Skip to content
Malware family

Phoenix

Phoenix is a custom Windows backdoor associated primarily with the Iranian state-aligned threat group MuddyWater, also tracked as Seedworm, TA450, Mango Sandstorm, Static Kitten, MERCURY, and Earth Vetala, and assessed in the reporting as linked to Iran’s Ministry of Intelligence and Security.

Profile source: Mallory opens in a new tab

Phoenix

Family profile

Phoenix is a custom Windows backdoor associated primarily with the Iranian state-aligned threat group MuddyWater, also tracked as Seedworm, TA450, Mango Sandstorm, Static Kitten, MERCURY, and Earth Vetala, and assessed in the reporting as linked to Iran’s Ministry of Intelligence and Security. It has been active since at least April 2025 and was used in multiple espionage campaigns across the Middle East and North Africa, including attacks on more than 100 government entities and international organizations, embassies, diplomatic missions, foreign affairs ministries, consulates, North African energy-sector organizations, and other diplomatic, financial, telecommunications, and critical infrastructure targets.

Observed delivery commonly relied on spear-phishing and malicious Microsoft Word documents containing embedded VBA macros. In reported campaigns, victims were prompted to enable content, which executed macro code that wrote a loader to disk and installed Phoenix. Group-IB reported MuddyWater malicious documents with decoy content and VBA macros designed to install Phoenix, and other reporting linked Phoenix delivery to executable files disguised as PDFs and DOC files with macro code. One campaign used a compromised mailbox accessed via NordVPN to distribute the malware.

Phoenix provides remote control and data-collection capability on infected Windows systems. Reported functionality includes collection of system information such as computer name and Windows version, credential theft, beaconing to command-and-control infrastructure via WinHTTP, and support for commands including sleep control, file upload and download, and shell access. Reporting also notes use of a custom browser credential stealer alongside Phoenix in some campaigns.

Version 4 of Phoenix was specifically described in 2025 reporting. In that campaign, a FakeUpdate loader decrypted and installed Phoenix v4 as an AES-encrypted payload written to C:\ProgramData\sysprocupdate.exe. Persistence was established through Windows Registry modification, and Phoenix v4 was reported to include a new COM-based persistence mechanism and functional differences from earlier versions. Group-IB also reported a Phoenix injector used to deploy a stripped-down BugSleep variant, indicating Phoenix also functioned within MuddyWater’s broader malware framework.

Phoenix is repeatedly described as part of MuddyWater’s evolving custom malware ecosystem alongside BugSleep, StealthCache, Fooder, MuddyViper, RustyWater, CHAR, GhostFetch/HTTP_VIP, GhostBackDoor, and UDPGangster. The malware’s operational purpose in the cited campaigns was long-term espionage, persistent access, intelligence gathering, and potential disruption rather than financial gain.

The name Phoenix also appears in unrelated contexts in the source material, including an exploit kit, historical DOS-era virus attribution to Dark Avenger, and references to Android malware lineage. However, the dominant and high-confidence usage in the provided content refers to the MuddyWater/Seedworm Windows backdoor.

Reported operators

Threat actors

2 named in public reporting
MuddyWater

MuddyWater was observed deploying the Phoenix backdoor against North African organizations within the energy sector beginning August 2025, providing the group strategic and persistent access for intelligence gathering and potential disruption efforts.

Turla

“It also started using a new framework that we call Phoenix...”

MITRE ATT&CK

Phoenix in ATT&CK

16 distinct techniques

Reporting

Research mentioning Phoenix

Mar 20
Scworld

Perseus Android malware evolves from Cerberus and Phoenix for device takeover | brief | SC Media

This sophisticated malware builds upon the foundations of previous threats like Cerberus and Phoenix, evolving into a more capable platform for compromising Android devices.

Mar 20
Cyber Security News

Perseus Android Malware Steals User Notes and Enables Full Device Takeover

Built on the leaked source code of Cerberus and drawing directly from the Phoenix codebase, Perseus refines and extends the capabilities of its predecessors.

Mar 17
Cobalt

The Iranian Cyber Playbook: What Security Teams Should Expect

Groups such as Seedworm have used custom backdoors—such as the Phoenix malware—to maintain long-term access even after initial vulnerabilities are patched.

Mar 6
Industrialcyber

Symantec reports Iranian Seedworm hackers infiltrate US infrastructure and defense supply chain networks - Industrial Cyber

In October 2025, the group launched a spear phishing campaign ... to distribute a custom backdoor known as Phoenix to more than 100 government entities and international organizations across the Middle East and North Africa.

Mar 5
Symantec

Seedworm: Iranian APT on Networks of U.S. Bank, Airport, Software Company | SECURITY.COM

In an October 2025 campaign, Seedworm carried out a sophisticated spear-phishing attack that used a compromised mailbox to distribute a custom backdoor known as Phoenix to international organizations across the Middle East and North Africa (MENA), targeting more than 100 government entities as part of an espionage campaign.

Mar 2
Trellix

The Iranian Cyber Capability 2026

The group introduced a succession of custom implants, BugSleep, StealthCache, the Phoenix backdoor, the Fooder loader, and the MuddyViper backdoor...

Mar 1
Osint Team

Cyber Threat Profiles of Iranian Threat Actors & Iranian Cyber Proxies | by SIMKRA | Mar, 2026 | OSINT Team

Key Malware: GhostFetch/HTTP_VIP downloaders, GhostBackDoor, CHAR (Rust backdoor), RustyWater, Phoenix, Fooder loader.

Jan 8
The Hacker News

ThreatsDay Bulletin: RustFS Flaw, Iranian Ops, WebUI RCE, Cloud Leaks, and 12 More Stories

The Iranian nation-state group known as MuddyWater has been conducting phishing attacks designed to deliver known backdoors such as Phoenix and UDPGangster through executable files disguised as PDFs and DOC files with macro code.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.