Finance Executives Across Five Continents Targeted in New Espionage Campaign Attributed to MuddyWater
A spear-phishing campaign attributed to the Iranian state-sponsored group MuddyWater (aka Mango Sandstorm, Static Kitten) has been uncovered, targeting Chief Financial Officers (CFOs) and finance executives across multiple continents. The investigation from Hunt.io reported that "a sophisticated spear-phishing campaign is actively targeting CFOs and finance executives across multiple continents, leveraging legitimate remote-access tools, such as NetBird, to maintain persistent control over compromised systems." The campaign relied on spear-phishing emails impersonating Rothschild & Co recruiters, directing victims to Firebase-hosted phishing pages featuring CAPTCHA challenges designed to deceive users into downloading malicious ZIP archives. Infrastructure analysis, including overlaps with past campaigns and hosting on IP address 192.3.95[.]152, provided indicators tying the operation to MuddyWater, reinforcing the group’s established pattern of using social engineering and legitimate remote access tools to infiltrate targets in Africa, Asia, Europe, North America, and South America.
Hunt.io’s investigation revealed that upon downloading the ZIP file, victims were lured into executing a malicious VBScript file, which had a noted creation timestamp of May 27, 2025. This script initiated the attack by launching a browser window as a distraction while invoking a hidden PowerShell instance to execute further stages. The PowerShell commands extracted and installed NetBird and OpenSSH MSI packages, configured them to start automatically, and introduced a 60-second delay to ensure stealth before continuing. A new user account was created with administrative privileges, concealed from the login screen through registry modification, and set with a password that never expires. Additional registry edits enabled Remote Desktop Protocol (RDP) access, scheduled tasks were created to maintain persistence, and indicators such as shortcut files were removed with "Remove-Item." Investigation into overlapping infrastructure also revealed abuse of the AteraAgent remote monitoring and management (RMM) tool.
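The persistence steps described above leave a handful of host-side artefacts a defender can audit. The following PowerShell script is an added example, not part of Hunt.io's report or the campaign's tooling; the product names it looks for (NetBird, OpenSSH, AteraAgent) come from the article, the registry locations are standard Windows ones, and it only reads state.

```powershell
# Added audit script: read-only checks for the host artefacts described in the article.
# Registry paths are standard Windows locations; the product names come from the article.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Local accounts hidden from the login screen via the SpecialAccounts\UserList key
$userList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
if (Test-Path $userList) {
    $props = Get-ItemProperty -Path $userList
    foreach ($p in $props.PSObject.Properties) {
        # Provider metadata properties start with "PS"; a value of 0 hides that account
        if ($p.Name -notlike 'PS*' -and $p.Value -eq 0) {
            $findings.Add("Hidden login-screen account: $($p.Name)")
        }
    }
}

# 2. Enabled local administrators whose password never expires
$admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { ($_.Name -split '\\')[-1] }
Get-CimInstance Win32_UserAccount -Filter 'LocalAccount=True' | Where-Object {
    $admins -contains $_.Name -and -not $_.PasswordExpires -and -not $_.Disabled
} | ForEach-Object { $findings.Add("Admin with non-expiring password: $($_.Name)") }

# 3. RDP enabled through the registry (fDenyTSConnections = 0 means connections are allowed)
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) { $findings.Add('RDP enabled (fDenyTSConnections = 0)') }

# 4. Remote-access / RMM products named in the report, looked up in the Uninstall hives
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'NetBird|OpenSSH|Atera' } |
    ForEach-Object { $findings.Add("Remote-access product installed: $($_.DisplayName)") }

# 5. Scheduled tasks whose action launches those tools or PowerShell
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute -match 'netbird|ssh|powershell') {
            $findings.Add("Scheduled task '$($task.TaskName)' runs $($a.Execute) $($a.Arguments)")
        }
    }
}

if ($findings.Count -eq 0) { 'No campaign-style artefacts found.' } else { $findings }
```

Run it elevated; RDP or a non-expiring admin password can be legitimate on a given host, so treat each finding as a lead to correlate with account-creation and MSI-install event timestamps rather than as proof of compromise.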
Attribution was bolstered by infrastructure overlaps between this campaign and previously documented MuddyWater operations. Specifically, the shared use of NetBird setup keys, identical admin account credentials, and reused directory structures across domains indicated consistency in tactics and tooling. Hunt.io also identified phishing kits reused across multiple Firebase and Web App domains, with consistent obfuscation logic and client-side AES decryption scripts. One domain, cloud-ed980[.]firebaseapp[.]com, even leveraged OpenSSL-based AES encryption, a variant delivery technique serving the same end goal. Additional indicators of compromise, such as IP address 198.46.178[.]135 and domains impersonating cloud services, further mapped to the campaign lineage.