MuddyWater Phoenix phishing campaign targeting MENA government entities

Campaign
First reported
Last updated
Happening score (H score): 33
1 unique sources, 1 articles

Summary

A newly attributed MuddyWater campaign used a compromised email account to deliver the Phoenix backdoor across MENA, putting over 100 government entities and diplomatic organizations at risk of espionage. The operation matters because it relied on convincing phishing emails to gain access to high-value targets and support intelligence gathering.

Related Happenings

FBI-led takedown of W3LL phishing network

Law Enforcement
First: 13.04.2026 13:35 Last: 13.04.2026 13:35 Sources 1

About this happening: **FBI Atlanta** and **US and Indonesian law enforcement** took down the **W3LL** phishing network, escalating a cross-border cybercrime case tied to **more than $20 million in fra...

Fake shipment tracking SMS phishing campaign

Campaign
First: 16.03.2026 16:45 Last: 16.03.2026 16:45 Sources 1

About this happening: A **global surge** in **fake shipment tracking phishing campaigns** is stealing **funds and credentials** at scale, with activity rising from almost none in 2024 to **over 100 cam...

Operation ForumTroll phishing and Chrome zero-day campaign against Russian organizations

Campaign
First: 27.10.2025 18:37 Last: 27.10.2025 18:37 Sources 1

About this happening: **Operation ForumTroll** was exposed as a **targeted phishing campaign** that used a **Google Chrome zero-day** to compromise selected **Russian organizations**. The operation mat...

Latest development: 17.12.2025 16:54

Kaspersky reported on December 17, 2025 that it detected a new Operation ForumTroll phishing wave in October 2025 targeting Russian scholars and researchers in political science, international relations, and global economics at major Russian universities and research institutions. The attackers used fake eLibrary emails from support@e-library[.]wiki, hosted a copy of elibrary[.]ru on e-library[.]wiki, and personalized ZIP archives named <LastName>_<FirstName>_<Patronymic>.zip for the targeted individuals.

MuddyWater phishing campaign targeting government organizations in the Middle East and North Africa

Campaign
First: 23.10.2025 00:19 Last: 23.10.2025 00:19 Sources 1

About this happening: MuddyWater ran a **phishing campaign** that reached **more than 100 government entities** across the **Middle East and North Africa**, raising the risk of credential theft and fol...

MuddyWater global phishing campaign using compromised email accounts

Campaign
First: 22.10.2025 18:00 Last: 22.10.2025 18:00 Sources 1

About this happening: A newly uncovered **MuddyWater** phishing campaign abused **compromised email accounts** to target **international organizations** across multiple regions, increasing the risk of...

Timeline

  1. 22.10.2025 20:21 2 articles · 7mo ago

    MuddyWater campaign disclosed targeting MENA government entities

    Initial Disclosure

    Group-IB attributed to MuddyWater a MENA-focused espionage campaign in which a compromised email account was used to send phishing messages and distribute the Phoenix v4 backdoor to more than 100 government entities. The operation aimed to infiltrate high-value targets for intelligence gathering, with heavier targeting of embassies, diplomatic missions, foreign affairs ministries, consulates, international organizations, and telecommunications firms. The same reporting also linked the operation to mailbox access that abused NordVPN, weaponized Microsoft Word documents, macro-triggered VBA execution, a FakeUpdate loader, an AES-encrypted Phoenix payload, and a C2 server at 159.198.36[.]115 that hosted RMM utilities and a browser credential stealer.