In recent weeks, the Israel National Cyber Directorate (INCD) has identified a large-scale phishing campaign targeting organizations, employing a method that appears highly credible to recipients. The systematic attack attempts are attributed to the Iranian-linked attack group MuddyWater. A special report on the campaign was released today and will be presented during Cyber Week (CyberWeek) at Tel Aviv University.
As part of the attacks, threat actors breach legitimate organizational email accounts and use them to distribute phishing emails that appear authentic – featuring proper Hebrew, content tailored to the organization’s field of activity, and attachments with relevant filenames. The emails include a malicious Word document, and once the user clicks “Enable Content,” the malicious tool takes control of the workstation. The messages are customized to match the organization’s environment, including the use of official-looking logos, signatures, and documents.
Upon opening the file, a dedicated attack tool known as BlackBeard is installed on the endpoint. This relatively new malware enables the attacker to gain full control of the system, map the environment, bypass security products, and download additional attack components as needed. From the moment of infection, the compromised user’s email account is leveraged to further propagate the attack both inside and outside the organization, reaching thousands of recipients. The malware employs stealthy persistence techniques that allow it to remain active without appearing in locations commonly monitored by security tools. This operational pattern is highly consistent with MuddyWater’s known tactics and has been observed in previous attacks in Israel.
MuddyWater, which operates under Iran’s Ministry of Intelligence, focuses on intelligence collection and establishing long-term footholds within target networks. In recent years, the group has consistently attempted to attack Israeli entities, including government, healthcare, education, and small-to-medium-sized businesses. The group combines self-developed tools with distributed command-and-control infrastructures. Its attack attempts have also been identified in other countries, including Turkey, Afghanistan, Pakistan, the United Arab Emirates, Iraq, the United Kingdom, Azerbaijan, the United States, Egypt, and Nigeria.
The Israel National Cyber Directorate calls on organizations across Israel to exercise heightened vigilance, strictly implement several critical protective measures, and review the published indicators of compromise (IOCs) and recommended mitigation actions.
According to INCD cyber researchers, authors of the report: “The recent attacks once again demonstrate persistent attempts by Iranian actors to infiltrate Israeli networks and establish long-term presence within them. The impersonation, precise language, and legitimate-looking files are all designed to bypass human instinct and lure users into opening the malicious attachment. A single successful intrusion of this kind can rapidly escalate into a widespread attack across entire organizations. This is why the INCD continues to issue updates, warnings, and hands-on guidance to organizations in order to reduce risk and strengthen national cyber resilience.”
Click here for the full report
Related Topics
