns show that the technique remains effective, especially against users who bypass the security prompts.
The new malicious documents examined by Group-IB contained decoy content while embedding VBA macros designed to install the Phoenix backdoor. This shift suggests a return to simplicity after years of experimenting with RMM-based infiltration.
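As an added example (not code from Group-IB or from the campaign described above), the following triage check reports whether an Office document carries a VBA project by inspecting the package itself rather than trusting the file extension: a `.docm` renamed to `.docx` still contains its `vbaProject.bin`. It uses only the Python standard library and builds its own constructed sample packages; a real `vbaProject.bin` would then be handed to an OLE/VBA parser such as oletools' `olevba`, which this script does not replace.

```python
"""Triage an Office document for an embedded VBA project.

Added example for this page, not code from Group-IB or from the campaign it
describes. Standard library only; the sample packages are constructed inline.
"""
import hashlib
import io
import os
import sys
import xml.etree.ElementTree as ET
import zipfile

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
VBA_PROJECT_TYPE = "application/vnd.ms-office.vbaProject"
# Main-part content types Office assigns to macro-enabled document types.
MACRO_ENABLED_MAIN_TYPES = {
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-word.template.macroEnabledTemplate.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-excel.template.macroEnabled.main+xml",
    "application/vnd.ms-excel.addin.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls compound file


def _part_content_types(zf: zipfile.ZipFile) -> dict:
    """Map each zip member to the content type declared in [Content_Types].xml."""
    defaults, overrides = {}, {}
    try:
        root = ET.fromstring(zf.read("[Content_Types].xml"))
    except (KeyError, ET.ParseError):
        return {}
    for el in root.iter(f"{{{CT_NS}}}Default"):
        defaults[el.get("Extension", "").lower()] = el.get("ContentType", "")
    for el in root.iter(f"{{{CT_NS}}}Override"):
        overrides[el.get("PartName", "").lstrip("/")] = el.get("ContentType", "")
    types = {}
    for name in zf.namelist():
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        types[name] = overrides.get(name) or defaults.get(ext, "")
    return types


def triage_office_document(data: bytes) -> dict:
    """Report what the container says about macros. The filename is ignored on
    purpose: a .docm renamed to .docx or .doc still carries its VBA project."""
    result = {"container": "unknown", "macro_enabled_main_part": False,
              "vba_parts": [], "vba_sha256": [], "suspicious": False}
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: the VBA storage needs an OLE parser (e.g. olevba);
        # flag it for deeper analysis rather than guessing.
        result.update(container="ole2", suspicious=True)
        return result
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    result["container"] = "ooxml"
    types = _part_content_types(zf)
    result["macro_enabled_main_part"] = bool(set(types.values()) & MACRO_ENABLED_MAIN_TYPES)
    for name in zf.namelist():
        # Two independent signals: the declared VBA content type, or the
        # conventional part name (an attacker can strip the Override entry).
        if types.get(name, "") == VBA_PROJECT_TYPE or name.lower().endswith("vbaproject.bin"):
            result["vba_parts"].append(name)
            result["vba_sha256"].append(hashlib.sha256(zf.read(name)).hexdigest())
    result["suspicious"] = result["macro_enabled_main_part"] or bool(result["vba_parts"])
    return result


def build_sample_package(with_macros: bool) -> bytes:
    """Construct a minimal Word package in memory (constructed test data, not a
    real document and not a malicious one)."""
    main_type = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macros
                 else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    types_xml = (
        f'<Types xmlns="{CT_NS}">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        + ('<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
           if with_macros else "")
        + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", types_xml)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # Placeholder bytes standing in for the OLE compound file a real
            # vbaProject.bin would be.
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        for flag in (False, True):
            print(f"sample(with_macros={flag}):", triage_office_document(build_sample_package(flag)))
    for path in paths:
        with open(path, "rb") as fh:
            print(os.path.basename(path), triage_office_document(fh.read()))
```

Run it with one or more document paths to triage real files, or with no arguments to see it classify the two constructed samples. The SHA-256 of each VBA part is what you would pivot on when searching for the same macro project across mailboxes or in threat-intelligence feeds.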
In addition to macro attacks, MuddyWater continues to maintain a vast arsenal of tools, including DarkBeatC2, PhonyC2, MuddyC2Go, PowerStats, and MoriAgent. Such capabilities point to both significant financial resources and institutional backing.
Broader Cyber Threat from Tehran
Security experts warn that MuddyWater is not a standalone entity but part of a network of Iranian advanced persistent threat (APT) groups that often share tools and resources. A Cisco Talos report in 2022 described it as “a conglomerate of smaller teams,” sometimes staffed by contractors working across groups linked to MOIS and the Islamic Revolutionary Guard Corps (IRGC).
This crossover complicates attribution but highlights Tehran’s growing investment in cyber operations. The U.S. government recently warned of Iranian cyber threats to critical infrastructure, particularly amid heightened tensions following attacks on Iran’s nuclear facilities and the ongoing conflict with Israel.
Defensive Recommendations
Group-IB recommends that organizations restrict macro use across corporate networks, permitting only digitally signed macros where they are essential. The report also underscores the importance of stronger phishing defenses, since MuddyWater relies primarily on social engineering to deliver its malicious payloads.
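One way to check whether that recommendation is actually enforced on a Windows endpoint, as an added example rather than anything from the report: Office reads the per-application policy value `VBAWarnings` (1 = enable all, 2 = disable with notification, 3 = disable all except digitally signed, 4 = disable all without notification) and `blockcontentexecutionfrominternet` from `HKCU\Software\Policies\Microsoft\Office\16.0\<App>\Security`. Value 2 is the state the article describes, where the user can click through the warning bar; 3 is the "signed macros only" setting Group-IB recommends. The registry paths and value meanings are Microsoft's documented Office policy settings; the script's structure, function names, and the constructed sample dictionaries are this example's own, and the assessment logic is kept separate from the Windows-only registry reader so it can be run anywhere.

```python
"""Audit Office macro policy values against a hardened baseline.

Added example for this page, not code from the Group-IB report. The registry
locations and value meanings are Microsoft's documented Office policy settings
(HKCU\\Software\\Policies\\Microsoft\\Office\\16.0\\<App>\\Security); reading them
needs Windows, so the assessment takes a plain dict and the registry reader is
only a thin, optional front end.
"""
from typing import Dict, List, Optional

APPS = ("Word", "Excel", "PowerPoint")
POLICY_KEY = r"Software\Policies\Microsoft\Office\16.0\{app}\Security"

# Documented meanings of the VBAWarnings policy value.
VBA_WARNINGS = {
    1: "enable all macros",
    2: "disable all macros with notification (user can click through)",
    3: "disable all macros except digitally signed macros",
    4: "disable all macros without notification",
}

Policy = Dict[str, Dict[str, Optional[int]]]


def assess_macro_policy(observed: Policy, allow_signed: bool = True) -> List[str]:
    """Return one finding per weakness that still lets a user run an unsigned macro.

    `observed` maps app -> {"VBAWarnings": int | None,
    "blockcontentexecutionfrominternet": int | None}; None means the value is
    not set, so Office falls back to its default (notify and let the user decide).
    An empty list means every app is at or above the baseline."""
    acceptable = {3, 4} if allow_signed else {4}
    findings: List[str] = []
    for app in APPS:
        vals = observed.get(app, {})
        vw = vals.get("VBAWarnings")
        if vw is None:
            findings.append(f"{app}: VBAWarnings not set; the default notification bar lets users enable macros")
        elif vw not in acceptable:
            findings.append(f"{app}: VBAWarnings={vw} ({VBA_WARNINGS.get(vw, 'unknown value')}); "
                            f"expected one of {sorted(acceptable)}")
        if vals.get("blockcontentexecutionfrominternet") != 1:
            findings.append(f"{app}: blockcontentexecutionfrominternet != 1; blocking of macros in "
                            f"Mark-of-the-Web files is left to the client default instead of policy")
    return findings


def read_policy_from_registry() -> Policy:
    """Windows only: read the per-user policy values for each app."""
    import winreg  # not available outside Windows

    observed: Policy = {}
    for app in APPS:
        vals: Dict[str, Optional[int]] = {}
        try:
            key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, POLICY_KEY.format(app=app))
        except OSError:
            observed[app] = {}  # no policy key at all: Office defaults apply
            continue
        with key:
            for name in ("VBAWarnings", "blockcontentexecutionfrominternet"):
                try:
                    vals[name] = int(winreg.QueryValueEx(key, name)[0])
                except OSError:
                    vals[name] = None
        observed[app] = vals
    return observed


if __name__ == "__main__":
    try:
        policy = read_policy_from_registry()
    except ImportError:
        # Constructed sample representing an unmanaged machine (Office defaults).
        policy = {app: {} for app in APPS}
    for line in assess_macro_policy(policy) or ["macro policy meets the baseline"]:
        print(line)
```

Machine-wide policy lives under the same subpath beneath `HKLM`, and the `16.0` segment is the version used by Office 2016 and later including Microsoft 365 Apps; adjust both if your estate differs. Pass `allow_signed=False` to require outright blocking (value 4) where no business case for signed macros exists.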
With Iran’s cyber units demonstrating both adaptability and persistence, experts caution that malicious macro attacks—once thought to be obsolete—are again a serious global threat.