![The cyber espionage group MuddyWater is a part of Iran's Ministry of Intelligence and Security (MOIS). MuddyWater has been targeting government and corporate entities in the Middle East, Asia, Africa, Europe, and North America since at least 2017.](https://www.humanitynewsworld.com/wp-content/uploads/2025/10/Photo_1761267402775_copy_1000x625.png)
The cyber espionage group MuddyWater is a part of Iran’s Ministry of Intelligence and Security (MOIS). [1] MuddyWater has been targeting government and corporate entities in the Middle East, Asia, Africa, Europe, and North America since at least 2017. These entities come from a variety of industries, including telecommunications, local government, defense, and oil and natural gas.
Custom malware, credential theft, and the use of legitimate tools for persistence and lateral movement are just a few of MuddyWater’s adaptive strategies. Data exfiltration, espionage, and gaining persistent access within targeted networks are the main focuses of the group’s operations. The fact that their
In order to obtain foreign intelligence, Group-IB Threat Intelligence recently uncovered a sophisticated phishing campaign that was planned by the Advanced Persistent Threat (APT) MuddyWater and targeted multinational organizations all over the world.
The threat actor used NordVPN, a legitimate service, to gain access to the hacked mailbox. MuddyWater then used it to send phishing emails that looked like real correspondence. By taking advantage of the authority and confidence that come with these kinds of communications, the campaign improved its chances of tricking recipients into opening the malicious attachments.
According to Group-IB Threat Intelligence, the victims were urged to enable macros in order to view the Microsoft Word documents attached to the phishing emails. Enabling macros caused the documents to run malicious Visual Basic for Applications (VBA) code, which ultimately installed version 4 of the Phoenix backdoor on the victim’s machine.
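The infection chain described above depends on the recipient enabling macros in an attached Word document. A mail gateway or endpoint triage script can flag macro-carrying Office attachments before a user ever sees the "Enable Content" prompt. The following is an added example written for this article; it is not code from the original report, from Group-IB, or from any named vendor. It inspects an OOXML Word container (.docx/.docm) for the two indicators that a VBA project is present: the `word/vbaProject.bin` part and the macro-enabled main content type. The sample documents it checks are constructed in memory so the script runs offline; the `vbaProject.bin` payload is a placeholder, not a real VBA stream.

```python
import io
import zipfile

# Content type Word assigns to the main part of a macro-enabled (.docm) document.
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = (
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
)


def docx_macro_indicators(data: bytes) -> dict:
    """Return macro indicators for an OOXML Word document given as bytes.

    Keys:
      is_ooxml                   - the bytes parsed as a ZIP container
      has_vba_project            - a word/vbaProject.bin part exists
      macro_enabled_content_type - [Content_Types].xml declares the .docm main part
    """
    result = {
        "is_ooxml": False,
        "has_vba_project": False,
        "macro_enabled_content_type": False,
    }
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Not OOXML: legacy binary .doc (OLE2) or something else entirely.
        return result
    result["is_ooxml"] = True
    names = zf.namelist()
    # Part names are case-insensitive in OPC, so normalise before comparing.
    result["has_vba_project"] = any(n.lower() == "word/vbaproject.bin" for n in names)
    if "[Content_Types].xml" in names:
        content_types = zf.read("[Content_Types].xml").decode("utf-8", errors="replace")
        result["macro_enabled_content_type"] = MACRO_CONTENT_TYPE in content_types
    return result


def should_quarantine(data: bytes) -> bool:
    """Policy helper: hold any Word attachment that carries a VBA project."""
    ind = docx_macro_indicators(data)
    return ind["has_vba_project"] or ind["macro_enabled_content_type"]


def build_sample_doc(with_macro: bool) -> bytes:
    """Construct a minimal OOXML container for testing (constructed sample, not a real file)."""
    buf = io.BytesIO()
    main_ct = MACRO_CONTENT_TYPE if with_macro else PLAIN_CONTENT_TYPE
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        "</Types>"
    )
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a VBA project stream (constructed).
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("macro-enabled", build_sample_doc(True)), ("plain", build_sample_doc(False))):
        print(label, docx_macro_indicators(doc), "quarantine =", should_quarantine(doc))
```

Two caveats for use in a real pipeline: the check only covers OOXML containers, so a legacy binary `.doc` (an OLE2 file, which fails the ZIP parse here) needs a separate OLE parser such as oletools' `olevba`; and a file whose name ends in `.docx` but which contains `vbaProject.bin` is itself a mismatch worth flagging, since Word will still offer to enable the macros.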
Nozomi Networks Labs has seen a 133% rise in cyberattacks from well-known Iranian threat actor organizations in May and June due to the most recent Iranian war.
The Transportation and Manufacturing sectors were the targets of MuddyWater, APT33, OilRig, CyberAv3ngers, FoxKitten, and Homeland Justice, according to Nozomi Networks Labs.