The Iranian hacking group MuddyWater was linked to a campaign that hit at least nine organizations in nine countries across four continents in the first quarter of 2026, with victims spanning manufacturing, education, public sector, financial services and professional services.
KEY FACTS
- Victims: At least nine organizations across nine countries were affected.
- Targets: The campaign reached industrial and electronics manufacturing, education, public-sector bodies and financial services.
- Technique: Attackers used DLL side loading with signed binaries to run malicious code.
- Data theft: The malware targeted Chromium browser passwords, cookies and payment card data.
- Unknowns: The initial access vector in the South Korean case was not identified.
A technical analysis by Broadcom’s cybersecurity teams said the attackers used legitimately signed Fortemedia and SentinelOne binaries to sideload malicious DLLs while posing as benign software. One DLL was previously tied to another MuddyWater operation, while the other was designed to bypass signature-based detection.
The report said both DLLs embedded ChromElevator, an open-source tool used to steal passwords, cookies and payment card data from Chromium-based browsers. It also said the group used Node.js scripts to launch PowerShell for reconnaissance, screenshot capture, SAM hive theft, privilege escalation and SOCKS5 reverse-proxy tunneling.
In at least one case, stolen data was staged on sendit.sh, a public file-transfer service. The South Korean electronics manufacturer was reportedly accessed for about a week in February 2026, and the attackers repeatedly ran PowerShell-based reconnaissance and re-executed the two binaries to maintain access.
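A defender-side triage example, added here and not part of the Broadcom report: it scans constructed Sysmon-style events for three behaviours the report describes (an unsigned DLL loaded from a user-writable directory, node.exe spawning PowerShell, and a connection to sendit.sh). The executable and DLL names, file paths and the simplified event format are assumptions.

```python
import ntpath
import re

# Constructed Sysmon-style events in a simplified "EventType|key=value|..." form.
# vendor_app.exe / helper.dll are placeholder names, not binaries named in the report.
SAMPLE_LOG = """\
ImageLoad|Image=C:\\Users\\alice\\AppData\\Local\\Temp\\vendor_app.exe|ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll|Signed=false
ImageLoad|Image=C:\\Windows\\System32\\svchost.exe|ImageLoaded=C:\\Windows\\System32\\version.dll|Signed=true
ProcessCreate|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|ParentImage=C:\\Program Files\\nodejs\\node.exe
ProcessCreate|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|ParentImage=C:\\Windows\\explorer.exe
NetworkConnect|Image=C:\\Users\\alice\\AppData\\Local\\Temp\\vendor_app.exe|DestinationHostname=sendit.sh
"""

# Directories an ordinary user can write to; a DLL loaded from here is a side-loading candidate.
USER_WRITABLE = re.compile(r"^[A-Z]:\\(Users|ProgramData)\\", re.IGNORECASE)

def parse(line):
    """Split one event line into its type and a dict of key=value fields."""
    kind, *pairs = line.split("|")
    return kind, dict(p.split("=", 1) for p in pairs)

def check(kind, f):
    """Return a finding label for one event, or None if it matches no rule."""
    if kind == "ImageLoad" and f.get("Signed") == "false" and USER_WRITABLE.match(f["ImageLoaded"]):
        return "possible_dll_sideload"
    if (kind == "ProcessCreate"
            and ntpath.basename(f["ParentImage"]).lower() == "node.exe"
            and ntpath.basename(f["Image"]).lower() == "powershell.exe"):
        return "node_spawns_powershell"
    if kind == "NetworkConnect" and f.get("DestinationHostname", "").lower() == "sendit.sh":
        return "staging_to_public_file_transfer"
    return None

def triage(log_text):
    """Return (label, process image) for every event that trips a rule, in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        kind, f = parse(line)
        label = check(kind, f)
        if label:
            findings.append((label, f["Image"]))
    return findings

if __name__ == "__main__":
    for label, image in triage(SAMPLE_LOG):
        print(f"{label}: {image}")
```

Each rule alone is noisy; the report's point is the combination, so in practice these findings are correlated per host and time window before being escalated.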
The report described the activity as more disciplined than earlier MuddyWater operations. It said the pattern pointed to implant-driven activity rather than continuous operator presence, and noted that no single technique was new on its own.
WHY IT MATTERS
The campaign shows how attackers can combine signed software, side loading and browser data theft to reduce detection and expand access inside networks. The mix of reconnaissance, credential dumping and lateral-movement preparation can make intrusions harder to spot and contain.

