
MuddyWater phishing campaign targeting government organizations in the Middle East and North Africa

Campaign
Happening score: 38
1 unique source, 1 article

Summary


MuddyWater ran a phishing campaign that reached more than 100 government entities across the Middle East and North Africa, raising the risk of credential theft and follow-on compromise. The operation started on August 19 and used a compromised account accessed through the NordVPN service. It also deployed Phoenix backdoor v4, showing a multi-stage intrusion chain beyond simple email lures. The server-side C2 component was taken down on August 24, suggesting a shift to other tools for post-compromise activity.

Related Happenings

Webworm expanded European government and South Africa university espionage campaign

Campaign
First: 20.05.2026 14:30 Last: 20.05.2026 14:30 Sources 1

About this happening: Webworm expanded its **2025 espionage campaign** into **European government organizations** and a **university in South Africa**, widening the cross-region targeting risk. The ope...

Interpol Operation Ramz cybercrime crackdown in MENA

Law Enforcement
First: 18.05.2026 17:00 Last: 18.05.2026 17:00 Sources 1

About this happening: **INTERPOL**'s **Operation Ramz** led to **more than 200 arrests** across the **Middle East and North Africa**, with law enforcement also identifying **382 additional suspects** i...

FBI-led takedown of W3LL phishing network

Law Enforcement
First: 13.04.2026 13:35 Last: 13.04.2026 13:35 Sources 1

About this happening: **FBI Atlanta** and **US and Indonesian law enforcement** took down the **W3LL** phishing network, escalating a cross-border cybercrime case tied to **more than $20 million in fra...

TA416 European government espionage campaign

Campaign
First: 01.04.2026 15:05 Last: 01.04.2026 15:05 Sources 1

About this happening: TA416 has resumed **cyber espionage** activity, targeting **European governments** and **EU/NATO diplomatic missions** with a renewed malware-delivery operation that raises cross-...

Latest development: 03.04.2026 20:34

TA416 expanded its espionage campaign to Middle Eastern government and diplomatic entities after the outbreak of the U.S.-Israel-Iran conflict in late February 2026, while linking to archives hosted on Google Drive or a compromised SharePoint instance to refine its PlugX delivery chain and collect regional intelligence.

Tycoon2FA phishing campaign resumes after takedown

Campaign
First: 23.03.2026 18:05 Last: 23.03.2026 18:05 Sources 1

About this happening: **Tycoon2FA** has resumed a **broad phishing campaign** after a **major takedown**, and it is again **compromising email accounts** while **bypassing MFA**. The operation uses **a...

Timeline

  1. 23.10.2025 00:19 2 articles · 7mo ago

    MuddyWater launches phishing campaign with FakeUpdate and Phoenix v4

    Technical Analysis Update

    MuddyWater launched a phishing campaign from a compromised account accessed through the NordVPN service, sending malicious Word documents with VBA macros to government and international organizations in the Middle East and North Africa, including embassies, diplomatic missions, foreign affairs ministries, and consulates. The macro code wrote the FakeUpdate malware loader to disk and decrypted Phoenix backdoor version 4, which persisted through a Windows Registry change.

  2. 23.10.2025 00:19 1 article · 7mo ago

    MuddyWater takes down server-side C2 on August 24

    Campaign Scope Update

    On August 24, the server and server-side command-and-control component were taken down, suggesting MuddyWater shifted to other tools and malware to collect information from compromised systems.

  3. 23.10.2025 00:19 1 article · 7mo ago

    Group-IB attributes the campaign to MuddyWater

    Attribution Update

    Group-IB attributed the activity to MuddyWater with high confidence, citing reused malware families, macro use, common string-decoding techniques, and targeting patterns, and reported that the campaign reached more than 100 government entities in the Middle East and North Africa.
