MuddyWater was observed deploying the Phoenix backdoor against North African organizations within the energy sector beginning August 2025, providing the group strategic and persistent access for intelligence gathering and potential disruption efforts.
Phoenix
Phoenix is a custom Windows backdoor associated primarily with the Iranian state-aligned threat group MuddyWater, also tracked as Seedworm, TA450, Mango Sandstorm, Static Kitten, MERCURY, and Earth Vetala, and assessed in the reporting as linked to Iran’s Ministry of Intelligence and Security.
Profile source: Mallory opens in a new tabPhoenix
Family profile
Phoenix is a custom Windows backdoor associated primarily with the Iranian state-aligned threat group MuddyWater, also tracked as Seedworm, TA450, Mango Sandstorm, Static Kitten, MERCURY, and Earth Vetala, and assessed in the reporting as linked to Iran’s Ministry of Intelligence and Security. It has been active since at least April 2025 and was used in multiple espionage campaigns across the Middle East and North Africa, including attacks on more than 100 government entities and international organizations, embassies, diplomatic missions, foreign affairs ministries, consulates, North African energy-sector organizations, and other diplomatic, financial, telecommunications, and critical infrastructure targets.
Observed delivery commonly relied on spear-phishing and malicious Microsoft Word documents containing embedded VBA macros. In reported campaigns, victims were prompted to enable content, which executed macro code that wrote a loader to disk and installed Phoenix. Group-IB reported MuddyWater malicious documents with decoy content and VBA macros designed to install Phoenix, and other reporting linked Phoenix delivery to executable files disguised as PDFs and DOC files with macro code. One campaign used a compromised mailbox accessed via NordVPN to distribute the malware.
Phoenix provides remote control and data-collection capability on infected Windows systems. Reported functionality includes collection of system information such as computer name and Windows version, credential theft, beaconing to command-and-control infrastructure via WinHTTP, and support for commands including sleep control, file upload and download, and shell access. Reporting also notes use of a custom browser credential stealer alongside Phoenix in some campaigns.
Version 4 of Phoenix was specifically described in 2025 reporting. In that campaign, a FakeUpdate loader decrypted and installed Phoenix v4 as an AES-encrypted payload written to C:\ProgramData\sysprocupdate.exe. Persistence was established through Windows Registry modification, and Phoenix v4 was reported to include a new COM-based persistence mechanism and functional differences from earlier versions. Group-IB also reported a Phoenix injector used to deploy a stripped-down BugSleep variant, indicating Phoenix also functioned within MuddyWater’s broader malware framework.
Phoenix is repeatedly described as part of MuddyWater’s evolving custom malware ecosystem alongside BugSleep, StealthCache, Fooder, MuddyViper, RustyWater, CHAR, GhostFetch/HTTP_VIP, GhostBackDoor, and UDPGangster. The malware’s operational purpose in the cited campaigns was long-term espionage, persistent access, intelligence gathering, and potential disruption rather than financial gain.
The name Phoenix also appears in unrelated contexts in the source material, including an exploit kit, historical DOS-era virus attribution to Dark Avenger, and references to Android malware lineage. However, the dominant and high-confidence usage in the provided content refers to the MuddyWater/Seedworm Windows backdoor.
Reported operators
Threat actors
2 named in public reporting“It also started using a new framework that we call Phoenix...”
MITRE ATT&CK
Phoenix in ATT&CK
16 distinct techniquesTechniques
16 techniquesReporting
Research mentioning Phoenix
Perseus Android malware evolves from Cerberus and Phoenix for device takeover | brief | SC Media
This sophisticated malware builds upon the foundations of previous threats like Cerberus and Phoenix, evolving into a more capable platform for compromising Android devices.
Perseus Android Malware Steals User Notes and Enables Full Device Takeover
Built on the leaked source code of Cerberus and drawing directly from the Phoenix codebase, Perseus refines and extends the capabilities of its predecessors.
The Iranian Cyber Playbook: What Security Teams Should Expect
Groups such as Seedworm have used custom backdoors—such as the Phoenix malware—to maintain long-term access even after initial vulnerabilities are patched.
Symantec reports Iranian Seedworm hackers infiltrate US infrastructure and defense supply chain networks - Industrial Cyber
In October 2025, the group launched a spear phishing campaign ... to distribute a custom backdoor known as Phoenix to more than 100 government entities and international organizations across the Middle East and North Africa.
Seedworm: Iranian APT on Networks of U.S. Bank, Airport, Software Company | SECURITY.COM
In an October 2025 campaign, Seedworm carried out a sophisticated spear-phishing attack that used a compromised mailbox to distribute a custom backdoor known as Phoenix to international organizations across the Middle East and North Africa (MENA), targeting more than 100 government entities as part of an espionage campaign.
The Iranian Cyber Capability 2026
The group introduced a succession of custom implants, BugSleep, StealthCache, the Phoenix backdoor, the Fooder loader, and the MuddyViper backdoor...
Cyber Threat Profiles of Iranian Threat Actors & Iranian Cyber Proxies | by SIMKRA | Mar, 2026 | OSINT Team
Key Malware: GhostFetch/HTTP_VIP downloaders, GhostBackDoor, CHAR (Rust backdoor), RustyWater, Phoenix, Fooder loader.
ThreatsDay Bulletin: RustFS Flaw, Iranian Ops, WebUI RCE, Cloud Leaks, and 12 More Stories
The Iranian nation-state group known as MuddyWater has been conducting phishing attacks designed to deliver known backdoors such as Phoenix and UDPGangster through executable files disguised as PDFs and DOC files with macro code.