MuddyWater APT Targets 9 Countries in DLL Side-Loading Espionage Campaign
The Iranian threat actor MuddyWater has been linked to a sophisticated cyber espionage campaign that compromised at least nine organizations across nine countries on four continents during the first quarter of 2026. The targeting included industrial and electronics manufacturing, education, public sector, financial services, and professional services. Notably, a major South Korean electronics manufacturer was breached, with attackers maintaining network access for approximately one week in February 2026. Additional victims included an international airport in the Middle East, Southeast Asian industrial manufacturers, and a Latin American financial services provider, according to joint analysis by Symantec and Carbon Black's Threat Hunter Team.
The threat actors relied heavily on DLL side-loading techniques, leveraging legitimately signed binaries including Fortemedia's fmapp.exe and SentinelOne's sentinelmemoryscanner.exe to execute malicious DLLs while appearing as benign software. The fmapp.exe binary was used to sideload a malicious fmapp.dll, a technique previously documented by Group-IB in connection with MuddyWater's Operation Olalampo. The SentinelOne binary abuse was particularly noteworthy as it could bypass signature-based detection mechanisms. Both malicious DLLs contained code to connect to attacker-controlled infrastructure at IP address 157.20.182[.]49 and embedded an open-source tool called ChromElevator to exfiltrate passwords, cookies, and payment card data from Chromium-based browsers, effectively circumventing App-Bound Encryption protections.
The attack chain used Node.js scripts to launch PowerShell code for discovery and information gathering, including reconnaissance, screenshot capture, SAM hive theft, privilege escalation, and SOCKS5 reverse-proxy tunneling. Staged data was exfiltrated via the public file-transfer service sendit[.]sh. The initial access vector in the South Korean electronics manufacturer breach remains unknown, though the attackers repeatedly executed PowerShell-based reconnaissance and re-ran the DLL side-loading binaries to maintain persistent access. Organizations should monitor for unusual PowerShell execution, in particular PowerShell spawned by Node.js, and audit credentials that may have been exposed, since the campaign harvested browser-stored passwords and SAM hives.
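The two behaviours described above, a signed host binary side-loading an unsigned DLL from a user-writable directory and Node.js spawning PowerShell, can be turned into simple detection logic. The following is an added example, not code from the Symantec/Carbon Black report; the event field names are assumptions modelled loosely on Sysmon's ImageLoad, ProcessCreate and NetworkConnect events, and the sample events are constructed.

```python
from pathlib import PureWindowsPath

# Signed host binaries the campaign abused for side-loading (named in the report).
SIDELOAD_HOSTS = {"fmapp.exe", "sentinelmemoryscanner.exe"}
# C2 address from the report (defanged there as 157.20.182[.]49).
KNOWN_C2 = {"157.20.182.49"}
# Directories where a legitimately installed binary's own DLLs normally live.
TRUSTED_ROOTS = ("c:\\program files", "c:\\program files (x86)", "c:\\windows")

def _name(path):
    return PureWindowsPath(path).name.lower()

def _dir(path):
    return str(PureWindowsPath(path).parent).lower()

def classify(event):
    """Return the alert tags for one event (empty list when nothing matched).
    Field names (type, image, image_loaded, dll_signed, parent_image, dest_ip)
    are assumptions, not real Sysmon field names."""
    tags = []
    if event["type"] == "ImageLoad":
        host, dll = event["image"], event["image_loaded"]
        # Side-load pattern: DLL sits beside the host outside a trusted install root.
        beside_host = _dir(host) == _dir(dll) and not _dir(host).startswith(TRUSTED_ROOTS)
        if _name(host) in SIDELOAD_HOSTS and beside_host and not event.get("dll_signed", False):
            tags.append("dll-sideload-suspect")
    elif event["type"] == "ProcessCreate":
        if _name(event["parent_image"]) == "node.exe" and _name(event["image"]) in ("powershell.exe", "pwsh.exe"):
            tags.append("node-to-powershell")
    elif event["type"] == "NetworkConnect":
        if event["dest_ip"] in KNOWN_C2:
            tags.append("known-c2")
    return tags

def scan(events):
    """Return (index, tags) for every event that raised at least one tag."""
    return [(i, tags) for i, e in enumerate(events) if (tags := classify(e))]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"type": "ImageLoad", "image": r"C:\Users\alice\AppData\Local\Temp\fmapp.exe",
     "image_loaded": r"C:\Users\alice\AppData\Local\Temp\fmapp.dll", "dll_signed": False},
    {"type": "ImageLoad", "image": r"C:\Program Files\Fortemedia\fmapp.exe",
     "image_loaded": r"C:\Program Files\Fortemedia\fmapp.dll", "dll_signed": True},
    {"type": "ProcessCreate", "parent_image": r"C:\Users\alice\AppData\Roaming\node.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "NetworkConnect", "image": r"C:\Users\alice\AppData\Local\Temp\fmapp.exe",
     "dest_ip": "157.20.182.49"},
]

if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_EVENTS):
        print(idx, tags)
```

The legitimately installed copy of fmapp.exe under Program Files loading its signed companion DLL raises nothing, which is the distinction that keeps this rule from firing on the vendor's own software.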