The Iranian hacking group known as MuddyWater has been linked to a new campaign affecting at least nine organizations in nine countries across four continents in the first quarter of 2026.
According to Symantec and Carbon Black's Threat Hunter team, the activity targeted industrial and electronics manufacturing, education and public-sector bodies, financial services, and professional services. The victims also include a major South Korean electronics manufacturer, where the attackers spent a week inside the network in February 2026.
An international airport in the Middle East, a Southeast Asian industrial manufacturer and a Latin American financial-services provider were also targeted as part of the broader spying effort.
“The attackers relied heavily on DLL side-loading by using legitimately signed ForteMedia (fmapp.exe) and SentinelOne (sentinelmemoryscanner.exe) binaries to execute malicious DLLs,” Broadcom’s cybersecurity teams said.
The use of "fmapp.exe" to sideload "fmapp.dll" was previously documented by Group-IB in connection with another MuddyWater campaign called Operation Olalampo. According to Huntress, the DLL contains code to connect to an attacker-controlled IP address (157.20.182[.]49).
The misuse of "sentinelmemoryscanner.exe", a binary associated with a security product, is believed to be a deliberate choice, as it can help the activity evade signature-based detection. It is used to sideload a rogue DLL named "sentinelagentcore.dll".
Both DLLs embed an open-source tool called ChromeElevator to siphon passwords, cookies, and payment-card data from Chromium-based browsers, effectively bypassing app-bound encryption (ABE) protection.
A notable aspect of the attacks is the use of Node.js scripts to launch the PowerShell code responsible for reconnaissance and information gathering. In at least one instance, the attackers were found uploading stolen data to Sendit[.]sh, a public file-transfer service.
“A Node.exe-based implant series was used to drop PowerShell scripts that performed reconnaissance, screenshot capture, SAM hive evasion, privilege escalation, and SOCKS5 reverse-proxy tunneling,” Symantec and Carbon Black said.
Both DLL side-loading pairs are also used to give the attackers a covert tunnel for relaying traffic and to launch ChromeElevator. The attacks are further characterized by attempts to dump credentials that would enable lateral movement across the network.
In the intrusion that targeted the South Korean electronics manufacturer, MuddyWater is believed to have repeatedly executed PowerShell-based reconnaissance and to have re-executed two binaries to maintain access to the compromised host. The initial access vector used to breach the organization is unknown.
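A small hunting check for the two side-loading pairs and the Node.js-to-PowerShell chain described above. This is an added example with constructed Sysmon-style events, not tooling from the report; the file paths and the event field names (Image, ImageLoaded, Signed, ParentImage) are assumptions modelled on Sysmon event IDs 7 and 1.

```python
import os

# Legitimately signed host binary -> rogue DLL it side-loads, as named in the report.
SIDELOAD_PAIRS = {
    "fmapp.exe": "fmapp.dll",
    "sentinelmemoryscanner.exe": "sentinelagentcore.dll",
}

def _base(path):
    """Case-insensitive basename of a Windows path (works on any host OS)."""
    return os.path.basename(path.replace("\\", "/")).lower()

def sideload_alerts(image_loads):
    """image_loads: Sysmon EID 7-style dicts (Image, ImageLoaded, Signed).
    Flags a known pair only when the DLL is unsigned, so a vendor's own
    signed DLL next to its signed binary does not fire."""
    alerts = []
    for ev in image_loads:
        host, dll = _base(ev["Image"]), _base(ev["ImageLoaded"])
        if SIDELOAD_PAIRS.get(host) == dll and ev.get("Signed", "false").lower() != "true":
            alerts.append({"host": host, "dll": dll, "path": ev["ImageLoaded"]})
    return alerts

def node_powershell_alerts(proc_events):
    """proc_events: Sysmon EID 1-style dicts (ParentImage, Image).
    Flags PowerShell spawned by node.exe, the implant-to-script chain in the report."""
    return [ev for ev in proc_events
            if _base(ev["ParentImage"]) == "node.exe"
            and _base(ev["Image"]) in ("powershell.exe", "pwsh.exe")]

# Constructed sample telemetry; paths are illustrative, not taken from the report.
IMAGE_LOADS = [
    {"Image": r"C:\Users\Public\fmapp.exe", "ImageLoaded": r"C:\Users\Public\fmapp.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\ForteMedia\fmapp.exe", "ImageLoaded": r"C:\Program Files\ForteMedia\fmapp.dll", "Signed": "true"},
    {"Image": r"C:\Temp\sentinelmemoryscanner.exe", "ImageLoaded": r"C:\Temp\sentinelagentcore.dll", "Signed": "false"},
    {"Image": r"C:\Windows\notepad.exe", "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
]
PROC_EVENTS = [
    {"ParentImage": r"C:\Users\Public\node.exe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

if __name__ == "__main__":
    for a in sideload_alerts(IMAGE_LOADS):
        print("side-load:", a)
    for p in node_powershell_alerts(PROC_EVENTS):
        print("node->powershell:", p["Image"])
```

On real telemetry, feed the functions parsed Sysmon records and treat any hit as a lead to confirm against the DLL's hash and signer, not as a verdict on its own.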
“The rhythm is again consistent with implant-driven activity rather than the presence of a sustained operator,” the researchers said. “Its campaign history shows a clear move toward quieter, more disciplined operations. None of these techniques are individually innovative, but in combination they provide more evidence of a significant step up in operational cleanliness from the sideworms that we knew about two or three years ago.”
The development comes as the European Council imposed sanctions against Iranian company Emennet Pasargadh for hacking a Swedish SMS service, accessing the contents of a French customer database and putting it up for sale, and spreading misinformation through compromised advertising hoardings during the 2024 Paris Olympic Games.
According to the US State Department, the company also goes by the name Shahid Shushtari and is affiliated with Iran's Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC). It is tracked under the aliases Cobalt Obelisk, Cotton Sandstorm, Haywire Kitten (formerly ChaoticOrchestra), Marnanbridge, and UNC5866.
In December 2025 the State Department noted that "members of Shahid Shushtari have caused significant financial damage and disruption to U.S. businesses and government agencies through coordinated cyber and cyber-enabled information operations" and that "these campaigns have targeted a number of critical infrastructure sectors in the United States, Europe and the Middle East, including news, shipping, travel, energy, financial and telecommunications."
Iran-backed hackers have also been linked to an intrusion campaign aimed at organizations in the US, Israel, Saudi Arabia and Turkey between late March and early April 2026, with at least two US victims also subjected to destructive actions such as partitioning and deleting data backups.
Although the events were claimed by a pro-Iranian persona known as Ababil of Minab, a new analysis from Gambit Security has linked the campaign's infrastructure to Iran's Ministry of Intelligence and Security (MOIS).
Other targets include an Israeli organization in the media sector, an Israeli higher education institution, a Turkish insurance brokerage and several additional websites in the restaurant, culture, digital services and news sectors.
No destructive activity has been observed against these victims. In these cases, the adversary has been found using a custom C++ file collection and exfiltration tool internally codenamed FileFiend.
"The binary can enumerate local drives and SMB shares, run on file systems, and send files to a hard-coded C2 [command-and-control] server," Gambit Security researchers Eyal Sela and Nir Varon said in a report published today.
In other cases, the data of interest is compressed into RAR archives on a host inside the victim environment and uploaded to the web root of the organization's public website, from where it is retrieved using the axel command-line download accelerator and tunneled through proxychains.