The Iranian state-sponsored hacking group MuddyWater (also tracked as Static Kitten, Mercury, and Seedworm) has launched a large-scale cyberattack on more than 100 government agencies in the Middle East and North Africa. The attackers used an updated version of their Phoenix backdoor (v4), which gives them full remote control of infected systems for espionage.

According to Group-IB, the attacks began on August 19, 2025, when the attackers, connecting through the NordVPN service, used a compromised email account to send phishing emails to government agencies.
The attachments were Word documents with macros. When a user enabled them, the macro deployed the FakeUpdate loader, which decrypted the AES-encrypted Phoenix payload, wrote it to disk at C:\ProgramData\sysprocupdate.exe, and added a registry auto-start entry so the backdoor runs again after every login.
Phoenix v4 fingerprints the host, collecting system information ranging from the user name and domain to the Windows version.
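The chain above leaves host-level traces: an Office process spawning a loader, a file written to the ProgramData path, and a registry auto-start entry pointing at it. The following is an added hunting example, not code from Group-IB or from the article. It assumes Sysmon-style events (ID 1 process create, ID 11 file create, ID 13 registry value set) already parsed into dicts; the loader file name, the Run-key value name and all sample events are constructed, and only the dropped path comes from the report.

```python
r"""Hunt for the Phoenix v4 infection chain in Sysmon-style events.

Indicator from the article: the loader writes the payload to
C:\ProgramData\sysprocupdate.exe and adds a registry auto-start entry for it.
Assumption: a macro that launches a loader shows up as an unexpected child
process of an Office application. All events below are constructed samples.
"""
import re
from typing import Dict, List, Optional

PHOENIX_PATH = r"C:\ProgramData\sysprocupdate.exe"
PHOENIX_NAME = "sysprocupdate.exe"
# Any Run/RunOnce key under HKLM or a user hive (HKU\<SID>\...).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Children Office spawns for legitimate reasons; extend per environment (assumption).
EXPECTED_OFFICE_CHILDREN = {"splwow64.exe"}

Event = Dict[str, object]


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: Event) -> Optional[str]:
    """Return a finding string if the event matches one of the rules, else None."""
    eid = ev["EventID"]
    if eid == 1:  # process creation
        parent = basename(str(ev.get("ParentImage", "")))
        child = basename(str(ev.get("Image", "")))
        if parent in OFFICE_APPS and child not in EXPECTED_OFFICE_CHILDREN:
            return f"office_spawned_process: {parent} -> {ev['Image']}"
    elif eid == 11:  # file created
        if basename(str(ev.get("TargetFilename", ""))) == PHOENIX_NAME:
            return f"phoenix_payload_written: {ev['Image']} -> {ev['TargetFilename']}"
    elif eid == 13:  # registry value set
        target = str(ev.get("TargetObject", ""))
        details = str(ev.get("Details", ""))
        if RUN_KEY_RE.search(target) and PHOENIX_NAME in details.lower():
            return f"phoenix_autostart: {target} = {details}"
    return None


def hunt(events: List[Event]) -> List[str]:
    """Run every event through the rules and collect the findings."""
    return [f for f in (check_event(ev) for ev in events) if f]


WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
LOADER = r"C:\Users\alice\AppData\Local\Temp\fakeupdate.exe"  # constructed name
USER_RUN = r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run"

SAMPLE_EVENTS: List[Event] = [
    # benign: Word hands a print job to the spooler proxy
    {"EventID": 1, "Image": r"C:\Windows\splwow64.exe", "ParentImage": WINWORD},
    # macro fires: Word launches the loader
    {"EventID": 1, "Image": LOADER, "ParentImage": WINWORD},
    # loader writes the decrypted Phoenix payload to the path named in the article
    {"EventID": 11, "Image": LOADER, "TargetFilename": PHOENIX_PATH},
    # loader registers the payload for auto-start (value name is constructed)
    {"EventID": 13, "Image": LOADER, "TargetObject": USER_RUN + r"\SysProcUpdate",
     "Details": PHOENIX_PATH},
    # benign: a legitimate Run entry
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": USER_RUN + r"\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Fed real Sysmon exports, the Office-child rule will fire on legitimate add-ins and helpers as well, so the allow-list needs tuning per environment; the path and Run-key rules are narrow enough to be high-confidence on their own.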
The malware communicates with its command-and-control (C2) server over WinHTTP and supports the following commands:
upload/download files;
launch an interactive shell;
change the timeout between sessions;
update configurations.
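Because the beacon interval is operator-configurable, the network-side signal is less the exact timing than its regularity. The following is an added example, not code from the article or from Group-IB, and it generalizes beyond Phoenix to any implant that polls a fixed C2 on a timer: it groups web-proxy records by client and destination and flags pairs whose inter-request gaps have a low coefficient of variation. The log format, the thresholds and every log line are constructed assumptions; the C2 address is taken from the 203.0.113.0/24 documentation range.

```python
"""Flag beacon-like periodicity in outbound web-proxy logs (added example)."""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Pair = Tuple[str, str]
Record = Tuple[int, str, str]


def parse_proxy_log(lines: List[str]) -> List[Record]:
    """Assumed line format: '<epoch> <client_ip> <dest_host> <method> <status>'."""
    records: List[Record] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines instead of aborting the run
        records.append((int(parts[0]), parts[1], parts[2]))
    return records


def beacon_candidates(records: List[Record], min_requests: int = 6,
                      max_cv: float = 0.15) -> Dict[Pair, Tuple[float, float, int]]:
    """Return {(client, dest): (mean_gap_s, cv, request_count)} for periodic pairs.

    cv is pstdev(gaps) / mean(gaps); a timer with small jitter gives a cv well
    below the 0.15 default (an assumed threshold, tune it per network).
    """
    times: Dict[Pair, List[int]] = defaultdict(list)
    for ts, src, dst in records:
        times[(src, dst)].append(ts)
    out: Dict[Pair, Tuple[float, float, int]] = {}
    for pair, ts_list in times.items():
        if len(ts_list) < min_requests:
            continue  # too few samples for the statistic to mean anything
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing periodic to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            out[pair] = (round(avg, 1), round(cv, 3), len(ts_list))
    return out


BASE = 1755561600  # 2025-08-19 00:00:00 UTC, the campaign start date
# Constructed: an implant checking in every ~300 s with a little jitter...
BEACON_OFFSETS = [0, 300, 595, 905, 1207, 1497, 1802, 2100]
# ...and a user browsing the same site at irregular intervals.
BROWSING_OFFSETS = [10, 15, 135, 137, 737, 767, 768, 1668]

SAMPLE_LOG: List[str] = (
    [f"{BASE + o} 10.0.0.5 203.0.113.10 POST 200" for o in BEACON_OFFSETS]
    + [f"{BASE + o} 10.0.0.5 www.example.com GET 200" for o in BROWSING_OFFSETS]
)

if __name__ == "__main__":
    for (client, dest), (gap, cv, n) in beacon_candidates(parse_proxy_log(SAMPLE_LOG)).items():
        print(f"{client} -> {dest}: {n} requests, mean gap {gap}s, cv {cv}")
```

Legitimate software (update checks, telemetry agents) is periodic too, so the output is a candidate list to allow-list against known destinations, not an alert on its own; an implant with heavy randomized jitter will need a looser max_cv or a different statistic.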
MuddyWater also used an info-stealer that copies the credential databases of the Chromium-based Chrome, Brave, Opera and Edge browsers, extracting saved passwords together with the keys needed to decrypt them. On the attackers' infrastructure, researchers also found the PDQ mass software deployment utilities and the Action1 remote monitoring and management (RMM) tool, both of which Iranian groups commonly use to maintain access.

MuddyWater is an APT group that has operated on behalf of the Iranian government since 2017, running cyberespionage campaigns against diplomatic and military targets. The group previously relied on POWERSTATS, Small Sieve and the ClickFix social-engineering technique; this time it returned to the old method of macros in Office documents, even though Microsoft now blocks macros by default in documents downloaded from the internet. According to Group-IB, the shutdown of the initial C2 server on August 24 indicates a transition to a second phase of the operation using additional tools for intelligence gathering.
The Phoenix v4 campaign shows that state-sponsored APT groups are actively reviving even outdated infection methods and combining them with new concealment techniques. Experts urge government organizations to restrict Office macros, check system logs for signs of Phoenix, and tighten access control for accounts and services reachable through VPN connections. A single careless click can end in full compromise of internal networks and diplomatic channels.