Iranian Hackers Linked to Global Cyber Espionage Campaign Targeting Multiple Industries

Iranian state-linked hacking group MuddyWater has been connected to a large-scale cyber espionage campaign that impacted at least nine organizations across nine countries during the first quarter of 2026.

According to researchers from Symantec’s Threat Hunter Team and Carbon Black, the attacks targeted organizations in industries including industrial manufacturing, electronics, education, government, financial services, and professional services.

One of the most significant victims was a major South Korean electronics manufacturer, where attackers reportedly maintained access to the network for nearly a week in February 2026.

Global Targets Included Airports and Financial Firms

The campaign also affected:

  • An international airport in the Middle East
  • Industrial manufacturers in Southeast Asia
  • A financial services provider in Latin America

Security researchers say the attackers relied heavily on DLL side-loading techniques using legitimate, digitally signed binaries to disguise malicious activity.

Attackers Used Trusted Software to Hide Malware

The hackers abused legitimate applications such as:

  • Fortemedia’s fmapp.exe
  • SentinelOne’s sentinelmemoryscanner.exe

These trusted binaries were used to load malicious DLL files while appearing harmless to security tools.

Researchers noted that the use of fmapp.exe to sideload a malicious fmapp.dll had previously been seen in another MuddyWater operation known as Operation Olalampo.

The malicious DLL reportedly connected to an attacker-controlled IP address and enabled further compromise of victim systems.

SentinelOne Binary Abuse Helped Evade Detection

The use of sentinelmemoryscanner.exe is considered particularly concerning because the binary belongs to a legitimate cybersecurity product, making it more difficult for signature-based security solutions to detect malicious behavior.

In this case, the executable loaded a rogue DLL called sentinelagentcore.dll.
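A defender-side hunt for the two side-loading pairs named above (fmapp.exe/fmapp.dll and sentinelmemoryscanner.exe/sentinelagentcore.dll) over Sysmon image-load events (Event ID 7). This is an added example, not code from the researchers' report; the trusted install directories and the sample events are constructed assumptions.

```python
"""Flag DLL side-loading of the named host binaries in Sysmon Event ID 7 records."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Signed host binaries and the DLL names the article reports being side-loaded.
SIDELOAD_PAIRS = {
    "fmapp.exe": "fmapp.dll",
    "sentinelmemoryscanner.exe": "sentinelagentcore.dll",
}

# Assumption: where the legitimate products would normally live.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


@dataclass
class ImageLoad:
    image: str          # Sysmon "Image": the process that loaded the DLL
    image_loaded: str   # Sysmon "ImageLoaded": full path of the DLL
    signed: bool        # Sysmon "Signed": whether the DLL carries a valid signature


def is_sideload(ev: ImageLoad) -> bool:
    """True when a known host binary loads its paired DLL from an untrusted place or unsigned."""
    host = PureWindowsPath(ev.image).name.lower()
    dll = PureWindowsPath(ev.image_loaded)
    expected = SIDELOAD_PAIRS.get(host)
    if expected is None or dll.name.lower() != expected:
        return False
    # Side-loading puts the rogue DLL beside a copied host binary, typically in a
    # user-writable directory, and the DLL is not signed by the real vendor.
    loaded_from = str(dll.parent).lower() + "\\"
    outside_trusted = not loaded_from.startswith(TRUSTED_DIRS)
    return (not ev.signed) or outside_trusted


def hunt(events):
    """Return the events worth triaging."""
    return [ev for ev in events if is_sideload(ev)]


# Constructed sample telemetry (not real events from the campaign).
SAMPLE = [
    ImageLoad(r"C:\Program Files\Fortemedia\fmapp.exe", r"C:\Program Files\Fortemedia\fmapp.dll", True),
    ImageLoad(r"C:\Users\Public\Music\fmapp.exe", r"C:\Users\Public\Music\fmapp.dll", False),
    ImageLoad(r"C:\Users\Public\sentinelmemoryscanner.exe", r"C:\Users\Public\sentinelagentcore.dll", False),
    ImageLoad(r"C:\Windows\System32\notepad.exe", r"C:\Windows\System32\kernel32.dll", True),
]
```

Triage hits by checking the DLL's hash and signer rather than the host binary's, since the host is the vendor's genuine signed file and will look clean on its own.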

Both malicious DLLs were found to contain an open-source tool named ChromElevator, which is designed to steal:

  • Browser passwords
  • Cookies
  • Payment card information

The tool specifically targets Chromium-based browsers and can bypass Google Chrome’s App-Bound Encryption (ABE) protections.

Node.js and PowerShell Used for Reconnaissance

Investigators also discovered that the attackers used Node.js scripts to launch PowerShell commands responsible for reconnaissance and data collection.

The malware chain reportedly performed activities such as:

  • System discovery
  • Screenshot capture
  • Credential theft
  • SAM hive extraction
  • Privilege escalation
  • SOCKS5 reverse-proxy tunneling

In at least one incident, stolen data was staged using the public file-sharing service sendit.sh before exfiltration.

South Korean Electronics Firm Targeted Repeatedly

In the attack against the South Korean electronics company, MuddyWater operators repeatedly executed PowerShell reconnaissance scripts and relaunched malicious binaries to maintain persistent access inside the environment.

Researchers were unable to determine the original entry point used to breach the organization.

Security analysts noted that the attackers demonstrated a more disciplined and stealth-focused operational style compared to earlier MuddyWater campaigns.

“Its campaign history shows a clear move towards quieter, more disciplined operations,” researchers stated.

European Council Sanctions Iranian Cyber Group

The revelations come shortly after the European Council imposed sanctions on Iranian company Emennet Pasargad over multiple cyber and disinformation operations.

The group was accused of:

  • Hacking a Swedish SMS service
  • Accessing and selling data from a French subscriber database
  • Spreading disinformation through compromised advertising billboards during the 2024 Paris Olympic Games

The organization is reportedly linked to Iran’s Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC) and is also tracked under several aliases, including:

  • Cobalt Obelisk
  • Cotton Sandstorm
  • Haywire Kitten
  • Marnanbridge
  • UNC5866

Iran-Linked Destructive Attacks Also Reported

Separately, Iran-backed threat actors were tied to another campaign targeting organizations in:

  • The United States
  • Israel
  • Saudi Arabia
  • Turkey

The attacks occurred between late March and early April 2026 and included destructive actions against at least two U.S. victims, including deletion of data backups and system partitions.

Initially attributed to a pro-Iranian persona called Ababil of Minab, researchers at Gambit Security later connected the campaign infrastructure to Iran’s Ministry of Intelligence and Security (MOIS).

Custom Data Theft Tool “FileFiend” Identified

Researchers also uncovered a custom-built C++ malware tool internally named FileFiend.

The malware was capable of:

  • Enumerating local drives and SMB shares
  • Searching the file system
  • Uploading stolen files to command-and-control servers

In some cases, attackers compressed stolen data into RAR archives, uploaded them to compromised public websites, and then retrieved the files from those sites using the Axel command-line download utility in combination with proxy tunneling tools.

Growing Sophistication of Iranian Cyber Operations

Cybersecurity experts warn that these campaigns demonstrate the increasing sophistication and operational maturity of Iranian cyber threat groups.

While many of the individual techniques used in the attacks are not entirely new, researchers say the combination of stealth, persistence, credential theft, and abuse of legitimate software reflects a significant evolution in MuddyWater’s tactics.

Experts emphasize that organizations must maintain continuous visibility across their networks to quickly distinguish real threats from online propaganda and hacktivist noise.
