- Group-IB links macro-based phishing campaign to Iranian threat actor MuddyWater
- Attackers used fake emails and Word documents to deploy Phoenix v4 and other malware
- Despite macros being blocked by default since 2022, this outdated technique is still in use in the wild
It’s October 2025, but some cybercriminals are still trying to distribute malware through Microsoft Word macros, experts have warned.
Recently, security researchers at Group-IB discovered a new cyberespionage campaign that begins with compromised email accounts, which the threat actors used to distribute phishing emails. These messages targeted international organizations in different regions of the world and mimicked authentic correspondence to increase the chances that victims would actually open them.
The messages also carried malicious attachments: Microsoft Word documents that, once opened, urged victims to enable macros. If they did, the macros executed embedded Visual Basic (VBA) code which, in turn, deployed the Phoenix v4 backdoor.
Macros are dead, long live macros!
As is typical for backdoors, Phoenix v4 gives attackers remote control and comes with advanced persistence mechanisms. The attackers also deployed several remote monitoring and management (RMM) tools (PDQ, Action1 and ScreenConnect), as well as an information stealer called Chromium_Stealer, capable of capturing browser data from Chrome, Edge, Opera and Brave.
Until mid-2022, macro-enabled Office documents were the most popular attack method among phishing actors worldwide.
However, in mid-2022, Word (along with Excel, PowerPoint, Access, and Visio) began blocking macros by default for downloaded or emailed files marked as coming from the Internet (i.e., carrying the Mark of the Web), forcing threat actors to switch to other formats.
Macro-enabled Office files as phishing lures pretty much died that day.
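The Mark of the Web block described above only helps once the file has reached the endpoint; a mail gateway can refuse macro-bearing Word attachments before that. The following is an added example, not code from Group-IB or the report, showing how such a check works: an OOXML Word file is a ZIP container, so the presence of `word/vbaProject.bin` and the macro-enabled content type in `[Content_Types].xml` reveal macros without parsing the VBA itself. The `make_sample` helper builds constructed, minimal containers for offline testing; the function and flag names are this example's own.

```python
import io
import zipfile

# Main-part content types Word declares in [Content_Types].xml for .docx and .docm files.
DOCX_MAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
VBA_PART = "word/vbaProject.bin"   # where the VBA project is stored inside the container


def inspect_word_attachment(filename: str, data: bytes) -> dict:
    """Triage an OOXML Word attachment for macro content without a full parser.

    The VBA project lives in word/vbaProject.bin and the content-type catalogue declares
    the macro-enabled main part. A .docm renamed to .docx keeps both markers, so the
    file extension is cross-checked against the contents as well.
    """
    flags = {"is_ooxml": False, "has_vba_project": False,
             "declares_macro_type": False, "extension_mismatch": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return flags                    # legacy OLE2 .doc or junk: needs another check
    with zf:
        flags["is_ooxml"] = True
        names = set(zf.namelist())
        flags["has_vba_project"] = VBA_PART in names
        if "[Content_Types].xml" in names:
            catalogue = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            flags["declares_macro_type"] = MACRO_MAIN_CT in catalogue
    carries_macros = flags["has_vba_project"] or flags["declares_macro_type"]
    flags["extension_mismatch"] = carries_macros and filename.lower().endswith(".docx")
    return flags


def verdict(flags: dict) -> str:
    """Map triage flags to a mail-gateway decision for an inbound Word attachment."""
    if flags["has_vba_project"] or flags["declares_macro_type"]:
        return "quarantine"             # macro-bearing document arriving by e-mail
    if not flags["is_ooxml"]:
        return "review"                 # not OOXML; this check cannot clear it
    return "allow"


def make_sample(with_vba: bool, main_ct: str) -> bytes:
    """Constructed minimal OOXML-shaped container for offline testing (not a real Word file)."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/word/document.xml" ContentType="{main_ct}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr(VBA_PART, b"constructed placeholder, not a real VBA project")
    return out.getvalue()
```

Legacy binary `.doc` files are OLE2 rather than ZIP, so they fall through to "review" here and need a separate parser.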
Group-IB attributed this campaign to MuddyWater, an Iranian state-sponsored threat actor. Ironically, this campaign proves once again that government agencies tend to use outdated technologies and techniques, and it seems that even hackers are not immune to this.
Researchers said the code overlaps with that found in previous MuddyWater attacks, and domain infrastructure, malware samples and targeting patterns all point to MuddyWater as well.
Via Infosecurity Magazine