Targeted Campaign Across Nine Countries
A sophisticated espionage campaign attributed to the Iranian hacking group MuddyWater has been uncovered, impacting at least nine organizations across nine countries spanning four continents. The attacks occurred during the first quarter of 2026 and targeted a diverse range of sectors, including industrial and electronics manufacturing, education, public sector organizations, financial services, and professional services. Researchers from Symantec and Carbon Black identified the victims, which include a major South Korean electronics manufacturer where the attackers remained inside the network for an entire week in February 2026. Other targets include an international airport in the Middle East, industrial manufacturers in Southeast Asia, and a Latin American financial services provider.
Attack Methodology and Data Theft
The attackers relied heavily on DLL side-loading, a technique that abuses legitimate signed software binaries to execute malicious code: the signed executable is launched and loads an attacker-supplied DLL placed where it expects a legitimate one. Specifically, they used signed executables from Fortemedia (fmapp.exe) and SentinelOne (sentinelmemoryscanner.exe) to load rogue DLLs while appearing to be benign software. The malicious DLLs contain a tool called ChromElevator, which is designed to extract passwords, cookies, and payment card data from Chromium-based browsers, effectively bypassing App-Bound Encryption protections. In one observed incident, the attackers used Node.js scripts to launch PowerShell code for system discovery and information gathering, subsequently staging the stolen data on a public file transfer service.
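As an added defender-side example (not from the article or from the vendors' research), the following Python triage routine flags DLL side-loading candidates in Sysmon-style ImageLoad records for the two signed host binaries named above. The events, file paths and DLL names are constructed; only the host executable names come from the write-up.

```python
"""Flag DLL side-loading candidates in Sysmon-style ImageLoad (Event ID 7) records."""
from pathlib import PureWindowsPath

# Signed host binaries the write-up names as side-loading targets.
WATCHED_HOSTS = {"fmapp.exe", "sentinelmemoryscanner.exe"}

# Path fragments marking user-writable locations where a legitimate
# companion DLL for these binaries would not normally live.
SUSPICIOUS_DIRS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\downloads\\")


def is_side_load_candidate(event: dict) -> bool:
    """True when a watched host loads a DLL that is unsigned / has an invalid
    signature, or that sits beside the host in a user-writable directory
    (a signed but unrelated DLL dropped next to the host still counts)."""
    host = PureWindowsPath(event["Image"])
    if host.name.lower() not in WATCHED_HOSTS:
        return False
    dll = PureWindowsPath(event["ImageLoaded"])
    if dll.suffix.lower() != ".dll":
        return False
    trusted = (event.get("Signed", "").lower() == "true"
               and event.get("SignatureStatus", "").lower() == "valid")
    dll_dir = str(dll.parent).lower() + "\\"
    in_user_writable = any(marker in dll_dir for marker in SUSPICIOUS_DIRS)
    same_dir_as_host = str(dll.parent).lower() == str(host.parent).lower()
    return (not trusted) or (same_dir_as_host and in_user_writable)


def find_side_loads(events: list) -> list:
    """Return the subset of events worth an analyst's attention."""
    return [e for e in events if is_side_load_candidate(e)]


# Constructed sample telemetry (hypothetical paths, DLL names and signers).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\fmapp.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\ProgramData\svc\sentinelmemoryscanner.exe",
     "ImageLoaded": r"C:\ProgramData\svc\libcrypto.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Example Corp"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\fmapp.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\plugin.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for hit in find_side_loads(SAMPLE_EVENTS):
        print("side-load candidate:", hit["Image"], "->", hit["ImageLoaded"])
```

The last sample event is deliberately not flagged: the rule keys on the two abused host binaries, so an unsigned load by another process needs a separate rule.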
Source: The Hacker News

