MuddyWater's DLL Side-Loading Espionage Campaign Spans 9 Countries
- May 26
- 3 min read
Key Findings
MuddyWater conducted a widespread espionage campaign affecting at least nine organizations across nine countries on four continents in Q1 2026
Targets included a major South Korean electronics manufacturer, a Middle Eastern airport, Southeast Asian industrial firms, and Latin American financial services
Attackers used DLL side-loading with legitimate binaries (fmapp.exe and sentinelmemoryscanner.exe) to execute malicious code while evading detection
ChromElevator malware was deployed to steal passwords, cookies, and payment card data from Chromium browsers, bypassing App-Bound Encryption protections
Node.js and PowerShell were leveraged for reconnaissance, credential theft, lateral movement, and establishing persistent access
The campaign demonstrates significantly improved operational security compared to MuddyWater's previous activity
Background
MuddyWater, an Iranian state-sponsored hacking group affiliated with the Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC), has long been tracked as a sophisticated threat actor. The group has been linked to multiple intrusions targeting critical infrastructure, businesses, and government agencies across multiple continents. Recent sanctions and designations have tied associated entities like Shahid Shushtari (operating under aliases including Cobalt Obelisk and Cotton Sandstorm) to significant financial damage and disruption campaigns affecting U.S. and allied interests.
Targeting and Scope
The campaign impacted organizations across diverse sectors including industrial and electronics manufacturing, education, public administration, financial services, and professional services. A notable victim was a major South Korean electronics manufacturer where attackers maintained access for approximately one week in February 2026. Additional targets encompassed an international airport in the Middle East and various industrial manufacturers throughout Southeast Asia. The geographic spread across four continents and nine countries suggests a coordinated, resource-intensive operation targeting high-value intelligence collection objectives.
Technical Approach: DLL Side-Loading
The attackers' primary infection mechanism relied on DLL side-loading using legitimately signed binaries. Two specific techniques were identified. The first paired fmapp.exe (a Fortemedia application binary) with fmapp.dll to execute malicious code while appearing benign. This technique had previously been documented in Operation Olalampo. The second pairing abused sentinelmemoryscanner.exe, a legitimate SentinelOne security product binary, to sideload sentinelagentcore.dll. This choice appeared deliberate, as security product binaries are often whitelisted by endpoint detection systems, effectively bypassing signature-based defenses.
Credential Theft and Data Exfiltration
Both malicious DLLs embedded ChromElevator, an open-source tool designed to extract sensitive data from Chromium-based browsers including passwords, cookies, and payment card information. The significance of this approach lies in its ability to circumvent App-Bound Encryption protections that browser vendors have implemented. Stolen credentials were leveraged to facilitate lateral movement across compromised networks. In at least one case, attackers staged exfiltrated data on sendit.sh, a public file-transfer service, for eventual retrieval.
Command and Control Infrastructure
The malicious DLLs were configured to beacon to attacker-controlled infrastructure at IP address 157.20.182.49. This relatively small infrastructure footprint suggests either compartmentalization or reuse across multiple campaigns. The attackers maintained persistence through repeated re-execution of the DLL side-loading pairs, ensuring continued access to compromised systems even if individual sessions were terminated.
Reconnaissance and Lateral Movement
MuddyWater deployed Node.js-based implants that executed PowerShell scripts for reconnaissance activities. These scripts performed discovery operations, captured screenshots, extracted SAM hive credentials, attempted privilege escalation, and established SOCKS5 reverse-proxy tunnels for covert command and control. The use of scripting languages like PowerShell and Node.js allowed attackers to operate with minimal additional binary artifacts on disk, reducing detection opportunities. In the South Korean manufacturer intrusion, PowerShell-based reconnaissance was repeatedly executed, suggesting the attackers were methodically mapping the network before conducting targeted data collection.
Operational Evolution
Security researchers noted that MuddyWater's operational tempo and tradecraft reflect a significant maturation from the group's previous activity two to three years prior. While individual techniques employed were not novel, their combination demonstrated increased operational discipline and security awareness. The attackers maintained what researchers characterized as implant-driven activity rather than continuous operator presence, suggesting a more measured approach designed to minimize detection risk. This shift toward "quieter, more disciplined operations" represents a meaningful evolution in the group's capabilities and suggests ongoing training and refinement of tactics.
Broader Iranian Cyber Activity
This campaign occurs within a wider context of Iranian cyber operations. Related Iranian state-sponsored entities were simultaneously conducting destructive operations against organizations in the U.S., Israel, Saudi Arabia, and Turkey between late March and early April 2026. Infrastructure analysis linked these operations to Iran's Ministry of Intelligence and Security (MOIS) despite initial claims from pro-Iranian personas. These parallel campaigns indicate sustained, multi-faceted Iranian cyber operations targeting multiple countries and sectors simultaneously, suggesting either multiple autonomous operational groups or a highly compartmentalized structure within Iranian cyber command.
Sources
https://thehackernews.com/2026/05/muddywater-uses-dll-side-loading-in.html
https://www.socdefenders.ai/item/4b51b85a-c420-4b1d-905f-98b8f203f4b1
https://x.com/TweetThreatNews/status/2059352644418670802
https://www.youtube.com/shorts/LiWvizibZDM
https://www.linkedin.com/posts/the-cyber-security-hub_muddywater-uses-dll-side-loading-in-espionage-activity-7465110194335739906-GNR7

Comments