MuddyWater hackers targeted South Korean electronics maker in broad espionage campaign

The Iran-linked hacking group MuddyWater targeted at least nine organizations across several countries in a cyberespionage campaign that included a major South Korean electronics manufacturer, government agencies, an airport and industrial firms, according to a technical analysis by Symantec. Researchers said the group spent a week inside the South Korean company’s network in February 2026.

KEY FACTS

  • Scope: At least nine high-profile organizations were targeted across multiple sectors and countries.
  • Victims: Targets included a South Korean electronics maker, government agencies, an airport in the Middle East, industrial manufacturers in Asia and schools.
  • Access: The intruders remained in the South Korean network from Feb. 20 to Feb. 27, 2026.
  • Methods: The group used DLL sideloading, PowerShell, Node.js loaders and public file-sharing services.

The campaign relied on legitimate signed software to load malicious DLLs, including fmapp.exe, a Fortemedia audio utility, and sentinelmemoryscanner.exe, a SentinelOne component. The malicious files were used to run Chrome data theft tooling and other post-exploitation activity.

PowerShell was used for screenshots, reconnaissance, credential theft, persistence and SOCKS5 tunneling. The attackers also used fake Windows prompts, registry hive theft and Kerberos ticket abuse tools to collect credentials, while beacons ran at 90-second intervals.
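As an added detection example, not code from Symantec's report or this article, the following flags the two signed binaries named above when they launch from outside trusted install roots (a classic sideloading sign) and flags source/destination pairs whose connection cadence sits near the 90-second beacon interval described. The trusted roots, the `timestamp src -> dst` log format and all sample telemetry are constructed assumptions.

```python
import re
import statistics
from datetime import datetime
# Signed binaries the report names as sideloading hosts; trusted roots are a constructed assumption.
SIDELOAD_HOSTS = {"fmapp.exe", "sentinelmemoryscanner.exe"}
TRUSTED_ROOTS = (r"c:\program files", r"c:\windows")

def flag_sideload_hosts(image_paths):
    """Return watched binaries that were launched from outside the trusted roots."""
    hits = []
    for path in image_paths:
        low = path.lower()
        if low.rsplit("\\", 1)[-1] in SIDELOAD_HOSTS and not low.startswith(TRUSTED_ROOTS):
            hits.append(path)
    return hits

LOG_RE = re.compile(r"^(\S+) (\S+) -> (\S+)$")  # "<ISO timestamp> <src> -> <dst>"
def find_beacons(lines, period=90, tolerance=5, min_hits=4):
    """Group connections by (src, dst); return pairs whose gaps cluster at `period` seconds."""
    times = {}
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts, src, dst = m.groups()
            times.setdefault((src, dst), []).append(datetime.fromisoformat(ts))
    beacons = []
    for key, stamps in times.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Regular cadence: median gap near the period and little jitter across gaps.
        if (len(stamps) >= min_hits and abs(statistics.median(gaps) - period) <= tolerance
                and statistics.pstdev(gaps) <= tolerance):
            beacons.append(key)
    return beacons

# Constructed sample telemetry: a legitimate launch, two suspicious ones, one 90 s beacon.
SAMPLE_PROCS = [
    r"C:\Program Files\Fortemedia\fmapp.exe",
    r"C:\Users\alice\AppData\Local\Temp\fmapp.exe",
    r"C:\Users\alice\Downloads\sentinelmemoryscanner.exe",
]
SAMPLE_CONNS = [
    "2026-02-20T09:00:00 10.0.0.5 -> 203.0.113.7",
    "2026-02-20T09:01:30 10.0.0.5 -> 203.0.113.7",
    "2026-02-20T09:03:01 10.0.0.5 -> 203.0.113.7",
    "2026-02-20T09:04:30 10.0.0.5 -> 203.0.113.7",
    "2026-02-20T09:00:10 10.0.0.5 -> 198.51.100.2",
    "2026-02-20T09:07:40 10.0.0.5 -> 198.51.100.2",
]
```

Real deployments should feed this from EDR image-load and proxy telemetry and tune `tolerance` to the jitter the implant shows, since attackers who randomize sleep intervals will widen the spread of gaps.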

The report said the attackers likely used sendit.sh for data exfiltration in a way that could blend in with normal traffic. The researchers did not name the South Korean company.

WHY IT MATTERS

The activity shows a shift toward quieter intrusions that use legitimate tools and services to stay hidden. That makes detection harder for defenders and raises the risk of industrial and government data theft across several regions.