All news with #muddywater tag

Iranian APTs Used Cyber Espionage to Guide Missile Strikes

🎯 Amazon’s threat intelligence linked Iran-associated APT activity to missile strikes in the Red Sea and Israel, concluding cyber espionage provided direct targeting intelligence. The group known as Imperial Kitten queried AIS ship-tracking data days before a Houthi missile attempt, while MuddyWater gained access to compromised CCTV streams ahead of strikes on Jerusalem. Amazon terms this trend cyber-enabled kinetic targeting and urges maritime, surveillance, and critical infrastructure operators to expand threat models and harden systems that could be repurposed for physical attacks.

Amazon: Nation-State Cyber-Enabled Kinetic Targeting

🔎 Amazon Threat Intelligence reports a rising trend in which nation-state actors use cyber operations to collect real-time intelligence that directly supports physical attacks. The team calls this behavior cyber-enabled kinetic targeting, documenting campaigns that compromised AIS platforms, CCTV feeds, and enterprise systems. Amazon highlights multi-source telemetry and partner collaboration, urging defenders to expand threat models to address digital activities that enable kinetic outcomes.

Iranian MuddyWater Targets 100+ Governments with Phoenix

⚠ State-sponsored Iranian group MuddyWater deployed version 4 of the Phoenix backdoor against more than 100 government and diplomatic entities across the Middle East and North Africa. The campaign began on August 19 with phishing sent from a NordVPN-compromised account and used malicious Word macros to drop a FakeUpdate loader that writes C:\ProgramData\sysprocupdate.exe. Researchers observed Phoenix v4 using AES-encrypted embedded payloads, COM-based persistence, WinHTTP C2 communications and an accompanying Chrome infostealer, while server-side C2 was taken offline on August 24, suggesting a shift in operational tooling.

Iran-Linked MuddyWater Targets 100+ Organisations Globally

🔒 Group-IB links a broad espionage campaign to Iran-aligned MuddyWater that leveraged a compromised email account accessed via NordVPN to send convincing phishing messages. The actor distributed weaponized Microsoft Word documents that coax recipients to enable macros, which execute VBA droppers that write and decode a FakeUpdate loader. FakeUpdate installs an AES-encrypted payload that launches the Phoenix v4 backdoor. Targets exceeded 100 organisations across the MENA region, predominantly diplomatic and government entities.

MuddyWater Exploits Compromised Mailboxes in Global Phishing

🔒 Researchers have uncovered a global phishing campaign that used compromised mailboxes to deliver malicious Microsoft Word attachments, attributed with high confidence to the Iran-linked actor MuddyWater by Group-IB. The operation abused a NordVPN-accessed mailbox to send trusted-looking messages that prompted users to enable macros, which then installed the Phoenix v4 backdoor. Investigators also found RMM tools (PDQ, Action1, ScreenConnect) and a Chromium_Stealer credential stealer, while infrastructure traced to the domain screenai[.]online and an IP tied to NameCheap-hosted services.