TLDR
Iranian espionage group MuddyWater deployed the Phoenix backdoor via phishing Word docs to over 100 MENA government entities. The campaign leveraged a hijacked email account and legitimate services to bypass basic defenses.
Immediate steps: disable macros, audit email logs, and block suspicious VPN‑based senders.
What happened
MuddyWater, a threat actor tied to Iran’s Ministry of Intelligence and Security, launched a coordinated phishing operation in early October 2025. The group compromised a legitimate email account belonging to a regional service provider. Using that account, they sent spear‑phishing messages to more than 100 organisations, primarily ministries, embassies, and state‑run utilities across the Middle East and North Africa.
The email payload was a Microsoft Word document that appeared to be a routine briefing or policy update. The document was weaponised with a malicious macro that, when enabled, downloaded and executed a custom backdoor named Phoenix. Phoenix is a multi‑stage remote‑access trojan capable of keylogging, screen capture, credential dumping, and lateral movement through Windows admin tools.
To increase delivery success, MuddyWater routed the outbound phishing emails through NordVPN’s infrastructure. By using a reputable VPN service, the attackers masked the true origin of the messages and avoided many IP‑based blocklists. The use of a compromised, trusted sender further reduced suspicion among recipients.
The infection chain unfolded as follows:
- Compromise of a legitimate email account via credential stuffing.
- Creation of a phishing template that mimicked official correspondence.
- Attachment of a weaponised Word document containing a macro.
- Recipient opens the email and enables macros, either voluntarily or after a social‑engineering prompt.
- The macro contacts a hard‑coded C2 server, downloads the Phoenix payload, and installs it in the user’s profile.
- Phoenix establishes persistence via a scheduled task and registers a Windows service.
- After a short beaconing period, the backdoor provides the operators with a full remote shell.
Analysis of the C2 traffic shows that the operators use encrypted HTTP over port 443, blending with normal web traffic. The payload is signed with a self‑generated certificate that mimics a legitimate Microsoft code‑signing key, further evading static detection.
Since 2017, MuddyWater has repeatedly refined its phishing‑to‑backdoor methodology. Earlier campaigns employed the QuasarRAT and PlugX families; Phoenix represents a newer, more modular framework that can load additional plugins on demand.
Why it matters
Government ministries store sensitive diplomatic cables, policy drafts, and critical infrastructure schematics. A successful backdoor gives an adversary unfettered access to that data, enabling intelligence collection, strategic manipulation, and the preparation of disruptive cyber‑operations.
Beyond data theft, Phoenix’s capabilities allow the attackers to move laterally within a network, elevate privileges, and establish persistence that can survive system re‑imaging. This creates a long‑term foothold that can be leveraged for future espionage or sabotage campaigns.
The use of a reputable VPN service to relay malicious email traffic demonstrates a growing trend: threat actors are exploiting trusted third‑party platforms to hide their tracks. Traditional perimeter defenses that rely on IP reputation are less effective against such tactics.
From a geopolitical perspective, the targeting of over 100 organisations in a single campaign signals a coordinated intelligence‑gathering effort. The timing coincides with heightened diplomatic activity in the region, suggesting that the stolen information could be used to influence negotiations, shape public narratives, or pre‑empt security measures.
Technical implications include the need to reassess macro policies, strengthen email authentication (DMARC, SPF, DKIM), and monitor for anomalous VPN‑based outbound traffic. Failure to address these gaps leaves a large attack surface open to not only MuddyWater but also other state‑sponsored actors employing similar techniques.
Who is affected
The primary victims are government entities, but the campaign’s reach extends to any organisation that shares the same email infrastructure or collaborates with the targeted ministries. A non‑exhaustive list includes:
- Foreign ministries and diplomatic missions.
- Ministries of finance, energy, and transport.
- State‑run utilities such as electricity and water providers.
- National cybersecurity agencies and CERT teams.
- Academic institutions receiving government research grants.
- Private contractors that handle classified government projects.
Secondary impact can affect citizens whose personal data is stored in government databases, as well as businesses that rely on government services. Supply‑chain exposure is also possible if a compromised ministry shares files with external partners.
How to check exposure
Organisations should perform the following checks immediately:
- Email log review: Search inbound and outbound logs for messages sent from the compromised sender’s address or from NordVPN exit nodes during the campaign window (1‑15 Oct 2025).
- Macro activity audit: Identify Word documents that triggered macro execution on endpoints. Windows Event ID 3000 (Office Macro Execution) and Sysmon Event ID 1 (Process Creation) are useful indicators.
- Phoenix indicators of compromise (IOCs): Look for the following file hashes, registry keys, and scheduled‑task names:
  - File hash SHA‑256 = 3f9a2c7d… (payload executable).
  - Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Phoenix.
  - Scheduled task name "SystemUpdater" pointing to %APPDATA%\Phoenix.exe.
- Network traffic analysis: Filter for encrypted HTTP(S) traffic to the known C2 domains (e.g., phoenix‑c2[.]ir, api‑gateway[.]net). Look for regular beacon intervals of 5‑15 minutes.
- VPN usage review: Identify any outbound connections that originate from NordVPN IP ranges (185.159.0.0/16). Correlate with user authentication logs to spot unauthorized use.
- Endpoint detection: Run a full AV/EDR scan with updated signatures that include Phoenix’s payload and its loader components.
For organisations that employ a SIEM, create detection rules that combine macro execution, suspicious VPN egress, and the specific file hashes. This will surface any latent infections that have not yet been discovered.
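The following script is an added illustration of the correlation described in the checklist above; it is not part of the original advisory or any vendor tooling. It reads constructed log lines in a hypothetical key=value format (hostnames, user names and timestamps are invented), flags Office macro execution, logins from the VPN range and connections to the listed C2 domains, and also scores unknown destinations for a steady 5‑15 minute beacon cadence, which goes slightly beyond the fixed-domain match the text describes.

```python
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Indicators from the advisory above; the domains are defanged there and normalised here.
C2_DOMAINS = {d.replace("[.]", ".") for d in ("phoenix-c2[.]ir", "api-gateway[.]net")}
VPN_RANGE = ipaddress.ip_network("185.159.0.0/16")
BEACON_MIN, BEACON_MAX = 5 * 60, 15 * 60  # 5-15 minute beacon window, in seconds

# Constructed sample log lines in a hypothetical key=value format, not real telemetry.
SAMPLE_LOG = """\
2025-10-07T09:00:00Z host=WS-FIN-17 event=macro_exec doc=briefing_oct.docm
2025-10-07T09:01:10Z host=WS-FIN-17 event=proxy dst=phoenix-c2.ir port=443
2025-10-07T09:11:12Z host=WS-FIN-17 event=proxy dst=phoenix-c2.ir port=443
2025-10-07T09:21:09Z host=WS-FIN-17 event=proxy dst=phoenix-c2.ir port=443
2025-10-07T09:31:14Z host=WS-FIN-17 event=proxy dst=phoenix-c2.ir port=443
2025-10-07T09:02:00Z host=WS-HR-03 event=proxy dst=update.example.com port=443
2025-10-07T09:40:00Z host=WS-HR-03 event=proxy dst=update.example.com port=443
2025-10-07T08:55:31Z host=MAIL-01 event=login user=j.doe src_ip=185.159.22.7
"""

def parse(line):
    # Leading ISO timestamp becomes rec["ts"]; the rest are key=value fields.
    ts, rest = line.split(" ", 1)
    rec = dict(kv.split("=", 1) for kv in rest.split())
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def is_beaconing(times):
    """True when >= 3 connections recur at a steady 5-15 minute cadence (jitter under 20%)."""
    if len(times) < 3:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    med = statistics.median(gaps)
    return BEACON_MIN <= med <= BEACON_MAX and all(abs(g - med) <= 0.2 * med for g in gaps)

def triage(log_text):
    """Return {host: [findings]} correlating macro execution, C2 traffic and VPN-sourced logins."""
    findings, conns = defaultdict(list), defaultdict(list)
    for rec in map(parse, log_text.strip().splitlines()):
        host = rec["host"]
        if rec["event"] == "macro_exec":
            findings[host].append("office macro executed: " + rec["doc"])
        elif rec["event"] == "proxy":
            conns[(host, rec["dst"])].append(rec["ts"])
        elif rec["event"] == "login" and ipaddress.ip_address(rec["src_ip"]) in VPN_RANGE:
            findings[host].append(f"login for {rec['user']} from VPN range {rec['src_ip']}")
    for (host, dst), times in conns.items():
        if dst in C2_DOMAINS or is_beaconing(sorted(times)):
            kind = "known C2" if dst in C2_DOMAINS else "beacon-like"
            findings[host].append(f"{kind} traffic to {dst}")
    return dict(findings)
```

Hosts that appear with more than one finding (macro execution plus C2 or beacon-like traffic) are the first candidates for the forensic sweep described in the mitigation steps.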
Fast mitigation
Time is critical. Follow these steps to contain and eradicate the threat:
- Isolate affected accounts: Immediately disable the compromised email account and any accounts that exhibited suspicious login patterns.
- Block malicious senders: Add the identified NordVPN exit IPs and the C2 domains to the firewall deny list.
- Enforce macro policy: Configure Group Policy to block all Office macros by default. Allow macros only for digitally signed documents from trusted publishers.
- Patch Office suite: Deploy the latest security updates for Microsoft Office and enable the “Protected View” sandbox for all documents received via email.
- Terminate Phoenix processes: Use Task Manager or PowerShell (Get-Process | Where-Object { $_.Path -like "*Phoenix.exe" } | Stop-Process -Force) to stop the process, then delete the malicious executable.
- Remove persistence mechanisms: Delete the scheduled task, registry Run key, and any newly created services associated with Phoenix.
- Rotate credentials: Force password changes for all users who received the phishing email, especially privileged accounts.
- Conduct a forensic sweep: Capture memory dumps from suspect hosts, analyse them for additional modules, and preserve evidence for attribution.
- Update detection rules: Deploy the latest YARA, Snort, and Suricata signatures that cover Phoenix’s loader and C2 traffic patterns.
- Educate staff: Run a short, focused training session reminding users not to enable macros in unsolicited documents and to verify the sender’s address.
After containment, perform a full risk assessment to determine whether any data exfiltration occurred. If sensitive state secrets were accessed, follow national incident‑response protocols and consider notifying allied intelligence partners.
Finally, review the organisation’s email‑security stack. Implement DMARC enforcement with a reject policy, enable SPF alignment, and adopt DKIM signing for all outbound mail. Consider deploying an advanced phishing‑simulation platform to test user resilience on an ongoing basis.