The Singapore-based cybersecurity company Group-IB announced that a hacking group affiliated with the Iranian regime, known as “MuddyWater,” has targeted more than 100 organizations across the Middle East and North Africa in a sophisticated phishing campaign.
In a report published on Wednesday, October 22, Group-IB wrote that the attackers used a compromised email account to distribute malware among various organizations, including government institutions.
The main objective of the operation was identified as gathering political and security intelligence from international organizations.
In this campaign, the hackers used NordVPN to log in to the compromised mailbox and sent emails carrying malicious attachments. The attachments were Word documents that, once the recipient enabled macros, executed embedded code and installed version 4 of the Phoenix backdoor on the victim's system.
According to the company's findings, the backdoor was loaded by an injector known as "FakeUpdate," after which it connected to a command-and-control (C2) server to exfiltrate data about the target and receive new commands.
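The attack chain above starts with a macro-bearing Word attachment, so a practical first check for a mail gateway or analyst is whether an incoming Office file actually carries a VBA project, and whether it admits to it. The script below is an added example written for this article, not code from Group-IB or from the reported samples; the documents it inspects are constructed in memory, and the function and constant names are this example's own.

```python
"""Triage OOXML (Word) attachments for embedded VBA projects.

Added example for the attack chain described in the article above. It is not
Group-IB code and says nothing about the Phoenix samples themselves; the
documents it scans are constructed in memory for the demonstration.
"""
import io
import zipfile

# Content type Word assigns to the main part of a macro-enabled (.docm) document.
MACRO_ENABLED_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN = ("application/vnd.openxmlformats-officedocument"
              ".wordprocessingml.document.main+xml")
# Package part under which Word stores the VBA project.
VBA_PART = "word/vbaProject.bin"


def scan_ooxml(data: bytes) -> dict:
    """Return triage findings for one Office package given as raw bytes.

    verdict is one of:
      'not-ooxml'     - not a ZIP package with [Content_Types].xml (e.g. legacy .doc)
      'clean'         - no VBA project part present
      'macro-enabled' - VBA project present and declared as macro-enabled
      'hidden-macro'  - VBA project present but package is labelled as plain .docx
    """
    findings = {"is_ooxml": False, "has_vba_project": False,
                "declares_macro": False, "verdict": "not-ooxml"}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    names = set(zf.namelist())
    if "[Content_Types].xml" not in names:
        return findings
    findings["is_ooxml"] = True
    content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    findings["declares_macro"] = MACRO_ENABLED_MAIN in content_types
    findings["has_vba_project"] = VBA_PART in names
    if findings["has_vba_project"] and findings["declares_macro"]:
        findings["verdict"] = "macro-enabled"
    elif findings["has_vba_project"]:
        # A VBA project the package does not declare means the file is
        # mislabelled (macro content under a .docx-style content type);
        # treat it as more suspicious than an honest .docm.
        findings["verdict"] = "hidden-macro"
    else:
        findings["verdict"] = "clean"
    return findings


def build_doc(macro_enabled: bool, include_vba: bool) -> bytes:
    """Construct a minimal Word package in memory (constructed sample, not a real document)."""
    main_ct = MACRO_ENABLED_MAIN if macro_enabled else PLAIN_MAIN
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        '</Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if include_vba:
            # A real vbaProject.bin is an OLE compound file; a placeholder suffices
            # because this check keys on the part's presence, not its contents.
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("plain .docx", build_doc(False, False)),
        ("honest .docm", build_doc(True, True)),
        ("macro under .docx label", build_doc(False, True)),
    ]
    for label, doc in samples:
        print(f"{label}: {scan_ooxml(doc)['verdict']}")
```

The check deliberately stops at "is there a VBA project and is it declared"; it does not parse macro code. Legacy binary .doc files are OLE containers rather than ZIP packages and come back as `not-ooxml`, so a gateway rule built on this still needs a separate path for them (for example, a tool that extracts VBA from OLE streams) before it can be treated as complete.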
Experts from the company stated that the code structure, control servers, and tools used in this operation match previous MuddyWater campaigns, identifying the group with “high confidence” as the main actor behind the recent attacks.
The report added that the group's toolset includes remote management tools and a credential stealer designed to extract stored passwords from Chromium-based browsers such as Chrome, Brave, and Opera. The stealer was disguised as a calculator application to avoid suspicion.
On October 22, Israel’s National Cyber Directorate also reported detecting a wave of cyberattacks against Israeli IT service companies, which are believed to be linked to the Iranian regime.
The agency stated that a cyberattack on Shamir Medical Center during Yom Kippur, which exposed emails containing sensitive patient information, was an Iranian attempt to disrupt the hospital's operations; the attack was contained before it reached the hospital's central medical record system.
Group-IB emphasized that MuddyWater, attributed to the Iranian regime, remains one of the most active cyber-espionage actors in the region, with its operations expanding beyond the Middle East to Europe, Africa, and North America.
The report stated: “MuddyWater demonstrated an enhanced ability to integrate custom code with commercial tools for improved stealth and persistence.”
Experts warned that, given the group's focus on government targets and the ongoing geopolitical tensions in the region, similar operations are expected to continue.