MUDDYWATER APT GROUP ANALYSIS
THREAT ACTOR: MuddyWater (TA450, Seedworm, Mango Sandstorm)
ATTRIBUTION: High Confidence (Associated with the Iranian Ministry of Intelligence and Security – MOIS)
THREAT LEVEL: HIGH
TARGETED REGIONS: Middle East, North Africa (MENA), Europe, North America
TARGETED SECTORS: Government, Diplomatic Missions, International Organizations, Energy Sector
Executive Summary
The Iran-backed MuddyWater (TA450) APT group has escalated its cyber espionage operations targeting government, diplomatic, and energy entities in the MENA region (including Turkey) using an advanced toolkit.
Attackers bypass security filters and gain the trust of their targets by using compromised corporate email accounts and legitimate services such as NordVPN.
At the heart of the operation are two new custom tools: a backdoor called “Phoenix v4” and a credential stealer called “Chromium_Stealer” that is disguised as a calculator application. They are used alongside legitimate Remote Monitoring and Management (RMM) tools such as PDQ and Action1, whose processes and traffic blend in with normal administration.
This campaign demonstrates that MuddyWater can conduct more covert and persistent operations by blending custom and legitimate tools (a hybrid toolkit).
Campaign Analysis and Attack Chain
MuddyWater’s operation begins with a social engineering tactic based on “trust.”
(Pre-)Initial Access: Attackers log in, through NordVPN, to a legitimate corporate email account they compromised earlier. The VPN hides their real IP addresses, and the mail itself comes from a genuine, trusted sender.
Lure: Phishing emails that read as a continuation of a real correspondence carry a malicious Microsoft Word document (.doc) whose content is withheld until the victim clicks “Enable Content”, which runs the embedded macro.
Loader: The VBA macro writes an injector/loader named “FakeUpdate” to disk as C:\Users\Public\Documents\ManagerProc.log and executes it. FakeUpdate decrypts the AES-encrypted backdoor and injects it into its own process.
Backdoor: The “Phoenix v4” backdoor installs itself by copying itself to C:\ProgramData\sysprocupdate.exe and creating a mutex named “sysprocupdate.exe” so that only one instance runs at a time.
Persistence: Phoenix v4 survives reboots by setting the Shell value under HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. On a healthy system this per-user value is normally absent (the machine-wide default under HKLM is explorer.exe); when it exists it takes precedence for that user at logon, so any non-default content here is a strong signal.
Secondary Tools (Post-Exploitation): Using commands received from the C2 server (screenai[.]online), the attackers install legitimate RMM tools such as PDQ and Action1, as well as the custom Chromium_Stealer, on the host.
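The chain above maps onto a handful of endpoint telemetry checks. The following is an added example (written for this report, not MuddyWater or vendor code) that runs those checks over constructed Sysmon-style events: an Office process writing to or spawning a binary from C:\Users\Public, a file creation at either path named in the report, and a write to the per-user Winlogon\Shell value that is anything other than plain explorer.exe. The event records are made up to mirror the chain; the comma-separated Shell value in the sample is an assumption about how the persistence entry looks, not something the report states.

```python
"""Detection logic for the Phoenix v4 delivery chain, run over constructed
Sysmon-style events.  Example code added to this report, not MuddyWater or
vendor tooling; the events below are made up to resemble the chain."""
import re

# File paths named in the report, lower-cased for comparison.
KNOWN_PHOENIX_PATHS = {
    "c:\\users\\public\\documents\\managerproc.log",  # FakeUpdate loader
    "c:\\programdata\\sysprocupdate.exe",            # Phoenix v4 copy
}
OFFICE_IMAGES = ("winword.exe", "excel.exe", "powerpnt.exe")
USERS_PUBLIC = "c:\\users\\public\\"
# Sysmon reports per-user keys as HKU\<SID>\...; match on the Winlogon\Shell tail.
WINLOGON_SHELL_RE = re.compile(
    r"\\software\\microsoft\\windows nt\\currentversion\\winlogon\\shell$",
    re.IGNORECASE,
)


def _basename(path):
    """Last path component, lower-cased (handles both \\ and / separators)."""
    return re.split(r"[\\/]", path)[-1].lower()


def _alert(rule, ev):
    return {"rule": rule, "event_id": ev["EventID"], "image": ev.get("Image", "")}


def detect(events):
    """Return one alert per (rule, event) match.  Events are dicts that use
    Sysmon field names: EventID 1 (process create), 11 (file create),
    13 (registry value set)."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        if eid == 1:
            parent = _basename(ev.get("ParentImage", ""))
            if parent in OFFICE_IMAGES and image.lower().startswith(USERS_PUBLIC):
                alerts.append(_alert("office_spawns_public_binary", ev))
        elif eid == 11:
            target = ev.get("TargetFilename", "")
            if _basename(image) in OFFICE_IMAGES and target.lower().startswith(USERS_PUBLIC):
                alerts.append(_alert("office_writes_users_public", ev))
            if target.lower() in KNOWN_PHOENIX_PATHS:
                alerts.append(_alert("known_phoenix_path", ev))
        elif eid == 13:
            if WINLOGON_SHELL_RE.search(ev.get("TargetObject", "")):
                # Sysmon puts the new value in "Details"; explorer.exe is the
                # only content a legitimate per-user Shell value should carry.
                new_value = ev.get("Details", "").strip().strip('"').lower()
                if new_value != "explorer.exe":
                    alerts.append(_alert("winlogon_shell_hijack", ev))
    return alerts


WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
LOADER = r"C:\Users\Public\Documents\ManagerProc.log"
BACKDOOR = r"C:\ProgramData\sysprocupdate.exe"

# Constructed events (not real telemetry): the four stages of the chain plus
# two benign records that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": WORD, "TargetFilename": LOADER},
    {"EventID": 1, "Image": LOADER, "ParentImage": WORD},
    {"EventID": 11, "Image": LOADER, "TargetFilename": BACKDOOR},
    {"EventID": 13, "Image": BACKDOOR,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": r"explorer.exe, C:\ProgramData\sysprocupdate.exe"},  # assumed layout
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": "explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The registry rule is deliberately value-based rather than path-based: alerting on the Winlogon\Shell key itself, rather than on a specific attacker path, keeps the rule useful when the backdoor's file name changes.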
Technical Insight: New Tools and Evidence
1. Tool: Phoenix v4 Backdoor
This is the main component of the operation. Its core TTPs are as follows:
File Path: C:\ProgramData\sysprocupdate.exe
Mutex Name: sysprocupdate.exe
Persistence Method: Manipulating the Shell value under HKCU\...\Winlogon.
C2 Communication: Connects to the C2 server over WinHTTP and dispatches on numeric command codes (68: upload file, 85: download file, 67: launch shell). The three codes are the ASCII values of “D”, “U” and “C”, which is worth knowing when writing memory or traffic signatures.
Analyst Note (Evidence Link)
Embedded in Phoenix v4 is a COM-persistence DLL that is not used in this operation. The DLL shares code with “CannonRat,” an older MuddyWater tool, and is designed to execute a file named C:\Users\Public\Downloads\Mononoke.exe. Together with the PDB path (…phoenixV4\phoenixV3\phoenixV2…phoenix.pdb), which also records the tool’s version lineage, these code remnants attribute the tool to MuddyWater with high confidence.
2. Tool: Chromium_Stealer
This tool covers a capability the legitimate RMM tools do not provide: harvesting passwords saved in Chromium-based browsers.
File Name: chromium_stealer_user.exe
Disguise: Appears as a legitimate Calculator application.
Targets: Google Chrome, Opera, Brave, Microsoft Edge.
Tactics
- First, it terminates the running browser processes. Closing the browser releases its lock on the profile database so the file can be read.
- Reads the DPAPI-protected master key (os_crypt.encrypted_key) from the profile’s Local State file.
- Decrypts the password entries in the Login Data (SQLite) database with that key.
- Writes the stolen data, which the source still describes as encrypted, to C:\Users\Public\Downloads\cobe-notes.txt. A practical caveat: entries protected by Chrome’s App-Bound Encryption (blobs prefixed v20, Chrome 127 and later) cannot be decrypted with the DPAPI-protected os_crypt key alone.
- Relaunches the browser with the previous session restored so the user notices nothing.
Infrastructure and Strategic Assessment
The infrastructure selection in this campaign highlights the importance attackers place on operational security:
- Short-lived Infrastructure: The C2 domain screenai[.]online (registered through NameCheap on August 17, 2025) was active for only five days (August 19-24, 2025).
- Hiding: The domain sits behind Cloudflare. The origin IP (159[.]198[.]36[.]115) was uncovered by pivoting on the TLS certificate.
- Server TTP: The origin ran Uvicorn (a Python ASGI web server) for those five days and was then replaced with an Apache instance that returns “503 Service Unavailable” now that the operation is over.
- Open Directory: The origin IP also exposed an open directory on port 4444 serving the tooling (including chromium_stealer_user.exe) from Python’s built-in HTTP server (Server header SimpleHTTP/0.6 Python/3.10.12, i.e. python -m http.server).
- Strategic Implication: MuddyWater exposed its custom tooling only during a short five-day window, then shifted to legitimate RMM tools (PDQ, Action1) for long-term persistence. This is a hide-in-the-noise tactic: once the operators are working through sanctioned administration software, their traffic is hard to distinguish from legitimate RMM activity.
Actionable Intelligence (IOCs)
The following indicators should be searched for retrospectively and blocked in EDR, SIEM and firewall systems.
| Indicator Type | Value | Note |
|---|---|---|
| Domain Name | screenai[.]online | C2, fronted by Cloudflare |
| IP Address | 159[.]198[.]36[.]115 | NameCheap ASN, origin C2 server |
| Port | 4444 | Python http.server on the origin IP, hosting tooling |
| File Path | C:\Users\Public\Documents\ManagerProc.log | FakeUpdate loader |
| File Path | C:\ProgramData\sysprocupdate.exe | Phoenix v4 backdoor |
| File Path | C:\Users\Public\Downloads\cobe-notes.txt | Chromium_Stealer output file |
| File Name | chromium_stealer_user.exe | Chromium_Stealer |
| File Name | Mononoke.exe | Artifact associated with CannonRat |
| Mutex | sysprocupdate.exe | Used by Phoenix v4 |
| Registry Key | HKCU\Software\Microsoft…\Winlogon\Shell | Phoenix v4 persistence point |
| Hash (SHA1) | 6de859a27ccc784689e8748cef536e32780e498a | Phoenix v4 (attributed via the PDB path) |
| Hash (SHA1) | bed6506f8f5281888f89781cf6fbc750545292fc | Phoenix v4 (attributed via the PDB path) |
| Hash (SHA256) | 40dead1e1d83107698ff96bce9ea52236803b15b63fb0002e0b55af71a9b5e05 | Macro code matching past MuddyWater macros |
Defense and Mitigation Recommendations
- Network Level: Immediately block the “screenai[.]online” domain name and the “159[.]198[.]36[.]115” IP address.
- Endpoint (EDR/SIEM): Create detection rules for the file paths, mutex and registry key above. Any process, and in particular one named “sysprocupdate.exe”, writing the HKCU Winlogon\Shell value is a high-priority alert, because that per-user value is normally absent.
- Macro Policy: Block macros in Office files that carry the Mark-of-the-Web (downloaded from the internet or received by email) via Group Policy (GPO). Current Microsoft 365 builds do this by default, but the policy should be enforced centrally so users cannot override it.
- RMM Tools (Critical): Maintain an allow-list of the RMM products the organization actually uses (PDQ, Action1, ScreenConnect, etc.) and of the hosts and accounts permitted to run them. Any RMM agent appearing on an unexpected system (e.g., HR or Finance workstations), installed by an unexpected account, or active at unusual times should be investigated immediately; RMM products not on the list should be blocked outright.
- Awareness: Train staff to treat documents that prompt “Enable Content” as suspicious even when they arrive from a known person or organization, since the sending mailbox itself may be compromised.
- VPN Traffic: Monitor logins to corporate mailboxes from commercial VPN exit nodes (NordVPN, ExpressVPN, etc.) and restrict them where they are not expected; a user who has never used such a service suddenly doing so is itself a signal.
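The RMM recommendation is easiest to operationalise as an allow-list audit. The following is an added example (written for this report, not from any vendor) that checks constructed process-execution events against an inventory of which hosts are sanctioned for each RMM product, and flags executions on unapproved hosts or outside business hours. The RMM_SIGNATURES file-name fragments, the ALLOWLIST inventory and the events themselves are assumptions for illustration; substitute the agent names your own deployments install.

```python
"""RMM allow-list audit over constructed process-execution events.  Example
code added to this report (not vendor tooling): a per-product inventory of
sanctioned hosts is compared with who actually ran an RMM binary, and when.
Agent file-name fragments are assumptions; use the names your RMM installs."""
from datetime import datetime

# Substrings that identify an RMM product from the executing image name.
RMM_SIGNATURES = {
    "action1": ("action1",),
    "pdq": ("pdqdeploy", "pdqconnect", "pdqinventory"),
    "screenconnect": ("screenconnect",),
}

# Hosts on which each product is sanctioned (constructed inventory).
ALLOWLIST = {
    "action1": {"IT-ADMIN-01", "IT-ADMIN-02"},
    "pdq": {"IT-ADMIN-01"},
    "screenconnect": {"IT-ADMIN-02", "HELPDESK-01"},
}


def classify_rmm(image):
    """Map an image path to an RMM product name, or None if it is not RMM."""
    name = image.rsplit("\\", 1)[-1].lower()
    for tool, needles in RMM_SIGNATURES.items():
        if any(needle in name for needle in needles):
            return tool
    return None


def audit_rmm(events, allowlist, business_hours=(7, 19)):
    """Flag RMM executions on hosts not sanctioned for that product, or
    outside business hours.  Each event is a dict with keys host, user,
    image and time (ISO 8601, local)."""
    start, end = business_hours
    alerts = []
    for ev in events:
        tool = classify_rmm(ev["image"])
        if tool is None:
            continue
        reasons = []
        approved = {h.upper() for h in allowlist.get(tool, ())}
        if ev["host"].upper() not in approved:
            reasons.append(f"host not approved for {tool}")
        hour = datetime.fromisoformat(ev["time"]).hour
        if not start <= hour < end:
            reasons.append("execution outside business hours")
        if reasons:
            alerts.append({"host": ev["host"], "user": ev["user"], "tool": tool,
                           "image": ev["image"], "reasons": reasons})
    return alerts


# Constructed events: one sanctioned run, one HR workstation, one finance
# workstation at night, one admin host at night, one non-RMM process.
SAMPLE_EVENTS = [
    {"host": "IT-ADMIN-01", "user": "CORP\\itadmin", "time": "2025-08-21T10:15:00",
     "image": r"C:\Windows\Action1\action1_agent.exe"},
    {"host": "HR-WS-07", "user": "CORP\\hr.user", "time": "2025-08-21T10:20:00",
     "image": r"C:\Windows\Action1\action1_agent.exe"},
    {"host": "FIN-WS-12", "user": "CORP\\fin.user", "time": "2025-08-22T02:30:00",
     "image": r"C:\Program Files\PDQ\PDQConnectAgent\PDQConnectAgent.exe"},
    {"host": "IT-ADMIN-02", "user": "CORP\\itadmin", "time": "2025-08-22T23:10:00",
     "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"},
    {"host": "HR-WS-07", "user": "CORP\\hr.user", "time": "2025-08-21T11:00:00",
     "image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for alert in audit_rmm(SAMPLE_EVENTS, ALLOWLIST):
        print(alert)
```

Feeding this from EDR process-creation telemetry turns the “unexpected system or unexpected time” guidance into a daily report; the inventory, not the signature list, is what needs to be kept accurate.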
Note: A cyber threat intelligence solution provides advance knowledge of the actionable IoCs threat actors use; integrating that feed with the organization’s existing security products enables proactive blocking of campaigns such as this one.