A sophisticated and expansive cyber espionage campaign, attributed to the Iranian hacking group MuddyWater, has impacted at least nine organizations across nine countries on four continents during the first quarter of 2026, marking a significant escalation in state-sponsored cyber activities. This global offensive, detailed by cybersecurity researchers from Symantec and Carbon Black, targeted a diverse array of sectors including industrial and electronics manufacturing, education, public-sector bodies, financial services, and professional services, underscoring the broad strategic interests of the threat actor.
MuddyWater’s Global Reach and Tactical Evolution
The intelligence-gathering operation by MuddyWater, also known by aliases such as Seedworm and Static Kitten, demonstrates a notable evolution in the group’s operational methodology. Researchers from Broadcom’s cybersecurity teams highlighted the group’s reliance on advanced evasion techniques, primarily focusing on DLL side-loading. This method involves using legitimately signed binaries, specifically "fmapp.exe" from Fortemedia and "sentinelmemoryscanner.exe" associated with SentinelOne security products, to execute malicious DLLs while masquerading as benign software. This tactic allows the attackers to bypass conventional signature-based detection mechanisms, making their presence within compromised networks harder to detect.
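The side-loading pattern described above leaves a characteristic trace in image-load telemetry: a signed host binary such as "fmapp.exe" or "sentinelmemoryscanner.exe" maps its companion DLL from a location where the vendor never installed it, and the DLL itself fails signature validation. The hunting logic below is an added example, not code from Symantec, Carbon Black or the vendors named in the report; the events are constructed to resemble Sysmon Event ID 7 records, and the set of user-writable roots and the vendor install paths are assumptions to tune for a given estate.

```python
"""Flag DLL side-loading candidates in image-load telemetry.

Added example: the events below are constructed to resemble Sysmon Event ID 7
(ImageLoad) records; they are not data from the report.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, List, Tuple

# Host binary -> companion DLL, as named in the report. Extend with further
# pairs from threat-intelligence feeds.
WATCHED_PAIRS = {
    "fmapp.exe": "fmapp.dll",
    "sentinelmemoryscanner.exe": "sentinelagentcore.dll",
}

# Roots a standard user can write to (ASSUMED baseline; tune for the estate).
USER_WRITABLE_ROOTS = (
    PureWindowsPath("c:/users"),
    PureWindowsPath("c:/programdata"),
    PureWindowsPath("c:/windows/temp"),
)


@dataclass(frozen=True)
class ImageLoad:
    image: str             # Sysmon 'Image': the process executable
    image_loaded: str      # Sysmon 'ImageLoaded': the DLL mapped into it
    signature_valid: bool  # Sysmon 'SignatureStatus' == "Valid" for the DLL


def _under_user_writable(path: str) -> bool:
    """True when the path lies beneath one of the user-writable roots."""
    p = PureWindowsPath(path.lower())
    return any(root in p.parents for root in USER_WRITABLE_ROOTS)


def find_sideload_candidates(events: Iterable[ImageLoad]) -> List[Tuple[str, str, str]]:
    """Return (process, dll, reason) triples for loads that look like side-loading."""
    findings = []
    for ev in events:
        exe = PureWindowsPath(ev.image)
        dll = PureWindowsPath(ev.image_loaded)
        expected = WATCHED_PAIRS.get(exe.name.lower())
        if expected is None or dll.name.lower() != expected:
            continue  # not one of the watched host/DLL pairs
        reasons = []
        if not ev.signature_valid:
            reasons.append("companion DLL is unsigned or has an invalid signature")
        if _under_user_writable(ev.image_loaded):
            reasons.append("companion DLL loaded from a user-writable directory")
        if _under_user_writable(ev.image):
            reasons.append("signed host binary relocated to a user-writable directory")
        if reasons:
            findings.append((ev.image, ev.image_loaded, "; ".join(reasons)))
    return findings


# Constructed sample telemetry (vendor install paths are assumed, not documented).
SAMPLE_EVENTS = [
    # Vendor install with a validly signed DLL: benign, produces no finding.
    ImageLoad(r"C:\Program Files\Fortemedia\fmapp.exe",
              r"C:\Program Files\Fortemedia\fmapp.dll", True),
    # Signed host binary copied to a temp folder beside an unsigned fmapp.dll.
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\upd\fmapp.exe",
              r"C:\Users\alice\AppData\Local\Temp\upd\fmapp.dll", False),
    # Security-vendor scanner binary staged under ProgramData with a rogue DLL.
    ImageLoad(r"C:\ProgramData\svc\sentinelmemoryscanner.exe",
              r"C:\ProgramData\svc\sentinelagentcore.dll", False),
    # Unrelated load: ignored by the watched-pair filter.
    ImageLoad(r"C:\Windows\System32\notepad.exe",
              r"C:\Windows\System32\kernel32.dll", True),
]

if __name__ == "__main__":
    for process, dll, reason in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"{process} -> {dll}: {reason}")
```

The watched-pair filter keeps the rule precise, but the two location checks generalise: any signed binary that suddenly runs from a temp or profile directory next to an unsigned DLL of the expected name deserves the same scrutiny, regardless of vendor.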
One of the most high-profile victims identified in this campaign was a major South Korean electronics manufacturer, whose network was infiltrated for a full week in February 2026. This prolonged presence indicates a deep-seated interest in intellectual property, industrial secrets, or strategic access. Beyond East Asia, the campaign extended its reach to critical infrastructure in the Middle East, compromising an international airport. Industrial manufacturers in Southeast Asia and a financial-services provider in Latin America were also among the targets, showcasing the group’s truly global and multi-sectoral ambition.
The use of "fmapp.exe" to sideload "fmapp.dll" had been previously documented by Group-IB in connection with "Operation Olalampo," another MuddyWater campaign. According to analysis by Huntress, the malicious "fmapp.dll" contains code designed to establish connections with attacker-controlled infrastructure, specifically referencing an IP address like "157.20.182[.]49." The abuse of "sentinelmemoryscanner.exe," a binary linked to legitimate security software, is particularly insidious. This binary is leveraged to sideload "sentinelagentcore.dll," a rogue dynamic-link library designed to exploit the trust placed in endpoint security solutions.
Both malicious DLLs incorporate an open-source tool named ChromElevator. This tool is specifically engineered to siphon sensitive data, including passwords, cookies, and payment card information, from Chromium-based web browsers. Its efficacy lies in its ability to circumvent App-Bound Encryption (ABE) protections, a security feature Google Chrome introduced to enhance data security. The successful bypass of ABE highlights MuddyWater’s technical prowess and their commitment to extracting high-value information.
Further technical analysis reveals the attackers’ use of Node.js scripts to initiate PowerShell commands. These scripts are instrumental in conducting extensive reconnaissance and information-gathering operations within the victim’s network. In a concerning development, researchers observed that the stolen data was often staged on "sendit[.]sh," a public file-transfer service, before exfiltration. Symantec and Carbon Black’s report elaborated on the Node.js-based implant chain, noting its role in deploying PowerShell scripts for reconnaissance, capturing screenshots, stealing SAM (Security Account Manager) hive data, escalating privileges, and establishing SOCKS5 reverse-proxy tunnels. These tunnels provide a covert channel for attackers to relay traffic and launch tools like ChromElevator. The campaign also heavily featured credential dumping techniques, crucial for lateral movement and maintaining persistent access within compromised environments.
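Two of the behaviours described above are straightforward to hunt for in endpoint telemetry: a Node.js process spawning PowerShell with implant-style switches, and a process resolving the public file-transfer service used for staging. The script below is an added example rather than code from the Symantec and Carbon Black report; the JSON Lines records are constructed to resemble an EDR export, and the process names, field names and switch list are assumptions to adapt to the telemetry source in use.

```python
"""Hunt for the Node.js -> PowerShell implant chain and staging-service lookups.

Added example: the telemetry below is constructed JSON Lines resembling an EDR
export of process-creation and DNS events; it is not data from the report.
"""
import json
from typing import Dict, Iterable, List

# Public file-transfer service the report says was used to stage stolen data.
STAGING_DOMAINS = {"sendit.sh"}

# Script engines an implant is likely to drive (ASSUMED; extend as needed).
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
NODE_IMAGES = {"node.exe"}

# Switches that suggest an implant rather than an interactive administrator.
SUSPICIOUS_ARGS = ("-enc", "-encodedcommand", "-nop", "-w hidden", "-windowstyle hidden")


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_node_powershell_chains(lines: Iterable[str]) -> List[Dict]:
    """Return process-creation events where node.exe spawned PowerShell."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("event") != "process_create":
            continue
        if _basename(ev["parent_image"]) not in NODE_IMAGES:
            continue
        if _basename(ev["image"]) not in POWERSHELL_IMAGES:
            continue
        cmd = ev.get("command_line", "").lower()
        flags = [arg for arg in SUSPICIOUS_ARGS if arg in cmd]
        hits.append({
            "host": ev["host"],
            "pid": ev["pid"],
            "command_line": ev["command_line"],
            "suspicious_flags": flags,
        })
    return hits


def find_staging_lookups(lines: Iterable[str]) -> List[Dict]:
    """Return DNS events that resolve a known staging domain or a subdomain of it."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("event") != "dns_query":
            continue
        query = ev["query"].lower().rstrip(".")
        if any(query == d or query.endswith("." + d) for d in STAGING_DOMAINS):
            hits.append({"host": ev["host"], "image": ev["image"], "query": ev["query"]})
    return hits


# Constructed sample records; the encoded command decodes to the harmless
# UTF-16LE string "ABC" and is only there to trigger the switch check.
SAMPLE_LOG = [
    r'{"event":"process_create","host":"ws-017","pid":4120,'
    r'"parent_image":"C:\\ProgramData\\nodejs\\node.exe",'
    r'"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",'
    r'"command_line":"powershell.exe -nop -w hidden -enc QQBCAEMA"}',
    r'{"event":"process_create","host":"ws-017","pid":4188,'
    r'"parent_image":"C:\\Windows\\explorer.exe",'
    r'"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",'
    r'"command_line":"powershell.exe Get-Process"}',
    r'{"event":"dns_query","host":"ws-017",'
    r'"image":"C:\\ProgramData\\nodejs\\node.exe","query":"sendit.sh"}',
    r'{"event":"dns_query","host":"ws-017",'
    r'"image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","query":"www.example.com"}',
]

if __name__ == "__main__":
    for hit in find_node_powershell_chains(SAMPLE_LOG):
        print("node -> powershell:", hit)
    for hit in find_staging_lookups(SAMPLE_LOG):
        print("staging-service lookup:", hit)
```

Correlating the two hits on the same host within a short window (here both come from ws-017 and the same node.exe path) is what turns two low-confidence signals into a case worth escalating; the explorer.exe-launched PowerShell in the sample is deliberately left unflagged to show the parent check doing its job.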

In the case of the South Korean electronics manufacturer, MuddyWater repeatedly executed PowerShell-based reconnaissance and re-launched the DLL side-loading binaries. This persistence ensured sustained access to the compromised host, although the initial access vector used to breach the organization remains unknown. Researchers noted that "the cadence is again consistent with implant-driven activity rather than continuous operator presence," suggesting a more automated and stealthy approach. This marks a significant shift from their earlier, more overt "Seedworm" operations, indicating "a significant step up in operational hygiene" and a move towards quieter, more disciplined cyber espionage.
International Response: EU Sanctions Against Iranian Entities
The revelation of MuddyWater’s global campaign coincides with heightened international efforts to counter Iranian state-sponsored cyber threats. In March 2026, the European Council imposed sanctions against Emennet Pasargad, an Iranian company, for its involvement in a series of malicious cyber activities. These sanctions underscore the growing global consensus on holding state-backed actors accountable for disruptive cyber operations.
The specific activities leading to the EU sanctions included hacking a Swedish SMS service, illicitly accessing and offering for sale the contents of a French subscriber database, and engaging in disinformation campaigns via compromised advertising billboards during the 2024 Paris Olympic Games. These actions demonstrate a broad spectrum of capabilities, ranging from direct data theft to sophisticated influence operations designed to sow discord and manipulate public perception.
Emennet Pasargad is widely recognized as "Shahid Shushtari" by the U.S. State Department and is affiliated with Iran’s Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC). This direct link to a powerful state entity confirms the state-sponsored nature of its operations. The company operates under several other monikers, including Cobalt Obelisk, Cotton Sandstorm, Haywire Kitten (formerly ChaoticOrchestra), Marnanbridge, and UNC5866, highlighting the challenge of tracking and attributing cyber attacks to a single, consistent entity.
The U.S. State Department had previously issued warnings in December 2025 regarding Shahid Shushtari, noting that its members "have caused significant financial damage and disruption to U.S. businesses and government agencies through coordinated cyber and cyber-enabled information operations." These campaigns have historically targeted multiple critical infrastructure sectors, including news, shipping, travel, energy, financial, and telecommunications, across the United States, Europe, and the Middle East. The consistency of these targets across various Iranian-backed groups underscores a strategic imperative to gain intelligence, disrupt operations, and potentially inflict economic harm on perceived adversaries.
MOIS-Linked Destructive Operations: The "Ababil of Minab" Campaign
Adding to the complex landscape of Iranian cyber threats, another exfiltration campaign, occurring between late March and early April 2026, targeted organizations in the U.S., Israel, Saudi Arabia, and Turkey. This campaign, initially claimed by a pro-Iranian persona named "Ababil of Minab," escalated with destructive operations against at least two U.S. victims, involving the deletion of partitions and data backups. This shift from espionage to destructive capability represents a dangerous escalation in cyber warfare tactics.

A new analysis by Gambit Security has provided crucial attribution, linking the campaign’s infrastructure directly to Iran’s Ministry of Intelligence and Security (MOIS). This finding is significant as it ties another major Iranian intelligence apparatus to aggressive cyber operations, further illustrating the multi-faceted and coordinated nature of Iran’s state-sponsored hacking efforts.
Beyond the U.S. victims, the "Ababil of Minab" campaign also targeted an Israeli organization in the media sector, an Israeli higher education institution, a Turkish insurance brokerage, and several additional websites across the restaurant, culture, digital services, and news sectors. While destructive activity was not observed against these specific victims, the broad targeting suggests a combination of intelligence gathering and potential disruption.
Gambit Security researchers Eyal Sela and Nir Varon detailed the tools employed in this campaign, including a bespoke C++ file collection and exfiltration tool internally codenamed "FileFiend." This binary is capable of enumerating local drives and Server Message Block (SMB) shares, traversing file systems, and sending collected files to a hard-coded command-and-control (C2) server. Alternatively, data of interest was compressed into RAR archives on a host within the victim’s environment. These archives were then uploaded to the organization’s public website at the web root, from where they were downloaded using the Axel command-line download accelerator, with the connections tunneled through proxychains to obscure the exfiltration path. These techniques demonstrate a sophisticated understanding of network operations and a clear intent to cover tracks.
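The web-root staging path described above is visible to the victim in its own web server access logs: an archive that was never part of the site appears at the top level and is pulled by a download accelerator, which typically splits the transfer into many ranged requests from the same client. The analysis below is an added example and not code from Gambit Security; the log lines are constructed in Apache/Nginx combined format, the byte threshold is an arbitrary starting point, and the "Axel/" User-Agent prefix is an assumption to verify against the version in question.

```python
"""Spot archive staging and bulk download in web-server access logs.

Added example: the log lines are constructed in combined log format; they are
not taken from the report.
"""
import re
from typing import Dict, Iterable, List, Optional

COMBINED = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
ARCHIVE_EXT = (".rar", ".zip", ".7z", ".tar", ".gz")
# User-Agent prefixes of command-line fetchers. "Axel/" is ASSUMED; verify
# against the release you need to detect.
DOWNLOADER_UA = ("axel/", "curl/", "wget/")
BIG_TRANSFER = 50 * 1024 * 1024  # 50 MiB, an arbitrary starting threshold


def parse_combined(line: str) -> Optional[Dict]:
    """Parse one combined-format line; None when it does not match."""
    m = COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["status"] = int(rec["status"])
    return rec


def find_archive_exfil(lines: Iterable[str]) -> List[Dict]:
    """Aggregate archive downloads per (client, path) and flag suspicious ones.

    Aggregation matters because accelerators issue many 206 partial responses
    per file, each of which looks small on its own.
    """
    totals: Dict[tuple, Dict] = {}
    for line in lines:
        rec = parse_combined(line)
        if rec is None or rec["method"] != "GET" or rec["status"] not in (200, 206):
            continue
        path = rec["path"].split("?", 1)[0]
        if not path.lower().endswith(ARCHIVE_EXT):
            continue
        key = (rec["client"], path)
        entry = totals.setdefault(key, {"client": rec["client"], "path": path,
                                        "bytes": 0, "requests": 0, "agents": set()})
        entry["bytes"] += rec["bytes"]
        entry["requests"] += 1
        entry["agents"].add(rec["ua"])

    findings = []
    for entry in totals.values():
        reasons = []
        if entry["bytes"] >= BIG_TRANSFER:
            reasons.append("large archive transfer")
        if any(ua.lower().startswith(DOWNLOADER_UA) for ua in entry["agents"]):
            reasons.append("command-line download tool user agent")
        if entry["path"].count("/") == 1:
            reasons.append("archive served from the web root")
        if reasons:
            findings.append({**entry, "agents": sorted(entry["agents"]), "reasons": reasons})
    return findings


# Constructed sample log: two ranged fetches of an archive dropped at the web
# root, plus ordinary traffic including a legitimate brochure download.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [02/Apr/2026:03:15:02 +0000] "GET /backup-03.rar HTTP/1.1" 206 31457280 "-" "Axel/2.17 (Linux)"',
    '203.0.113.7 - - [02/Apr/2026:03:15:02 +0000] "GET /backup-03.rar HTTP/1.1" 206 31457280 "-" "Axel/2.17 (Linux)"',
    '198.51.100.23 - - [02/Apr/2026:03:20:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [02/Apr/2026:03:20:11 +0000] "GET /docs/brochure.zip HTTP/1.1" 200 204800 "https://example.org/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in find_archive_exfil(SAMPLE_ACCESS_LOG):
        print(finding["client"], finding["path"], finding["bytes"], finding["reasons"])
```

Because the traffic exits through proxychains, the source address in the log is not the operator's own; the useful pivots are the archive's appearance in the web root (pair this with a file-integrity check of the document root) and the per-file byte totals, not the client IP.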
The Evolving Landscape of Iranian Cyber Warfare and Global Implications
The confluence of these distinct but interconnected campaigns – MuddyWater’s stealthy global espionage, Emennet Pasargad’s disruptive actions leading to EU sanctions, and MOIS-linked destructive operations by "Ababil of Minab" – paints a comprehensive picture of Iran’s escalating and diversifying cyber warfare capabilities. These groups, often operating with varying degrees of overtness and technical sophistication, collectively pose a significant threat to global cybersecurity.
The implications are far-reaching. Economically, the targeting of industrial, manufacturing, and financial sectors can lead to substantial financial losses, intellectual property theft, and disruption of critical services. Geopolitically, these state-sponsored operations contribute to an environment of increased tension and distrust, potentially impacting international relations and trade. The use of destructive malware, as seen in the "Ababil of Minab" campaign, signals a willingness to escalate beyond mere espionage, posing a direct threat to the operational integrity of targeted organizations and potentially critical national infrastructure.
Technologically, the consistent abuse of legitimate binaries for DLL side-loading, the development of tools like ChromElevator to bypass advanced security features, and custom exfiltration tools like FileFiend underscore the advanced persistent threat capabilities of these Iranian groups. Cybersecurity defenses must continuously evolve to counter these sophisticated tactics, moving beyond signature-based detection to embrace behavioral analysis, advanced threat intelligence, and proactive hunting.
The international community’s response, exemplified by the EU sanctions against Emennet Pasargad, indicates a growing resolve to impose consequences on state-sponsored cyber aggressors. However, the attribution challenges and the constantly evolving nature of these threats mean that vigilance, international cooperation, and robust defensive measures remain paramount. Organizations worldwide, particularly those in critical sectors, must prioritize enhanced cybersecurity postures, implement multi-layered defenses, and engage in continuous threat intelligence sharing to effectively mitigate the persistent and evolving threat posed by state-sponsored cyber actors. The activities of groups like MuddyWater and entities linked to the IRGC-CEC and MOIS serve as a stark reminder of the ever-present and increasing digital battleground.
