MuddyWater Used DLL Side-Loading and PowerShell Tooling in Multi-Country Espionage Campaign
Iran-linked MuddyWater (also tracked as Seedworm) was tied to an espionage campaign that compromised at least nine organizations across nine countries and four continents, hitting sectors including manufacturing, education, government, financial services, professional services, telecommunications, and an international airport. Researchers said the group used DLL side-loading with legitimate signed binaries such as fmapp.exe from Fortemedia and sentinelmemoryscanner.exe from SentinelOne to launch malicious DLLs, including the open-source ChromElevator tool for browser-data theft. One confirmed victim was a major South Korean electronics manufacturer, where the attackers reportedly maintained access for about a week, while earlier activity also targeted telecom providers in Egypt, Sudan, and Tanzania.
The operators combined stealthy execution with a broad post-compromise toolkit, using Node.js to launch PowerShell payloads for reconnaissance, screenshot capture, privilege escalation, credential theft, and SOCKS5 reverse-proxy tunneling. Symantec also linked MuddyWater to the MuddyC2Go PowerShell framework, use of legitimate remote-management software SimpleHelp, and the publicly available Venom Proxy to maintain access and move through victim networks. Persistence was established through registry modifications, credentials were harvested through fake login prompts and registry hive dumping, and stolen data was exfiltrated via the public file-transfer service sendit[.]sh, indicating a sustained intelligence-collection effort aligned with Iranian state interests.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Further reporting links campaign to nine-country targeting and victim sectors
On May 26, 2026, additional reporting summarized the same Q1 2026 MuddyWater espionage campaign and reiterated its impact across nine organizations in nine countries. It highlighted reconnaissance, screenshot capture, privilege escalation, and SOCKS5 reverse-proxy tunneling as part of the operation.
Researchers disclose DLL sideloading and ChromElevator tradecraft
By mid-May 2026, Symantec's Threat Hunter Team publicly reported that MuddyWater used legitimate Fortemedia and SentinelOne binaries for DLL side-loading in the Q1 2026 campaign. The disclosure also detailed use of ChromElevator, Node.js-launched PowerShell, credential theft, persistence via registry changes, and exfiltration through sendit[.]sh.
Attackers maintain week-long access at South Korean electronics firm
In February 2026, one confirmed victim—a major South Korean electronics manufacturer—was compromised by MuddyWater, which reportedly maintained access for about a week. The initial access vector was not identified in the reporting.
MuddyWater conducts multi-country espionage campaign in Q1 2026
During the first quarter of 2026, MuddyWater/Seedworm targeted at least nine organizations across nine countries and four continents in sectors including manufacturing, education, government, financial services, professional services, and an international airport. Researchers assessed the activity as espionage-oriented and aligned with Iranian state interests.
MuddyWater targets African telecoms with MuddyC2Go toolset
In November 2023, Symantec observed the Iran-linked group MuddyWater targeting telecommunications companies in Egypt, Sudan, and Tanzania. The campaign used the new PowerShell-based MuddyC2Go toolset along with SimpleHelp and Venom Proxy for persistent remote access and lateral movement.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Seedworm APT Abuses Signed Fortemedia and SentinelOne Binaries for DLL Sideloading
cybersecuritynews.com
Open sourceMuddyWater Uses DLL Side-Loading in Espionage Campaign Targeting 9 Countries
thehackernews.com
Open sourceSeedworm APT Abuses Signed Fortemedia and SentinelOne Binaries for DLL Sideloading
cybersecuritynews.com
Open sourceTelecom organizations in Africa targeted by Iran-linked hackers | The Record from Recorded Future News
therecord.media
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
MuddyWater Cyberespionage Campaign Leveraging Snake Game-Inspired Malware
Iranian state-aligned threat group MuddyWater has launched a new cyberespionage campaign targeting organizations in Israel and Egypt, with a focus on technology, engineering, manufacturing, local government, and educational sectors. Researchers from ESET and other security firms have identified that MuddyWater is using a novel loader, dubbed Fooder, which masquerades as the classic Snake video game to deliver a new backdoor called MuddyViper. This loader introduces execution delays, inspired by the Snake game's mechanics, to evade antivirus detection. The campaign also employs spearphishing emails with PDF attachments that link to remote monitoring and management software installers, hosted on free file-sharing services, to gain initial access. The MuddyViper backdoor enables attackers to collect system information, execute files and shell commands, transfer files, and exfiltrate Windows login credentials and browser data. Additional tools, such as credential stealers and another backdoor named VAX One, have also been deployed. MuddyWater's evolving tactics, including the use of reflective loading for in-memory execution and the impersonation of legitimate software, demonstrate increased sophistication and a continued focus on defense evasion and persistence. Security researchers note the possibility that MuddyWater may be acting as an initial access broker for other Iranian threat actors, given observed overlaps in operations.
Mar 21, 2026
MuddyWater Linked to Iranian MOIS Uses Russian MaaS in ChainShell Campaign
Iran-linked threat group **MuddyWater** has been tied to a **ChainShell** campaign that reportedly uses Russian malware-as-a-service infrastructure, underscoring growing overlap between state-backed espionage and criminal tooling. Reporting on the activity said the operation relied on **blockchain-based command-and-control** and reflected operational links between the Iran-aligned actor and Russian cybercrime services, extending a long-running pattern of MuddyWater adapting external tools and tradecraft for intrusion operations. U.S. and allied agencies have previously attributed MuddyWater to Iran’s **Ministry of Intelligence and Security (MOIS)** and described the group as targeting government and commercial organizations across Asia, Africa, Europe, and North America, including telecommunications, defense, local government, and oil and gas. Public reporting and government advisories say the group has used spearphishing, exploitation of known flaws such as `CVE-2020-0688` and `CVE-2020-1472`, **DLL side-loading**, obfuscated PowerShell, and malware including **PowGoop**, **Mori**, **Small Sieve**, **Canopy/Starwhale**, and **POWERSTATS** to establish access, maintain persistence, exfiltrate data, and in some cases deploy ransomware.
May 25, 2026
MuddyWater Used FakeUpdate and Phoenix Backdoor in Global Phishing Espionage
Group-IB reported that the Iran-linked **MuddyWater** threat actor ran a phishing campaign against international organizations and government targets by abusing a compromised mailbox accessed through **NordVPN**. The emails carried malicious Microsoft Word documents that prompted victims to enable macros; embedded VBA then dropped the **FakeUpdate** injector, which decrypted and launched **Phoenix backdoor v4**. The malware provided persistence, command execution, and communication with the command-and-control domain `screenai[.]online`, enabling continued access after initial compromise. Researchers attributed the activity to MuddyWater with high confidence based on malware overlaps, matching macro logic, shared infrastructure, and targeting patterns aligned with the group’s prior operations. The infrastructure also hosted a custom Chromium credential stealer and remote management tools including **PDQ** and **Action1**, indicating likely credential theft and follow-on access. Additional related samples pointed to concurrent or linked MuddyWater activity, including operations targeting the energy sector in the Middle East and North Africa, while prior reporting has described MuddyWater as an Iranian-linked umbrella of regionally focused subgroups.
May 25, 2026