Iran-linked threat group MuddyWater has been associated with a large-scale cyber espionage campaign targeting organizations across nine countries spanning four continents during the first quarter of 2026. According to researchers from the Symantec and Carbon Black Threat Hunter Team, the operation affected at least nine organizations working in industrial and electronics manufacturing, financial services, education, the public sector, and professional services. One of the reported victims is a major South Korean electronics manufacturer, where attackers reportedly remained active inside the company’s network for nearly a week in February 2026. Other affected entities included a Middle Eastern international airport, industrial manufacturers in Southeast Asia, and a financial services provider based in Latin America, indicating broad geographic and sector-based targeting.
Security researchers found that the attackers relied heavily on DLL side-loading to deploy malicious code while disguising the activity as legitimate software behavior. The campaign used legitimately signed binaries from Fortemedia and SentinelOne to side-load malicious DLL files onto compromised systems. Specifically, the threat actors used “fmapp.exe” to load a malicious “fmapp.dll,” a method previously documented by Group-IB in connection with a MuddyWater operation identified as Operation Olalampo. Researchers from Huntress reported that the DLL was designed to connect to an attacker-controlled IP address. Another notable method involved “sentinelmemoryscanner.exe,” a legitimate executable tied to a security product, being used to side-load a rogue DLL named “sentinelagentcore.dll.” Security experts believe this tactic was chosen intentionally to bypass traditional signature-based detection and keep a lower profile during intrusions, since the process that loads the malicious code is itself a trusted, signed executable.
The campaign also included the deployment of an open-source utility known as ChromElevator, which was embedded inside both malicious DLL files. The tool was reportedly used to extract passwords, cookies, and payment card information from Chromium-based browsers while bypassing App-Bound Encryption protections. Researchers further observed attackers using Node.js scripts to launch PowerShell commands responsible for reconnaissance, information gathering, screenshot collection, credential theft, privilege escalation, and SOCKS5 reverse proxy tunnelling. In at least one incident, stolen information was temporarily staged on the public file transfer platform sendit.sh. Investigators noted that the attackers repeatedly attempted to dump credentials to support lateral movement across targeted networks, strengthening their access and persistence.
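The two behaviours described above, a signed binary loading its companion DLL from an unexpected directory and a Node.js process spawning PowerShell, both leave traces in ordinary endpoint telemetry. The following is an added detection sketch written for this article, not code from Symantec, Carbon Black, Huntress, or any other vendor named here. It assumes Sysmon-style image-load and process-create events (event IDs 7 and 1), models them as simple records, and runs two rules over a handful of constructed sample events. The binary/DLL pairs come from the report; every file path, the "trusted" directory list, and the sample command lines are assumptions made for the example.

```python
"""Detection sketch for the side-loading pairs and the Node.js -> PowerShell
chain described in the report. Added example; not vendor or incident code."""
from dataclasses import dataclass
import ntpath  # parse Windows paths correctly regardless of the host OS

# Legitimate host binary -> companion DLL name, as reported in the campaign.
SIDELOAD_PAIRS = {
    "fmapp.exe": "fmapp.dll",
    "sentinelmemoryscanner.exe": "sentinelagentcore.dll",
}

# Assumption: vendor-installed copies of these binaries live under these
# roots; a copy running from anywhere else (user-writable paths) is suspect.
TRUSTED_ROOTS = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\",
)


@dataclass
class Event:
    """Minimal Sysmon-like record: image_load (ID 7) or process_create (ID 1)."""
    kind: str            # "image_load" or "process_create"
    image: str           # full path of the process executable
    loaded: str = ""     # DLL path, for image_load events
    parent: str = ""     # parent process image, for process_create events
    cmdline: str = ""    # command line, for process_create events


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower() + "\\"


def _in_trusted_root(path: str) -> bool:
    return _dir(path).startswith(TRUSTED_ROOTS)


def detect_sideload(ev: Event):
    """Flag a known host binary loading its companion DLL from the same
    untrusted directory. Side-loading relies on the application directory
    being first in the DLL search order, so the co-location check is the
    core of the rule; the trusted-root check suppresses the vendor install."""
    if ev.kind != "image_load":
        return None
    host, dll = _base(ev.image), _base(ev.loaded)
    if SIDELOAD_PAIRS.get(host) != dll:
        return None
    if _dir(ev.image) != _dir(ev.loaded):
        return None
    if _in_trusted_root(ev.image):
        return None
    return f"sideload: {host} loaded {dll} from {_dir(ev.image)}"


def detect_node_powershell(ev: Event):
    """Flag PowerShell started by a Node.js process, the launcher pattern
    the report attributes to the campaign's post-exploitation scripts."""
    if ev.kind != "process_create":
        return None
    if _base(ev.parent) == "node.exe" and _base(ev.image) in ("powershell.exe", "pwsh.exe"):
        return f"node.js spawned {_base(ev.image)}: {ev.cmdline}"
    return None


RULES = (detect_sideload, detect_node_powershell)


def scan(events):
    """Run every rule over every event and return the list of findings."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample telemetry (not from the incident). The first event is
# the benign vendor install and must not fire; the next three should.
SAMPLE_EVENTS = [
    Event("image_load", r"C:\Program Files\Fortemedia\fmapp.exe",
          loaded=r"C:\Program Files\Fortemedia\fmapp.dll"),
    Event("image_load", r"C:\Users\Public\Music\fmapp.exe",
          loaded=r"C:\Users\Public\Music\fmapp.dll"),
    Event("image_load", r"C:\ProgramData\upd\sentinelmemoryscanner.exe",
          loaded=r"C:\ProgramData\upd\sentinelagentcore.dll"),
    Event("process_create", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\ProgramData\node\node.exe",
          cmdline="powershell.exe -c hostname"),
    Event("process_create", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\explorer.exe",
          cmdline="powershell.exe"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

In production the trusted-root list would be replaced with signature and hash checks on the loaded DLL, since a signed vendor binary loading an unsigned DLL of the expected name is the stronger signal; the co-location rule is still worth keeping because it catches the case where the attacker also copies a signed DLL they control.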
In the intrusion involving the South Korean electronics manufacturer, MuddyWater repeatedly executed PowerShell-based reconnaissance and relaunched malicious binaries to maintain continued access to compromised systems. Researchers stated that the pace and repetition of the activity suggested automated, implant-driven operations rather than constant manual intervention by operators. Symantec and Carbon Black noted that although none of the techniques individually appeared highly sophisticated, their coordinated use reflected a noticeable shift toward quieter and more disciplined operations compared to previous MuddyWater activity.
The campaign surfaced as European authorities imposed sanctions on the Iranian company Emennet Pasargad over allegations involving cyber operations against Swedish and French organizations, alongside claims of spreading disinformation during the 2024 Paris Olympic Games. The company, also identified as Shahid Shushtari, has reportedly been linked to Iran’s Islamic Revolutionary Guard Corps Cyber Electronic Command and is tracked under aliases including Cobalt Obelisk, Cotton Sandstorm, Haywire Kitten, Marnanbridge, and UNC5866. Meanwhile, separate investigations tied Iran-backed threat actors to data exfiltration attacks targeting organizations in the United States, Israel, Saudi Arabia, and Turkey earlier in 2026. Research from Gambit Security connected parts of that activity to Iran’s Ministry of Intelligence and Security, where attackers reportedly used a custom file theft tool known as FileFiend to collect and transfer sensitive information from compromised systems.