MuddyWater uses signed DLL side-loading across nine countries

Iran-linked MuddyWater used signed Fortemedia and SentinelOne binaries to DLL side-load malware and breach nine organizations across nine countries in Q1 2026.

Iran-linked hacking group MuddyWater used DLL side-loading with legitimately signed Fortemedia and SentinelOne binaries to breach at least nine organizations across nine countries in the first quarter of 2026. Targets included industrial and electronics manufacturers, education and public-sector bodies, financial services and professional services on four continents.

Researchers with Broadcom’s Symantec and Carbon Black teams identified two side-loading pairs: Fortemedia’s fmapp.exe loading fmapp.dll and SentinelOne’s sentinelmemoryscanner.exe loading sentinelagentcore.dll. Broadcom’s threat teams wrote, “The attackers relied heavily on DLL side-loading using legitimately signed Fortemedia (fmapp.exe) and SentinelOne (sentinelmemoryscanner.exe) binaries to execute malicious DLLs while masquerading as benign software.” The fmapp pair was previously linked to an earlier campaign tracked as Operation Olalampo.
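To show how a defender would hunt for the pattern just described, here is an added Python example (not code from the article, Symantec or Carbon Black) that scans Sysmon-style "Image loaded" records and flags a signed executable loading a DLL from its own directory that is unsigned or signed by a different publisher. The record layout, install paths and signer strings are assumptions; only the executable and DLL names come from the article.

```python
# Added example, not from the article or from Broadcom: flag the side-loading
# pattern described above in Sysmon-style "Image loaded" (Event ID 7) records.
# Field layout, paths and signers are assumptions; only the binary names come from the article.
import ntpath
from dataclasses import dataclass

@dataclass
class ImageLoad:
    image: str         # host process executable (Sysmon "Image")
    image_loaded: str  # DLL that was mapped (Sysmon "ImageLoaded")
    image_signer: str  # host signer; "" when unsigned (assumed field)
    dll_signer: str    # DLL signer; "" when unsigned (assumed field)

# Install roots where a vendor-signed binary is expected to live; loads from a
# user profile, temp or ProgramData directory are the interesting ones.
TRUSTED_ROOTS = ("c:\\program files", "c:\\windows")

def is_suspicious_sideload(ev: ImageLoad) -> bool:
    """Signed EXE outside a trusted root loading a same-directory DLL that is
    unsigned or signed by a publisher other than the EXE's own."""
    if not ev.image_signer:
        return False  # unsigned host: not the signed-binary abuse pattern
    exe, dll = ev.image.lower(), ev.image_loaded.lower()
    if ntpath.dirname(exe) != ntpath.dirname(dll):
        return False  # DLL came from elsewhere (e.g. System32), not side-by-side
    if exe.startswith(TRUSTED_ROOTS):
        return False  # tuning: vendor install directory, keep noise down
    return ev.dll_signer != ev.image_signer  # "" (unsigned) also mismatches

def find_sideloads(events):
    """Return (exe name, dll name) for every flagged record, in log order."""
    return [(ntpath.basename(e.image), ntpath.basename(e.image_loaded))
            for e in events if is_suspicious_sideload(e)]

# Constructed records for illustration, not real telemetry.
CONSTRUCTED_EVENTS = [
    ImageLoad(r"C:\Users\Public\fm\fmapp.exe",
              r"C:\Users\Public\fm\fmapp.dll", "Fortemedia Inc.", ""),
    ImageLoad(r"C:\ProgramData\s1\sentinelmemoryscanner.exe",
              r"C:\ProgramData\s1\sentinelagentcore.dll",
              "SentinelOne, Inc.", "Example Publisher Ltd"),
    ImageLoad(r"C:\Program Files\Fortemedia\fmapp.exe",
              r"C:\Program Files\Fortemedia\fmapp.dll", "Fortemedia Inc.", ""),
    ImageLoad(r"C:\Users\Public\fm\fmapp.exe",
              r"C:\Windows\System32\kernel32.dll", "Fortemedia Inc.", "Microsoft Windows"),
]
if __name__ == "__main__":
    for exe, dll in find_sideloads(CONSTRUCTED_EVENTS):
        print(f"suspicious side-load: {exe} -> {dll}")
```

The trusted-root allowlist is a tuning knob, not a security boundary: an attacker who can write into a vendor directory would slip past it, so pair this with file-creation telemetry for those paths.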

Both malicious DLLs included an open-source tool called ChromElevator that collects saved passwords, cookies and payment card data from Chromium-based browsers and can bypass App-Bound Encryption protections. Analysts observed Node.js scripts used to drop and run PowerShell code that performed discovery and data collection. Symantec and Carbon Black reported a “node.exe-based implant chain” that delivered PowerShell scripts for reconnaissance, screenshot capture, SAM hive theft, privilege escalation and SOCKS5 reverse-proxy tunneling.

Documented victims include a major South Korean electronics firm where intruders remained in the network for about a week in February 2026, an international airport in the Middle East, several industrial manufacturers in Southeast Asia and a Latin American financial-services provider. For the South Korean incident, researchers did not determine the initial access vector.

Where persistence was observed, operators repeatedly re-executed the signed binaries to maintain access. In at least one case stolen files were uploaded to the public file-transfer service sendit.sh. The intrusions involved credential dumping and lateral movement across target environments. Researchers characterized the campaign’s cadence as implant-driven rather than the result of a continuous live operator presence.

The campaign is part of a wider set of malicious activity attributed to Iranian-linked actors. The European Council has sanctioned Emennet Pasargad, also known as Shahid Shushtari, which authorities associate with Iran’s IRGC Cyber-Electronic Command. A separate series of exfiltration operations in late March and early April 2026, attributed to Iran’s Ministry of Intelligence and Security by analysts, affected organizations in the U.S., Israel, Saudi Arabia and Turkey. Gambit Security researchers reported a custom C++ collection and exfiltration tool they called FileFiend, writing that “The binary could enumerate local drives and SMB shares, walk the file system, and send files to a hard-coded C2 server.” In other incidents, attackers compressed data into RAR archives, uploaded them to a host inside the victim environment, and used command-line download and proxy tools to extract and route the files.

Symantec, Carbon Black and other analysts noted that while the individual techniques in the MuddyWater campaign are known, the combination of signed binaries, DLL side-loading and scripted implant chains was observed repeatedly across the intrusions.
