Find notable cyber news and cases, enriched with sources, timelines, and signals.

MuddyWater global phishing campaign using compromised email accounts

Campaign
First reported
Last updated
Happening score
H score 34
1 unique sources, 1 articles

Summary

Hide ▲

A newly uncovered MuddyWater phishing campaign abused compromised email accounts to target international organizations across multiple regions, increasing the risk of espionage and malware delivery. The operation used trusted-looking emails and malicious Microsoft Word attachments to push recipients into enabling macros. Those macros launched Phoenix v4 and related tooling, giving the actor remote control over infected systems.

Related Happenings

AI chatbot cryptojacking campaign targeting high-performance GPU users

Campaign
H score51 First: 27.05.2026 10:45 Last: 27.05.2026 10:45 Sources 1

About this happening: An active **cryptojacking campaign** is using **SEO poisoning** and, in some cases, **AI chatbot recommendations** to steer users toward malicious download pages for trusted utili...

Fake Gemini CLI and Claude Code SEO-poisoning infostealer campaign

Campaign
H score33 First: 22.05.2026 14:30 Last: 22.05.2026 14:30 Sources 1

About this happening: **Cyber threat actors** ran a **malicious SEO-poisoning campaign** that impersonated **Google Gemini CLI** and **Anthropic Claude Code** to push malicious downloads. The operation...

Code of conduct-themed Microsoft AiTM phishing campaign

Campaign
H score53 First: 05.05.2026 09:35 Last: 05.05.2026 09:35 Sources 1

About this happening: A **large-scale phishing campaign** used code of conduct-themed lures and **legitimate email services** to push victims to attacker-controlled domains and steal **authentication t...

OAuth device-code phishing campaign targeting SaaS accounts

Campaign
H score43 First: 04.04.2026 17:17 Last: 04.04.2026 17:17 Sources 1

About this happening: A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...

Phantom Stealer Europe phishing campaign

Campaign
H score33 First: 31.03.2026 17:00 Last: 31.03.2026 17:00 Sources 1

About this happening: A **sustained phishing campaign** delivered **Phantom Stealer** to organizations in **logistics, manufacturing and technology** across **Europe**, creating a broad credential-thef...

Timeline

  1. 22.10.2025 18:00 2 articles · 8mo ago

    MuddyWater phishing campaign disclosure against international organizations

    Initial Disclosure

    Group-IB disclosed a phishing campaign attributed with high confidence to the Iran-linked threat actor MuddyWater, which targeted international organizations across multiple regions by abusing compromised email accounts and a mailbox accessed via NordVPN to send trusted-looking emails. The malicious Microsoft Word attachments urged recipients to enable macros; once activated, the macros launched Phoenix v4, while investigators also identified PDQ, Action1, ScreenConnect, Chromium_Stealer, and screenai[.]online infrastructure.

    Show sources