Iran-Linked MuddyWater Group Breached Organizations in 9 Countries in Q1 2026, Including Major Electronics Maker
- Global scope: Iran-linked APT MuddyWater compromised at least nine organizations in nine countries across four continents in Q1 2026, among them an unnamed major electronics maker.
- DLL sideloading: The threat actor abused signed, legitimate Fortemedia and SentinelOne executables in its attacks.
- Focus: Implants focused on reconnaissance, screenshot capture, SAM hive theft, privilege escalation, and SOCKS5 reverse-proxy tunneling.
MuddyWater, an Iran-linked advanced persistent threat (APT) group, compromised at least nine organizations across nine countries on four continents. Widely believed to be linked to the Iranian Ministry of Intelligence and Security (MOIS), the threat actor, also known as Seedworm, Temp Zagros, and Static Kitten, carried out a sprawling cyberespionage campaign in the first quarter of 2026.
DLL Sideloading and Malicious Implants
The targeted sectors spanned industrial and electronics manufacturing, education, public-sector bodies, financial services, and professional services. Notably, the threat actors breached an unnamed major South Korean electronics manufacturer and Southeast Asian industrial manufacturers.
The APT maintained unauthorized access to the electronics manufacturer’s network for approximately a week in February 2026, according to a new report from Broadcom’s Symantec. While the initial infection vector is unknown, the first observed malicious activity on the targeted host occurred on February 20, 2026.
To evade endpoint detection, MuddyWater utilized DLL sideloading by abusing legitimate, signed binaries – Fortemedia's fmapp.exe and SentinelOne's sentinelmemoryscanner.exe.
Both sideloaded malicious DLLs contained ChromElevator, a publicly available post-exploitation utility designed for covert credential extraction from Chromium-based browsers.
Payload Delivery and Data Exfiltration
Reflecting a tactical shift in operational tradecraft, the group utilized a Node.js runtime environment to deliver advanced PowerShell scripts that executed system reconnaissance, automated screenshot capture, SAM hive credential theft, privilege escalation, and SOCKS5 reverse-proxy tunneling.
To complete the operation without triggering network perimeter alerts, the operators exfiltrated the stolen data through sendit.sh, a public file-transfer service, blending the outbound transfer with ordinary traffic to consumer cloud services.
Broadcom’s Symantec and Carbon Black security researchers, in March, attributed cyberattacks on U.S., Canadian, and Israeli networks and critical infrastructure to MuddyWater, which maintained persistence since at least early February. Around the same time, Trellix released a report on Iranian-linked threat activity from 2024 onward.