
Cyber Group MuddyWater Sideloads Malware in Nine-Country Campaign
On 26 May 2026, new analysis revealed that Iran-linked hacking group MuddyWater has recently targeted organizations in nine countries using DLL side-loading techniques. Reporting around 15:52 UTC details attacks leveraging signed Fortemedia and SentinelOne binaries to steal Chrome data and maintain persistent network access.
Key Takeaways
- Iran‑associated threat actor MuddyWater has conducted a cyber campaign against organizations in nine countries.
- The group used DLL side‑loading via signed Fortemedia and SentinelOne binaries to deploy malware.
- Objectives included stealing Google Chrome data and maintaining covert access for at least a week in some cases.
- One documented intrusion persisted for a full week inside a major South Korean electronics company.
- The campaign underscores continued evolution of Iranian cyber tradecraft and risks to supply chains and endpoint tools.
On 26 May 2026, cybersecurity researchers disclosed details of a recent campaign attributed to MuddyWater, a long‑identified Iranian state‑linked advanced persistent threat (APT) actor. According to analysis reported around 15:52 UTC, the group targeted organizations in nine different countries, employing DLL side‑loading techniques that misuse legitimately signed binaries from vendors such as Fortemedia and SentinelOne to execute malicious code.
In this operation, MuddyWater reportedly bundled its malicious DLLs alongside trusted, signed executables. When launched, these legitimate binaries loaded the attacker‑controlled DLLs, allowing malware to run under the guise of signed software and evade security controls that extend trust from the signed parent process to the code it loads. Once installed, the malware focused on stealing data from victims’ Google Chrome browsers—including credentials, cookies, and other session artifacts—and on establishing persistence to maintain silent access to compromised systems.
One case cited in the reporting involved a major South Korean electronics company, where intruders were able to remain inside the network for a full week before detection and eviction. The identities of other targeted organizations and the full list of affected countries have not been publicly disclosed, but prior MuddyWater activity has frequently focused on government agencies, telecoms, and energy sector entities across the Middle East, Europe, and Asia.
The parties involved are MuddyWater and its Iranian state sponsors, the affected organizations across nine jurisdictions, and the software vendors whose signed binaries were abused. While there is no indication that Fortemedia or SentinelOne were themselves compromised, the misuse of their signed executables highlights the growing challenge defenders face when attackers repurpose legitimate tools and certificates for malicious ends.
Strategically, this campaign fits a broader pattern of Iranian cyber operations that blend espionage, data theft, and potential pre‑positioning for future disruptive activity. By stealing browser data, attackers can gain access to web‑based email, cloud services, and internal portals without necessarily needing to crack strong passwords directly. Persistent footholds inside major industrial or technology firms may also enable follow‑on actions, such as intellectual property theft or supply‑chain attacks impacting downstream customers.
The use of DLL side‑loading is not new, but its persistence as a favored technique reflects its effectiveness. Many endpoint security solutions place a high degree of trust in signed binaries and may not adequately scrutinize associated DLLs, especially if they reside in expected directories. This creates an enduring opportunity for APT actors willing to invest in carefully crafted payloads and patient lateral movement.
Outlook & Way Forward
In the immediate future, organizations should expect continued activity from MuddyWater and similar groups leveraging software trust chains for intrusion. Key defensive actions include inventorying and monitoring the use of signed third‑party binaries known to be abused, enforcing application control policies, and deploying behavioral analytics capable of detecting anomalous DLL loading and process behavior, rather than relying solely on signature‑based detection.
Security vendors and certificate authorities are likely to face renewed pressure to tighten code‑signing processes, improve revocation mechanisms for abused certificates, and provide clearer guidance on hardening against side‑loading. Incident‑response teams should incorporate specific hunting queries related to Fortemedia, SentinelOne, and other high‑risk binaries into their playbooks and prioritize auditing Chrome data access and exfiltration patterns.
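The hunting logic the two preceding paragraphs call for (behavioral detection of anomalous DLL loading by signed binaries, and a reusable query for incident-response playbooks) can be expressed as a small triage rule over image-load telemetry. The following is an added example written for this article; it is not code from the original page, from the cited research, or from any vendor. It assumes one record per Sysmon Event ID 7 ("Image loaded") event, where the Signed/Signature/SignatureStatus fields describe the loaded DLL (as Sysmon reports them), plus HostSigned/HostSignature/HostSignatureStatus fields describing the loading executable, which are an assumed SIEM-side enrichment because Sysmon does not attach the host's Authenticode verdict to that event. The trusted-path list, the short list of system DLL names, and every path, vendor name and filename in the sample events are constructed placeholders, not indicators from the campaign.

```python
"""Triage of image-load telemetry for DLL side-loading (added example, not page code).

Record format is an assumption: Sysmon Event ID 7 fields for the loaded DLL, plus
Host* fields (assumed SIEM enrichment) giving the loading executable's signing verdict.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple
import ntpath


@dataclass(frozen=True)
class Finding:
    process: str
    dll: str
    reasons: Tuple[str, ...]


# Install locations a signed vendor binary is expected to run from (assumption; tune per estate).
TRUSTED_ROOTS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                 "c:\\program files\\", "c:\\program files (x86)\\")
# Path fragments where an ordinary user (or malware running as that user) can drop an EXE plus a DLL.
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")
# DLL names that ship under %SystemRoot%; a copy elsewhere is the classic side-load layout.
# Short illustrative list, not an authoritative one.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wininet.dll", "cryptsp.dll"}


def _valid(ev: Dict[str, str], prefix: str = "") -> bool:
    """True when the image described by <prefix>Signed/<prefix>SignatureStatus has a valid signature."""
    return (ev.get(prefix + "Signed", "").lower() == "true"
            and ev.get(prefix + "SignatureStatus", "").lower() == "valid")


def assess_image_load(ev: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding when a validly signed host loads a DLL in a way consistent with
    side-loading, else None. Unsigned hosts are left to other rules."""
    if not _valid(ev, "Host"):
        return None
    proc, dll = ev["Image"].lower(), ev["ImageLoaded"].lower()
    trust_reasons: List[str] = []
    place_reasons: List[str] = []

    # 1. Does the DLL carry the same trust the host process was granted?
    if not _valid(ev):
        trust_reasons.append("loaded DLL is unsigned or its signature is invalid")
    elif (ev.get("Signature", "").lower() != ev.get("HostSignature", "").lower()
          and not dll.startswith(TRUSTED_ROOTS)):
        trust_reasons.append("DLL signed by a different publisher than the host, outside trusted paths")

    # 2. Is the DLL sitting where a side-loaded payload would sit?
    if ntpath.dirname(dll) == ntpath.dirname(proc) and not proc.startswith(TRUSTED_ROOTS):
        place_reasons.append("DLL co-located with host binary outside its expected install path")
    if any(h in dll for h in USER_WRITABLE_HINTS):
        place_reasons.append("DLL loaded from a user-writable location")
    if ntpath.basename(dll) in SYSTEM_DLL_NAMES and not dll.startswith("c:\\windows\\"):
        place_reasons.append("system DLL name loaded from outside %SystemRoot%")

    # Fire only when a trust gap and a suspicious location coincide, so a vendor's own signed
    # helper in Program Files or a Microsoft DLL from System32 does not generate noise.
    if trust_reasons and place_reasons:
        return Finding(ev["Image"], ev["ImageLoaded"], tuple(trust_reasons + place_reasons))
    return None


def triage(events: Iterable[Dict[str, str]]) -> List[Finding]:
    """Apply the rule to a stream of records and keep only the hits."""
    return [f for f in map(assess_image_load, events) if f is not None]


# Constructed sample events; vendor names, paths and filenames are placeholders, not real IoCs.
_VENDOR = {"HostSigned": "true", "HostSignature": "Example Vendor Inc", "HostSignatureStatus": "Valid"}
SAMPLE_EVENTS = [
    # benign: installed vendor app loading a Microsoft DLL from System32
    {**_VENDOR, "Image": r"C:\Program Files\ExampleVendor\vendorapp.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    # benign: same app loading its own signed helper from its install directory
    {**_VENDOR, "Image": r"C:\Program Files\ExampleVendor\vendorapp.exe",
     "ImageLoaded": r"C:\Program Files\ExampleVendor\helper.dll",
     "Signed": "true", "Signature": "Example Vendor Inc", "SignatureStatus": "Valid"},
    # suspicious: signed vendor binary copied to a temp folder, loading an unsigned version.dll beside it
    {**_VENDOR, "Image": r"C:\Users\alice\AppData\Local\Temp\upd\vendorapp.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\upd\version.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    # out of scope for this rule: unsigned host process
    {"HostSigned": "false", "HostSignature": "", "HostSignatureStatus": "Unavailable",
     "Image": r"C:\Users\alice\Downloads\tool.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\helper.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding.process, "->", finding.dll)
        for reason in finding.reasons:
            print("   ", reason)
```

On the sample data only the third record fires, with all four reasons attached; the two Program Files records and the unsigned host stay silent. In production the same shape of rule is usually expressed as a SIEM query joining Event ID 7 with the process's own signing verdict, and the reason strings map naturally onto alert fields so responders can see which of the co-location, user-writable or system-DLL-name conditions tripped.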
At the strategic level, Western and regional governments will continue to weigh cyber responses and sanctions options against Iran in light of ongoing campaigns like this, especially when they impact critical industries or government systems. Given concurrent tensions over U.S. strikes in Iran and maritime incidents near the Strait of Hormuz, cyber operations may remain an attractive tool for Tehran to exert pressure below the threshold of open kinetic conflict. Analysts should monitor for any escalation from primarily espionage‑oriented activity to more disruptive operations, particularly against energy, transportation, or communications infrastructure in states seen as aligned with U.S. policy toward Iran.
Sources
- OSINT