Iran-linked MuddyWater — tracked by some researchers as Seedworm or Static Kitten — conducted an espionage campaign in early 2026 targeting at least nine organizations globally, with the most prominent confirmed victim being a major South Korean electronics manufacturer. Analysis published by Symantec’s Threat Hunter Team documented a February 20–27, 2026 operation against the South Korean target in which the group weaponized legitimate, digitally signed software from recognized security and technology vendors as vehicles for loading malicious DLLs into memory — a technique designed to blend malicious activity into processes that defenders treat as trusted.
MuddyWater’s February 2026 Attack on a South Korean Electronics Maker
The intrusion against the South Korean electronics company, which Symantec did not name, ran for eight days between February 20 and February 27, 2026. MuddyWater’s objective across this campaign was intelligence collection: the group stole credentials, harvested browser data, and exfiltrated files, consistent with its historical focus on gathering information from organizations aligned with Iranian geopolitical intelligence priorities.
Attribution to MuddyWater rests on Symantec’s Threat Hunter Team’s assessment of operational patterns, tooling, and techniques historically associated with the Iranian-linked group — factors that held consistent across the nine confirmed targets in the campaign.
DLL Sideloading via Fortemedia and SentinelOne Signed Executables
The central technique in the campaign was DLL sideloading through legitimate signed binaries from vendors whose software is commonly present in enterprise environments. MuddyWater paired Fortemedia’s fmapp.exe — a legitimate audio management executable — with a malicious replacement fmapp.dll placed in the same directory. When the signed Fortemedia binary executes, it resolves the DLL by name and Windows loads the attacker’s copy into the trusted process. Because the parent process is a known, signed executable, the behavior can pass initial scrutiny in endpoint telemetry.
The group applied the same technique using a SentinelOne component: sentinelmemoryscanner.exe, a legitimate SentinelOne binary, was paired with a malicious sentinelagentcore.dll. The choice of a security vendor’s executable is deliberate — defenders are unlikely to flag activity originating from a process associated with their own security tooling, and security product names often appear in allowlists or receive reduced scrutiny in detection rules.
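One defensive check the two pairings above suggest is to inspect module-load telemetry for DLLs that sit beside a signed executable but are unsigned, carry an invalid signature, or are signed by a different publisher than the executable’s vendor. The following is an added example, not Symantec’s or either vendor’s code; the records are constructed Sysmon Event ID 7 samples, and the publisher strings in EXPECTED_PUBLISHER are placeholders to be replaced from a real software inventory.

```python
import ntpath  # Windows path semantics regardless of the analysis host

# Constructed Sysmon Event ID 7 (Image Loaded) records. Field names follow the
# Sysmon schema; values are sample data, not indicators from the report.
EVENTS = [
    # Normal: signed Windows DLL from System32 loaded into the Fortemedia process.
    {"Image": r"C:\Program Files\Fortemedia\fmapp.exe",
     "ImageLoaded": r"C:\Windows\System32\advapi32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    # Campaign pairing: unsigned fmapp.dll dropped beside fmapp.exe in a user path.
    {"Image": r"C:\Users\Public\audio\fmapp.exe",
     "ImageLoaded": r"C:\Users\Public\audio\fmapp.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    # Campaign pairing: SentinelOne binary loading a DLL signed by another publisher.
    {"Image": r"C:\ProgramData\s1\sentinelmemoryscanner.exe",
     "ImageLoaded": r"C:\ProgramData\s1\sentinelagentcore.dll",
     "Signed": "true", "Signature": "Example Self-Signed Corp", "SignatureStatus": "Valid"},
    # Benign same-directory load: signer matches the process's known publisher.
    {"Image": r"C:\Program Files\Fortemedia\fmapp.exe",
     "ImageLoaded": r"C:\Program Files\Fortemedia\fmaudio.dll",
     "Signed": "true", "Signature": "Fortemedia Inc.", "SignatureStatus": "Valid"},
]

# Assumed publisher inventory for the executables named in the report
# (placeholder signer strings; take the real values from your own inventory).
EXPECTED_PUBLISHER = {
    "fmapp.exe": "Fortemedia Inc.",
    "sentinelmemoryscanner.exe": "SentinelOne Inc.",
}

def sideload_findings(events, expected=EXPECTED_PUBLISHER):
    """Return (process, dll, reason) for side-by-side DLL loads that fail checks."""
    findings = []
    for e in events:
        proc, dll = e["Image"], e["ImageLoaded"]
        # Precondition for sideloading: the DLL lives in the executable's directory.
        if ntpath.dirname(proc).lower() != ntpath.dirname(dll).lower():
            continue
        if e["Signed"].lower() != "true" or e["SignatureStatus"] != "Valid":
            findings.append((proc, dll, "unsigned or invalid signature"))
            continue
        publisher = expected.get(ntpath.basename(proc).lower())
        if publisher and e["Signature"] != publisher:
            findings.append((proc, dll, f"signer {e['Signature']!r} != {publisher!r}"))
    return findings

if __name__ == "__main__":
    for proc, dll, reason in sideload_findings(EVENTS):
        print(f"{proc} loaded {dll}: {reason}")
```

Without a publisher inventory the signer-mismatch rule is skipped, so the SentinelOne case would only surface through the unsigned/invalid check; the inventory is what makes a validly signed but foreign DLL stand out.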
Credential Theft Tools and Data Exfiltration via sendit.sh
Beyond the DLL sideloading mechanism, MuddyWater deployed a range of supplementary tools throughout the campaign. PowerShell scripts controlled through Node.js loaders handled post-exploitation execution. ChromElevator, a browser credential extraction utility, was used to harvest credentials stored in Chrome. Fake Windows authentication prompts were displayed to victims to capture credentials entered in apparent system dialogs. Registry hive theft enabled offline credential extraction from the victim’s SAM database.
For data exfiltration, MuddyWater used sendit.sh, a publicly accessible file-sharing service, to move collected data out of victim environments. Using a legitimate public service for exfiltration is a technique intended to avoid detection by network controls that look for connections to known malicious infrastructure — outbound traffic to a generic file-sharing platform generates less scrutiny than connections to flagged command-and-control hosts.
Nine Organizations Targeted Across Five Sectors Globally
Symantec’s research identified nine confirmed targets across the campaign. Beyond the South Korean electronics manufacturer, targeted sectors included government agencies, international airports in the Middle East, industrial manufacturers in Asia, and educational institutions. The breadth of targets is consistent with Iranian strategic intelligence collection: government agencies provide diplomatic and policy intelligence, airports offer logistics and transit visibility, and industrial manufacturers hold technology and production data.
MuddyWater has operated persistently for years as one of Iran’s most active cyber espionage groups, with previous campaigns documented against telecommunications infrastructure, defense contractors, and government entities across the Middle East, Europe, and Asia. The group’s continued adaptation of living-off-the-land techniques — using trusted vendor binaries rather than purpose-built malware — reflects an operational posture that prioritizes persistence and detection evasion over the speed of more aggressive attack frameworks.
