What happened
Symantec’s Threat Hunter Team has documented a broad cyber-espionage campaign by MuddyWater, the Iranian state-linked group also known as Seedworm and Static Kitten, targeting at least nine high-profile organizations across multiple sectors and countries. Victims include a major South Korean electronics manufacturer, government agencies, an international airport in the Middle East, industrial manufacturers in Asia, and educational institutions.
The attack on the South Korean electronics manufacturer lasted from February 20 to 27, 2026, with the threat actor maintaining a week-long presence inside the network. Symantec assessed the campaign as intelligence-driven, focused on industrial and intellectual property theft, government espionage, and gaining access to downstream customers and corporate networks.
The campaign relied heavily on DLL sideloading using two legitimate signed binaries: fmapp.exe, a Fortemedia audio utility, and sentinelmemoryscanner.exe, a SentinelOne component. The malicious DLLs loaded through these binaries contained ChromElevator, a commodity post-exploitation tool that steals data from Chrome-based browsers. PowerShell remained central to the operation, used for screenshot capture, reconnaissance, payload delivery, persistence establishment, credential theft, and SOCKS5 tunnel creation, with payloads launched through Node.js loaders rather than executed directly. Credential theft methods included fake Windows prompts, theft of the SAM, SECURITY, and SYSTEM registry hives, and Kerberos ticket abuse tools. Persistence was established through registry modifications, with beaconing at 90-second intervals. Data exfiltration used sendit.sh, a public file-sharing service, to blend malicious traffic with normal activity.
Who is affected
The South Korean electronics manufacturer and eight other organizations across government, aviation, industrial manufacturing, and education sectors in multiple countries are confirmed victims. Symantec did not disclose the names of affected organizations. The campaign’s geographic expansion and sector diversity indicate MuddyWater is broadening its targeting scope beyond its traditionally Middle East-focused operations.
Why CISOs should care
MuddyWater’s abuse of legitimate security vendor binaries for DLL sideloading is a deliberate trust exploitation tactic. Using a signed SentinelOne component to load malicious code creates a situation where the very tool organizations rely on for endpoint protection becomes part of the attack chain. Combined with exfiltration through a public file-sharing service that blends with normal traffic, the campaign is specifically engineered to evade the detection layers most enterprises have invested in.
The 90-second beaconing cadence and implant-driven access pattern also suggest long-term collection rather than rapid exfiltration, meaning organizations in affected sectors may have active MuddyWater access they have not yet detected.
3 practical actions
- Hunt for DLL sideloading patterns involving fmapp.exe and sentinelmemoryscanner.exe across your environment: Check for instances of these binaries loading non-standard DLLs, particularly fmapp.dll and sentinelagentcore.dll, and investigate any endpoint where these file combinations appear outside of authorized software deployments.
- Monitor for ChromElevator execution and anomalous Chrome profile access: ChromElevator is a publicly available post-exploitation tool with documented indicators. Add detection rules for its execution patterns and alert on processes accessing Chrome browser profile data outside of authorized browser activity, particularly from sideloaded DLL contexts.
- Flag outbound connections to sendit.sh and similar public file-sharing services from production and corporate systems: MuddyWater used a public file-sharing service specifically to blend exfiltration with normal traffic. Audit whether your network monitoring rules cover outbound data transfers to public file-sharing platforms from servers and workstations that have no legitimate business reason to use them, and apply alerting on unusual volume or timing.
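The first hunting action above can be scripted against image-load telemetry (Sysmon Event ID 7 or an EDR equivalent). The following is an added example written for this article, not code from Symantec or the report: it flags the two host binary / DLL pairs named in the article when the DLL is unsigned or loaded from outside the expected install directories. The sample events, the "expected" directories, and the Fortemedia install path are constructed assumptions and should be tuned to your estate.

```python
"""Hunt image-load events for the DLL-sideloading pairs described in the report."""

# Signed host binaries named in the report and the DLL names they were abused to load
SIDELOAD_PAIRS = {
    "fmapp.exe": {"fmapp.dll"},
    "sentinelmemoryscanner.exe": {"sentinelagentcore.dll"},
}

# Directories a legitimately deployed copy would live in (assumption; tune per environment)
EXPECTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def is_suspicious_load(event):
    """True when a named host binary loads one of its known sideload DLL names and the
    DLL is either unsigned or sits outside the expected install directories."""
    proc = event["image"].rsplit("\\", 1)[-1].lower()
    dll_path = event["loaded"].lower()
    dll = dll_path.rsplit("\\", 1)[-1]
    if dll not in SIDELOAD_PAIRS.get(proc, ()):
        return False
    unsigned = not event.get("dll_signed", False)
    outside_install_dir = not dll_path.startswith(EXPECTED_DIRS)
    return unsigned or outside_install_dir


def hunt(events):
    """Return (host, process path, dll path) for every event that matches."""
    return [(e["host"], e["image"], e["loaded"]) for e in events if is_suspicious_load(e)]


# Constructed sample telemetry (not from the report); paths are illustrative
SAMPLE_EVENTS = [
    {"host": "ws01", "image": "C:\\Users\\a\\AppData\\Local\\Temp\\fmapp.exe",
     "loaded": "C:\\Users\\a\\AppData\\Local\\Temp\\fmapp.dll", "dll_signed": False},
    {"host": "ws02", "image": "C:\\Program Files\\Fortemedia\\fmapp.exe",
     "loaded": "C:\\Program Files\\Fortemedia\\fmapp.dll", "dll_signed": True},
    {"host": "srv03", "image": "C:\\ProgramData\\sentinelmemoryscanner.exe",
     "loaded": "C:\\ProgramData\\sentinelagentcore.dll", "dll_signed": False},
    {"host": "ws04", "image": "C:\\Program Files\\SentinelOne\\sentinelmemoryscanner.exe",
     "loaded": "C:\\Program Files\\SentinelOne\\sentinelagentcore.dll", "dll_signed": False},
    {"host": "ws05", "image": "C:\\Windows\\System32\\svchost.exe",
     "loaded": "C:\\Windows\\System32\\ntdll.dll", "dll_signed": True},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("SUSPICIOUS sideload:", *hit)
```

The ws04 case shows why the signature check matters: a DLL dropped into the vendor's own directory passes a path-only filter but still fails signature validation.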
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.

