MuddyWater global phishing campaign using compromised email accounts
Campaign
Summary
Hide ▲
Show ▼
A newly uncovered MuddyWater phishing campaign abused compromised email accounts to target international organizations across multiple regions, increasing the risk of espionage and malware delivery. The operation used trusted-looking emails and malicious Microsoft Word attachments to push recipients into enabling macros. Those macros launched Phoenix v4 and related tooling, giving the actor remote control over infected systems.
Related Happenings
AI chatbot cryptojacking campaign targeting high-performance GPU users
Campaign
H score51
First: 27.05.2026 10:45
Last: 27.05.2026 10:45
Sources 1
About this happening:
An active **cryptojacking campaign** is using **SEO poisoning** and, in some cases, **AI chatbot recommendations** to steer users toward malicious download pages for trusted utili...
AI chatbot cryptojacking campaign targeting high-performance GPU users
CampaignAbout this happening: An active **cryptojacking campaign** is using **SEO poisoning** and, in some cases, **AI chatbot recommendations** to steer users toward malicious download pages for trusted utili...
Fake Gemini CLI and Claude Code SEO-poisoning infostealer campaign
Campaign
H score33
First: 22.05.2026 14:30
Last: 22.05.2026 14:30
Sources 1
About this happening:
**Cyber threat actors** ran a **malicious SEO-poisoning campaign** that impersonated **Google Gemini CLI** and **Anthropic Claude Code** to push malicious downloads. The operation...
Fake Gemini CLI and Claude Code SEO-poisoning infostealer campaign
CampaignAbout this happening: **Cyber threat actors** ran a **malicious SEO-poisoning campaign** that impersonated **Google Gemini CLI** and **Anthropic Claude Code** to push malicious downloads. The operation...
Code of conduct-themed Microsoft AiTM phishing campaign
Campaign
H score53
First: 05.05.2026 09:35
Last: 05.05.2026 09:35
Sources 1
About this happening:
A **large-scale phishing campaign** used code of conduct-themed lures and **legitimate email services** to push victims to attacker-controlled domains and steal **authentication t...
Code of conduct-themed Microsoft AiTM phishing campaign
CampaignAbout this happening: A **large-scale phishing campaign** used code of conduct-themed lures and **legitimate email services** to push victims to attacker-controlled domains and steal **authentication t...
OAuth device-code phishing campaign targeting SaaS accounts
Campaign
H score43
First: 04.04.2026 17:17
Last: 04.04.2026 17:17
Sources 1
About this happening:
A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...
OAuth device-code phishing campaign targeting SaaS accounts
CampaignAbout this happening: A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...
Phantom Stealer Europe phishing campaign
Campaign
H score33
First: 31.03.2026 17:00
Last: 31.03.2026 17:00
Sources 1
About this happening:
A **sustained phishing campaign** delivered **Phantom Stealer** to organizations in **logistics, manufacturing and technology** across **Europe**, creating a broad credential-thef...
Phantom Stealer Europe phishing campaign
CampaignAbout this happening: A **sustained phishing campaign** delivered **Phantom Stealer** to organizations in **logistics, manufacturing and technology** across **Europe**, creating a broad credential-thef...
Timeline
-
22.10.2025 18:00 2 articles · 8mo ago
MuddyWater phishing campaign disclosure against international organizations
Initial DisclosureGroup-IB disclosed a phishing campaign attributed with high confidence to the Iran-linked threat actor MuddyWater, which targeted international organizations across multiple regions by abusing compromised email accounts and a mailbox accessed via NordVPN to send trusted-looking emails. The malicious Microsoft Word attachments urged recipients to enable macros; once activated, the macros launched Phoenix v4, while investigators also identified PDQ, Action1, ScreenConnect, Chromium_Stealer, and screenai[.]online infrastructure.
Show sources
- MuddyWater Uses Compromised Mailboxes in Global Phishing Campaign — www.infosecurity-magazine.com — 22.10.2025 18:00
- MuddyWater Uses Compromised Mailboxes in Global Phishing Campaign — www.infosecurity-magazine.com — 22.10.2025 18:00