- Group-IB links macro-phishing campaign to Iranian actor MuddyWater.
- Attackers used fake emails and Word documents to deploy Phoenix v4 and other malware.
- Despite macros being blocked by default since 2022, outdated techniques are still used in the wild.
It’s October 2025, and yet some cybercriminals are still trying to distribute malware via Microsoft Word macros, experts have warned.
Recently, security researchers at Group-IB discovered a new cyberespionage campaign that begins with compromised email accounts, which malicious actors were using to distribute phishing emails. These messages targeted international organizations in different regions around the world, imitating authentic correspondence to increase the chances that victims would actually open the emails.
The messages also contained malicious attachments – Microsoft Word documents that, if opened, tricked victims into enabling macros. If they did so, the macros would execute embedded Visual Basic code which, in turn, would deploy the Phoenix v4 backdoor.
Macros are dead, long live macros!
As is usual for backdoors, Phoenix v4 gives attackers remote control and comes with advanced persistence mechanisms. The attackers also dropped various remote monitoring and management (RMM) tools (PDQ, Action1 and ScreenConnect), as well as an information stealer named Chromium_Stealer, capable of scraping data from the Chrome, Edge, Opera and Brave browsers.
Until mid-2022, macro-enabled Office documents were the most popular attack method among phishing operators worldwide.
However, in mid-2022, Word (along with Excel, PowerPoint, Access, and Visio) began blocking macros by default in downloaded or emailed files marked as coming from the Internet (i.e., carrying the “Web Mark”, also known as the Mark of the Web), forcing bad actors to turn to other formats.
Macro-enabled Office files as phishing bait all but disappeared that day.
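The blocking rule described above rests on two observable properties of a file: whether the document package contains a VBA project, and whether the file carries a Mark of the Web (the NTFS Zone.Identifier stream). The following triage helper is an added example, not code from the article or from Group-IB; it checks both properties so that a mail-gateway or analyst workflow can flag the exact combination Office blocks by default. The function names, the `triage` verdicts and the minimal sample package it builds are all constructed for illustration; reading the Zone.Identifier stream only works on NTFS volumes, so it is wrapped to fail quietly elsewhere.

```python
"""Flag Office documents that carry a VBA project and a Mark of the Web.

Added example (not from the article or Group-IB). The combination of an
embedded VBA project plus an Internet-zone Mark of the Web is what Office
has blocked by default since 2022; a document with both is exactly the kind
of attachment a phishing lure asks the victim to "enable content" for.
"""
import io
import sys
import zipfile
from typing import Dict, List, Optional

# Locations of a VBA project inside an OOXML (zip-based) package.
VBA_PARTS = {
    "word/vbaProject.bin",
    "xl/vbaProject.bin",
    "ppt/vbaProject.bin",
}

# ZoneId values written into the Zone.Identifier stream by browsers and mail clients.
ZONE_NAMES = {0: "LocalMachine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}


def vba_parts_in_package(data: bytes) -> List[str]:
    """Return the VBA project parts present in an OOXML document.

    Non-zip input (for example a legacy binary .doc) yields an empty list;
    this helper only understands the zip-based formats.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return []
    return sorted(VBA_PARTS & names)


def parse_zone_identifier(text: str) -> Optional[int]:
    """Parse the INI-style Zone.Identifier stream and return its ZoneId."""
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "[zonetransfer]":
            in_section = True
            continue
        if line.startswith("["):
            in_section = False
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid":
                try:
                    return int(value.strip())
                except ValueError:
                    return None
    return None


def read_mark_of_the_web(path: str) -> Optional[int]:
    """Read the Zone.Identifier alternate data stream (NTFS only; None elsewhere)."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


def triage(data: bytes, zone_id: Optional[int]) -> Dict[str, object]:
    """Combine both signals into a simple verdict (constructed policy, not Office's code)."""
    parts = vba_parts_in_package(data)
    # Internet (3) and Restricted (4) are the untrusted zones that carry a Mark of the Web.
    from_internet = zone_id is not None and zone_id >= 3
    if parts and from_internet:
        verdict = "block"
    elif parts:
        verdict = "review"
    else:
        verdict = "allow"
    return {
        "has_vba": bool(parts),
        "vba_parts": parts,
        "zone": ZONE_NAMES.get(zone_id, "unknown") if zone_id is not None else "none",
        "verdict": verdict,
    }


def build_sample_docm(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package for offline testing (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a real OLE-packaged VBA project.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python triage_macros.py file1.docm file2.xlsm ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            result = triage(fh.read(), read_mark_of_the_web(path))
        print(f"{path}: {result}")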
Group-IB attributed this campaign to MuddyWater, an Iranian state-sponsored threat actor. Ironically, this campaign once again proves that government agencies tend to use outdated technologies and techniques, and it seems that even hackers are not safe from this.
Researchers said code found in previous MuddyWater attacks overlaps with this campaign; the domain infrastructure, the malware samples and the targeting patterns all point to MuddyWater as well.
Via Infosecurity magazine