
The Iranian hacker group known as MuddyWater is said to be behind a new campaign that affected at least nine organizations in nine countries on four continents in the first quarter of 2026.
According to Symantec and Carbon Black’s Threat Hunter Team, the activity targeted industrial and electronics manufacturing, education and public sector entities, financial services, and professional services. Among the victims was a major South Korean electronics manufacturer, and the attackers spent a week inside the company’s network in February 2026.
International airports in the Middle East, industrial manufacturers in Southeast Asia and financial services providers in Latin America were also named as part of the larger espionage operation.
“The attackers relied heavily on DLL sideloading using legitimately signed Fortemedia (fmapp.exe) and SentinelOne (sentinelmemoryscanner.exe) binaries to execute malicious DLLs while masquerading as benign software,” Broadcom’s cybersecurity team said.
The use of ‘fmapp.exe’ to sideload ‘fmapp.dll’ was previously documented by Group-IB in connection with another MuddyWater campaign, codenamed Operation Olalampo. According to Huntress, the DLL contains code that connects to an attacker-controlled IP address (157.20.182[.]49).
On the other hand, the abuse of ‘sentinelmemoryscanner.exe’, a binary associated with a security product, is assessed as a deliberate choice, as it allows the attackers to evade signature-based detection. It is used to sideload a malicious DLL named ‘sentinelagentcore.dll’.
Both DLLs include an open-source tool called ChromElevator that siphons passwords, cookies, and payment card data from Chromium-based browsers, effectively bypassing App-Bound Encryption (ABE) protections.
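The sideloading pattern described above lends itself to a simple hunt over endpoint image-load telemetry. The following is an added example, not code from Symantec, Carbon Black or the report; the field names follow Sysmon Event ID 7 (Image, ImageLoaded, SignatureStatus), while the trusted-root list and the sample events are constructed assumptions to be tuned per environment.

```python
"""Flag DLL sideloading in Sysmon-style image-load (Event ID 7) records.

Two checks: (1) the specific signed-host/malicious-DLL pairs named in the
report, loaded from outside a normal install location; (2) a generic
heuristic: an executable running outside trusted roots loads an unsigned
DLL from its own directory, which is how sideloading usually looks.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Pairs from the report: abused signed host binary -> DLL it sideloads.
KNOWN_SIDELOAD_PAIRS = {
    "fmapp.exe": "fmapp.dll",
    "sentinelmemoryscanner.exe": "sentinelagentcore.dll",
}

# Assumption: where legitimate software is expected to live on this estate.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class ImageLoad:
    image: str           # Sysmon "Image": full path of the loading process
    loaded: str          # Sysmon "ImageLoaded": full path of the DLL
    loaded_signed: bool  # True when "SignatureStatus" is Valid


def _in_trusted_root(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)


def classify(ev: ImageLoad) -> Optional[str]:
    """Return a finding label for a suspicious load, or None if benign."""
    exe, dll = PureWindowsPath(ev.image), PureWindowsPath(ev.loaded)
    same_dir = str(exe.parent).lower() == str(dll.parent).lower()
    if (KNOWN_SIDELOAD_PAIRS.get(exe.name.lower()) == dll.name.lower()
            and same_dir and not _in_trusted_root(ev.loaded)):
        return "known-sideload-pair"
    if (same_dir and dll.suffix.lower() == ".dll" and not ev.loaded_signed
            and not _in_trusted_root(ev.image)):
        return "unsigned-dll-from-exe-dir"
    return None


def detect(events: List[ImageLoad]) -> List[Tuple[str, str, str]]:
    return [(e.image, e.loaded, c) for e in events if (c := classify(e))]


# Constructed sample telemetry: two staged sideloads, a legitimate vendor
# install, a normal system DLL load, and an unknown unsigned sideload.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\ProgramData\Fortemedia\fmapp.exe", r"C:\ProgramData\Fortemedia\fmapp.dll", False),
    ImageLoad(r"C:\Users\Public\Scan\sentinelmemoryscanner.exe", r"C:\Users\Public\Scan\sentinelagentcore.dll", False),
    ImageLoad(r"C:\Program Files\Fortemedia\fmapp.exe", r"C:\Program Files\Fortemedia\fmapp.dll", True),
    ImageLoad(r"C:\Windows\System32\notepad.exe", r"C:\Windows\System32\kernel32.dll", True),
    ImageLoad(r"C:\Users\Public\Tools\updater.exe", r"C:\Users\Public\Tools\helper.dll", False),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```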
A notable aspect of this attack is the use of Node.js scripts to launch PowerShell code that performs discovery and information-gathering operations. In at least one instance, the attackers were found to stage stolen data for exfiltration via transfer[.]sh, a public file transfer service.
“A node.exe-based implant chain was used to drop PowerShell scripts that performed reconnaissance, screenshot capture, SAM hive theft, privilege escalation, and SOCKS5 reverse proxy tunneling,” Symantec and Carbon Black said.
It also drops the two aforementioned DLL sideloading pairs, which give the attacker a covert tunnel to relay traffic and launch ChromElevator. The attack is also characterized by an attempt to dump credentials that would allow lateral movement across the network.
In this intrusion targeting a South Korean electronics manufacturer, MuddyWater is believed to have performed repeated PowerShell-based reconnaissance and re-executed two binaries to ensure it maintained access to the compromised hosts. The initial access vector used to infiltrate the organization is unknown.
“This rhythm is again consistent with activity by the implant, rather than the continuous presence of the operator,” the researchers said. “The history of that campaign shows a clear move towards quieter, more disciplined operations. None of these techniques are new individually, but in combination they provide further evidence that operational hygiene has significantly improved over the Seedworm we knew a few years ago.”
This comes after the European Council imposed sanctions on the Iranian company Emennet Pasargad for hacking a Swedish SMS service, accessing and selling the contents of a French subscriber database, and spreading disinformation via compromised billboards during the 2024 Paris Olympics.
The company, also known as Shahid Shushtari, is affiliated with Iran’s Islamic Revolutionary Guard Corps Cyber Electronics Command (IRGC-CEC), according to the US State Department. It has been tracked under the names Cobalt Obelisk, Cotton Sandstorm, Haywire Kitten (formerly ChaoticOrchestra), Marnanbridge, and UNC5866.
“Members of Shahid Shushtari have caused significant economic damage and disruption to U.S. businesses and government agencies through coordinated cyber and cyber-enabled information operations,” the State Department said in December 2025. “These operations have targeted multiple critical infrastructure sectors, including news, shipping, travel, energy, finance, and communications in the United States, Europe, and the Middle East.”
Iranian-backed hackers were also involved in a data theft campaign targeting organizations in the United States, Israel, Saudi Arabia, and Turkey in late March and early April 2026, with at least two American victims also subjected to destructive operations that included the deletion of partitions and data backups.
These incidents were claimed by a pro-Iranian group calling itself Ababil of Minab, but a new analysis by Gambit Security finds that the campaign’s infrastructure is tied to Iran’s Ministry of Intelligence and Security (MOIS).
Other targets include organizations in the Israeli media sector, Israeli higher education institutions, a Turkish insurance brokerage, and several additional websites across the restaurant, culture, digital services, and news sectors.
No destructive activities have been observed against these victims. In these cases, the adversary has been found to use a custom-built C++ file collection and exfiltration tool, internally codenamed FileFiend.
“The binary enumerates local drives and SMB shares, explores the file system, and potentially sends files to a hardcoded C2 [command-and-control],” said Gambit Security researchers Eyal Sela and Nir Varon in a report published today.
Alternatively, the data of interest is compressed into a RAR archive on a host within the victim environment and uploaded to the web root of the organization’s public website, from where it is retrieved using the Axel command-line download accelerator and tunneled through a proxy chain.
