Unmasking MuddyWater’s New Malware Toolkit Driving International Espionage
ID: 6764b2fa-b5e7-5c88-bb4a-7f6bb3403300
STIX ID: report--6764b2fa-b5e7-5c88-bb4a-7f6bb3403300
Feed Name: Group-IB Blog
Group-IB documents a high-confidence attribution of a MuddyWater espionage campaign in which the actor, connecting through NordVPN, used a compromised mailbox to send macro-enabled Word attachments that installed a FakeUpdate injector and the Phoenix backdoor v4. The actor also hosted a custom Chromium credential stealer and RMM tools on its C2 infrastructure (screenai.online -> 159.198.36.115). The report covers malware and persistence analysis (a Winlogon registry modification and a COM-based persistence DLL), backdoor command mappings, IOCs (file hashes, the domain and the real C2 IP), targeting patterns (governmental and international organizations), and detailed mitigation recommendations.
