Iran-Linked MuddyWater Behind Phishing Campaign in MENA
In existence since 2017, MuddyWater, also tracked as TA450 and Seedworm, is believed to operate under Iran’s Ministry of Intelligence and Security.
[Image source: Chetan Jha/MITSMR Middle East]
The Iranian nation-state group MuddyWater was reported to be behind the large-scale phishing campaign that targeted over 100 government entities and international organizations across the Middle East and North Africa.
The link has been established by cybersecurity firm Group-IB.
MuddyWater allegedly orchestrated the attack by using the NordVPN service to access a compromised victim’s email account. It then leveraged this account to send phishing emails carrying malicious Word attachments that prompted recipients to enable content; once enabled, the embedded macros installed the Phoenix backdoor, a piece of malware used for remote control and data collection.
Active since April, Phoenix collects system information such as computer names, Windows versions, and user credentials, giving attackers persistent access for espionage.
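The delivery chain described above (a trusted mailbox, a Word attachment, an "enable content" lure) is one that a mail gateway or SOC triage script can check for mechanically: modern Word files are OOXML zip containers, and a macro-enabled document carries a `word/vbaProject.bin` part. The following is an added example, not code from Group-IB or from this article; the attachment filenames and the minimal in-memory documents are constructed for the demonstration.

```python
import io
import zipfile

# Signature of the legacy OLE/CFB container (.doc/.xls); macros in these cannot be
# confirmed with zipfile alone, so they are routed to deeper inspection instead.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MACRO_FREE_EXTENSIONS = {"docx", "xlsx", "pptx"}


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-style zip, optionally with a VBA project part.
    This is a stand-in for a real attachment, built only so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def has_vba_project(data: bytes) -> bool:
    """Return True if the OOXML container carries a VBA project (i.e. macros)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return False
    return any(n.endswith("vbaproject.bin") for n in names)


def triage_attachment(filename: str, data: bytes) -> dict:
    """Flag an email attachment that matches the macro-lure pattern.

    Checks performed:
      - OOXML container with a VBA project part
      - VBA project hidden behind a nominally macro-free extension (.docx etc.)
      - legacy OLE container, which needs a dedicated VBA parser to clear
    """
    reasons = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

    if data.startswith(OLE_MAGIC):
        reasons.append("legacy OLE Office file; macros cannot be ruled out without deeper parsing")
    elif has_vba_project(data):
        reasons.append("contains VBA project (macros)")
        if ext in MACRO_FREE_EXTENSIONS:
            reasons.append("macro content behind macro-free extension")

    return {"filename": filename, "flag": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed samples: a macro-enabled document, a clean one, and a mislabelled one.
    for name, payload in (
        ("invoice.docm", build_sample(True)),
        ("memo.docx", build_sample(False)),
        ("memo.docx", build_sample(True)),
        ("old_report.doc", OLE_MAGIC + b"\x00" * 8),
    ):
        print(triage_attachment(name, payload))
```

A gateway rule built on this would quarantine flagged attachments (or strip the macro part) before the "enable content" prompt ever reaches a user; the mislabelled-extension check matters because Word still honours the container's contents rather than the file extension.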
“MuddyWater accessed the compromised mailbox through NordVPN (a legitimate service abused by the threat actor), and used it to send phishing emails that appeared to be authentic correspondence,” said security researchers Mahmoud Zohdy and Mansour Alhmoud in the official Group-IB blog.
“By exploiting the trust and authority associated with such communications, the campaign significantly increased its chances of deceiving recipients into opening the malicious attachments.”
“This campaign highlights MuddyWater’s evolving tradecraft and operational maturity,” Group-IB said.
Active since 2017, MuddyWater, also tracked as TA450 and Seedworm, is believed to operate under Iran’s Ministry of Intelligence and Security. It relies primarily on phishing to compromise government, energy, and telecommunications organizations in the Middle East, South Asia, and NATO countries.
The Middle East is currently experiencing a highly concentrated and aggressive cyber threat landscape, with CybelAngel reporting approximately 3,000 cyberattacks across the region in 2024.
In the first half of 2025, Saudi Arabia stood out as a major target, accounting for 63% of all cyber incidents in the Middle East. Over the same period, Microsoft data showed the UAE ranked 9th globally and 2nd in the Middle East and Africa for the frequency of affected customers. Adding to the geopolitical complexity, 64% of cyberattacks targeting Israel were attributed to Iran.