Full Report
The Iranian hacking group known as MuddyWater has been linked to a new campaign affecting at least nine organizations across nine countries on four continents in the first quarter of 2026. The activity targeted industrial and electronics manufacturing, education and public-sector bodies, financial services, and professional services, per the Threat Hunter Team from Symantec and Carbon Black.
Analysis Summary
# Threat Actor: MuddyWater
## Attribution & Identity
* **Name:** MuddyWater
* **Aliases:** Seedworm, Boggy Serengeti, TEMP.Zagros.
* **Associated Groups:** Affiliated with Iran's Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC).
* **Note on Related Entities:** The article mentions sanctions against **Emennet Pasargad** (aka Shahid Shushtari, Cobalt Obelisk, Cotton Sandstorm, Haywire Kitten, Marnanbridge, UNC5866), another IRGC-linked entity, indicating a broader ecosystem of Iranian state-sponsored activity.
## Activity Summary
In the first quarter of 2026, MuddyWater launched a widespread espionage campaign affecting at least nine organizations across four continents. The campaign is characterized by increased "operational hygiene," moving toward quieter, disciplined, implant-driven activity rather than continuous manual operator presence.
## Tactics, Techniques & Procedures
* **DLL Side-Loading:** Abuse of legitimate signed binaries to host malicious DLLs.
    * `fmapp.exe` (Fortemedia) loads `fmapp.dll`.
    * `sentinelmemoryscanner.exe` (SentinelOne) loads `sentinelagentcore.dll`.
* **Credential Theft:** Use of an open-source tool, **ChromElevator**, to bypass Google Chrome’s App-Bound Encryption (ABE) and siphon passwords, cookies, and card data.
* **Living-off-the-Land (LotL):** Heavy reliance on PowerShell for discovery and reconnaissance.
* **Execution Chain:** Use of Node.js scripts (`node.exe`) to drop and launch PowerShell-based implants.
* **Persistence & Lateral Movement:** Systematic dumping of credentials and re-execution of side-loading pairs to maintain access.
* **Exfiltration:** Staging stolen data on a public file-transfer service (`sendit[.]sh`).
* **Tunneling:** Deployment of SOCKS5 reverse-proxy tunneling for covert traffic relay.
## Targeting
* **Sectors:** Industrial and electronics manufacturing, education, public-sector bodies, financial services, professional services, and aviation (airports).
* **Geography:** Global (9 countries across 4 continents); the regions named are South Korea, Southeast Asia, the Middle East (MENA region), and Latin America.
* **Victims:**
    * A major South Korean electronics manufacturer (February 2026).
    * An international airport in the Middle East.
    * Southeast Asian industrial manufacturers.
    * A Latin American financial-services provider.
## Tools & Infrastructure
* **Malware/Tools:**
    * ChromElevator (open-source Chromium credential stealer).
    * Custom Node.js-based implants.
    * PowerShell scripts for SAM hive theft and screenshot capture.
* **Infrastructure:**
    * **C2 IP:** `157.20.182[.]49`
    * **Exfiltration Site:** `sendit[.]sh` (public file-transfer service).
## Implications
MuddyWater has demonstrated a significant evolution in operational maturity. By shifting to "disciplined" implant-driven activity and using security software binaries (SentinelOne) for side-loading, the group is successfully bypassing traditional signature-based detections. The group's focus on manufacturing and electronics suggests a strategic interest in intellectual property and supply-chain intelligence alongside traditional political espionage.
## Mitigations
* **DLL Side-Loading Defense:** Enforce strict folder and file access controls, and monitor for execution of known side-loading host binaries (such as `fmapp.exe` or `sentinelmemoryscanner.exe`) from unconventional directory paths.
* **PowerShell Monitoring:** Enable enhanced PowerShell logging (Script Block Logging) to detect discovery commands and SAM hive access attempts.
* **Credential Protection:** Monitor for unauthorized access to Chromium browser data folders and enforce hardware-based MFA to mitigate the impact of stolen session cookies.
* **Network Filtering:** Block known public file-sharing domains like `sendit[.]sh` if they are not required for business operations.
* **Process Auditing:** Monitor for `node.exe` spawning PowerShell or cmd.exe, as this is a primary indicator of their 2026 execution chain.
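The process-auditing and side-loading checks above, turned into detection logic over constructed Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) records. This is an added example, not code from the Symantec/Carbon Black report; the "expected" install directories and the sample events are assumptions for illustration.

```python
# Binaries and DLLs named in the report as side-loading pairs: host -> DLL.
SIDELOAD_PAIRS = {
    "fmapp.exe": "fmapp.dll",
    "sentinelmemoryscanner.exe": "sentinelagentcore.dll",
}
# Assumed legitimate install roots; tune to the estate being monitored.
EXPECTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe")

def basename(path):
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Return the alerts raised by one Sysmon-style event (empty if benign)."""
    alerts = []
    image_path = ev.get("Image", "")
    image = basename(image_path)
    if ev.get("EventID") == 1:                         # process creation
        parent = basename(ev.get("ParentImage", ""))
        if parent == "node.exe" and image in SHELLS:
            alerts.append(f"node.exe spawned {image} (reported execution chain)")
        if image in SIDELOAD_PAIRS and not image_path.lower().startswith(EXPECTED_DIRS):
            alerts.append(f"{image} executed from unconventional path {image_path}")
    elif ev.get("EventID") == 7:                       # image (DLL) load
        loaded = basename(ev.get("ImageLoaded", ""))
        if SIDELOAD_PAIRS.get(image) == loaded and ev.get("Signed", "").lower() != "true":
            alerts.append(f"{image} loaded unsigned {loaded} (possible side-loading)")
    return alerts

def scan(events):
    """Return (event index, alert text) pairs for a sequence of events."""
    return [(i, a) for i, ev in enumerate(events) for a in check_event(ev)]

# Constructed sample telemetry for this example; not real victim data.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Program Files\\Fortemedia\\fmapp.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},                        # benign
    {"EventID": 1, "Image": "C:\\Users\\Public\\fmapp.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},                        # odd path
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Users\\Public\\node.exe"},                      # node -> PowerShell
    {"EventID": 7, "Image": "C:\\Users\\Public\\sentinelmemoryscanner.exe",
     "ImageLoaded": "C:\\Users\\Public\\sentinelagentcore.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for idx, alert in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {alert}")
```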