High-Value Targets: MuddyWater APT Used Compromised VPN Mailbox in Stealth Campaign
Group-IB’s Threat Intelligence team has published a detailed analysis of a new cyber-espionage campaign very likely attributable to the MuddyWater APT. The intrusion began with a compromised mailbox that the attackers accessed via a legitimate NordVPN endpoint. From that account they distributed highly convincing spear-phishing messages containing malicious Microsoft Word documents that were virtually indistinguishable from genuine correspondence. Targets included international organizations and more than a hundred government entities across the Middle East and North Africa; recipients ranged from .gov addresses to personal Gmail, Yahoo and Hotmail accounts, indicating thorough reconnaissance of organizational structures and individual contacts. Group-IB assesses the campaign’s primary objective as intelligence collection from strategically significant victims, including diplomatic and humanitarian institutions.
The weaponized attachments were .doc files with obfuscated content prompting users to “Enable content.” Once macros were enabled, a VBA loader executed and dropped a helper component to disk. That dropper—identified as FakeUpdate—acted as an injector: it decrypted an embedded second stage using AES and mapped it into its own process. The second stage was Phoenix v4, a backdoor that persisted as sysProcUpdate, created a mutex of the same name, harvested host telemetry (computer name, domain or workgroup, Windows version, username), copied itself to C:\ProgramData\sysprocupdate.exe, and established persistence by altering the Shell registry value under HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. The implant then registered with its C2 and polled for commands. Observed capabilities included: code 65 — sleep mode; 68 — exfiltrate a file to the C2; 85 — download data to the host; 67 — spawn a remote shell; 83 — modify polling interval.
Artifact analysis revealed Phoenix v4 also implements an additional autorun vector via a COM object. The main build contains an embedded PE (DLL) that launches C:\Users\Public\Downloads\Mononoke.exe — a technique previously seen with the CannonRat malware family (notably coreglobconfig.dll), which has links to MuddyWater. String-decoding routines match earlier MuddyWater samples. A search for Mononoke.exe uncovered two more builds whose PDB debug path is C:\Users\win10\Desktop\phoenixV4\phoenixV3\phoenixV2\x64\Debug\phoenix.pdb (hashes: 6de859a27ccc784689e8748cef536e32780e498a and bed6506f8f5281888f89781cf6fbc750545292fc), corroborating that multiple Phoenix generations derive from the same codebase and employ several persistence mechanisms beyond the Winlogon modification.
The attackers’ C2 infrastructure centered on the domain screenai[.]online, registered 17 August 2025 at 16:41:01 UTC via NameCheap and delegated to Cloudflare DNS. The domain remained active only for a short window after the initial mailings. SSL certificate data and banner analysis indicate the server’s IP was 159[.]198[.]36[.]115 (an address within NameCheap’s AS); the service was provisioned on 19 August and decommissioned on 24 August 2025. Initially the control panel ran on Uvicorn, later replaced by Apache, which returned 503 Service Unavailable. The site presented itself as “ScreenAI | Your On-Screen Content Genius.” On the same host researchers found an exposed directory served via SimpleHTTP/0.6 (Python 3.10.12) containing post-exploit utilities and remote administration tools (RMM).
Alongside PDQ RMM—already observed in previous MuddyWater campaigns—the infrastructure hosted Action1 and a bespoke stealer, Chromium_Stealer, masquerading as a “calculator” (hxxp://159.198.36[.]115:4444/chromium_stealer_user.exe). The stealer’s behavior is typical of Chromium-focused malware: enumerate profile folders, extract os_crypt.encrypted_key from Local State, decrypt the master key via system crypto APIs, terminate browser processes to unlock their database files, open the Login Data SQLite stores, dump saved credentials, decrypt them and write the results to C:\Users\Public\Downloads\cobe-notes.txt (stored in encrypted form), then restart the browsers to minimize suspicion. Affected browsers included Chrome, Edge, Opera, and Brave. Another stealer on the same infrastructure used string-decoding methods characteristic of MuddyWater and consistent with previously documented samples.
Taken together, multiple indicators strongly support attribution to MuddyWater: the use of proprietary families FakeUpdate and Phoenix, VBA macro logic and code identical to earlier samples (macro hash 40dead1e1d83107698ff96bce9ea52236803b15b63fb0002e0b55af71a9b5e05), the coexistence of PDQ RMM and an in-house stealer with matching decoding techniques, the campaign’s target profile and geographic focus on the Middle East, and reuse of central infrastructure and lures. Group-IB also notes overlapping incidents: a lure replicating an invitation to a government seminar, bearing the same macro code and C2, and a separate file targeting regional energy firms that distributed Phoenix v4 via FakeUpdate from the same C2—interpreted as parallel operations leveraging shared infrastructure.
The campaign reflects heightened maturity in MuddyWater’s toolset and tradecraft. Operators moved from ephemeral spoofed senders to compromised mailboxes, shortened C2 lifespans, blended proprietary malware with legitimate administrative platforms, and employed multiple persistence vectors (registry and COM). The brief five-day active window for the C2 and its subsequent takedown suggest the possibility of other implanted tooling left on victim hosts for ongoing monitoring—consistent with the presence of exposed RMM utilities and post-exploit artifacts on the hosting IP. Group-IB forecasts further waves as MuddyWater refines lures and updates target lists.
Mitigation and detection recommendations flow directly from the attack chain. Organizations should ingest reputable Threat Intelligence feeds with current IOCs and TTPs for MuddyWater and conduct continuous threat hunting for Phoenix/FakeUpdate artifacts (for example, screenai[.]online, sysprocupdate.exe). Deploy YARA rules and signatures in EDR/XDR stacks to detect suspicious PowerShell use, process injection, and changes to autorun configurations. Mail gateways should sandbox and automatically analyze Office attachments with macros, and user awareness training must emphasize the danger of clicking “Enable Content.” At the enterprise level, disable macros by default via Group Policy and allow them only for signed, vetted sources.
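As an added illustration of the hunting recommendation above, and of the Phoenix persistence artifacts described earlier (the Winlogon Shell change, the sysprocupdate.exe drop path, the C2 domain and IP), here is a small Python hunt that is not part of Group-IB's report. It walks Sysmon-style JSON events and reports which rule each one trips. The event records are constructed for the example; field names (EventID, TargetObject, Details, TargetFilename, QueryName, DestinationIp, Image, ParentImage) follow Sysmon's schema, the indicator values are the ones quoted in this article, and every other value (SIDs, ports, the exact Shell string the implant writes) is made up.

```python
import json
import re

# Indicators quoted in the article (refanged for matching); everything else is constructed.
C2_DOMAIN = "screenai.online"
C2_IP = "159.198.36.115"
DROP_PATHS = {
    r"c:\programdata\sysprocupdate.exe",
    r"c:\users\public\downloads\mononoke.exe",
    r"c:\users\public\downloads\cobe-notes.txt",
}
# Matches the Winlogon "Shell" value whether it lives under HKU\<SID> (HKCU) or HKLM.
WINLOGON_SHELL = re.compile(
    r"\\software\\microsoft\\windows nt\\currentversion\\winlogon\\shell$",
    re.IGNORECASE,
)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def check_event(ev):
    """Return the hunt rules one Sysmon-style event matches (empty list if clean)."""
    hits = []
    eid = ev.get("EventID")
    if eid == 13:  # registry value set
        target = ev.get("TargetObject", "")
        details = ev.get("Details", "").strip().lower()
        # The default Shell is explorer.exe; anything else (e.g. an appended implant path) is suspicious.
        if WINLOGON_SHELL.search(target) and details != "explorer.exe":
            hits.append("winlogon_shell_modified")
    elif eid == 11:  # file created
        if ev.get("TargetFilename", "").lower() in DROP_PATHS:
            hits.append("known_drop_path")
    elif eid == 22:  # DNS query
        if ev.get("QueryName", "").lower().rstrip(".") == C2_DOMAIN:
            hits.append("c2_domain_lookup")
    elif eid == 3:  # network connection
        if ev.get("DestinationIp") == C2_IP:
            hits.append("c2_ip_connection")
    elif eid == 1:  # process created
        # A macro dropping a loader usually shows up as an Office process spawning a non-Office child.
        if _basename(ev.get("ParentImage", "")) in OFFICE_APPS and _basename(ev.get("Image", "")) not in OFFICE_APPS:
            hits.append("office_spawned_child")
    return hits


def hunt(lines):
    """Parse JSON-lines events and return (line_index, rule) pairs for every hit."""
    findings = []
    for i, line in enumerate(lines):
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records rather than aborting the hunt
        for rule in check_event(ev):
            findings.append((i, rule))
    return findings


# Constructed sample telemetry: the SID, ports and the Shell string written by the implant are made up.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\ProgramData\sysprocupdate.exe"},
    {"EventID": 13, "Image": r"C:\ProgramData\sysprocupdate.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": r"explorer.exe, C:\ProgramData\sysprocupdate.exe"},
    {"EventID": 22, "Image": r"C:\ProgramData\sysprocupdate.exe", "QueryName": "screenai.online"},
    {"EventID": 3, "Image": r"C:\ProgramData\sysprocupdate.exe",
     "DestinationIp": "159.198.36.115", "DestinationPort": 443},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",  # benign: value left at its default
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": "explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]]

if __name__ == "__main__":
    for idx, rule in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The first five sample records each trip exactly one rule; the last two are benign and produce nothing. The domain and IP checks are the fragile part: the article notes the C2 lived for only five days, so the durable rules are the Winlogon Shell check and the Office-spawns-child check, which do not depend on infrastructure that has already been torn down.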
Additionally, enforce multifactor authentication (MFA) and strictly govern remote administration tools (Action1, PDQ, ScreenConnect) by restricting access to the minimum necessary. Monitor outbound traffic for repetitive HTTP(S) patterns associated with MuddyWater, maintain an accurate asset inventory, apply least-privilege principles, and scrutinize account and email activity originating from unexpected regions or VPN endpoints. Regularly update incident response playbooks for phishing and credential-exfiltration scenarios. Group-IB stresses that the published technical details and indicators are intended solely for defensive research and protection; any offensive use of this intelligence would be unlawful.
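The recommendation to watch outbound traffic for repetitive HTTP(S) patterns is worth making concrete, because Phoenix polls its C2 on a fixed interval (adjustable with command 83). The following Python is an added example, not Group-IB's tooling: it groups a proxy log by client, server and host, computes the gaps between successive requests, and flags pairs whose gaps are nearly constant. The log lines are constructed in a simplified "timestamp client server_ip host" format; the C2 pair reuses the IP and domain quoted in the article, while the client address, the intranet host and all timestamps are made up.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<timestamp> <client> <server_ip> <host>".
LOG_LINES = """
2025-08-20T09:00:00Z 10.0.5.23 159.198.36.115 screenai.online
2025-08-20T09:00:00Z 10.0.5.23 203.0.113.10 intranet.example.com
2025-08-20T09:05:01Z 10.0.5.23 159.198.36.115 screenai.online
2025-08-20T09:10:00Z 10.0.5.23 159.198.36.115 screenai.online
2025-08-20T09:14:59Z 10.0.5.23 159.198.36.115 screenai.online
2025-08-20T09:20:00Z 10.0.5.23 159.198.36.115 screenai.online
2025-08-20T09:25:00Z 10.0.5.23 159.198.36.115 screenai.online
2025-08-20T09:01:12Z 10.0.5.23 203.0.113.10 intranet.example.com
2025-08-20T09:07:40Z 10.0.5.23 203.0.113.10 intranet.example.com
2025-08-20T09:08:02Z 10.0.5.23 203.0.113.10 intranet.example.com
2025-08-20T09:31:55Z 10.0.5.23 203.0.113.10 intranet.example.com
2025-08-20T09:45:10Z 10.0.5.23 203.0.113.10 intranet.example.com
"""


def parse_line(line):
    """Split one log line into (datetime, client, server_ip, host)."""
    ts, client, server, host = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, server, host


def find_beacons(lines, min_hits=5, max_cv=0.1):
    """Return {(client, server_ip, host): (mean_gap_seconds, cv)} for regular pollers.

    cv is the coefficient of variation (stddev / mean) of the gaps between
    requests: a fixed polling loop yields a cv near zero, human browsing does not.
    """
    by_pair = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, client, server, host = parse_line(line)
        by_pair[(client, server, host)].append(ts)

    beacons = {}
    for key, stamps in by_pair.items():
        if len(stamps) < min_hits:  # too few samples to call anything periodic
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:  # every request in the same second: a burst, not a beacon
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons[key] = (round(avg, 1), round(cv, 3))
    return beacons


if __name__ == "__main__":
    for (client, server, host), (gap, cv) in find_beacons(LOG_LINES.splitlines()).items():
        print(f"{client} -> {host} ({server}): every {gap}s, cv={cv}")
```

On the sample data the C2 pair is reported at a 300 s interval with a cv of about 0.003, while the intranet traffic, with gaps ranging from 22 s to 1433 s, is not. Two caveats for production use: an implant that receives command 83 changes its interval mid-stream, so the statistic should be computed over a sliding window rather than the whole day, and an implant that adds random jitter needs a looser max_cv combined with the request count and byte-size regularity as additional signals.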