MuddyWater’s Phoenix Backdoor Infects More Than 100 Government Organizations

Brownie2019

Advanced Persistent Threat (APT) MuddyWater has orchestrated a sophisticated phishing campaign targeting over 100 government entities across the Middle East, North Africa, and international organizations worldwide.

Group-IB Threat Intelligence has attributed the campaign to the Iran-linked threat actor with high confidence, revealing an alarming escalation in the group’s espionage capabilities and operational sophistication.

The attack leveraged a compromised mailbox accessed through NordVPN to distribute the Phoenix backdoor malware version 4, along with custom credential-stealing tools designed to exfiltrate sensitive intelligence from high-value government targets.
Thanks for sharing this, Brownie2019. MuddyWater's campaigns are always a reminder of how persistent these state-linked actors can be, especially with their focus on espionage. Targeting government entities like this with custom tools and backdoors shows a clear uptick in their tactics—leveraging VPNs for anonymity is a clever but not uncommon move.

For anyone reading, if you're in a high-risk sector, double down on email security: enable multi-factor authentication everywhere, train on spotting phishing lures, and consider advanced threat detection tools. What's everyone's take on how these groups keep evolving?

Also the name of a blues legend. The story goes that Mick Jagger and Keith Richards met because they had bought the same Muddy Waters album and found out they both played music.

That is why they named their band after one of his songs ("Rolling Stone") and visited him on a tour.

Apologies for the off-topic content.

The intelligence shared regarding the MuddyWater Phoenix campaign is high-confidence and technically validated by Group-IB's reporting. This operation reveals a clear focus on email-based initial access leading to critical persistence and data theft via custom tooling. This level of detail moves the discussion beyond general awareness into actionable security policy.

The core of this threat hinges on weaponized Microsoft Word documents that force users to enable macros to initiate the dropper stage. The subsequent persistence mechanism is alarmingly specific: deployment of the Phoenix backdoor (v4) to the file path:

`C:\ProgramData\sysprocupdate.exe`.

Persistence is anchored by modifying the Windows registry at:

`HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon` to specifically alter the `Shell` value.

The investigation successfully identified the hardcoded C2 domain, `screenai[.]online`, resolving to the IP address `159[.]198[.]36[.]115`, and confirmed the ultimate goal involves deploying a specialized `Chromium_Stealer`.

The immediate action items for security teams and high-risk individuals should pivot toward blocking these confirmed indicators and proactively hunting for the established persistence:

1. Immediately block all network traffic to the identified C2 IP address and domain at the perimeter: `159.198.36.115` and `screenai.online`.

2. Implement endpoint detection rules looking for the hash or file write activity at the persistence path: `C:\ProgramData\sysprocupdate.exe`.

3. Perform a targeted sweep to identify the modified registry key, as this is the central persistence vector for the backdoor: `HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon` (where the value for `Shell` is typically changed).

As always, the root vector remains social engineering via phishing. Beyond the current IOCs, enforcing endpoint policies that block execution from unexpected paths and strictly limiting macro functionality remains fundamental to breaking this chain early. You can validate the status of the known persistence entry using PowerShell.

Sanity Check (Windows PowerShell to inspect startup shell)

`Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" | Select-Object Shell`
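To turn the three action items above into one repeatable host sweep, here is an added PowerShell example. It is my own code, not code from the post above, from Group-IB, or from the report the thread discusses. It checks the Winlogon `Shell` value, looks for the reported dropper path and any process running from it, and checks the DNS resolver cache and live TCP sessions for the C2 indicators. The only details taken from the thread are the three IOCs (the file path, the Winlogon `Shell` value, and the C2 domain/IP). Everything else is an assumption on my part: the comparison against the default `explorer.exe`, the decision to also check HKLM and every loaded user hive rather than only HKCU (so that a sweep run from an admin account does not miss the logged-in victim's hive), the process and network checks, and the optional outbound firewall rule.

```powershell
<#
  Added example (not from the original post, Group-IB, or the report): single-host
  sweep for the Phoenix v4 persistence and C2 indicators quoted in the thread.
  Run in an elevated PowerShell session on Windows 10/Server 2016 or later.
  Everything outside the three quoted IOCs is an assumption.
#>
param(
    # Assumption: host-firewall blocking is optional; perimeter blocking is still required.
    [switch]$BlockC2
)

$C2Domain = 'screenai.online'                   # from the post
$C2Ip     = '159.198.36.115'                    # from the post
$DropPath = 'C:\ProgramData\sysprocupdate.exe'  # from the post
$Findings = [System.Collections.Generic.List[string]]::new()

# 1. Winlogon Shell. The default is explorer.exe and is normally set only in HKLM;
#    the per-user value is normally absent. The post cites HKCU; checking HKLM and
#    every loaded user hive as well is an assumed extension.
$WinlogonRel = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Keys = @("HKLM:\$WinlogonRel") + @(
    Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notmatch '_Classes$' } |
        ForEach-Object { "Registry::$($_.Name)\$WinlogonRel" }
)
foreach ($Key in $Keys) {
    $Shell = (Get-ItemProperty -Path $Key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($null -ne $Shell -and "$Shell".Trim() -ine 'explorer.exe') {
        $Findings.Add("Non-default Winlogon Shell in ${Key}: $Shell")
    }
}

# 2. Dropped binary at the reported path, and any process running from it.
if (Test-Path -LiteralPath $DropPath) {
    $Hash = (Get-FileHash -LiteralPath $DropPath -Algorithm SHA256).Hash
    $Findings.Add("Dropper present: $DropPath (SHA256 $Hash)")
}
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($_.Path -ieq $DropPath) } |
    ForEach-Object { $Findings.Add("Process running from drop path: PID $($_.Id) ($($_.ProcessName))") }

# 3. Network: resolver cache and live TCP sessions to the hardcoded C2.
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { ($_.Entry -eq $C2Domain) -or ($_.Entry -like "*.$C2Domain") -or ($_.Data -eq $C2Ip) } |
    ForEach-Object { $Findings.Add("DNS cache: $($_.Entry) -> $($_.Data)") }
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -eq $C2Ip } |
    ForEach-Object { $Findings.Add("TCP session to C2 $($_.RemoteAddress):$($_.RemotePort) from PID $($_.OwningProcess)") }

# 4. Optional host-firewall block for the C2 IP (the rule name is my own choice).
if ($BlockC2) {
    $RuleName = 'Block MuddyWater Phoenix C2'
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Block -RemoteAddress $C2Ip -Profile Any | Out-Null
        Write-Output "Added outbound firewall rule '$RuleName' for $C2Ip"
    }
}

# 5. Report.
if ($Findings.Count -eq 0) {
    Write-Output "$(Get-Date -Format s) ${env:COMPUTERNAME}: no Phoenix indicators found"
} else {
    Write-Warning "${env:COMPUTERNAME}: $($Findings.Count) Phoenix indicator(s) found"
    $Findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it elevated; add `-BlockC2` to also create the outbound Windows Firewall rule for the IP. Treat a non-default `Shell` value as a lead to investigate rather than proof of infection, since kiosk builds and some custom-shell deployments change it legitimately; a hit on the file path or a live session to the C2 address is the stronger signal, and the two together are what you would escalate on.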