The Iranian hacking group known as MuddyWater has been linked to a new cyber espionage campaign impacting at least nine organizations across four continents in early 2026. The targeted sectors include industrial and electronics manufacturing, education, public services, financial services, and professional services, as reported by the Threat Hunter Team from Symantec and Carbon Black.
Details of the Campaign
Among the identified victims is a prominent South Korean electronics manufacturer, which experienced a week-long intrusion in February 2026. Other affected entities include an international airport in the Middle East, industrial manufacturers in Southeast Asia, and a financial services provider in Latin America.
Attack Techniques
MuddyWater’s operators used DLL side-loading, abusing legitimately signed binaries from Fortemedia (fmapp.exe) and SentinelOne (sentinelmemoryscanner.exe) to execute malicious DLLs posing as benign components. The use of fmapp.exe to side-load fmapp.dll was previously documented in a separate campaign, Operation Olalampo. The sentinelmemoryscanner.exe binary, which belongs to a security product, was likewise abused to side-load a rogue DLL named sentinelagentcore.dll.
Both DLLs incorporate an open-source tool called ChromElevator, which is designed to extract sensitive information such as passwords, cookies, and payment card data from Chromium-based browsers, circumventing App-Bound Encryption (ABE) protections. The attackers also employed Node.js scripts to initiate PowerShell commands for reconnaissance and information gathering.
Data Staging and Reconnaissance
In at least one instance, stolen data was staged on a public file-transfer service, sendit.sh. The attackers used a node.exe-based implant chain to deploy PowerShell scripts for reconnaissance, screenshot capture, and privilege escalation. The campaign is also characterized by efforts to dump credentials in order to move laterally within compromised networks.
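One way a defender could hunt for the two side-loading pairs from the Attack Techniques section and the node.exe-to-PowerShell chain described above, written here as an added example rather than code from the Symantec/Carbon Black report; the Sysmon-style events, file paths and trusted install roots are constructed assumptions.

```python
# Added detection example, not code from the Symantec/Carbon Black report: hunts
# Sysmon-style events for the two side-loading pairs and the node.exe -> PowerShell
# chain named above. Paths, install roots and sample events are constructed.
SIDELOAD_PAIRS = {"fmapp.exe": "fmapp.dll",
                  "sentinelmemoryscanner.exe": "sentinelagentcore.dll"}
# Assumption: install roots where the legitimate host binaries normally reside.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

def _name(path):      # file name, case-folded (Windows paths are case-insensitive)
    return path.rsplit("\\", 1)[-1].lower()
def _dirname(path):   # directory with trailing backslash, case-folded
    return path.rsplit("\\", 1)[0].lower() + "\\"

def sideload_reason(ev):
    """Sysmon Event ID 7 (image load): why the load looks like side-loading, else None."""
    if ev.get("EventID") != 7 or SIDELOAD_PAIRS.get(_name(ev["Image"])) != _name(ev["ImageLoaded"]):
        return None
    if not _dirname(ev["ImageLoaded"]).startswith(TRUSTED_ROOTS):
        return "known side-load pair loaded outside a trusted install root"
    if ev.get("Signed", "false").lower() != "true":   # Sysmon's Signed field
        return "known side-load pair with unsigned DLL"
    return None

def node_powershell_reason(ev):
    """Sysmon Event ID 1 (process create): node.exe launching PowerShell."""
    if (ev.get("EventID") == 1 and _name(ev["ParentImage"]) == "node.exe"
            and _name(ev["Image"]) in ("powershell.exe", "pwsh.exe")):
        return "node.exe spawned PowerShell"
    return None

def hunt(events):
    """Return (image name, reason) for every event matching either pattern."""
    hits = []
    for ev in events:
        reason = sideload_reason(ev) or node_powershell_reason(ev)
        if reason:
            hits.append((_name(ev["Image"]), reason))
    return hits

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed; the first and last events are benign
    {"EventID": 7, "Image": r"C:\Program Files\Fortemedia\fmapp.exe",
     "ImageLoaded": r"C:\Program Files\Fortemedia\fmapp.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Users\Public\fm\fmapp.exe",
     "ImageLoaded": r"C:\Users\Public\fm\fmapp.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\SentinelOne\sentinelmemoryscanner.exe",
     "ImageLoaded": r"C:\Program Files\SentinelOne\sentinelagentcore.dll", "Signed": "false"},
    {"EventID": 1, "ParentImage": r"C:\Users\Public\node.exe", "Image": PS},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS},
]
```

Running `hunt(SAMPLE_EVENTS)` flags the relocated fmapp.dll load, the unsigned sentinelagentcore.dll load, and the node.exe-spawned PowerShell, while the signed in-place fmapp.dll load and the explorer-launched PowerShell pass.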
In the case involving the South Korean electronics manufacturer, MuddyWater reportedly conducted repeated reconnaissance using PowerShell and re-executed the two binaries to maintain access to the compromised system. The initial access vector for this breach remains unclear.
Context and Implications
This campaign reflects a notable evolution in MuddyWater’s operational tactics, indicating a shift towards more disciplined and quieter operations compared to previous activities. The European Council has recently imposed sanctions against an Iranian company, Emennet Pasargad, for various cyber activities, highlighting ongoing concerns regarding Iranian cyber operations.
While the techniques employed in this campaign are not entirely novel, their combination signifies an increase in operational sophistication for MuddyWater. The implications of these attacks extend beyond immediate data theft, potentially affecting critical infrastructure sectors across multiple regions.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.