MuddyWater Hackers Launch Phishing Campaign with Phoenix Backdoor

The state-sponsored hacker group MuddyWater has targeted over 100 government entities in a recent phishing campaign. Starting August 19, the group used a compromised email account accessed via NordVPN to send malicious Word documents with macro code. The campaign deployed version 4 of the Phoenix backdoor, which gathers system information and connects to a command-and-control server. Most targets were embassies and diplomatic missions, with the attack likely aiming to gather intelligence from compromised systems.

Latest mentioned: 10-22

Earliest mentioned: 10-22

Sources

thehackernews.com bleepingcomputer.com infosecurity-magazine.com group-ib.com darkreading.com

Also Read

PhantomRaven Supply-Chain Attack Infects npm Ecosystem

Koi Security has discovered a massive supply-chain attack called PhantomRaven, which has infected the npm ecosystem with 126 malicious packages downloaded over 86,000 times. The campaign, active since August 2025, steals npm authentication tokens, GitHub credentials, and CI/CD secrets by concealing malicious code in dependencies. The attackers used Remote Dynamic Dependencies (RDD) to bypass security scanners, making the packages appear harmless. The malware executed automatically during installation, performing aggressive reconnaissance and exfiltration. Koi Security noted the use of AI-driven slopsquatting to create plausible-sounding package names, tricking developers into trusting malicious packages.

10-31Read more →