
"Each message carried a weaponized Word attachment that asked users to 'Enable Content.' Anyone who did set off a macro that unpacked a loader nicknamed 'FakeUpdate,' which then installed an updated version of the crew's custom backdoor, 'Phoenix.' Once installed, the malware allowed the operators to poke around infected systems, lift credentials, upload or download files, and maintain persistence. Group-IB says the toolkit also pilfered stored browser passwords from Chrome, Edge, Opera, and Brave,"
"More than three-quarters of the victims were diplomatic or government entities, with the rest made up of international organizations and telecom providers, according to Group-IB, which didn't name any specific targets. While MuddyWater's tradecraft has long leaned heavily on phishing and social engineering, the scale of this latest campaign suggests either a ramp-up in capability or an unusually broad collection requirement from Tehran's spymasters."
The campaign began in August and used a compromised enterprise mailbox accessed through NordVPN to send convincing phishing emails to embassies, ministries, and telecom providers across the Middle East and North Africa. Each message included a weaponized Word attachment that prompted users to enable macros, triggering a FakeUpdate loader that installed an updated Phoenix backdoor. The malware enabled credential theft, file upload/download, persistence, and browser password extraction from Chrome, Edge, Opera, and Brave. Operators also used legitimate remote-management tools like PDQ and Action1 to blend with admin traffic. Most victims were diplomatic or government entities, indicating expanded collection or capability.
Read at The Register