MuddyWater Uses DLL Side-Loading in Espionage Campaign Targeting 9 Countries

An Iranian hacking group known as MuddyWater has been linked to a new campaign affecting at least nine organizations in nine countries on four continents in the first quarter of 2026.

The activity targeted industrial manufacturing and electronics, education and public sector organizations, financial services, and professional services, according to the Threat Hunter Team from Symantec and Carbon Black. Among the victims is a major South Korean electronics manufacturer, where the attackers spent a week inside the network in February 2026.

Also targeted as part of the broader intelligence-gathering effort were international airports in the Middle East, industrial manufacturers in Southeast Asia, and financial services providers in Latin America.

“Attackers rely heavily on DLL sideloading using legitimately signed versions of Fortemedia (fmapp.exe) and SentinelOne (sentinelmemoryscanner.exe) to extract malicious DLLs while masquerading as malicious software,” Broadcom’s cybersecurity teams said.

The use of “fmapp.exe” to sideload “fmapp.dll” was previously documented by Group-IB in connection with another MuddyWater campaign called Operation Olalampo. According to Huntress, the DLL contains code to connect to an attacker-controlled IP address (157.20.182[.]49).

By contrast, the abuse of “sentinelmemoryscanner.exe”, a binary associated with the SentinelOne protection product, is assessed to be a deliberate choice, as it can help evade signature-based detection. It is used to sideload a malicious DLL called “sentinelagentcore.dll.”

Both DLLs embed an open source tool called ChromElevator to extract passwords, cookies, and payment card data from Chromium-based browsers, effectively defeating App-Bound Encryption (ABE) protection.

A notable feature of the attack is the use of Node.js scripts to launch PowerShell code responsible for reconnaissance and information gathering. In at least one instance, the attackers were found to be uploading stolen data to sendit[.]sh, a public file transfer service.

“An injection chain based on node.exe was used to drop PowerShell scripts that re-examined, captured a screenshot, hijacked a SAM nest, elevated privilege, and interpreted the SOCKS5 proxy,” Symantec and Carbon Black said.

The aforementioned side-loading DLL pairs were also deployed to provide the attackers with a covert tunnel for forwarding traffic and to launch ChromElevator. These attacks are further characterized by attempts to dump information that would allow the attackers to move laterally across networks.
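The two host-side behaviours described above, a signed executable side-loading an unsigned DLL from its own directory and node.exe spawning PowerShell, are both visible in endpoint telemetry. The following is an added illustration of how a defender might flag them over Sysmon-style process-creation and image-load events; it is not code from Symantec, Carbon Black, or any of the vendors named in the article. The event schema, file paths, and the list of user-writable directory hints are constructed for this example, and the side-loading rule deliberately generalises beyond the two named EXE/DLL pairs to any signed executable loading an unsigned DLL beside itself from such a location.

```python
"""Toy detection pass over constructed Sysmon-style events (added example).

Rule 1: a validly signed executable loads an unsigned DLL from the same
        directory, and either the pair is one named in the article or the
        executable runs from a user-writable location (assumed hint list).
Rule 2: node.exe is the parent of a PowerShell process.
"""
from dataclasses import dataclass
from typing import List, Optional
import ntpath

# Assumption for this example: directories a legitimately installed, signed
# vendor binary would not normally execute from. Not a vendor-published list.
USER_WRITABLE_HINTS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")

# Side-loading pairs named in the article (lower-case basenames).
KNOWN_PAIRS = {
    "fmapp.exe": "fmapp.dll",
    "sentinelmemoryscanner.exe": "sentinelagentcore.dll",
}


@dataclass
class Event:
    kind: str                    # "process" (Sysmon ID 1) or "imageload" (Sysmon ID 7)
    image: str                   # full path of the process image
    pid: int = 0
    signed: bool = False         # process image carries a valid signature
    loaded: str = ""             # DLL path (imageload events only)
    loaded_signed: bool = False  # DLL carries a valid signature
    parent: str = ""             # parent image path (process events only)


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def detect_sideload(ev: Event) -> Optional[Alert]:
    """Signed EXE loading an unsigned DLL from its own directory."""
    if ev.kind != "imageload":
        return None
    exe, dll = _base(ev.image), _base(ev.loaded)
    same_dir = _dir(ev.image) == _dir(ev.loaded)
    suspicious_path = any(h in ev.image.lower() for h in USER_WRITABLE_HINTS)
    known_pair = KNOWN_PAIRS.get(exe) == dll
    if ev.signed and not ev.loaded_signed and same_dir and (known_pair or suspicious_path):
        tag = "known MuddyWater pair" if known_pair else "generic"
        return Alert("dll-sideload", ev.pid, f"{exe} loaded unsigned {dll} ({tag})")
    return None


def detect_node_powershell(ev: Event) -> Optional[Alert]:
    """node.exe as the direct parent of powershell.exe / pwsh.exe."""
    if (ev.kind == "process" and _base(ev.parent) == "node.exe"
            and _base(ev.image) in ("powershell.exe", "pwsh.exe")):
        return Alert("node-spawns-powershell", ev.pid, f"{_base(ev.parent)} -> {_base(ev.image)}")
    return None


def run_detections(events: List[Event]) -> List[Alert]:
    alerts: List[Alert] = []
    for ev in events:
        for rule in (detect_sideload, detect_node_powershell):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry: paths and PIDs are invented for the example.
SAMPLE_EVENTS = [
    Event("imageload", r"C:\Users\Public\fm\fmapp.exe", 1001, signed=True,
          loaded=r"C:\Users\Public\fm\fmapp.dll", loaded_signed=False),
    Event("imageload", r"C:\ProgramData\scan\sentinelmemoryscanner.exe", 1002, signed=True,
          loaded=r"C:\ProgramData\scan\sentinelagentcore.dll", loaded_signed=False),
    Event("imageload", r"C:\Program Files\Vendor\app.exe", 1003, signed=True,
          loaded=r"C:\Program Files\Vendor\helper.dll", loaded_signed=True),   # benign
    Event("imageload", r"C:\Windows\System32\notepad.exe", 1004, signed=True,
          loaded=r"C:\Windows\System32\kernel32.dll", loaded_signed=True),     # benign
    Event("imageload", r"C:\Users\bob\AppData\Local\tool\updater.exe", 1005, signed=True,
          loaded=r"C:\Users\bob\AppData\Local\tool\version.dll", loaded_signed=False),  # generic hit
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", 1006,
          parent=r"C:\Users\Public\node\node.exe"),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", 1007,
          parent=r"C:\Windows\explorer.exe"),                                   # benign
]

if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(f"[{a.rule}] pid={a.pid} {a.detail}")
```

Running the block prints four alerts: the two known pairs, the generic unsigned-DLL hit under AppData, and the node.exe to powershell.exe chain; the benign events produce nothing. In a real deployment the signature fields would come from the EDR or Sysmon `Signed`/`SignatureStatus` values rather than booleans set by hand, and the path hints should be tuned to the environment.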

In the attack targeting the South Korean electronics manufacturer, MuddyWater is believed to have re-executed its PowerShell scripts and re-used the two binaries to maintain access to the compromised host. The initial access vector used to breach the organization is unknown.

“The cadence also corresponds to implant-driven activity rather than continuous operator presence,” the researchers said. “Its campaign history shows a clear movement toward quiet, disciplined operations. None of these techniques are individually novel, but taken together they provide further evidence of a significant step up in the cleanliness of Seedworm operations compared with what we knew two or three years ago.”

The development comes as the European Council imposed sanctions on the Iranian company Emennet Pasargad for hacking a Swedish SMS service, accessing the content of French subscribers’ websites and selling it, and spreading false information through vulnerable billboards during the 2024 Paris Olympic Games.

The company, according to the US State Department, goes by the name Shahid Shushtari and is linked to the Iran Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC). It is tracked under the monikers Cobalt Obelisk, Cotton Sandstorm, Haywire Kitten (formerly ChaoticOrchestra), Marnanbridge, and UNC5866.

“Shahid Shushtari’s members have caused significant financial damage and disruption to US businesses and government institutions through the use of combined cyber and cyber-enabled information,” the State Department noted in December 2025. “These campaigns have targeted many critical infrastructure sectors, including news, transportation, tourism, energy, finance, and communications in the United States, Europe and the Middle East.”

Iranian-backed hackers have also been implicated in a surveillance campaign targeting organizations in the US, Israel, Saudi Arabia, and Turkey between late March and early April 2026, with at least two US victims also subjected to destructive activity, such as the deletion of partitions and data backups.

Although the incidents were claimed by a pro-Iranian persona named Ababil from Minab, a new analysis from Gambit Security has tied the operation’s infrastructure to Iran’s Ministry of Intelligence and Security (MOIS).

Other targets include an Israeli organization in the media sector, an Israeli higher education institution, a Turkish insurance company, and several additional websites across the fields of dining, culture, digital services, and news.

No destructive action has been observed against these victims. In these cases, the adversary was observed using a bespoke C++ file collection and filtering tool codenamed FileFiend.

“The binary can enumerate local drives and SMB shares, navigate through the file system, and send files to a hardcoded C2 [command-and-control] server,” said Gambit Security researchers Eyal Sela and Nir Varon in a report published today.

Alternatively, data of interest is compressed into RAR archives on a host inside the victim’s environment and staged in the web root of the organization’s public website, from where it is retrieved using the Axel command-line download accelerator routed through proxychains.
