Group-IB uncovers a sophisticated Iranian state-backed hacking campaign deploying advanced malware to infiltrate international and governmental networks across multiple regions.
A new investigation by cybersecurity firm Group-IB published on October 22, 2025, has revealed a large-scale cyber-espionage operation attributed to MuddyWater, a state-backed hacking group linked to Iran’s Ministry of Intelligence and Security (MOIS). The campaign targeted over 100 government and international organizations across the Middle East, North Africa, and Europe, marking one of the group’s most sophisticated cyber offensives to date.
According to Group-IB’s Threat Intelligence division, the operation relied on a compromised mailbox to distribute phishing emails carrying malicious attachments that deployed the Phoenix v4 backdoor — a new and more advanced version of MuddyWater’s signature malware. The phishing messages were sent through NordVPN, a legitimate virtual private network service, to mask the attacker’s identity and origin.
A Coordinated International Campaign
The phishing emails impersonated legitimate correspondence from trusted organizations, prompting victims to open attached Microsoft Word files. Once the recipient enabled content, the documents executed malicious macros that triggered a two-stage infection process — first deploying the FakeUpdate injector, which then installed the Phoenix backdoor.
This backdoor gave the attackers full remote access to infected systems, enabling them to steal data, monitor activity, and execute commands. The operation displayed a high degree of technical precision, combining custom-built malware with commercial Remote Monitoring and Management (RMM) tools such as PDQ and Action1, previously used in other MuddyWater intrusions.
Advanced Espionage Tools and Tactics
Group-IB analysts uncovered several new capabilities in MuddyWater’s toolkit. Among them was a custom browser credential stealer, dubbed Chromium_Stealer, disguised as a harmless calculator application. The program harvested login credentials from popular browsers, including Chrome, Edge, and Brave, and saved the stolen data locally before exfiltration.
The investigation also revealed that the attackers used multiple persistence techniques, including Windows registry modifications and a Component Object Model (COM)-based backdoor, to maintain long-term access. The malware infrastructure relied on the screenai[.]online domain, which was registered via NameCheap and hosted briefly on servers traced to France before being dismantled after a five-day active window.
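As an added illustration (this is example code written for this article, not tooling from Group-IB or from the report), the script below shows how a defender might hunt for the three signals the article names: a macro-enabled Word document handing off to a script host, a DNS lookup of the campaign domain screenai[.]online, and a registry Run-key modification used for persistence. The log lines are constructed for the example, the key=value log format is assumed, and the Office-spawns-script-host heuristic is a general detection rule rather than something the report states.

```python
"""Hunt for MuddyWater-style activity in constructed log lines.

Added example, not Group-IB's tooling. Three rules, each tied to a detail in
the report: Office macro execution (an Office process spawning a script host,
an assumed heuristic), a DNS lookup of the campaign domain, and a persistence
write to a CurrentVersion\\Run key. The log format (key=value pairs) is assumed.
"""
import re
from dataclasses import dataclass

# The report gives the domain defanged; refang it so it can be matched in DNS logs.
CAMPAIGN_DOMAIN_DEFANGED = "screenai[.]online"

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe"}
# Matches ...\CurrentVersion\Run or ...\CurrentVersion\RunOnce, with or without a value name.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?(\\|$)", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    line: str


def refang(domain):
    """Turn the defanged 'screenai[.]online' form into a matchable hostname."""
    return domain.replace("[.]", ".")


CAMPAIGN_DOMAIN = refang(CAMPAIGN_DOMAIN_DEFANGED)


def parse_kv(line):
    """Parse 'key=value key2="quoted value"' pairs into a dict (assumed log format)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def basename(path):
    """Lower-cased file name of a Windows path, for process-name comparison."""
    return path.lower().rsplit("\\", 1)[-1]


def check_line(line):
    """Return a Finding if the line matches one of the three rules, else None."""
    ev = parse_kv(line)
    kind = ev.get("event")
    if kind == "process":
        if basename(ev.get("parent", "")) in OFFICE_PARENTS and \
           basename(ev.get("image", "")) in SCRIPT_HOSTS:
            return Finding("office_spawns_script_host", line)
    elif kind == "dns":
        q = ev.get("query", "").lower().rstrip(".")
        if q == CAMPAIGN_DOMAIN or q.endswith("." + CAMPAIGN_DOMAIN):
            return Finding("campaign_domain_lookup", line)
    elif kind == "registry":
        if RUN_KEY_RE.search(ev.get("key", "")) and ev.get("op", "").lower() in {"set", "create"}:
            return Finding("run_key_persistence", line)
    return None


def hunt(lines):
    """Run every line through check_line and keep the hits, in input order."""
    return [f for f in (check_line(ln) for ln in lines) if f is not None]


# Constructed sample telemetry: three hits interleaved with three benign events.
SAMPLE_LOGS = [
    r'event=process parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"',
    r'event=process parent="C:\Windows\explorer.exe" image="C:\Windows\System32\notepad.exe"',
    r'event=dns query=screenai.online',
    r'event=dns query=update.microsoft.com',
    r'event=registry op=set key="HKCU\Software\Microsoft\Office\16.0\Word\Options"',
    r'event=registry op=set key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater" value="C:\Users\Public\PLACEHOLDER.exe"',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS):
        print(f"[{f.rule}] {f.line}")
```

Each rule is deliberately narrow: the domain match is exact (plus subdomains) because it comes straight from the report, while the Office-to-script-host rule will also fire on legitimate automation and is best treated as a triage lead rather than a verdict.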
Strategic Targeting Reflects Tehran’s Geopolitical Agenda
Analysis of the phishing campaign’s targets shows a deliberate focus on diplomatic, humanitarian, and international cooperation institutions, underscoring MuddyWater’s role in advancing Iran’s geopolitical intelligence objectives. By blending official (.gov) and personal email addresses in its target list, the group demonstrated detailed reconnaissance and a clear understanding of its victims’ networks.
Beyond its immediate targets, the campaign’s overlap with previous MuddyWater operations indicates a sustained strategy of espionage rather than opportunistic attacks. Additional samples connected to this operation were found targeting the energy sector across the Middle East and North Africa, suggesting multiple concurrent missions sharing the same command infrastructure.
Iranian State-Sponsored Cyber Operations Escalate
MuddyWater, also known as Seedworm, TA450, or Boggy Serpens, has operated since at least 2017 and is widely believed to act under the direction of Iran’s intelligence services. The group’s long record of attacks against foreign governments, energy companies, and telecommunications providers positions it as one of Tehran’s most active cyber units.
Group-IB’s findings suggest that MuddyWater’s latest activities mark a new phase in Iran’s offensive cyber doctrine, combining indigenous malware with commercial software tools to enhance stealth and persistence. This blend of state resources and criminal methodologies reflects the regime’s growing investment in cyberwarfare as a means of expanding influence and countering perceived adversaries.
A Continuing Threat to Global Cybersecurity
The latest MuddyWater campaign exemplifies how Iranian cyber units are evolving beyond traditional cybercrime, increasingly embracing espionage and long-term infiltration tactics against high-value international targets. By leveraging compromised communication channels and deploying custom malware variants, Tehran’s cyber apparatus continues to challenge global cybersecurity frameworks.
Group-IB warns that MuddyWater’s operational patterns suggest continued and expanding activity in the months ahead. “Given the group’s sustained focus on government institutions amid ongoing geopolitical tensions, further campaigns leveraging compromised accounts and new payloads are expected,” the firm concluded.
The discovery reinforces growing international concern that Iran’s cyber operations are now integral to its foreign policy strategy—serving as a covert arm of its intelligence apparatus to conduct surveillance, steal sensitive data, and disrupt adversarial states.