The Iranian threat group MuddyWater (also known as Seedworm) conducted a large-scale espionage campaign in the first quarter of 2026 that, according to researchers from Symantec and Carbon Black, affected at least nine organizations in nine countries across four continents. Targets included industrial and electronics manufacturing, educational and government institutions, as well as financial and professional services. A key feature of the campaign was the use of signed legitimate binary files to load malicious libraries (DLL sideloading) and the open-source tool ChromElevator to bypass protections in Chromium-based browsers. Organizations operating in the listed sectors should immediately check their networks for the described indicators of compromise.
Victims and attack geography
According to a report by Broadcom's cybersecurity teams, confirmed victims include a major South Korean electronics manufacturer, in whose network the attackers are believed to have been present for about a week in February 2026. An international airport in the Middle East, industrial enterprises in Southeast Asia, and a financial services provider in Latin America were also affected. The initial intrusion vector into the South Korean company remains unknown.
Technical attack chain
DLL sideloading via signed binary files
The attackers actively used DLL sideloading with two pairs of legitimate executables and malicious libraries:
- fmapp.exe (a signed Fortemedia binary) loads the malicious library fmapp.dll. According to Huntress, this library contains code to connect to the attacker-controlled IP address 157.20.182[.]49. Use of this pair was previously documented by Group-IB in connection with an operation codenamed Operation Olalampo.
- sentinelmemoryscanner.exe (a binary associated with a SentinelOne product) loads the malicious library sentinelagentcore.dll. Researchers assess that the choice of a binary from a security vendor is deliberate: a signed file from a security vendor is more likely to evade signature-based detection.
Stealing browser data via ChromElevator
Both malicious libraries contain the embedded open-source tool ChromElevator, designed to extract passwords, cookies, and payment card data from Chromium-based browsers. The tool is specifically built to bypass the App-Bound Encryption (ABE) mechanism — a protection that Google implemented to prevent theft of browser data by third-party processes.
Node.js-based implant chain
In addition to DLL sideloading, the attackers used a chain of Node.js-based implants to launch PowerShell scripts that performed:
- Reconnaissance and environment information gathering
- Screenshot capture
- Extraction of hashes from the SAM registry
- Privilege escalation
- Setup of a reverse SOCKS5 proxy tunnel
In at least one case, the stolen data was uploaded to the public file transfer service sendit[.]sh. The attackers also performed credential dumping to enable lateral movement across the network.
Indicators of compromise
- C2 IP address: 157.20.182[.]49
- Exfiltration service: sendit[.]sh
- Malicious libraries: fmapp.dll, sentinelagentcore.dll
- Legitimate binaries used for sideloading: fmapp.exe, sentinelmemoryscanner.exe
Evolution of operational discipline
Researchers highlight a characteristic feature of the campaign: the attackers’ activity was burst-like, indicating that operations were conducted through implants rather than with a human operator constantly online. In the South Korean manufacturer case, MuddyWater repeatedly ran reconnaissance via PowerShell and re-executed both binaries to maintain access.
According to Symantec and Carbon Black, none of the techniques used are fundamentally new; however, their combination indicates a significant improvement in operational hygiene compared with what was known about Seedworm two to three years ago. The group is moving toward quieter and more disciplined operations.
Parallel Iranian cyber operations
Against the backdrop of the MuddyWater campaign, other activity linked to Iranian cyber operators has also been observed. The European Council imposed sanctions on the Iranian company Emennet Pasargad for compromising a Swedish SMS service, obtaining access to a French subscriber database and then offering it for sale, as well as for spreading disinformation through compromised advertising billboards during the 2024 Olympic Games in Paris. According to the U.S. State Department, the company is also known as Shahid Shushtari and is linked to the IRGC Cyber Electronic Command (IRGC-CEC).
In addition, according to an analysis by Gambit Security, a separate data exfiltration campaign was observed from late March to early April 2026, targeting organizations in the United States, Israel, Saudi Arabia, and Turkey. At least two U.S. entities were subjected to destructive operations involving deletion of partitions and data backups. Responsibility for the attacks was claimed by the pro-Iran persona Ababil of Minab. In cases without destructive activity, the attackers used a specialized C++ exfiltration tool with the internal codename FileFiend, capable of enumerating local drives and SMB resources, traversing the file system, and sending files to a hardcoded C2 server.
Security recommendations
- Monitoring DLL sideloading: configure detection rules for loading unsigned or non-standard DLLs by the fmapp.exe and sentinelmemoryscanner.exe processes. Legitimate binaries should not be located outside their standard installation directories.
- Blocking IOCs: add the IP address 157.20.182[.]49 and the domain sendit[.]sh to blocklists at the network perimeter and EDR levels.
- Controlling Node.js: restrict execution of node.exe on workstations and servers where Node.js is not required for business processes. Monitor PowerShell launches from Node.js processes.
- Credential protection: enable Credential Guard on Windows systems, restrict access to the SAM registry, and monitor credential dumping attempts (Sysmon Event ID 10 with access to lsass.exe).
- Auditing browser data: consider implementing policies that prohibit storing passwords and payment data in browsers on corporate devices, using centralized password managers instead.
- Network segmentation: limit lateral movement through microsegmentation, especially for systems with access to critical data.
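The following script is an added illustration of how the detection recommendations above, together with the sideloading pairs and indicators described earlier, can be turned into triage logic over endpoint telemetry. It is not code from the article or from any of the researchers cited. It assumes simplified Sysmon-style event dictionaries (Event IDs 1, 3, 7, 10 and 22 with a subset of their field names), placeholder installation directories for the two legitimate host binaries, and a small allowlist of processes permitted to open lsass.exe; all three are assumptions to be tuned to a real environment, and the sample events are constructed, not captured telemetry.

```python
"""Triage constructed Sysmon-style events for the behaviours described in the article.

Event shapes are a simplified assumption (Sysmon-like field names), not a real schema.
"""
import ntpath
from typing import Iterable

# Indicators from the article (defanging brackets removed so they match raw telemetry).
C2_IP = "157.20.182.49"
EXFIL_DOMAIN = "sendit.sh"

# Legitimate host process -> malicious DLL name reported in the article.
SIDELOAD_PAIRS = {
    "fmapp.exe": "fmapp.dll",
    "sentinelmemoryscanner.exe": "sentinelagentcore.dll",
}

# ASSUMED placeholders for where each legitimate host binary normally lives.
# Not the vendors' documented install paths; replace with values from your estate.
EXPECTED_DIRS = {
    "fmapp.exe": r"c:\program files\fortemedia",
    "sentinelmemoryscanner.exe": r"c:\program files\sentinelone",
}

# ASSUMED allowlist of processes that may legitimately open lsass.exe (tune per EDR/AV).
LSASS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe"}

POWERSHELL = {"powershell.exe", "pwsh.exe"}


def base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def dirname(path: str) -> str:
    """Lower-cased directory of a Windows path."""
    return ntpath.dirname(path).lower()


def triage(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (rule_name, detail) pairs for events matching the article's behaviours."""
    hits: list[tuple[str, str]] = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 7:  # image loaded: DLL sideloading by a known host binary
            host = base(ev["Image"])
            if host in SIDELOAD_PAIRS:
                dll = base(ev["ImageLoaded"])
                unsigned = ev.get("Signed", "").lower() != "true"
                if dll == SIDELOAD_PAIRS[host] or unsigned:
                    hits.append(("dll_sideload", f"{host} loaded {ev['ImageLoaded']}"))
                if not dirname(ev["Image"]).startswith(EXPECTED_DIRS[host]):
                    hits.append(("host_outside_install_dir", ev["Image"]))
        elif eid == 3 and ev.get("DestinationIp") == C2_IP:  # network connection to C2
            hits.append(("c2_connection", f"{base(ev['Image'])} -> {C2_IP}"))
        elif eid == 22:  # DNS query for the exfiltration service
            q = ev.get("QueryName", "").lower().rstrip(".")
            if q == EXFIL_DOMAIN or q.endswith("." + EXFIL_DOMAIN):
                hits.append(("exfil_dns", q))
        elif eid == 1:  # process creation: PowerShell launched from Node.js
            if base(ev.get("ParentImage", "")) == "node.exe" and base(ev["Image"]) in POWERSHELL:
                hits.append(("node_spawns_powershell", ev.get("CommandLine", "")))
        elif eid == 10:  # process access: non-allowlisted handle to lsass.exe
            if base(ev.get("TargetImage", "")) == "lsass.exe" and base(ev["SourceImage"]) not in LSASS_ALLOWLIST:
                hits.append(("lsass_access", f"{base(ev['SourceImage'])} granted {ev.get('GrantedAccess')}"))
    return hits


# Constructed sample events (not real telemetry). Paths and access masks are made up.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\Public\fmapp.exe", "ImageLoaded": r"C:\Users\Public\fmapp.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\Fortemedia\fmapp.exe", "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 3, "Image": r"C:\Users\Public\fmapp.exe", "DestinationIp": "157.20.182.49"},
    {"EventID": 22, "Image": r"C:\Windows\System32\curl.exe", "QueryName": "sendit.sh"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Users\Public\node.exe", "CommandLine": "powershell.exe -nop -w hidden"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\sentinelmemoryscanner.exe", "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe", "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The second and seventh sample events are benign controls (a signed system DLL loaded by the host binary from its expected directory, and an allowlisted antivirus process touching lsass.exe) and produce no hits; the remaining five yield one finding each, plus a second finding for the first event because the host binary runs from a user-writable directory. In production the same rules would be expressed in the SIEM or EDR query language, but the matching conditions are the ones the recommendations above describe.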
The MuddyWater campaign in the first quarter of 2026 illustrates a persistent trend: the group is not inventing new techniques but is combining known methods — DLL sideloading via signed binaries from security vendors, open tools to bypass browser protections, and a burst-based presence model — into a more disciplined operational approach. The top priority for defense teams is to scan their networks for the listed indicators of compromise and to implement detection rules for anomalous DLL loading by legitimate signed processes, especially in the manufacturing, education, financial, and government sectors.