1. Forum
  2. Fidonet
  3. CONSPRCY

  • MuddyWater hackers use co

    From Mike Powell@1:2320/105 to All on Fri Oct 24 09:46:33 2025
    Iranian MuddyWater hackers use compromised mailboxes for global phishing scams

    Date:
    Thu, 23 Oct 2025 14:25:00 +0000

    Description:
    Hackers are still trying to infect victims via Word macros, despite the technique dying years ago.

    FULL STORY

    Its October 2025, yet some cybercriminals are still trying to deliver malware via Microsoft Word macros, experts have warned.

    Recently, security researchers Group-IB discovered a new cyber-espionage campaign which begins with compromised email accounts, which the threat
    actors used to distribute phishing emails. These messages were targeting international organizations in different regions of the world, mimicking authentic correspondence to increase the chances of the victims actually opening up the emails.

    The messages also carried malicious attachments - Microsoft Word documents which, if opened, urged the victims to enable macros. If they do so, macros would execute embedded Visual Basic code which, in turn, deployed the Phoenix v4 backdoor. Macros are dead, long live macros!

    As is usual for backdoors, Phoenix v4 provides attackers with remote control, and comes with advanced persistence mechanisms. The attackers also dropped different remote monitoring and management (RMM) tools PDQ, Action1 and ScreenConnect) as well as an infostealer named Chromium_Stealer, capable of grabbing browser data from Chrome, Edge, Opera, and Brave.

    Until mid-2022, macro-enabled Office documents were the most popular attack methods for phishing hackers around the world.

    However, mid-2022, Word (along with Excel, PowerPoint, Access, and Visio)
    began blocking macros by default for downloaded or email-delivered files
    marked as coming from the internet (i.e., with the Mark of the Web), forcing threat actors to pivot to other formats.

    Macro-enabled Office files as phishing lures practically died that day.

    Group-IB attributed this campaign to MuddyWater, an Iranian state-sponsored threat actor. Ironically enough, this campaign proves once again that government agencies tend to use outdated technologies and techniques, and it seems that even hackers are not immune to that.

    The researchers said that the code they found in previous MuddyWater attacks overlaps with this one. Domain infrastructure, as well as malware samples,
    are all pointing to MuddyWater, as well as targeting patterns.

    Via Infosecurity Magazine

    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/iranian-muddywater-hackers-use-compromi sed-mailboxes-for-global-phishing-scams

    $$
    --- SBBSecho 3.28-Linux
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)