MuddyWater global phishing campaign using compromised email accounts
Campaign
Summary
A newly uncovered MuddyWater phishing campaign abused compromised email accounts to target international organizations across multiple regions, increasing the risk of espionage and malware delivery. The operation used trusted-looking emails and malicious Microsoft Word attachments to push recipients into enabling macros. Those macros launched Phoenix v4 and related tooling, giving the actor remote control over infected systems.
Related Happenings
Fake Gemini CLI and Claude Code SEO-poisoning infostealer campaign
Campaign
First: 22.05.2026 14:30
Last: 22.05.2026 14:30
Sources 1
About this happening:
**Cyber threat actors** ran a **malicious SEO-poisoning campaign** that impersonated **Google Gemini CLI** and **Anthropic Claude Code** to push malicious downloads. The operation...
Code of conduct-themed Microsoft AiTM phishing campaign
Campaign
First: 05.05.2026 09:35
Last: 05.05.2026 09:35
Sources 1
About this happening:
A **large-scale phishing campaign** used code of conduct-themed lures and **legitimate email services** to push victims to attacker-controlled domains and steal **authentication t...
OAuth device-code phishing campaign targeting SaaS accounts
Campaign
First: 04.04.2026 17:17
Last: 04.04.2026 17:17
Sources 1
About this happening:
A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...
Phantom Stealer Europe phishing campaign
Campaign
First: 31.03.2026 17:00
Last: 31.03.2026 17:00
Sources 1
About this happening:
A **sustained phishing campaign** delivered **Phantom Stealer** to organizations in **logistics, manufacturing and technology** across **Europe**, creating a broad credential-thef...
Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations
Threat Actor Meta
First: 05.03.2026 08:51
Last: 05.03.2026 08:51
Sources 1
About this happening:
**Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....
Latest development: 17.05.2026 17:43
eSentire says Tycoon2FA now uses device-code phishing to target Microsoft 365 accounts, with invoice-themed lure emails carrying Trustifi click-tracking URLs that redirect through Trustifi, Cloudflare Workers, obfuscated JavaScript layers, and a fake Microsoft CAPTCHA page before sending victims to microsoft.com/devicelogin. The kit also adds anti-analysis defenses, including detection of Selenium, Puppeteer, Playwright, and Burp Suite, plus blocks for security vendors, VPNs, sandboxes, AI crawlers, and cloud providers.
Timeline
- 22.10.2025 18:00 · 2 articles · 7mo ago
MuddyWater phishing campaign disclosure against international organizations
Initial Disclosure: Group-IB disclosed a phishing campaign attributed with high confidence to the Iran-linked threat actor MuddyWater, which targeted international organizations across multiple regions by abusing compromised email accounts and a mailbox accessed via NordVPN to send trusted-looking emails. The malicious Microsoft Word attachments urged recipients to enable macros; once activated, the macros launched Phoenix v4, while investigators also identified PDQ, Action1, ScreenConnect, Chromium_Stealer, and screenai[.]online infrastructure.
Sources
- MuddyWater Uses Compromised Mailboxes in Global Phishing Campaign — www.infosecurity-magazine.com — 22.10.2025 18:00