
MuddyWater Phishing Campaign Using Compromised Mailboxes

3 unique sources, 3 articles

Summary


MuddyWater, an Iran-linked threat actor also tracked as Static Kitten, Mercury, and Seedworm, ran a phishing campaign that targeted more than 100 organizations worldwide, including government entities, embassies, diplomatic missions, foreign affairs ministries, consulates, international organizations, and telecommunications firms in the Middle East and North Africa (MENA) region. The emails were sent from compromised, legitimate mailboxes, so they arrived over a channel recipients already trusted, and carried Microsoft Word documents whose macros dropped and launched version 4 of the Phoenix backdoor, which gave the operators remote control of the infected hosts. The campaign was active from August 19, 2025 and used a command-and-control (C2) server under the domain screenai[.]online. Alongside the backdoor the operators deployed three remote monitoring and management (RMM) tools and a custom browser credential stealer, Chromium_Stealer; the malware and tools were staged on a temporary Python-based HTTP server hosted on NameCheap infrastructure. The campaign shows how state-backed actors keep abusing trusted communication channels to slip past defenses and reach high-value targets. The server and its server-side C2 component were taken down on August 24, 2025, which likely indicates that the operation moved to a new stage rather than ended.

Timeline

  1. 22.10.2025 18:00 · 3 articles

    MuddyWater Phishing Campaign Using Compromised Mailboxes

    The campaign started on August 19, 2025. The threat actor is also tracked as Static Kitten, Mercury, and Seedworm. The phishing emails carried Word documents whose macro code decoded the FakeUpdate loader and wrote it to disk; the loader in turn decrypts an embedded, AES-encrypted payload, the Phoenix backdoor. Phoenix establishes persistence through a Windows Registry entry, and version 4 adds a COM-based persistence mechanism and several functional changes over earlier versions. Once running, the backdoor profiles the host by collecting system information, then connects to its command-and-control (C2) server over WinHTTP and begins beaconing and polling for commands. Phoenix v4 supports the commands Sleep, Upload file, Download file, Start shell, and Update sleep interval. The custom infostealer copies the credential database of Chrome, Opera, Brave, and Edge (all Chromium-based, so the same 'Login Data' store applies to each), retrieves the browser's master key, and uses it to decrypt the stored credentials. The attacker's infrastructure also hosted the PDQ software deployment and management utility and the Action1 RMM tool. The server and its server-side C2 component were taken down on August 24, 2025, likely indicating that the operation moved to a new stage.


Similar Happenings

Increased Use of ClickFix Attacks by Threat Actors

ClickFix attacks, in which users are tricked into copying a command from a web page and running it themselves, have become a significant source of breaches. They are used by a range of threat actors, including the Interlock ransomware group and state-sponsored APTs, and recent breaches at Kettering Health, DaVita, the City of St. Paul, and Texas Tech University Health Sciences Centers have been linked to ClickFix-style tactics. The technique works because the victim, not a dropper, executes the payload, and because the lure arrives through SEO poisoning, malvertising, and other non-email vectors that email-centric controls never see. Effective defense therefore needs browser-based detection and blocking that intercepts the lure page before the command is copied.

WordPress Sites Exploited for ClickFix Phishing Attacks

WordPress sites are being compromised to inject malicious JavaScript that redirects visitors to phishing pages. The injection uses a theme-related file to load a dynamic payload from a remote server; the payload includes a JavaScript file and a hidden iframe that mimics legitimate Cloudflare assets. The domain involved belongs to a traffic distribution system (TDS) known as Kongtuke. The campaign underlines the need to harden WordPress sites and keep core, themes, and plugins up to date. Separately, a phishing kit named IUAM ClickFix Generator lets attackers build customizable phishing pages that mimic browser verification challenges; it has been used to deploy information stealers such as DeerStealer and Odyssey Stealer, and tools like it lower the barrier to entry for sophisticated, multi-platform attacks. A further ClickFix campaign uses cache smuggling to evade detection: the lure page has the browser fetch a web resource that carries the payload, so the data lands in the browser cache as ordinary web content, and the command the victim is tricked into running then carves it out of the cache files. That final step never downloads a file or contacts the internet itself, which is exactly what download and network-based controls watch for. The lure masquerades as a Fortinet VPN Compliance Checker and executes an obfuscated payload through a PowerShell script.
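To make the cache smuggling step concrete, the added example below (not code from the reported campaign or from this page) shows both halves of the trick and the check a defender can run against it. The attacker side wraps a payload in a body that starts like a JPEG so it is cached as an image, the client side carves the bytes back out between two markers, and the defender side walks a cache directory and flags any entry that begins with an image header but carries a zip or PE body. The marker strings, the fake-image layout, the image disguise itself and the flat cache layout are assumptions for illustration; the reported campaign's markers and the browser's real cache format are not on the page.

```python
"""
Cache smuggling, both sides: a payload hidden inside an image-looking HTTP body,
carved out of the browser cache later, and a scan that catches such entries.
Added example; markers, layout and sample payload are constructed.
"""
import io
import os
import struct
import tempfile
import zipfile

JPEG_SOI = b"\xff\xd8\xff\xe0"                           # how a JPEG starts
START, END = b"<<<cache-start>>>", b"<<<cache-end>>>"    # assumed markers


def wrap_as_fake_image(payload: bytes) -> bytes:
    """Server side: an image-looking body with the payload between markers."""
    return JPEG_SOI + b"\x00" * 16 + START + payload + END + b"\xff\xd9"


def carve(blob: bytes):
    """Client side: pull the bytes between the markers back out of a cache file."""
    i = blob.find(START)
    j = blob.find(END, i + len(START)) if i != -1 else -1
    return blob[i + len(START):j] if i != -1 and j != -1 else None


def looks_like_pe(data: bytes, pos: int) -> bool:
    """'MZ' occurs in random data; confirm via the PE signature e_lfanew points at."""
    if pos + 0x40 > len(data):
        return False
    e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
    return data[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\x00\x00"


def inspect_cache_entry(data: bytes):
    """Defender side: image header followed by a zip or PE body means smuggling."""
    if not data.startswith(b"\xff\xd8\xff"):
        return None
    zip_pos = data.find(b"PK\x03\x04", 4)            # zip local file header
    if zip_pos != -1:
        return ("zip", zip_pos)
    mz = data.find(b"MZ", 4)
    while mz != -1:
        if looks_like_pe(data, mz):
            return ("pe", mz)
        mz = data.find(b"MZ", mz + 2)
    return None


def scan_cache_dir(path: str):
    """Walk a cache directory and report entries that fail the image-only check."""
    hits = []
    for root, _, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                verdict = inspect_cache_entry(fh.read())
            if verdict:
                hits.append((full, *verdict))
    return hits


def demo():
    """Build a smuggled zip and a benign image in a temp 'cache', then scan it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("stage2.ps1", "Write-Host 'constructed sample payload'")
    payload = buf.getvalue()
    with tempfile.TemporaryDirectory() as cache:
        smuggled = os.path.join(cache, "f_000001")
        with open(smuggled, "wb") as fh:
            fh.write(wrap_as_fake_image(payload))
        with open(os.path.join(cache, "f_000002"), "wb") as fh:
            fh.write(JPEG_SOI + b"\x00" * 64 + b"\xff\xd9")   # ordinary image
        hits = scan_cache_dir(cache)
        with open(smuggled, "rb") as fh:
            carved = carve(fh.read())
    return {"hits": len(hits), "kind": hits[0][1] if hits else None,
            "carved_ok": carved == payload}


if __name__ == "__main__":
    print(demo())
```

The defender check deliberately ignores the markers, which an attacker can change at will, and keys on the contradiction between the declared content (an image) and what the body contains (an archive or executable); the PE branch validates the header rather than matching the two bytes "MZ", which otherwise fires constantly on real JPEG data.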

Fileless Phishing Campaign Targets Ukrainian Government Entities

A fileless phishing campaign impersonating the Ukrainian police targets government entities in Ukraine. The emails, disguised as official notices from the National Police of Ukraine, carry an SVG attachment named 'elektronni_zapit_NPU.svg' that embeds an HTML <iframe> element, which redirects the victim to download the next stage. The chain continues through a Compiled HTML Help (CHM) file and an HTML Application (HTA) loader, CountLoader, before the final payloads, Amatera Stealer and PureMiner, are deployed. The stealer harvests credentials, system information, and data from browsers and chat applications, the miner uses the compromised system to mine cryptocurrency, and the attackers can take remote control of victim devices.
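An SVG is XML, so a mail gateway or an analyst can parse an attachment like the one above and refuse anything that carries active content. The script below is an added example, not code from the report; it flags the elements (script, foreignObject, iframe, object, embed) and attributes (on* handlers, javascript: and data:text/html hrefs) that turn an image into a web page. Both sample SVGs are constructed, and the URL inside the iframe is a placeholder, not the campaign's.

```python
"""
Triage of SVG attachments: parse the XML and flag anything that executes or
embeds HTML rather than drawing. Added example with constructed samples.
"""
import xml.etree.ElementTree as ET

# Elements that have no business in an image attachment.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "object", "embed", "frame"}
# href targets that execute or render attacker content instead of pointing at an image.
BAD_SCHEMES = ("javascript:", "data:text/html", "vbscript:")

# Constructed sample: a foreignObject wrapping an HTML iframe, as the report
# describes; the URL is a placeholder (example.invalid is reserved for this).
MALICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     width="1" height="1" onload="location.reload()">
  <foreignObject width="100%" height="100%">
    <iframe xmlns="http://www.w3.org/1999/xhtml"
            src="https://example.invalid/notice/download"
            style="width:100%;height:100%;border:0"></iframe>
  </foreignObject>
  <a xlink:href="javascript:alert(1)"><text>open</text></a>
</svg>
"""

BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="steelblue"/>
</svg>
"""


def local_name(qualified: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return qualified.rsplit("}", 1)[-1].lower()


def triage_svg(text: str):
    """Return (reason, element, value) findings; an empty list means nothing suspicious."""
    findings = []
    root = ET.fromstring(text)
    for el in root.iter():
        tag = local_name(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(("active_element", tag, el.get("src", "")))
        for attr, value in el.attrib.items():
            name = local_name(attr)
            if name.startswith("on"):
                findings.append(("event_handler", tag, f"{name}={value}"))
            elif name == "href" and value.strip().lower().startswith(BAD_SCHEMES):
                findings.append(("dangerous_href", tag, value))
    return findings


if __name__ == "__main__":
    for finding in triage_svg(MALICIOUS_SVG):
        print(finding)
    print("benign:", triage_svg(BENIGN_SVG))
```

Namespaces matter here: the iframe lives in the XHTML namespace and the link uses xlink:href, so matching on local names rather than raw tag strings is what keeps the check from being bypassed by a prefix change. For attachments from untrusted senders, parse with defusedxml rather than xml.etree so entity-expansion tricks cannot exhaust the scanner.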

Oyster Malware Distributed via Fake Microsoft Teams Installers

A malvertising campaign uses SEO poisoning to push fake Microsoft Teams installers that deploy the Oyster backdoor on Windows devices. The campaign, first disclosed by Blackpoint Cyber in September 2025, targets users searching for 'Teams download' and sends them to a site that mimics Microsoft's official download page, where they are offered a malicious MSTeamsSetup.exe instead of the legitimate client. The installer is signed with legitimate code-signing certificates obtained through Trusted Signing, SSL.com, DigiCert, and GlobalSign, which the actor also used for other post-compromise tools. It drops a DLL into the user's %APPDATA% (Roaming) folder and creates a scheduled task for persistence. Oyster, also known as Broomstick and CleanUpLoader, gives attackers remote access to corporate networks for command execution, payload deployment, and file transfer, and has been linked to multiple campaigns and ransomware operations, including Rhysida. In October 2025 Microsoft revoked more than 200 certificates used to sign malicious Teams installers in a wave of Rhysida ransomware attacks. The group behind that activity, Vanilla Tempest, also tracked as VICE SPIDER and Vice Society, is a financially motivated actor focused on deploying ransomware and exfiltrating data for extortion.

APT28 deploys NotDoor backdoor via Microsoft Outlook

APT28, a Russian state-sponsored threat group, has been observed deploying a new backdoor named NotDoor through Microsoft Outlook. The malware abuses Outlook for covert communication, data exfiltration, and malware delivery: it watches incoming mail and is triggered by specific words in a message, which lets the attackers run commands on the victim's computer. NotDoor is loaded by DLL sideloading, with Microsoft's legitimately signed OneDrive.exe as the host binary. Its PowerShell commands are Base64-encoded and, among other things, disable macro security defenses and enable macro execution. The backdoor keeps persistent access to the system and can exfiltrate data as email attachments or upload files to the host. It has been used against companies across several sectors in NATO member countries. It stages files for exfiltration in a folder at %TEMP%\Temp and supports commands to run shell commands, exfiltrate files, and upload files to the victim's computer.
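Both the Base64-encoded PowerShell that NotDoor uses and the command a ClickFix lure (see the first related item above) has the victim paste into the Run dialog end up in process-creation logs as one long `-enc` argument, and the first thing an analyst does is decode it. The added example below (not code from either report or from this page) shows how that argument is built (UTF-16LE, then Base64), decodes it from a command line, and flags writes to the Office security registry values that weaken macro protection. The sample command line is constructed; the value names are standard Office trust settings, and which ones NotDoor actually sets is not stated on the page.

```python
"""
Decode powershell.exe -EncodedCommand arguments from a command line and flag
writes to Office macro-security settings. Added example; the sample is constructed.
"""
import base64
import re

# powershell.exe accepts -e, -ec and any unambiguous prefix of -EncodedCommand.
_PREFIXES = "|".join(["encodedcommand"[:i] for i in range(14, 0, -1)] + ["ec"])
ENC_ARG = re.compile(rf"(?:^|\s)[-/](?:{_PREFIXES})\s+([A-Za-z0-9+/=]+)", re.I)

# Office trust settings a macro-based implant is likely to weaken; they live under
# HKCU\Software\Microsoft\Office\<version>\<application>\Security.
OFFICE_SECURITY_VALUES = {
    "vbawarnings": "1 = enable all macros without warning",
    "accessvbom": "1 = trust access to the VBA project object model",
    "level": "Outlook macro security level (1 = lowest)",
    "loadmacroprovideronboot": "Outlook loads the VBA project at start",
}
OFFICE_SEC_PATH = re.compile(r"software\\microsoft\\office\\[^\s\"']*security", re.I)
SET_VALUE = re.compile(r"-Name\s+['\"]?(\w+)['\"]?", re.I)


def encode_command(script: str) -> str:
    """How an -EncodedCommand argument is built: UTF-16LE text, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script, or None if no valid encoded command is present."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # not Base64, or odd length for UTF-16
        return None


def flag_office_tampering(script: str):
    """Return (value name, meaning) for Office security values the script sets.

    Deliberately coarse: the registry path is often held in a variable (as in the
    sample), so the path and the -Name arguments are matched across the whole script.
    """
    if not OFFICE_SEC_PATH.search(script):
        return []
    flags = []
    for name in SET_VALUE.findall(script):
        meaning = OFFICE_SECURITY_VALUES.get(name.lower())
        if meaning:
            flags.append((name, meaning))
    return flags


# Constructed sample of what a process-creation log line might carry.
SAMPLE_SCRIPT = (
    "$k = 'HKCU:\\Software\\Microsoft\\Office\\16.0\\Outlook\\Security'\n"
    "New-Item -Path $k -Force | Out-Null\n"
    "Set-ItemProperty -Path $k -Name Level -Value 1\n"
    "Set-ItemProperty -Path $k -Name LoadMacroProviderOnBoot -Value 1\n"
)
SAMPLE_CMDLINE = "powershell.exe -nop -w hidden -enc " + encode_command(SAMPLE_SCRIPT)
BENIGN_CMDLINE = "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"


def analyze(cmdline: str):
    """Decode the command line and summarise what it does to Office security."""
    script = decode_encoded_command(cmdline)
    return {"encoded": script is not None,
            "script": script,
            "office_tampering": flag_office_tampering(script) if script else []}


if __name__ == "__main__":
    print(analyze(SAMPLE_CMDLINE))
    print(analyze(BENIGN_CMDLINE))
```

The prefix list is the detail that trips up naive regexes: a rule that only looks for `-EncodedCommand` or `-enc` misses `-e`, `-ec` and `-en`, all of which powershell.exe accepts, while a rule that matches any `-e` also fires on `-ExecutionPolicy`; anchoring the prefix on the following whitespace and then insisting that the value decode as UTF-16LE is what separates the two.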