Iran's favorite muddy-footed cyberespionage crew is at it again, this time breaching more than 100 government entities across the Middle East and North Africa, according to researchers at Group-IB.

The campaign, which began in August, used a compromised enterprise mailbox to sling convincing phishing emails at embassies, ministries, and telecom outfits. The attackers, tracked as MuddyWater (also known as Seedworm and TA450; APT34/OilRig is a separate Iranian crew), were able to send malicious messages from a legitimate address that they accessed through the NordVPN service.

Each message carried a weaponized Word attachment that asked users to "Enable Content." Anyone who did so set off a macro that unpacked a loader nicknamed "FakeUpdate," which then installed an updated version of the crew's custom backdoor, "Phoenix." Onc
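The "Enable Content" lure only works if the attachment actually carries a VBA project, which is something a mail gateway can check before the file ever reaches a user. The following is an added example, not code from Group-IB or anything attributed to MuddyWater: it inspects an OOXML (.docx/.docm) blob for the `word/vbaProject.bin` part and the macro-enabled main content type, and flags the case where a file named `.docx` nevertheless ships a VBA project. The sample documents are constructed in memory with a placeholder VBA blob; the function names and the verdict strings are assumptions for illustration.

```python
import io
import zipfile

# OOXML part and content type that mark a macro-enabled Word document.
VBA_PART = "word/vbaProject.bin"
MACRO_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def inspect_ooxml(data: bytes) -> dict:
    """Return macro indicators for a raw attachment blob."""
    info = {"is_ooxml": False, "has_vba_project": False, "declares_macro_type": False}
    if not data.startswith(b"PK\x03\x04"):          # not a ZIP container at all
        return info
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return info
    with zf:
        names = set(zf.namelist())
        info["is_ooxml"] = "[Content_Types].xml" in names
        info["has_vba_project"] = VBA_PART in names
        if info["is_ooxml"]:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            info["declares_macro_type"] = MACRO_CT in ctypes
    return info


def attachment_verdict(filename: str, data: bytes) -> str:
    """Classify an attachment; 'macro-in-docx' means the extension hides a VBA project."""
    info = inspect_ooxml(data)
    if not info["is_ooxml"]:
        return "not-ooxml"
    if info["has_vba_project"] or info["declares_macro_type"]:
        ext = filename.rsplit(".", 1)[-1].lower()
        return "macro-in-docx" if ext == "docx" else "macro-enabled"
    return "no-macro"


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML document (hypothetical input, not a real lure)."""
    main_ct = MACRO_CT if with_macro else PLAIN_CT
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr(VBA_PART, b"\x00" * 16)   # placeholder, not real VBA
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("report.docm", build_sample(True)),
                       ("report.docx", build_sample(True)),
                       ("report.docx", build_sample(False)),
                       ("notes.pdf", b"%PDF-1.4 constructed")]:
        print(name, attachment_verdict(name, blob))
```

The check is cheap enough to run on every inbound attachment; a verdict of `macro-enabled` or `macro-in-docx` from an external sender is a reasonable quarantine trigger. Legacy binary `.doc` files are OLE containers rather than ZIPs and need an OLE parser (for example oletools' olevba) instead of this routine.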
