Iranian MuddyWater hackers use compromised mailboxes for global phishing scams


  • Group-IB links a macro-based phishing campaign to Iranian threat actor MuddyWater
  • Attackers used fake emails and Word docs to deploy Phoenix v4 and other malware
  • Despite macro blocking since 2022, outdated techniques are still being used in the wild

It’s October 2025, yet some cybercriminals are still trying to deliver malware via Microsoft Word macros, experts have warned.

Recently, security researchers at Group-IB discovered a new cyber-espionage campaign that begins with compromised email accounts, which the threat actors used to distribute phishing emails. These messages targeted international organizations in different regions of the world, mimicking authentic correspondence to increase the chances of the victims actually opening the emails.

The messages also carried malicious attachments - Microsoft Word documents which, if opened, urged the victims to enable macros. If they did so, the macros executed embedded Visual Basic code which, in turn, deployed the Phoenix v4 backdoor.

Macros are dead, long live macros!

As is usual for backdoors, Phoenix v4 provides attackers with remote control, and comes with advanced persistence mechanisms. The attackers also dropped several remote monitoring and management (RMM) tools (PDQ, Action1 and ScreenConnect) as well as an infostealer named Chromium_Stealer, capable of grabbing browser data from Chrome, Edge, Opera, and Brave.

Until mid-2022, macro-enabled Office documents were the most popular attack method among phishing hackers around the world.

However, in mid-2022, Word (along with Excel, PowerPoint, Access, and Visio) began blocking macros by default in downloaded or email-delivered files marked as coming from the internet (i.e., carrying the “Mark of the Web”), forcing threat actors to pivot to other formats.

Macro-enabled Office files as phishing lures practically died that day.
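As an added example (not from the article or from Group-IB's report), the PowerShell functions below let a defender verify the two things that make this lure fail on a well-configured Windows host: that a downloaded attachment actually carries the Mark of the Web, and that Office's macro policy is enforced rather than left to defaults. It assumes the Office 16.0 (Office 2016 / Microsoft 365) registry layout and a sample file path.

```powershell
# Added example, not the article's or Group-IB's code. Assumes Office 16.0 registry layout.

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    # The "Mark of the Web" is the Zone.Identifier alternate data stream written by
    # browsers and mail clients. ZoneId=3 means "Internet"; Office uses it to block macros.
    try {
        $ads  = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction Stop
        $zone = $null
        foreach ($line in $ads) {
            if ($line -match '^ZoneId=(\d+)') { $zone = [int]$Matches[1] }
        }
        [pscustomobject]@{ Path = $Path; HasMotW = $true; ZoneId = $zone }
    } catch {
        # No stream: the file was never marked, or the mark was stripped (for example when
        # extracted from a container that does not propagate it). The default block will not apply.
        [pscustomobject]@{ Path = $Path; HasMotW = $false; ZoneId = $null }
    }
}

function Get-OfficeMacroPolicy {
    param([string[]]$Apps = @('Word', 'Excel', 'PowerPoint'))
    foreach ($app in $Apps) {
        $policy = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $user   = "HKCU:\Software\Microsoft\Office\16.0\$app\Security"
        # Policy value 1 = "Block macros from running in Office files from the Internet".
        $block = (Get-ItemProperty -Path $policy -Name blockcontentexecutionfrominternet `
                  -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
        # VBAWarnings: 1 = enable all macros (unsafe), 2 = disable with notification,
        # 3 = disable except digitally signed, 4 = disable all without notification.
        $vba = (Get-ItemProperty -Path $policy -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        if ($null -eq $vba) {
            $vba = (Get-ItemProperty -Path $user -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        }
        $state = if ($block -eq 1) { 'Enforced' }
                 elseif ($null -eq $block) { 'NotSet (default block applies, not enforced by policy)' }
                 else { 'Disabled' }
        [pscustomobject]@{
            App                 = $app
            InternetBlockPolicy = $state
            VBAWarnings         = $vba
            MacrosEnabledAll    = ($vba -eq 1)
        }
    }
}

# Sample usage (constructed path):
Get-MarkOfTheWeb -Path "$env:USERPROFILE\Downloads\invoice.docm"
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

A file with HasMotW = $false or an app reporting MacrosEnabledAll = $true is the condition under which the macro document described above would still run.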


Group-IB attributed this campaign to MuddyWater, an Iranian state-sponsored threat actor. Ironically enough, this campaign proves once again that government agencies tend to use outdated technologies and techniques, and it seems that even hackers are not immune to that.

The researchers said that code found in previous MuddyWater attacks overlaps with this campaign. The domain infrastructure, the malware samples and the targeting patterns all point to MuddyWater.

Via Infosecurity Magazine


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.