A state-sponsored Iranian hacking group known as MuddyWater has been linked to a large-scale phishing campaign targeting more than 100 government entities and international organizations across the Middle East and North Africa. The campaign — attributed by cybersecurity firm Group-IB to MuddyWater — used a compromised email account to distribute an updated version of the Phoenix backdoor, a piece of Windows malware that gives attackers remote control of infected systems and collects data from them.

According to Group-IB, the hackers accessed the compromised mailbox through the NordVPN virtual private network (VPN) service and sent emails carrying malicious Microsoft Word attachments. When opened, the documents prompted recipients to "enable content," which ran embedded VBA macros that installed the Phoenix backdoor.

Active since at least April, Phoenix can collect system information such as computer names, Windows versions, and user credentials, giving the attackers persistent access for espionage.

Researchers said the target list mixed official government email addresses with personal accounts on services such as Yahoo and Gmail, a sign that the hackers had researched their targets carefully. The campaign also hit global organizations involved in international cooperation and humanitarian work, underscoring what analysts described as the group's "broader geopolitical motivations."

"This campaign highlights MuddyWater's evolving tradecraft and operational maturity," Group-IB said, adding that further activity is likely amid ongoing regional tensions.

MuddyWater, also tracked as TA450 and Seedworm, has been active since at least 2017 and is believed to operate under Iran's Ministry of Intelligence and Security. The group is known for using phishing to compromise government, energy, telecommunications and other critical infrastructure sectors across the Middle East, South Asia, and NATO countries, focusing on long-term intelligence collection rather than financial gain.
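The "enable content" lure described above works because the attachment carries a VBA project that Word will not run until the user clicks through the warning. Defenders screening mail attachments can flag such documents by content rather than by file extension: a macro-enabled OOXML file (.docm, or a renamed .docx) is a ZIP container holding a `word/vbaProject.bin` entry, while legacy binary .doc files are OLE2 compound files that need an OLE parser to inspect. The following Python script is an added example for this article, not code from Group-IB or from the Phoenix malware; the sample documents it builds are constructed stand-ins, not real MuddyWater lures, and the `build_sample` and `classify_attachment` names are the author's own.

```python
import io
import zipfile

# Magic bytes of an OLE2 compound file (legacy .doc/.xls). Macros in these
# files live in a VBA storage that needs an OLE parser such as oletools'
# olevba to inspect, so this script only flags them for deeper analysis.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Content type Word assigns to an embedded VBA project inside OOXML.
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML container, optionally carrying a VBA project.

    This is a constructed stand-in for a macro-enabled Word attachment; the
    payload bytes are placeholders, not a real macro.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        types = b"<Types>"
        if with_macro:
            types += (b'<Override PartName="/word/vbaProject.bin" ContentType="'
                      + VBA_CONTENT_TYPE + b'"/>')
        types += b"</Types>"
        z.writestr("[Content_Types].xml", types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"placeholder-vba")
    return buf.getvalue()


def classify_attachment(data: bytes) -> str:
    """Classify an attachment by content.

    Returns one of:
      'ole-legacy'  - OLE2 binary Office file; hand to an OLE parser
      'ooxml-macro' - OOXML container with an embedded VBA project
      'ooxml-clean' - OOXML container with no VBA project entry
      'other'       - not an Office container at all
    """
    if data.startswith(OLE_MAGIC):
        return "ole-legacy"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            # Check both the part name and the declared content type, so a
            # renamed or oddly cased part still gets caught.
            has_vba_part = any(n.lower().endswith("vbaproject.bin") for n in names)
            has_vba_type = False
            if "[Content_Types].xml" in names:
                has_vba_type = VBA_CONTENT_TYPE in z.read("[Content_Types].xml")
    except zipfile.BadZipFile:
        return "other"
    if has_vba_part or has_vba_type:
        return "ooxml-macro"
    return "ooxml-clean"


def triage(attachments):
    """Return the names of attachments that warrant blocking or sandboxing."""
    suspicious = []
    for name, data in attachments:
        verdict = classify_attachment(data)
        if verdict in ("ooxml-macro", "ole-legacy"):
            suspicious.append((name, verdict))
    return suspicious


if __name__ == "__main__":
    # Constructed mailbox: note the macro-bearing file uses a .docx extension,
    # which is why the check is content-based rather than extension-based.
    inbox = [
        ("agenda.docx", build_sample(with_macro=True)),
        ("minutes.docx", build_sample(with_macro=False)),
        ("old_report.doc", OLE_MAGIC + b"\x00" * 504),
        ("notes.txt", b"plain text, nothing to see"),
    ]
    for name, verdict in triage(inbox):
        print(f"{name}: {verdict}")
```

On a mail gateway this check belongs before the user ever sees the "enable content" bar; for the OLE case, pass the file to an OLE-aware tool rather than trusting the extension, since legacy .doc lures are still common.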