The Iranian hacking group known as MuddyWater has launched a new espionage campaign impacting organizations across nine different countries, spanning four continents, in the first quarter of 2026. This campaign has targeted sectors including industrial and electronics manufacturing, education, financial services, and public-sector bodies.
Among the affected entities is a major South Korean electronics manufacturer, which experienced a network breach that lasted a week in February 2026. The attacks also extended to an international airport in the Middle East, Southeast Asian industrial manufacturers, and a financial services provider in Latin America.
Technical Details of the Campaign
According to Symantec and Carbon Black’s Threat Hunter Team, the attackers relied heavily on DLL side-loading. They used legitimately signed binaries from Fortemedia and SentinelOne to load malicious DLLs disguised as the vendors’ own libraries. Because the host process is a trusted, signed executable, this technique evades conventional security controls that key on the process image rather than on what it loads, allowing the attackers to operate under the radar.
The use of ‘fmapp.exe’ to sideload ‘fmapp.dll’ had been previously documented in connection with MuddyWater’s Operation Olalampo. This DLL is designed to connect to attacker-controlled IP addresses. Similarly, ‘sentinelmemoryscanner.exe’, associated with a security product, was exploited to sideload a rogue DLL, ‘sentinelagentcore.dll’, enhancing the attackers’ ability to evade detection.
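The two side-loading pairs named above can be watched for in endpoint telemetry. The following is an added detection example, not code from the researchers or the article: it scans Sysmon-style ImageLoad (Event ID 7) records for a watched host binary loading its companion DLL and flags the pair when the DLL is not validly signed by the expected vendor, or when a signed pair runs from a user-writable directory. The vendor signer strings, the suspect directories and the sample events are all constructed assumptions.

```python
"""Flag the fmapp.exe / sentinelmemoryscanner.exe side-loading pattern in
Sysmon-style ImageLoad (Event ID 7) records. Sample data is constructed."""
import ntpath
from dataclasses import dataclass
from typing import Optional

# Host binary -> (companion DLL it loads, expected signer substring).
# The pairings come from the campaign write-up; the signer strings are assumptions.
SIDELOAD_PAIRS = {
    "fmapp.exe": ("fmapp.dll", "fortemedia"),
    "sentinelmemoryscanner.exe": ("sentinelagentcore.dll", "sentinelone"),
}
# Directories a vendor-signed binary is not expected to run from (assumption).
SUSPECT_DIRS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\windows\\tasks\\")

@dataclass
class Alert:
    host_image: str
    dll_path: str
    reason: str

def check_image_load(event: dict) -> Optional[Alert]:
    """Return an Alert if one ImageLoad event matches the side-loading pattern."""
    image, loaded = event["Image"], event["ImageLoaded"]
    host = ntpath.basename(image).lower()
    if host not in SIDELOAD_PAIRS:
        return None
    dll_name, signer = SIDELOAD_PAIRS[host]
    if ntpath.basename(loaded).lower() != dll_name:
        return None
    # Companion DLL present, but not validly signed by the vendor that signed the host.
    if event.get("SignatureStatus") != "Valid" or signer not in event.get("Signature", "").lower():
        return Alert(image, loaded, "companion DLL not validly signed by expected vendor")
    # Both signed, yet the pair was executed from a user-writable staging directory.
    if any(d in image.lower() for d in SUSPECT_DIRS):
        return Alert(image, loaded, "signed host binary executed from a suspect directory")
    return None

def scan(events):
    """Run check_image_load over a batch of events and keep the hits."""
    return [a for a in map(check_image_load, events) if a]

# Constructed sample events (not real telemetry); fields mirror Sysmon Event ID 7.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Fortemedia\fmapp.exe", "ImageLoaded": r"C:\Program Files\Fortemedia\fmapp.dll", "SignatureStatus": "Valid", "Signature": "Fortemedia Inc."},
    {"Image": r"C:\Users\Public\Libraries\fmapp.exe", "ImageLoaded": r"C:\Users\Public\Libraries\fmapp.dll", "SignatureStatus": "Unavailable", "Signature": ""},
    {"Image": r"C:\ProgramData\scan\sentinelmemoryscanner.exe", "ImageLoaded": r"C:\ProgramData\scan\sentinelagentcore.dll", "SignatureStatus": "Valid", "Signature": "SentinelOne Inc."},
    {"Image": r"C:\Windows\System32\notepad.exe", "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a.host_image} -> {a.dll_path}: {a.reason}")
```

The first sample (vendor path, valid vendor signature) and the unrelated notepad load produce no alert; the unsigned pair under Users and the signed pair under ProgramData each produce one.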
Impact and Techniques Used
The attacks made use of Node.js scripts to deploy PowerShell code for reconnaissance and information gathering. In one instance, stolen data was staged on sendit[.]sh, a public file-transfer service. This approach highlights the attackers’ ability to adapt and use publicly available tools to achieve their goals.
Furthermore, the attackers utilized a node.exe-based implant chain to drop PowerShell scripts that performed various malicious activities, including reconnaissance, screenshot capture, and privilege escalation. The use of ChromElevator, an open-source tool, allowed them to steal sensitive data from browsers, effectively circumventing encryption protections.
Wider Implications and Future Outlook
The campaign underscores a shift towards quieter and more disciplined operations by MuddyWater, as noted by researchers. This evolution in technique indicates a significant improvement in their operational hygiene compared to previous years.
The European Council’s recent sanctions against Iranian company Emennet Pasargad, linked to previous cyber activities, reflect the growing concerns over Iran-backed cyber threats. These campaigns have targeted critical infrastructure sectors globally, causing significant disruptions.
Recent analyses have also connected Iran’s Ministry of Intelligence and Security to further exfiltration campaigns targeting organizations in the U.S., Israel, Saudi Arabia, and Turkey. These ongoing threats highlight the importance of robust cybersecurity measures and the need for continuous monitoring and adaptation to counter evolving cyber threats.
