Researchers at Group-IB Threat Intelligence have uncovered a new global phishing and espionage campaign conducted by the Iran-linked threat actor MuddyWater, which continues to evolve its tactics and tools to target governmental and international organizations across the Middle East, Europe, Africa, and North America.
The campaign deploys version 4 of the Phoenix backdoor, a new FakeUpdate injector, and a custom credential stealer disguised as a calculator, leveraging compromised email accounts and legitimate VPN services to bypass detection and establish persistent access.
“MuddyWater accessed the compromised mailbox through NordVPN (a legitimate service abused by the threat actor) and used it to send phishing emails that appeared to be authentic correspondence,” Group-IB explained, adding that this tactic “significantly increased the chances of deceiving recipients into opening malicious attachments.”
The campaign begins with phishing emails sent from compromised legitimate accounts, making them appear credible to recipients. These emails include Microsoft Word documents that display blurred content and prompt users to “enable content” to view the text. Once macros are enabled, malicious VBA code executes, dropping a loader file known as FakeUpdate, which decrypts and injects the Phoenix backdoor v4 into its own process.

“As soon as macros were activated, the Microsoft Word documents executed malicious Visual Basic for Application (VBA) code, ultimately leading to the deployment of version 4 of the Phoenix backdoor on the victim’s system,” Group-IB reported.
The backdoor registers the compromised host with a command-and-control (C2) server and begins continuous beaconing, command polling, and remote execution, effectively granting full control to the attacker.
Group-IB’s reverse engineering of Phoenix v4 revealed several enhancements, including new persistence mechanisms and COM-based DLL loading, previously observed in other MuddyWater-linked malware such as CannonRat.
The malware:
- Copies itself as C:\ProgramData\sysprocupdate.exe
- Creates a mutex named sysprocupdate.exe
- Modifies the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
- Establishes persistence through both registry manipulation and a COM Dynamic Link Library (DLL) designed to launch another payload (Mononoke.exe) on system startup
“Artifacts indicate that this version of the backdoor includes an additional persistence mechanism via a Component Object Model (COM) object, and not just the Winlogon registry modification observed in this campaign,” the report detailed.
Investigators traced the phishing infrastructure to a NordVPN exit node in France, as revealed by email header analysis. The C2 domain screenai[.]online was registered on August 17, 2025, via NameCheap, and hosted on Cloudflare DNS.
Further SSL certificate and passive DNS analysis uncovered the real IP address 159.198.36.115, which was used to host the command server and several malicious tools.
“The C2 component initially ran on Uvicorn until MuddyWater replaced it with Apache,” Group-IB noted. “The domain ‘screenai[.]online’ was registered via NameCheap and remained active for about five days.”
An open directory on the same server exposed multiple Remote Monitoring and Management (RMM) tools and a custom browser credential stealer, suggesting the group’s intent to maintain long-term access and data collection capabilities even after the initial compromise.
Among the most notable tools discovered was Chromium_Stealer, a custom credential-stealing utility disguised as a calculator app (chromium_stealer_user.exe).
The stealer targeted Google Chrome, Microsoft Edge, Opera, and Brave, extracting browser-stored credentials and saving them to a local staging file C:\Users\Public\Downloads\cobe-notes.txt.
“The malware terminates active browser processes to remove file locks, decrypts credentials using the recovered master key, and writes the results to a local staging file before restarting the browser to minimize user suspicion,” the report explained.
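The host artifacts listed above (the sysprocupdate.exe drop, the HKCU Winlogon modification) and the stealer's kill-browsers, write-staging-file, relaunch sequence are all visible in ordinary endpoint telemetry. The following detection logic, an added example that is not Group-IB's code or tooling, runs over constructed Sysmon-style events (assumed simplified field names ts, eid, image, target; Sysmon event IDs 1, 5, 11 and 13 are real). The dropper path and the Winlogon value name are assumptions; the report names neither. Note that Sysmon does not record mutex creation, so the sysprocupdate.exe mutex is not checked here.

```python
"""Hunt for Phoenix v4 host artifacts and the Chromium_Stealer sequence in Sysmon-style events.

Added example, not from the original report. Sample events are constructed.
Event shape assumed: {"ts": datetime, "eid": int, "image": str, "target": str}
  eid 1 = ProcessCreate, 5 = ProcessTerminate, 11 = FileCreate, 13 = RegistryValueSet
"""
from datetime import datetime, timedelta

# Indicators taken from the write-up (all compared case-insensitively).
PHOENIX_DROP = r"c:\programdata\sysprocupdate.exe"
WINLOGON_KEY = r"\software\microsoft\windows nt\currentversion\winlogon"
STAGING_FILE = r"c:\users\public\downloads\cobe-notes.txt"
BROWSERS = {"chrome.exe", "msedge.exe", "opera.exe", "brave.exe"}


def _norm(path):
    return path.replace("/", "\\").lower()


def _base(path):
    return _norm(path).rsplit("\\", 1)[-1]


def phoenix_indicators(events):
    """Return (label, ts, image) for each event matching a Phoenix v4 persistence artifact."""
    hits = []
    for e in events:
        img, tgt = _norm(e.get("image", "")), _norm(e.get("target", ""))
        if e["eid"] == 11 and tgt == PHOENIX_DROP:
            hits.append(("phoenix_drop_written", e["ts"], img))
        elif e["eid"] == 1 and img == PHOENIX_DROP:
            hits.append(("phoenix_drop_executed", e["ts"], img))
        # HKCU appears in Sysmon as HKU\<SID>\...; HKLM Winlogon writes are routine
        # Windows activity, so scoping to HKU keeps the rule quiet.
        elif e["eid"] == 13 and tgt.startswith("hku\\") and WINLOGON_KEY in tgt:
            hits.append(("hkcu_winlogon_modified", e["ts"], img))
    return hits


def stealer_sequence(events, window=timedelta(minutes=2)):
    """Flag a write to the staging file bracketed by >=2 browser terminations before it
    and a browser relaunch after it, all within `window`. Returns None if not seen."""
    evs = sorted(events, key=lambda e: e["ts"])
    for e in evs:
        if e["eid"] != 11 or _norm(e.get("target", "")) != STAGING_FILE:
            continue
        t0 = e["ts"]
        killed = {_base(x["image"]) for x in evs
                  if x["eid"] == 5 and _base(x["image"]) in BROWSERS
                  and t0 - window <= x["ts"] <= t0}
        relaunched = any(x["eid"] == 1 and _base(x["image"]) in BROWSERS
                         and t0 <= x["ts"] <= t0 + window for x in evs)
        if len(killed) >= 2 and relaunched:
            return {"ts": t0, "writer": e["image"], "killed": sorted(killed)}
    return None


def _t(hms):
    return datetime.fromisoformat("2025-08-20T" + hms)


# Constructed telemetry (not real data). Dropper path and Winlogon value name are assumptions.
SAMPLE_EVENTS = [
    {"ts": _t("09:00:05"), "eid": 11, "image": r"C:\Users\victim\AppData\Local\Temp\dropper.exe",
     "target": r"C:\ProgramData\sysprocupdate.exe"},
    {"ts": _t("09:00:07"), "eid": 1, "image": r"C:\ProgramData\sysprocupdate.exe", "target": ""},
    {"ts": _t("09:00:08"), "eid": 13, "image": r"C:\ProgramData\sysprocupdate.exe",
     "target": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"},
    {"ts": _t("10:00:00"), "eid": 5, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"ts": _t("10:00:01"), "eid": 5, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"},
    {"ts": _t("10:00:03"), "eid": 11, "image": r"C:\Users\Public\chromium_stealer_user.exe",
     "target": r"C:\Users\Public\Downloads\cobe-notes.txt"},
    {"ts": _t("10:00:06"), "eid": 1, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "target": ""},
]

BENIGN_EVENTS = [
    {"ts": _t("11:00:00"), "eid": 11, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\Public\Downloads\report.txt"},
    {"ts": _t("11:00:01"), "eid": 13, "image": r"C:\Windows\System32\services.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell"},
    {"ts": _t("11:00:02"), "eid": 5, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
]

if __name__ == "__main__":
    for hit in phoenix_indicators(SAMPLE_EVENTS):
        print("PHOENIX:", hit)
    print("STEALER:", stealer_sequence(SAMPLE_EVENTS))
    print("BENIGN:", phoenix_indicators(BENIGN_EVENTS), stealer_sequence(BENIGN_EVENTS))
```

The sequence rule keys on the staging-file path rather than on the stealer's own filename, since the "calculator" binary can be renamed trivially while the write to C:\Users\Public\Downloads\cobe-notes.txt is part of the observed behaviour; the two-browser threshold and the relaunch requirement are what separate it from a user simply closing a browser.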
Additionally, two legitimate RMM tools — PDQ RMM and Action1 — were identified on the C2 server, reinforcing Group-IB’s earlier findings that MuddyWater blends custom malware with commercial administration utilities to obscure its activity and prolong persistence.
The campaign’s targets include diplomatic, humanitarian, and international organizations, as well as energy-sector entities in the Middle East and North Africa. Group-IB noted the combination of official government and personal email addresses among victims, suggesting a deep understanding of each target’s operational ecosystem.
“The mix of official (.gov) and personal emails (Yahoo, Gmail, and Hotmail) indicates that MuddyWater possesses detailed knowledge of its targets,” the report stated.
“The campaign’s focus extended to influential global organizations engaged in international cooperation and humanitarian missions.”