A cyber-espionage group traced to Iran, known as MuddyWater, has been connected to a fresh wave of attacks that impacted a minimum of nine organizations spanning nine nations across four continents during the opening quarter of 2026.
The campaign struck targets in industrial and electronics manufacturing, education and government agencies, financial services, and professional consulting, according to the Threat Hunter Team at Symantec and Carbon Black. Among those compromised was a prominent South Korean electronics manufacturer, where the intruders remained active on its network for an entire week in February 2026.
Also identified as victims of this wide-ranging spying operation were a major international airport in the Middle East, industrial manufacturing firms in Southeast Asia, and a financial-services company based in Latin America.
“The attackers leaned heavily on DLL side-loading, exploiting legitimate, digitally signed binaries from Fortemedia (fmapp.exe) and SentinelOne (sentinelmemoryscanner.exe) to run hidden malicious DLLs disguised as normal software,” explained Broadcom’s cybersecurity units.
The tactic of using “fmapp.exe” to load “fmapp.dll” was previously flagged by Group-IB in relation to a separate MuddyWater operation dubbed Operation Olalampo. Huntress reports that the DLL contains code tying back to an attacker-managed IP address (“157.20.182[.]49”).
Meanwhile, the misuse of "sentinelmemoryscanner.exe", a binary that ships with a security product, appears to be a calculated choice: a legitimately signed security-vendor executable is less likely to be flagged by signature-based detection. This binary is set up to search for and load a malicious DLL called "sentinelagentcore.dll."
Both DLLs bundle an open-source utility named ChromElevator, designed to harvest passwords, cookies, and credit card information from browsers built on Chromium, effectively circumventing App-Bound Encryption (ABE) defenses.
One notable tactic in these attacks is the use of Node.js scripts to launch PowerShell scripts that carry out discovery and data collection. In at least one case, the attackers staged the stolen data on sendit[.]sh, a publicly accessible file-sharing service.
“A Node.js-based implant chain was deployed to drop PowerShell scripts that ran reconnaissance, taking screenshots, stealing the SAM hive, escalating privileges, and establishing a SOCKS5 reverse-proxy tunnel,” noted Symantec and Carbon Black.
The attackers also delivered the two DLL side-loading pairs described above to establish a covert channel for relaying commands and to launch ChromElevator. Another hallmark of these campaigns is credential dumping, which gives the operators the accounts they need to move laterally through the targeted networks.
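The two tradecraft elements above, a signed host executable loading a look-alike DLL from wherever it was dropped, and Node.js acting as the launcher for PowerShell, both leave footprints in standard endpoint telemetry. The following hunting script is an added example written for this page, not code from Symantec, Carbon Black or Huntress. It assumes Sysmon-style events flattened to dicts (EventID 7 image loads with `Image`, `ImageLoaded` and `Signed`; EventID 1 process creations with `ParentImage`, `Image` and `CommandLine`); the events in `SAMPLE_EVENTS` are constructed for illustration and the trusted-directory list is an assumption you would tune to your estate.

```python
"""Hunt for the side-loading pairs and the Node.js -> PowerShell chain
described in the report, over Sysmon-style events (constructed samples)."""
from pathlib import PureWindowsPath

# Side-loading pairs named in the report: signed host EXE -> DLL it looks for.
SIDELOAD_PAIRS = {
    "fmapp.exe": "fmapp.dll",
    "sentinelmemoryscanner.exe": "sentinelagentcore.dll",
}

# Assumption: where these vendor DLLs legitimately live. A load from anywhere
# else (user-writable paths, ProgramData, temp) is the side-loading signal.
TRUSTED_DIRS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows\system32")


def _lower_name(path):
    return PureWindowsPath(path).name.lower()


def _in_trusted_dir(path):
    return str(PureWindowsPath(path).parent).lower().startswith(TRUSTED_DIRS)


def check_image_load(ev):
    """Flag a known EXE/DLL pair when the DLL is unsigned or sits outside a trusted directory."""
    exe = _lower_name(ev["Image"])
    dll = _lower_name(ev["ImageLoaded"])
    if SIDELOAD_PAIRS.get(exe) != dll:
        return None
    signed = str(ev.get("Signed", "false")).lower() == "true"
    if not signed or not _in_trusted_dir(ev["ImageLoaded"]):
        return f"sideload: {exe} loaded {ev['ImageLoaded']} (signed={signed})"
    return None


def check_process_create(ev):
    """Flag PowerShell spawned by node.exe, the implant chain the report describes."""
    parent = _lower_name(ev["ParentImage"])
    child = _lower_name(ev["Image"])
    if parent == "node.exe" and child in ("powershell.exe", "pwsh.exe"):
        return f"node->powershell: {ev['CommandLine']}"
    return None


def hunt(events):
    """Run both checks over a list of events and return the human-readable hits."""
    hits = []
    for ev in events:
        if ev["EventID"] == 7:
            hit = check_image_load(ev)
        elif ev["EventID"] == 1:
            hit = check_process_create(ev)
        else:
            hit = None
        if hit:
            hits.append(hit)
    return hits


# Constructed sample telemetry: two malicious side-loads, one benign vendor load,
# one Node.js -> PowerShell launch and one ordinary PowerShell launch.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\Public\Libs\fmapp.exe",
     "ImageLoaded": r"C:\Users\Public\Libs\fmapp.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\Fortemedia\fmapp.exe",
     "ImageLoaded": r"C:\Program Files\Fortemedia\fmapp.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\ProgramData\scan\sentinelmemoryscanner.exe",
     "ImageLoaded": r"C:\ProgramData\scan\sentinelagentcore.dll", "Signed": "false"},
    {"EventID": 1, "ParentImage": r"C:\Program Files\nodejs\node.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\Public\recon.ps1"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```

The image-load rule deliberately keys on the pair, not on the DLL name alone: the DLL is a legitimate filename, so the signal is the combination of a signed vendor EXE resolving its dependency from an untrusted directory or to an unsigned file. The process rule is broad on purpose; in most estates node.exe starting PowerShell is rare enough to review by hand.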
In the breach of the South Korean electronics manufacturer, MuddyWater likely conducted repeated PowerShell-based reconnaissance and re-ran the two side-loading binaries to maintain its foothold on the compromised machine. The initial access method used to infiltrate the organization has not been determined.
“The activity pattern aligns with implant-driven operations rather than an operator being constantly present,” the researchers explained. “Their campaign history points to a shift toward quieter, more methodical operations. While no single technique is brand new, together they signal a noticeable improvement in operational security compared to the Seedworm group we saw two or three years ago.”
This development follows the European Council’s move to sanction the Iranian entity Emennet Pasargad for hacking a Swedish SMS platform, stealing the contents of a French subscriber database to sell online, and spreading false advertising through hijacked digital billboards during the 2024 Paris Olympic Games.
According to the U.S. State Department, the company operates under the alias Shahid Shushtari and has links to Iran’s Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC). It’s recognized by several names, including Cobalt Obelisk, Cotton Sandstorm, Haywire Kitten (previously ChaoticOrchestra), Marnanbridge, and UNC5866.
“Members of Shahid Shushtari have inflicted substantial financial losses and disruption on U.S. businesses and government entities through synchronized cyber and cyber-backed information campaigns,” the State Department stated in December 2025. “These operations have hit various critical infrastructure sectors, such as media, shipping, travel, energy, finance, and telecommunications across the U.S., Europe, and the Middle East.”
Hackers backed by Iran have also been linked to a data theft campaign aimed at organizations in the U.S., Israel, Saudi Arabia, and Turkey from late March through early April 2026. At least two American targets were additionally hit with destructive actions like wiping partitions and erasing backup data.
While a pro-Iranian identity calling itself Ababil of Minab claimed responsibility for these incidents, a fresh analysis from Gambit Security traced the campaign’s infrastructure back to Iran’s Ministry of Intelligence and Security (MOIS).
Other victims included a media organization in Israel, an Israeli university, a Turkish insurance broker, and various additional websites in the restaurant, culture, digital services, and news industries.
No destructive actions were detected against these targets. Instead, the attackers deployed a custom-built C++ tool for file collection and exfiltration, internally labeled FileFiend.
“The binary could map out local drives and SMB shares, traverse directories, and transmit files to a hard-coded C2 [command-and-control] server,” wrote Gambit Security researchers Eyal Sela and Nir Varon in a report released today.
As an alternative, the attackers compressed sensitive data into RAR archives on a machine inside the victim's environment and placed them in the web root of the company's public website, then fetched them from outside using the Axel command-line download tool, with the connection routed through proxychains.
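Staging a dump in the web root turns the victim's own web server into the exfiltration channel, so the cheapest check is on the file system rather than the network: a fresh, large archive under the document root that nobody deployed. The script below is an added example, not Gambit Security's tooling, and assumes the web root is a local directory; the sample tree it builds in a temporary directory is constructed, and the age and size thresholds are assumptions to tune to the site.

```python
"""Find freshly staged archives under a web root (constructed sample tree)."""
import os
import tempfile
import time
from pathlib import Path

# Archive formats worth flagging; the report describes RAR, the rest are common alternatives.
ARCHIVE_SUFFIXES = {".rar", ".zip", ".7z", ".tar", ".gz"}


def find_staged_archives(web_root, max_age_hours=24, min_bytes=1_000_000):
    """Return archives under web_root that were modified recently and are large
    enough to plausibly be a data dump, as paths relative to web_root."""
    root = Path(web_root)
    cutoff = time.time() - max_age_hours * 3600
    hits = []
    for p in root.rglob("*"):
        if not p.is_file() or p.suffix.lower() not in ARCHIVE_SUFFIXES:
            continue
        st = p.stat()
        if st.st_mtime >= cutoff and st.st_size >= min_bytes:
            hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def build_sample_web_root():
    """Constructed web root: a small, month-old marketing zip (benign) and a
    fresh 1.5 MB RAR dropped at the top level (the staging pattern)."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "index.html").write_text("<html></html>")
    (root / "downloads").mkdir()
    brochure = root / "downloads" / "brochure.zip"
    brochure.write_bytes(b"\0" * 2048)
    old = time.time() - 30 * 86400
    os.utime(brochure, (old, old))  # backdate so it reads as a long-lived asset
    (root / "x7k.rar").write_bytes(b"Rar!" + b"\0" * 1_500_000)
    return str(root)


if __name__ == "__main__":
    for rel in find_staged_archives(build_sample_web_root()):
        print("staged archive:", rel)
```

Pair the file-system sweep with the access log: a single external client pulling one large archive, often as a burst of range requests (Axel opens several connections per download), stands out against normal traffic and gives you the downloader's source address.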