MuddyWater APT Targets Global Organizations in Espionage Campaign, Evades Detection with DLL Side-Loading
The Iranian hacking group **MuddyWater** has been linked to a new cyber espionage campaign targeting at least nine organizations across multiple countries and sectors. The attackers are leveraging DLL side-loading and open-source tools to steal sensitive data while evading traditional security measures.

**MuddyWater** APT (also known as Seedworm) has been identified as the actor behind a recent campaign affecting organizations across four continents in the first quarter of 2026. The attacks, which targeted a diverse range of industries, showcase the group's evolving tactics and increasing sophistication.
### Targeted Sectors
The campaign targeted industrial and electronics manufacturing, education and public-sector bodies, financial services, and professional services. Notably, a major South Korean electronics manufacturer was breached, with attackers maintaining access to its network for a week in February 2026. Other victims included an international airport in the Middle East, Southeast Asian industrial manufacturers, and a Latin American financial-services provider.
### DLL Side-Loading for Stealth
The attackers heavily relied on DLL side-loading techniques to execute malicious code while masquerading as legitimate software. Signed binaries from **Fortemedia** (fmapp.exe) and **SentinelOne** (sentinelmemoryscanner.exe) were abused to load malicious DLLs. According to **Broadcom**'s cybersecurity teams, the use of "sentinelmemoryscanner.exe" is a deliberate choice to bypass signature-based detection.
Previously, **Group-IB** documented the use of "fmapp.exe" to sideload "fmapp.dll" in connection with **MuddyWater**'s **Operation Olalampo** campaign. **Huntress** reported that this DLL contains code to connect to an attacker-controlled IP address.
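Because side-loading relies on a signed executable resolving a DLL by name from its own directory, a straightforward detection is to alert when one of the abused host binaries loads a DLL that is unsigned or that lives outside a trusted install location. The following Python is an added illustration written for this article, not code from any of the vendors named above; the event structure, the trusted-root list and the file paths are constructed for the example, and only the host names fmapp.exe and sentinelmemoryscanner.exe and the pairing fmapp.exe/fmapp.dll come from the reporting.

```python
"""Flag DLL side-loading candidates in constructed image-load events.

A signed host binary that loads an unsigned DLL, or any DLL from a
user-writable directory, is the core signal for the side-loading
pairs described in the article.
"""
from dataclasses import dataclass
from typing import List, Optional

# Signed host binaries reported as abused by MuddyWater.
WATCHED_HOSTS = {"fmapp.exe", "sentinelmemoryscanner.exe"}

# Assumption for this example: DLL loads for the watched hosts are expected
# only from these roots; anything else (Temp, Downloads, AppData) is suspect.
TRUSTED_ROOTS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


@dataclass
class ImageLoad:
    host_image: str   # full path of the process that loaded the DLL
    dll_path: str     # full path of the DLL that was loaded
    dll_signed: bool  # whether the DLL carried a valid Authenticode signature


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_suspicious(ev: ImageLoad) -> Optional[str]:
    """Return a finding string for a suspicious load, or None if benign."""
    host = _basename(ev.host_image)
    if host not in WATCHED_HOSTS:
        return None
    if not ev.dll_signed:
        return f"{host} loaded unsigned DLL {ev.dll_path}"
    if not ev.dll_path.lower().startswith(TRUSTED_ROOTS):
        return f"{host} loaded DLL from untrusted location {ev.dll_path}"
    return None


def scan(events: List[ImageLoad]) -> List[str]:
    """Run is_suspicious over a batch of events and keep only the findings."""
    return [f for f in (is_suspicious(e) for e in events) if f]


# Constructed sample telemetry (paths, user names and helper.dll are made up).
SAMPLE_EVENTS = [
    # fmapp.exe copied to Temp, loading an unsigned fmapp.dll beside it.
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\fmapp.exe",
              r"C:\Users\alice\AppData\Local\Temp\fmapp.dll", False),
    # Same host loading a genuine system DLL: expected.
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\fmapp.exe",
              r"C:\Windows\System32\kernel32.dll", True),
    # A properly installed copy loading its own signed DLL: expected.
    ImageLoad(r"C:\Program Files\Fortemedia\fmapp.exe",
              r"C:\Program Files\Fortemedia\fmapp.dll", True),
    # Signed DLL, but loaded from Downloads by the SentinelOne host binary.
    ImageLoad(r"C:\Users\bob\Downloads\sentinelmemoryscanner.exe",
              r"C:\Users\bob\Downloads\helper.dll", True),
    # Unrelated host; outside the scope of this rule.
    ImageLoad(r"C:\Windows\System32\svchost.exe",
              r"C:\Users\bob\Downloads\other.dll", False),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The rule is deliberately scoped to the named host binaries so it stays quiet; widening it to every signed executable in a user-writable directory gives broader coverage at the cost of tuning work.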
### ChromElevator: Stealing Browser Data
Both DLLs embedded an open-source tool called **ChromElevator**, designed to steal passwords, cookies, and payment card data from Chromium-based browsers. The tool allows the attackers to bypass App-Bound Encryption (ABE) protections in browsers like **Google Chrome**.
### Node.js and PowerShell for Reconnaissance
A noteworthy aspect of the attacks is the use of Node.js scripts to launch PowerShell code responsible for discovery and information gathering operations. Stolen data was staged on sendit[.]sh, a public file-transfer service.
**Symantec** and **Carbon Black** researchers observed that a node.exe-based implant chain was used to drop PowerShell scripts that performed reconnaissance, screenshot capture, SAM hive theft, privilege escalation, and SOCKS5 reverse-proxy tunneling.
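A Node.js runtime spawning PowerShell is unusual on most endpoints, so the process tree itself is a useful detection. The Python below is an added example for this article rather than code from Symantec or Carbon Black; it walks constructed process-creation events and reports every PowerShell process that has node.exe as an ancestor within a few hops, which also catches the case where an intermediate cmd.exe sits between them. The PIDs, paths and command lines are made up.

```python
"""Find PowerShell processes descended from node.exe in constructed
process-creation events (Sysmon event 1 / EDR process telemetry style)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SHELLS = {"powershell.exe", "pwsh.exe"}
SUSPECT_ANCESTOR = "node.exe"


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_node_launched_shells(events: List[ProcEvent],
                              max_depth: int = 3) -> List[Tuple[int, int, str]]:
    """Return (shell_pid, node_pid, shell_cmdline) for each PowerShell
    process whose ancestry reaches node.exe within max_depth hops."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if _basename(ev.image) not in SHELLS:
            continue
        cur, depth = ev, 0
        # Walk up the parent chain; stop at the root or after max_depth hops.
        while depth < max_depth and cur.ppid in by_pid:
            cur = by_pid[cur.ppid]
            depth += 1
            if _basename(cur.image) == SUSPECT_ANCESTOR:
                hits.append((ev.pid, cur.pid, ev.cmdline))
                break
    return hits


# Constructed sample tree (all values invented for the example).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # node.exe started from a user-writable directory.
    ProcEvent(200, 100, r"C:\Users\alice\AppData\Roaming\node\node.exe",
              "node.exe loader.js"),
    # node -> cmd -> powershell: caught via the ancestry walk.
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c run.bat"),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -NoProfile -Command "<constructed placeholder>"'),
    # node -> powershell directly.
    ProcEvent(500, 200, r"C:\Program Files\PowerShell\7\pwsh.exe",
              "pwsh.exe -File recon.ps1"),
    # Benign: an administrator opening PowerShell from Explorer.
    ProcEvent(600, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe"),
]

if __name__ == "__main__":
    for shell_pid, node_pid, cmd in find_node_launched_shells(SAMPLE_EVENTS):
        print(f"pid {shell_pid} (parent chain reaches node.exe pid {node_pid}): {cmd}")
```

In an environment where Node.js is part of the development toolchain, pair this with the image path of node.exe: a runtime in a user profile or temp directory is a stronger signal than one under a managed install location.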
### Lateral Movement and Persistence
The attacks also involved credential dumping to facilitate lateral movement across the networks. In the intrusion targeting the South Korean electronics manufacturer, **MuddyWater** repeatedly carried out PowerShell-based reconnaissance and re-executed the DLL side-loading pairs to maintain access.
### Iranian Sanctions and Broader Cyber Activity
The European Council recently imposed sanctions against the Iranian company **Emennet Pasargad** for hacking a Swedish SMS service, accessing a French subscriber database, and spreading disinformation during the 2024 Paris Olympic Games.
**Emennet Pasargad**, also known as Shahid Shushtari and affiliated with Iran's Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC), has been linked to significant financial damage and disruption to U.S. businesses and government agencies.
Iran-backed hackers have also been tied to an exfiltration campaign targeting organizations in the U.S., Israel, Saudi Arabia, and Turkey. Although these incidents were claimed by a pro-Iranian persona named **Ababil of Minab**, analysis from **Gambit Security** has linked the campaign infrastructure to Iran's Ministry of Intelligence and Security (MOIS).
### FileFiend: Exfiltration Tool
The campaign utilized a bespoke C++ file collection and exfiltration tool internally codenamed FileFiend. This tool could enumerate local drives and SMB shares, walk the file system, and send files to a hard-coded C2 server.
Alternatively, data of interest was compressed into RAR archives and uploaded to the organization's public website, from where it was retrieved using the Axel command-line download accelerator and tunneled through proxychains.
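Staging archives on the victim's own public web server leaves a trace in the web access logs, and a download accelerator such as Axel pulls a file in parallel segments, which appears as a burst of HTTP 206 (Partial Content) responses for the same path from one client. The Python below is an added example for this article, not a tool from any of the named researchers; it parses constructed combined-format access-log lines and flags archive files served to a single client as several partial-content responses. The IP addresses, paths and sizes are made up for the example.

```python
"""Flag archive files pulled from a web server in parallel segments.

Input is Apache/nginx combined-format access-log lines. A single client
receiving several 206 responses for the same .rar/.zip/.7z path is the
pattern a segmented downloader leaves behind when collecting a staged
archive from the site's own document root.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

ARCHIVE_EXT = (".rar", ".zip", ".7z")


def find_staged_archive_pulls(lines: List[str],
                              min_partial: int = 4) -> List[Tuple[str, str]]:
    """Return (client_ip, path) pairs where an archive was served to one
    client as at least min_partial partial-content (206) responses."""
    stats: Dict[Tuple[str, str], Dict[str, int]] = defaultdict(
        lambda: {"partial": 0, "bytes": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m["path"].split("?", 1)[0].lower()
        if not path.endswith(ARCHIVE_EXT):
            continue
        entry = stats[(m["ip"], path)]
        if m["status"] == "206":
            entry["partial"] += 1
        if m["bytes"] != "-":
            entry["bytes"] += int(m["bytes"])
    return sorted(key for key, s in stats.items() if s["partial"] >= min_partial)


# Constructed sample log (documentation-range IPs, invented paths and sizes).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Feb/2026:10:01:02 +0000] "GET /images/cache/report.rar HTTP/1.1" 206 1048576 "-" "-"',
    '203.0.113.7 - - [12/Feb/2026:10:01:02 +0000] "GET /images/cache/report.rar HTTP/1.1" 206 1048576 "-" "-"',
    '203.0.113.7 - - [12/Feb/2026:10:01:03 +0000] "GET /images/cache/report.rar HTTP/1.1" 206 1048576 "-" "-"',
    '203.0.113.7 - - [12/Feb/2026:10:01:03 +0000] "GET /images/cache/report.rar HTTP/1.1" 206 1048576 "-" "-"',
    '203.0.113.7 - - [12/Feb/2026:10:01:04 +0000] "GET /images/cache/report.rar HTTP/1.1" 206 524288 "-" "-"',
    # An ordinary single-request download of a legitimately published archive.
    '198.51.100.9 - - [12/Feb/2026:10:05:00 +0000] "GET /downloads/brochure.zip HTTP/1.1" 200 204800 "-" "-"',
    '198.51.100.9 - - [12/Feb/2026:10:05:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "-"',
]

if __name__ == "__main__":
    for ip, path in find_staged_archive_pulls(SAMPLE_LOG):
        print(f"segmented archive download: {path} -> {ip}")
```

A complementary control is an inventory of the files that are supposed to exist under the document root; an archive appearing in an image cache or upload directory that the content team did not publish is a finding regardless of how it is later fetched.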