
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   CONSPRCY      How big is your tinfoil hat?      2,445 messages   


   Message 1,865 of 2,445   
   Mike Powell to All   
   MuddyWater hackers use co   
   24 Oct 25 09:46:33   
   
   TZUTC: -0500   
   MSGID: 1622.consprcy@1:2320/105 2d60cd9f   
   PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   BBSID: CAPCITY2   
   CHRS: ASCII 1   
   FORMAT: flowed   
   Iranian MuddyWater hackers use compromised mailboxes for global phishing scams   
      
   Date:   
   Thu, 23 Oct 2025 14:25:00 +0000   
      
   Description:   
   Hackers are still trying to infect victims via Word macros, despite the   
   technique dying years ago.   
      
   FULL STORY   
      
   It's October 2025, yet some cybercriminals are still trying to deliver malware   
   via Microsoft Word macros, experts have warned.    
      
   Recently, security researchers Group-IB discovered a new cyber-espionage   
   campaign which begins with compromised email accounts, which the threat    
   actors used to distribute phishing emails. These messages were targeting   
   international organizations in different regions of the world, mimicking   
   authentic correspondence to increase the chances of the victims actually   
   opening up the emails.    
      
   The messages also carried malicious attachments - Microsoft Word documents   
   which, if opened, urged the victims to enable macros. If they do so, macros   
   would execute embedded Visual Basic code which, in turn, deployed the Phoenix   
   v4 backdoor. Macros are dead, long live macros!    
      
   As is usual for backdoors, Phoenix v4 provides attackers with remote control,   
   and comes with advanced persistence mechanisms. The attackers also dropped   
   different remote monitoring and management (RMM) tools (PDQ, Action1 and   
   ScreenConnect) as well as an infostealer named Chromium_Stealer, capable of   
   grabbing browser data from Chrome, Edge, Opera, and Brave.    
      
   Until mid-2022, macro-enabled Office documents were the most popular attack   
   methods for phishing hackers around the world.    
      
   However, in mid-2022, Word (along with Excel, PowerPoint, Access, and Visio)   
   began blocking macros by default for downloaded or email-delivered files   
   marked as coming from the internet (i.e., with the Mark of the Web), forcing   
   threat actors to pivot to other formats.    
      
   Macro-enabled Office files as phishing lures practically died that day.    
      
   Group-IB attributed this campaign to MuddyWater, an Iranian state-sponsored   
   threat actor. Ironically enough, this campaign proves once again that   
   government agencies tend to use outdated technologies and techniques, and it   
   seems that even hackers are not immune to that.    
      
   The researchers said that the code they found in previous MuddyWater attacks   
   overlaps with this one. Domain infrastructure, as well as malware samples,    
   are all pointing to MuddyWater, as well as targeting patterns.    
      
    Via Infosecurity Magazine    
      
   ======================================================================   
   Link to news story:   
   https://www.techradar.com/pro/security/iranian-muddywater-hackers-use-compromised-mailboxes-for-global-phishing-scams   
      
   --- SBBSecho 3.28-Linux   
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)   
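The Mark of the Web mechanism the story describes, as an added example that is not part of the original post or of Group-IB's research: a small Python triage script (function names are my own, the sample files are constructed stubs, not real documents) that checks whether a Word attachment carries a VBA project and, on an NTFS volume, whether it bears the Zone.Identifier stream that makes Office block its macros by default.

```python
import tempfile
import zipfile
ZONE_INTERNET = 3  # ZoneId value Windows writes for files that came from the Internet

def has_vba_project(path):
    """True if the OOXML container holds an embedded VBA project (vbaProject.bin)."""
    try:
        with zipfile.ZipFile(path) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except (zipfile.BadZipFile, OSError):
        return False  # not an Office Open XML file, or not readable at all

def mark_of_the_web_zone(path):
    """ZoneId from the NTFS Zone.Identifier stream, or None (absent or non-NTFS volume)."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as ads:
            for line in ads:
                key, _, value = line.strip().partition("=")
                if key.lower() == "zoneid":
                    return int(value)
    except (OSError, ValueError):
        pass
    return None

def triage(path):
    """Classify an attachment the way the mid-2022 Office default treats it."""
    macro, zone = has_vba_project(path), mark_of_the_web_zone(path)
    if not macro:
        verdict = "no VBA project"
    elif zone == ZONE_INTERNET:
        verdict = "VBA project with Mark of the Web: Office blocks the macro by default"
    else:
        verdict = "VBA project without Mark of the Web: only the enable-content prompt remains"
    return {"vba": macro, "zone": zone, "verdict": verdict}

def build_sample(path, with_macro):
    """Write a constructed, minimal OOXML stub (not a real document) for testing."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")

def demo():
    """Triage one macro-bearing stub and one plain stub; returns both results."""
    with tempfile.TemporaryDirectory() as tmp:
        docm, docx = f"{tmp}/invoice.docm", f"{tmp}/memo.docx"
        build_sample(docm, True)
        build_sample(docx, False)
        return {"docm": triage(docm), "docx": triage(docx)}
```

On a Linux mail gateway the Zone.Identifier stream never exists, so the script only reports the VBA presence; the Mark of the Web check is meaningful only when run against the file as it sits on the Windows endpoint.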
      
