Iranian Hackers MuddyWater Target Companies Using DLL Side-Loading and Fake Files

26.05.2026 5 minutes Author: Newsman

The Iranian hacking group MuddyWater has launched a new wave of attacks using DLL side-loading to deploy malware through legitimate applications. The campaign targets organizations in the Middle East and relies on phishing emails and fake files to gain access to victim systems.

The Iranian hacking group known as MuddyWater has been linked to a new cyber campaign that targeted at least nine organizations across nine countries on four continents during the first quarter of 2026.

According to Symantec’s Threat Hunter Team and Carbon Black, the attacks targeted organizations in the industrial and electronics manufacturing sectors, as well as educational institutions, government agencies, financial companies, and professional services firms. Among the victims was a major South Korean electronics manufacturer whose network was targeted by the attackers for an entire week in February 2026.

The broader espionage operation also included a Middle Eastern international airport, industrial manufacturers in Southeast Asia, and a Latin American financial services provider.

“The attackers heavily relied on DLL side-loading, using legitimately signed binaries from Fortemedia (fmapp.exe) and SentinelOne (sentinelmemoryscanner.exe) to execute malicious DLLs while disguising themselves as trusted software,” Broadcom’s cybersecurity teams said.

The abuse of “fmapp.exe” to load “fmapp.dll” had previously been documented by Group-IB in connection with another MuddyWater campaign called Operation Olalampo. According to Huntress, the DLL contains code designed to connect to an attacker-controlled IP address (“157.20.182[.]49”).

Meanwhile, the misuse of “sentinelmemoryscanner.exe” — a binary tied to a security product — is believed to be a deliberate attempt to bypass signature-based detection systems. The executable is designed to load a malicious DLL named “sentinelagentcore.dll.”

Both DLLs contain an open-source tool called ChromElevator, which is capable of stealing passwords, cookies, and payment card data from Chromium-based browsers while bypassing App-Bound Encryption (ABE) protections.

One notable aspect of the attacks is the use of Node.js scripts to launch PowerShell code responsible for reconnaissance and data collection activities. In at least one case, the attackers were seen uploading stolen data to sendit[.]sh, a public file-sharing service.

“The node.exe-based implant chain was used to drop PowerShell scripts that performed reconnaissance, screenshot capture, SAM hive theft, privilege escalation, and SOCKS5 reverse proxy tunneling,” Symantec and Carbon Black said.

The two DLL side-loading chains were also used to provide attackers with covert tunnels for relaying traffic and launching ChromElevator. The attacks further involved credential dumping attempts designed to help the attackers move laterally through victim networks.

In the attack against the South Korean electronics company, MuddyWater repeatedly carried out PowerShell-based reconnaissance while re-executing the two binaries multiple times to maintain access to compromised systems. The initial access vector used to breach the organization remains unknown.

“The cadence once again aligns with implant-driven activity rather than continuous operator presence,” the researchers said. “The campaign history demonstrates a clear shift toward quieter, more disciplined operations. None of these techniques are individually new, but together they provide more evidence of significantly improved operational hygiene compared to the Seedworm-style activity we saw two or three years ago.”

The disclosure comes after the European Council imposed sanctions on the Iranian company Emennet Pasargad for hacking a Swedish SMS service, accessing a French subscriber database and offering it for sale, as well as spreading disinformation through compromised digital billboards during the 2024 Paris Olympics.

According to the U.S. State Department, the company — also known as Shahid Shushtari — is linked to the Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC). Its activity is tracked under several aliases, including Cobalt Obelisk, Cotton Sandstorm, Haywire Kitten (formerly ChaoticOrchestra), Marnanbridge, and UNC5866.

“Members of Shahid Shushtari caused significant financial damages and operational disruptions to U.S. businesses and government entities through coordinated cyber and influence operations,” the State Department said in December 2025. “These campaigns targeted multiple critical infrastructure sectors, including news, shipping, travel, energy, finance, and telecommunications across the United States, Europe, and the Middle East.”

Iran-linked hackers have also been connected to a separate data theft campaign targeting organizations in the United States, Israel, Saudi Arabia, and Turkey between late March and early April 2026. At least two U.S.-based victims were additionally targeted with destructive actions involving partition wiping and backup deletion.

Although a pro-Iranian actor known as Ababil from Minab claimed responsibility for the attacks, a new report from Gambit Security linked the campaign infrastructure to Iran’s Ministry of Intelligence and Security (MOIS).

Additional targets included an Israeli media organization, an Israeli academic institution, a Turkish insurance brokerage firm, and several other websites related to restaurants, culture, digital services, and news.

No destructive activity was observed against those particular victims. Instead, the attackers were found using a custom C++ data collection and exfiltration tool internally named FileFiend.

“The binary was capable of enumerating local drives and SMB shares, traversing the file system, and sending files to a hardcoded command-and-control server,” Gambit Security researchers Eyal Sela and Nir Varon said in a report published today.

In some cases, targeted data was compressed into RAR archives directly on victim systems and uploaded to public-facing web directories, where it was later downloaded using the Axel command-line download accelerator and tunneled through proxy chains.
