Strategy Shift in Iranian Cyberespionage

Hackers Spy on Electronics Manufacturers Worldwide


The hacking group MuddyWater is infiltrating industrial and financial companies across nine countries by smuggling malicious code in through legitimate system files.

The Iranian hacking group known as MuddyWater has been linked to a new, globally coordinated cyberespionage campaign. According to joint analyses by the threat teams at Symantec and Carbon Black, at least nine organizations in nine different countries across four continents were affected by the targeted attacks in the first quarter of 2026. The range of targeted industries is broad, spanning industrial and electronics manufacturing, educational institutions, public sector agencies, financial services providers, and professional consulting firms.


Among the most prominent victims is a major South Korean electronics manufacturer, in whose internal network the attackers were able to move undetected for over a week in February 2026. In addition, security analysts documented successful breaches at an international airport in the Middle East, at industrial manufacturing operations in Southeast Asia, and at a financial services provider in Latin America. The wide geographic and sectoral spread highlights the increased operational capacity of the actors.

Technical Exploitation of Legitimate System Components

A central feature of the current attack chain is the heavy use of so-called DLL side-loading. In this method, the attackers abuse the normal DLL loading behavior of the operating system so that a trusted executable loads and runs malicious code placed alongside it, disguised as a harmless component. Broadcom's cybersecurity teams found that MuddyWater primarily uses digitally signed, and therefore trusted, third-party binaries for this purpose. Specifically, this involves the application fmapp.exe from Fortemedia as well as the file sentinelmemoryscanner.exe, which normally belongs to a security and antivirus product from SentinelOne.

The deliberate repurposing of well-known security software is considered a calculated strategy among experts, since signed system files are often exempted from deep inspection by conventional, signature-based Endpoint Detection and Response systems. Through fmapp.exe, the attackers inject a manipulated fmapp.dll whose code establishes a connection to an attacker-controlled IP address. The SentinelOne tool, in turn, is used to anchor the malicious file sentinelagentcore.dll in system memory.


Data Theft Through ChromElevator and PowerShell Scripts

Both malicious DLL files serve as carriers for an open-source tool called ChromElevator. This software was developed specifically to systematically extract confidential user data such as passwords, session cookies, and payment card details from web browsers based on the Chromium architecture. The tool completely bypasses the modern protection mechanism known as App-Bound Encryption, which binds stored browser secrets to the browser application itself. Alongside the browser infiltration tool, MuddyWater relies on a combination of Node.js environments and PowerShell scripts.

Through an implant based on node.exe, the perpetrators inject code responsible for internal network reconnaissance, taking screenshots, and stealing the SAM database for local privilege escalation. To obscure the data outflow, the hackers set up SOCKS5 reverse proxy tunnels. In at least one confirmed case, the exfiltrated data sets were temporarily stored on the public file transfer service sendit.sh in order to conceal the direct flow to a known attacker server and to minimize detection by anomaly filters in network traffic.

Attacks Point to Implant Driven Automation

Analysis of the attacks on the South Korean electronics company shows that the hackers controlled the reconnaissance processes and the repeated execution of the manipulated binaries at fixed intervals. IT security researchers emphasize that this rhythm strongly suggests purely implant driven automation rather than the constant manual presence of a human operator within the system. Taken as a whole, the history of MuddyWater’s campaigns shows a clear evolution toward quieter and more disciplined operations.
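The fixed-interval rhythm the researchers describe is something a defender can measure directly: for each (host, binary) pair, the gaps between successive executions of an implant are nearly constant, while a human-operated program runs at irregular times. The following is an added illustration, not code from the article or from Symantec or Carbon Black. It parses a constructed process-creation log (host names, times and paths are hypothetical) and flags binaries whose inter-run intervals have a very low coefficient of variation.

```python
"""Flag binaries that are re-executed at fixed intervals.

Added illustration only. The log below is constructed; host name, times and
paths are hypothetical. Format per line: "<UTC time> <host> <image path>".
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SAMPLE_LOG = r"""
2026-02-10T08:00:00Z WS-0042 C:\Users\Public\Libraries\fmapp.exe
2026-02-10T08:03:11Z WS-0042 C:\Windows\System32\notepad.exe
2026-02-10T08:30:02Z WS-0042 C:\Users\Public\Libraries\fmapp.exe
2026-02-10T08:41:50Z WS-0042 C:\Windows\System32\notepad.exe
2026-02-10T09:00:01Z WS-0042 C:\Users\Public\Libraries\fmapp.exe
2026-02-10T09:15:00Z WS-0042 C:\Windows\System32\cmd.exe
2026-02-10T09:29:59Z WS-0042 C:\Users\Public\Libraries\fmapp.exe
2026-02-10T09:45:00Z WS-0042 C:\Windows\System32\cmd.exe
2026-02-10T10:00:03Z WS-0042 C:\Users\Public\Libraries\fmapp.exe
2026-02-10T10:30:00Z WS-0042 C:\Users\Public\Libraries\fmapp.exe
2026-02-10T11:12:05Z WS-0042 C:\Windows\System32\notepad.exe
2026-02-10T13:58:40Z WS-0042 C:\Windows\System32\notepad.exe
2026-02-10T14:02:15Z WS-0042 C:\Windows\System32\notepad.exe
2026-02-10T16:45:00Z WS-0042 C:\Windows\System32\notepad.exe
"""


def parse_log(text):
    """Group execution timestamps by (host, image)."""
    runs = defaultdict(list)
    for line in text.strip().splitlines():
        ts, host, image = line.split(" ", 2)
        runs[(host, image.lower())].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return runs


def interval_stats(times):
    """Return (gap_count, mean_gap_seconds, coefficient_of_variation).

    With fewer than two gaps there is no rhythm to judge, so the stats are None.
    """
    ts = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return len(gaps), None, None
    m = mean(gaps)
    cv = pstdev(gaps) / m if m else float("inf")
    return len(gaps), m, cv


def find_periodic(text, min_gaps=4, max_cv=0.05):
    """Return (host, image) pairs whose run intervals are nearly constant.

    min_gaps guards against calling two coincidental runs a beacon; max_cv
    tolerates a few seconds of jitter around a 30-minute period but rejects
    the wide spread of interactive use.
    """
    hits = []
    for (host, image), times in parse_log(text).items():
        n, m, cv = interval_stats(times)
        if n >= min_gaps and cv is not None and cv <= max_cv:
            hits.append({"host": host, "image": image, "runs": n + 1,
                         "mean_interval_s": m, "cv": cv})
    return hits


if __name__ == "__main__":
    for hit in find_periodic(SAMPLE_LOG):
        print(f"{hit['host']} {hit['image']}: {hit['runs']} runs, "
              f"every {hit['mean_interval_s']:.0f}s (cv={hit['cv']:.4f})")
```

In the constructed log, fmapp.exe runs six times about thirty minutes apart with a few seconds of jitter and is flagged; notepad.exe runs just as often but at irregular intervals, and cmd.exe runs only twice, so neither is reported. A real deployment would read the same fields from process-creation telemetry and also look at the network connections made in the same rhythm.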

Although the techniques used are not novel in themselves, their combination demonstrates a significant increase in operational hygiene compared to the activities documented two or three years ago under the name Seedworm. This professionalization coincides with tightened international sanctions. The European Council recently imposed sanctions on the Iranian company Emennet Pasargad, which is connected to the Cyber Electronic Command of the Iranian Revolutionary Guards. The company is accused of carrying out cyber operations during the 2024 Olympic Games in Paris as well as massive disinformation campaigns and acts of sabotage against critical infrastructure in the United States and Europe.

Parallel Destructive Campaigns and the Tool FileFiend

These espionage activities are accompanied by a parallel campaign that ran between late March and early April 2026. A report published by Gambit Security links this infrastructure directly to the Iranian Ministry of Intelligence and Security, even though the acts were claimed online under the pseudonym Ababil of Minab. These attacks targeted entities in the United States, Israel, Saudi Arabia, and Turkey. While victims in Israel and Turkey, among them a media company, a university, and an insurance broker, were primarily subjected to espionage, at least two companies in the US energy and logistics sectors experienced destructive operations.

The attackers deliberately deleted disk partitions and destroyed existing backups in order to permanently cripple operations. In the pure espionage incidents, the actors deployed a custom data collection tool written in C++ called FileFiend. This software is capable of systematically searching local drives as well as SMB network shares and transferring the identified files directly to a hardcoded command-and-control server. Alternatively, the perpetrators compress the data into RAR archives in the web root of the victim's public company website, in order to then siphon it off unnoticed using the command-line download accelerator Axel and proxy chains.
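Staging archives in a public web root, as described above, leaves a simple artifact a defender can sweep for. The following is an added illustration, not code from the article or from Gambit Security: it walks a web root and identifies archive files by their magic bytes rather than their extension, so an archive renamed to look like an image is still found. The sample web root is constructed in a temporary directory; its file names and contents are hypothetical.

```python
"""Sweep a web root for staged archives, identified by content rather than name.

Added illustration only. The sample web root is constructed in a temporary
directory; file names and contents are hypothetical.
"""
import os
import tempfile

# Leading bytes of archive formats that are commonly staged for later download.
ARCHIVE_MAGIC = {
    b"Rar!\x1a\x07": "rar",       # RAR4 and RAR5 share this prefix
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
}

# Extensions a web server is expected to serve; an archive wearing one of these
# names has been disguised deliberately.
EXPECTED_EXT = {".html", ".htm", ".css", ".js", ".png", ".jpg", ".svg", ".ico", ".txt"}


def sniff_archive(path):
    """Return the archive kind of a file based on its first bytes, or None."""
    with open(path, "rb") as f:
        head = f.read(8)
    for magic, kind in ARCHIVE_MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def find_staged_archives(root):
    """Return archives under root, sorted by relative path, noting disguised names."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            kind = sniff_archive(full)
            if kind is None:
                continue
            ext = os.path.splitext(name)[1].lower()
            hits.append({
                "path": os.path.relpath(full, root).replace(os.sep, "/"),
                "kind": kind,
                "disguised": ext in EXPECTED_EXT,
            })
    return sorted(hits, key=lambda h: h["path"])


def build_sample_webroot():
    """Create a constructed web root with two genuine assets and three staged archives."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "assets"))
    files = {
        "index.html": b"<html><body>hello</body></html>",
        "assets/site.css": b"body{margin:0}",
        "assets/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "assets/update.rar": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 32,  # RAR5 header
        "assets/banner.png": b"Rar!\x1a\x07\x00" + b"\x00" * 32,      # RAR4 renamed as an image
        "backup.zip": b"PK\x03\x04" + b"\x00" * 26,
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for hit in find_staged_archives(build_sample_webroot()):
        flag = " (disguised)" if hit["disguised"] else ""
        print(f"{hit['path']}: {hit['kind']}{flag}")
```

Run against a real web root the sweep is cheap enough to schedule, and the hits worth looking at first are the disguised ones, since a legitimately published download would carry its own extension. Pairing the sweep with web server access logs for the flagged paths shows whether anything has already fetched them.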

Lisa Löw
Junior Editor
it-daily.net
