TZUTC: -0500
MSGID: 1622.consprcy@1:2320/105 2d60cd9f
PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1
FORMAT: flowed
Iranian MuddyWater hackers use compromised mailboxes for global phishing scams

Date:
Thu, 23 Oct 2025 14:25:00 +0000

Description:
Hackers are still trying to infect victims via Word macros, despite the
technique dying years ago.

FULL STORY

Its October 2025, yet some cybercriminals are still trying to deliver malware
via Microsoft Word macros, experts have warned. 

Recently, security researchers Group-IB discovered a new cyber-espionage
campaign which begins with compromised email accounts, which the threat 
actors used to distribute phishing emails. These messages were targeting
international organizations in different regions of the world, mimicking
authentic correspondence to increase the chances of the victims actually
opening up the emails. 

The messages also carried malicious attachments - Microsoft Word documents
which, if opened, urged the victims to enable macros. If they do so, macros
would execute embedded Visual Basic code which, in turn, deployed the Phoenix
v4 backdoor. Macros are dead, long live macros! 

As is usual for backdoors, Phoenix v4 provides attackers with remote control,
and comes with advanced persistence mechanisms. The attackers also dropped
different remote monitoring and management (RMM) tools PDQ, Action1 and
ScreenConnect) as well as an infostealer named Chromium_Stealer, capable of
grabbing browser data from Chrome, Edge, Opera, and Brave. 

Until mid-2022, macro-enabled Office documents were the most popular attack
methods for phishing hackers around the world. 

However, mid-2022, Word (along with Excel, PowerPoint, Access, and Visio)
began blocking macros by default for downloaded or email-delivered files
marked as coming from the internet (i.e., with the Mark of the Web), forcing
threat actors to pivot to other formats. 

Macro-enabled Office files as phishing lures practically died that day. 

Group-IB attributed this campaign to MuddyWater, an Iranian state-sponsored
threat actor. Ironically enough, this campaign proves once again that
government agencies tend to use outdated technologies and techniques, and it
seems that even hackers are not immune to that. 

The researchers said that the code they found in previous MuddyWater attacks
overlaps with this one. Domain infrastructure, as well as malware samples, 
are all pointing to MuddyWater, as well as targeting patterns. 

 Via Infosecurity Magazine 

======================================================================
Link to news story:
https://www.techradar.com/pro/security/iranian-muddywater-hackers-use-compromi
sed-mailboxes-for-global-phishing-scams

$$
--- SBBSecho 3.28-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700
SEEN-BY: 226/30 227/114 229/110 111 206 300 307 317 400 426 428 470
SEEN-BY: 229/664 700 705 266/512 291/111 320/219 322/757 342/200 396/45
SEEN-BY: 460/58 633/280 712/848 902/26 2320/0 105 304 3634/12 5075/35
PATH: 2320/105 229/426