- Group-IB links a macro-based phishing campaign to Iranian threat actor MuddyWater
- Attackers used fake emails and Word documents to deploy Phoenix v4 and other malware
- Despite macro blocking since 2022, outdated techniques are still being used in the wild
It’s October 2025, but some cybercriminals are still trying to deliver malware via Microsoft Word macros, experts have warned.
Recently, security researchers at Group-IB discovered a new cyberespionage campaign that begins with compromised email accounts, which the threat actors used to distribute phishing emails. These messages targeted international organizations in different regions of the world and mimicked authentic correspondence to increase the chances that victims would actually open them.
The messages also carried malicious attachments: Microsoft Word documents that, once opened, encouraged victims to enable macros. If they do, the macros execute embedded Visual Basic code, which in turn deploys the Phoenix v4 backdoor.
Macros are dead, long live macros!
As is usual for backdoors, Phoenix v4 gives attackers remote control and comes with advanced persistence mechanisms. The attackers also dropped various remote monitoring and management tools (PDQ, Action1 and ScreenConnect) as well as an infostealer named Chromium_Stealer capable of capturing browser data from Chrome, Edge, Opera and Brave.
Until mid-2022, macro-enabled Office documents were among the most popular malware delivery methods used by phishing operators worldwide.
However, in mid-2022, Word (along with Excel, PowerPoint, Access, and Visio) began blocking macros by default in downloaded or email-delivered files that are marked as coming from the Internet (i.e., files carrying the "Mark of the Web"), forcing threat actors to pivot to other formats.
Macro-enabled Office files as phishing lures almost died that day.
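Because the lure in this campaign still depends on a VBA project inside the attachment, the cheapest defensive check is to look for that project before the file ever reaches a user. The script below is an added example for this article, not Group-IB's or TechRadar's code: it builds two constructed .docx containers in memory (one clean, one with a `word/vbaProject.bin` part, which is where OOXML stores macros) and classifies them the way a mail-gateway or triage script would. File names, the placeholder macro bytes and the `classify_attachment` labels are assumptions made for the example.

```python
"""Flag Office attachments that carry a VBA macro project.

Added example for this article (not Group-IB's or TechRadar's code).
The two .docx files are constructed in memory so the script runs offline.
"""
import io
import zipfile

# OOXML (.docx/.docm/.xlsx/...) is a zip; macros live in these parts.
VBA_PART_NAMES = ("vbaproject.bin", "vbadata.xml")
# [Content_Types].xml declares the macro part with this MIME type.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Legacy binary .doc/.xls files are OLE2 compound documents; their VBA
# streams need a separate parser, so we only flag them for deeper review.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def find_vba_parts(data: bytes) -> list[str]:
    """Return the zip member names of VBA parts found in an OOXML file.

    Inspects the container, not the file extension: the extension is
    attacker-controlled, the zip directory is not.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        hits = [
            name for name in zf.namelist()
            if name.lower().rsplit("/", 1)[-1] in VBA_PART_NAMES
        ]
        try:
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        except KeyError:
            content_types = ""
        # A declared VBA content type with no matching part is still suspicious
        # (part renamed or stripped), so report the manifest itself.
        if VBA_CONTENT_TYPE in content_types and not hits:
            hits.append("[Content_Types].xml")
    return hits


def classify_attachment(data: bytes) -> str:
    """Coarse verdict for an attachment body: macro / legacy-ole / ooxml-clean / unknown."""
    if data.startswith(OLE2_MAGIC):
        return "legacy-ole"      # needs OLE VBA-stream parsing (e.g. oletools)
    if find_vba_parts(data):
        return "macro"
    if zipfile.is_zipfile(io.BytesIO(data)):
        return "ooxml-clean"
    return "unknown"


def build_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML container for the example (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        types = [
            '<?xml version="1.0" encoding="UTF-8"?>',
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
            '<Default Extension="xml" ContentType="application/xml"/>',
            '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>',
        ]
        if with_macro:
            types.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
        types.append("</Types>")
        zf.writestr("[Content_Types].xml", "".join(types))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes; a real vbaProject.bin is itself an OLE2 file.
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample attachments; names are illustrative only.
    samples = {
        "invoice.docx": build_docx(with_macro=False),
        "invoice_signed.docx": build_docx(with_macro=True),
        "old_report.doc": OLE2_MAGIC + b"\x00" * 32,
        "notes.txt": b"plain text, not an Office file",
    }
    for name, body in samples.items():
        print(f"{name:22} -> {classify_attachment(body):11} {find_vba_parts(body)}")
```

The check only tells you that a macro project is present, not whether Word would run it; that depends on the Mark of the Web, which is an NTFS `Zone.Identifier` alternate data stream and is not visible to a scanner running off-host. On the receiving Windows machine, `Get-Content .\invoice.docx -Stream Zone.Identifier` shows whether the stream is still attached, and a lure that arrives inside an archive or on removable media may have lost it, which is the gap these campaigns count on.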
Group-IB attributed this campaign to MuddyWater, an Iranian state-sponsored threat actor. Ironically, this campaign proves once again that government agencies tend to use outdated technologies and techniques, and it seems that even hackers are not immune to it.
The researchers said the code in this campaign overlaps with code found in previous MuddyWater attacks, and that the domain infrastructure, malware samples and targeting patterns all point to MuddyWater as well.
Via Information Security Magazine