Overview
- More than 100 government entities across the Middle East and North Africa were targeted, with most victims in embassies, diplomatic missions, foreign ministries, and consulates, alongside international organizations and telecom firms.
- Attackers used a compromised mailbox accessed through NordVPN to send authentic-looking emails carrying macro-laced Word documents that dropped a FakeUpdate loader and decrypted the Phoenix v4 backdoor.
- Researchers traced the operation’s infrastructure to the domain screenai[.]online and the real IP 159.198.36.115, noting the server was briefly active in August before its command component was taken down on August 24.
- The infrastructure hosted legitimate RMM tools PDQ, Action1, and ScreenConnect, plus a custom Chromium-based credential stealer that impersonated a calculator app to exfiltrate browser credentials.
- Phoenix v4 added COM-based persistence, system profiling, registry changes, and WinHTTP beaconing, with commands for file transfer and shell access.
- Group-IB urged macro restrictions, EDR deployment, phishing training, and IoC monitoring.
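As an added, defender-side example (not from the Group-IB report), this Python snippet shows the kind of IoC monitoring and macro-execution check the recommendations call for: it refangs the published domain and IP, matches them against proxy log lines, and flags child processes spawned by Office applications, which is how a macro-laced document drops a loader. The log formats, field names, the benign-child allowlist and all sample lines are assumptions constructed for the example.

```python
import os
import re
# Indicators published for this campaign, written defanged as analysts share them.
DEFANGED_IOCS = ["screenai[.]online", "159.198.36.115"]

def refang(ioc: str) -> str:
    """Convert analyst-style defanging back into a matchable, lowercased string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()

# Token boundaries so 159.198.36.115 does not also match 159.198.36.1150.
IOC_PATTERNS = [(refang(i), re.compile(r"(?<!\w)" + re.escape(refang(i)) + r"(?!\w)"))
                for i in DEFANGED_IOCS]

def ioc_hits(log_lines):
    """Return (line_no, indicator) for each log line containing a known IoC."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        low = line.lower()
        hits.extend((n, ioc) for ioc, pat in IOC_PATTERNS if pat.search(low))
    return hits

# Office hosts whose children deserve scrutiny (a macro dropping a loader),
# minus children Office spawns legitimately (assumed allowlist, extend as needed).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
BENIGN_CHILDREN = {"splwow64.exe"}
PROC_RE = re.compile(r'parent="(?P<parent>[^"]+)"\s+child="(?P<child>[^"]+)"')

def office_child_processes(proc_events):
    """Return child image paths launched by Office apps, minus known-benign ones."""
    flagged = []
    for ev in proc_events:
        m = PROC_RE.search(ev)
        if not m:
            continue
        parent = os.path.basename(m["parent"].replace("\\", "/")).lower()
        child = os.path.basename(m["child"].replace("\\", "/")).lower()
        if parent in OFFICE_PARENTS and child not in BENIGN_CHILDREN:
            flagged.append(m["child"])
    return flagged

# Constructed sample telemetry (not real data); assumed key=value proxy format.
SAMPLE_PROXY = [
    "09:00:01 src=10.0.0.5 dst=www.example.com status=200",
    "09:00:07 src=10.0.0.5 dst=screenai.online status=200",
    "09:00:09 src=10.0.0.5 dst=159.198.36.115:443 status=200",
]
SAMPLE_PROCS = [
    r'parent="C:\Windows\explorer.exe" child="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"',
    r'parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" child="C:\Windows\splwow64.exe"',
    r'parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" child="C:\Users\Public\update.exe"',
]
```

Running `ioc_hits(SAMPLE_PROXY)` flags lines 2 and 3, and `office_child_processes(SAMPLE_PROCS)` returns only the Word-spawned `update.exe`, since the print helper is allowlisted.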