Group-IB Threat Intelligence uncovered a sophisticated phishing campaign orchestrated by the Advanced Persistent Threat (APT) MuddyWater, targeting international organizations worldwide to gather foreign intelligence.
MuddyWater accessed the compromised mailbox through NordVPN (a legitimate service abused by the threat actor) and used it to send phishing emails that appeared to be authentic correspondence. By exploiting the trust and authority associated with such communications, the campaign significantly increased its chances of deceiving recipients into opening the malicious attachments.
Source: Group-IB
Original article: Unmasking MuddyWater’s New Malware Toolkit Driving International Espionage (October 22, 2025)