Iran-Linked MuddyWater Targets 100+ Organisations in Global Espionage Campaign
The Iranian nation-state threat actor MuddyWater has launched a high-impact espionage campaign targeting over 100 organizations primarily in the MENA region, including government entities, embassies, and telecommunications firms. The attack leverages compromised email accounts accessed via abused legitimate VPN services to distribute weaponized Microsoft Word documents containing malicious macros. When enabled, these macros deploy the Phoenix backdoor (version 4) through a loader called FakeUpdate, enabling persistent remote access and intelligence gathering. The campaign also uses custom credential stealers and legitimate remote monitoring tools to enhance stealth and persistence. Although primarily focused on MENA, the use of widely deployed software and phishing tactics poses risks to European organizations with diplomatic or strategic ties to the region. Mitigation requires targeted email security enhancements, macro policy enforcement, and network monitoring for related indicators. Given the sophistication, scope, and espionage intent, this threat is assessed as high severity.
AI Analysis
Technical Summary
MuddyWater, an Iranian state-affiliated threat group active since at least 2017, has initiated a new espionage campaign targeting over 100 organizations mainly in the Middle East and North Africa, including embassies, diplomatic missions, foreign affairs ministries, international organizations, and telecom firms. The attackers compromised an email account accessed through NordVPN, a legitimate VPN service abused to mask their activity, to send phishing emails with weaponized Microsoft Word documents. These documents prompt recipients to enable macros, which execute malicious VBA code that drops and runs the FakeUpdate loader. This loader decrypts and deploys the Phoenix backdoor version 4, a lightweight implant related to the previously documented BugSleep malware. The Phoenix backdoor facilitates persistent remote access, data exfiltration, and command execution. The attackers also use custom web browser credential stealers targeting popular browsers (Brave, Chrome, Edge, Opera) and legitimate remote monitoring and management (RMM) tools such as PDQ and Action1 to blend malicious activity with normal network operations. This integration of custom malware with commercial tools enhances stealth and persistence, complicating detection. The campaign exploits the inherent trust in email communications from compromised legitimate accounts, increasing the likelihood of successful phishing. While the primary targets are in the MENA region, the use of common software and phishing vectors means European organizations with diplomatic, governmental, or telecom links to the region could be at risk. No known exploits have been reported in the wild beyond this campaign, but the sophistication and targeting indicate a well-resourced espionage operation aligned with Iranian intelligence objectives.
Potential Impact
For European organizations, especially those with diplomatic missions, foreign affairs departments, international organizations, or telecommunications firms engaged with or operating in the MENA region, this campaign poses significant risks. Successful compromise can lead to unauthorized access to sensitive communications, intellectual property theft, and long-term espionage. The use of legitimate VPN services and commercial RMM tools by the attackers complicates detection and response, increasing the likelihood of prolonged undetected presence. The compromise of email accounts and deployment of backdoors can undermine confidentiality and integrity of critical information, potentially impacting national security and international relations. Additionally, the targeting of diplomatic and governmental entities could disrupt operations and erode trust in communication channels. The campaign's reliance on social engineering and macro-enabled documents means that user awareness and endpoint security are critical factors in preventing infection. The espionage nature of the threat means that data exfiltration and surveillance could continue unnoticed for extended periods, amplifying damage.
Mitigation Recommendations
European organizations should implement strict email security controls, including advanced phishing detection, attachment sandboxing, and blocking of macro-enabled documents from untrusted sources. Enforce group policies to disable macros by default and only allow digitally signed macros from trusted publishers. Monitor network traffic for connections to known MuddyWater command-and-control servers and unusual use of legitimate RMM tools like PDQ and Action1. Deploy endpoint detection and response (EDR) solutions capable of identifying suspicious VBA macro execution and the presence of the Phoenix backdoor or FakeUpdate loader. Conduct regular threat hunting exercises focusing on credential theft indicators and lateral movement patterns consistent with MuddyWater TTPs. Enhance user training to recognize spear-phishing attempts, especially those leveraging compromised legitimate email accounts. Implement multi-factor authentication (MFA) on all email and VPN accounts to reduce the risk of credential compromise. Collaborate with national cybersecurity agencies for threat intelligence sharing and incident response support. Finally, maintain up-to-date inventories of software and monitor for unauthorized installations or unusual behavior of remote management tools.
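As an added illustration of the endpoint and RMM monitoring recommended above (example code written for this page, not from the advisory or its source article): a small Python hunt over constructed Sysmon-style process-creation events that flags Word launching a script interpreter (the macro-to-loader step) and an RMM agent running on a host where IT never deployed one. The host names, the allowlist and the agent binary names are assumptions; take the real ones from your own inventory.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation events in a Sysmon-like key=value form (not real telemetry).
SAMPLE_EVENTS = [
    "host=emb-ws01 parent=outlook.exe image=WINWORD.EXE user=jdoe",
    "host=emb-ws01 parent=WINWORD.EXE image=powershell.exe user=jdoe",
    "host=emb-ws01 parent=WINWORD.EXE image=splwow64.exe user=jdoe",
    "host=emb-ws02 parent=services.exe image=action1_agent.exe user=SYSTEM",
    "host=it-adm07 parent=services.exe image=action1_agent.exe user=SYSTEM",
    "host=emb-ws03 parent=services.exe image=PDQDeployRunner.exe user=SYSTEM",
]

# Hosts where the organisation itself deployed an RMM agent (constructed allowlist).
APPROVED_RMM_HOSTS = {"it-adm07"}

# Script and LOLBin children a Word macro typically launches; Word rarely spawns these.
SCRIPT_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                   "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Substrings identifying the RMM products named in the advisory. The agent binary
# names used in SAMPLE_EVENTS are assumptions; confirm them against your deployment.
RMM_MARKERS = ("pdq", "action1")

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value event line into a dict; values are kept verbatim."""
    return dict(FIELD_RE.findall(line))

def evaluate(event: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (host, rule, image) alerts for one event."""
    host = event.get("host", "?")
    parent = event.get("parent", "").lower()
    exe = event.get("image", "").lower().rsplit("\\", 1)[-1]
    alerts = []
    # Rule 1: Word launching a script interpreter is how a macro drops and runs a loader.
    if parent == "winword.exe" and exe in SCRIPT_CHILDREN:
        alerts.append((host, "office_spawns_script", exe))
    # Rule 2: an RMM agent on a host outside the approved deployment set.
    if any(m in exe for m in RMM_MARKERS) and host not in APPROVED_RMM_HOSTS:
        alerts.append((host, "unapproved_rmm_agent", exe))
    return alerts

def hunt(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run both rules over a batch of event lines and collect the alerts."""
    return [a for line in lines for a in evaluate(parse_event(line))]

if __name__ == "__main__":
    for host, rule, exe in hunt(SAMPLE_EVENTS):
        print(f"{host}: {rule} ({exe})")
```

In production the allowlist and marker strings would come from the software inventory the advisory asks you to maintain, and the events from your EDR or Sysmon pipeline rather than an inline list.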
Affected Countries
France, Germany, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Article source: https://thehackernews.com/2025/10/iran-linked-muddywater-targets-100.html (fetched 2025-10-23T01:21:32Z, 1027 words)
Threat ID: 68f9831e93bcde9f320bfbd6
Added to database: 10/23/2025, 1:21:34 AM
Last enriched: 10/23/2025, 1:21:50 AM
Last updated: 10/23/2025, 7:23:48 AM