Full Report
The Iran-linked hacking group MuddyWater (a.k.a. Seedworm, Static Kitten) launched a broad cyber-espionage campaign targeting at least nine high-profile organizations across multiple sectors and countries. [...]
Analysis Summary
# Threat Actor: MuddyWater
## Attribution & Identity
* **Name:** MuddyWater
* **Aliases:** Seedworm, Static Kitten
* **Affiliation:** Linked to Iranian intelligence services.
* **Known Associations:** Characterized by Symantec as an intelligence-driven group focusing on industrial espionage and government surveillance.
## Activity Summary
In February 2026, MuddyWater executed a broad cyber-espionage campaign characterized by a shift toward more discreet operations. A primary focus of this activity was a week-long intrusion into a major South Korean electronics manufacturer (February 20–27, 2026). The campaign demonstrated geographic expansion and operational maturity, leveraging legitimate signed binaries to side-load malware and utilizing public file-sharing services for exfiltration.
## Tactics, Techniques & Procedures
* **DLL Sideloading:** Abuse of legitimate, signed software to load malicious DLLs (`fmapp.dll` and `sentinelagentcore.dll`).
* **Credential Theft:** Use of fake Windows prompts, registry hive theft (SAM/SYSTEM/SECURITY), and Kerberos ticket abuse.
* **Persistence:** Registry modifications and repetitive relaunching of sideloaded binaries.
* **Reconnaissance & Enumeration:** Host/domain reconnaissance and antivirus enumeration via WMI.
* **Execution:** Heavy use of PowerShell, controlled through Node.js loaders.
* **Data Exfiltration:** Abuse of public file-sharing services to blend with normal traffic.
* **Post-Exploitation:** Browser data theft using "ChromElevator."
**MITRE ATT&CK Techniques Mentioned:**
* T1574.002 - Hijack Execution Flow: DLL Side-Loading
* T1059.001 - Command and Scripting Interpreter: PowerShell
* T1047 - Windows Management Instrumentation
* T1113 - Screen Capture
* T1003 - OS Credential Dumping
* T1112 - Modify Registry
* T1558 - Steal or Forge Kerberos Tickets
* T1567 - Exfiltration Over Web Service
## Targeting
* **Sectors:** Electronics Manufacturing, Government Agencies, Aviation/Transportation, Industrial Manufacturing, and Education.
* **Geography:** South Korea, Middle East, and broader Asia.
* **Victims:** A major (unnamed) South Korean electronics manufacturer, an international airport in the Middle East, and at least nine other high-profile organizations.
## Tools & Infrastructure
* **Malware/Tools:**
  * **ChromElevator:** Commodity tool for stealing Chrome-based browser data.
  * **Node.js loaders:** Used to manage PowerShell payloads.
  * **SOCKS5 Tunnels:** For network pivoting.
* **Legitimate Binaries Abused:**
  * `fmapp.exe` (Foremedia audio utility)
  * `sentinelmemoryscanner.exe` (SentinelOne component)
* **Infrastructure:**
  * **Exfiltration:** `sendit[.]sh` (public file-sharing service)
  * **Beaconing:** 90-second automated interval cadence.
## Implications
This campaign signals an evolution in MuddyWater's operational security. By moving away from direct PowerShell execution to Node.js loaders and leveraging "Living off the Land" techniques (like DLL sideloading and public cloud services), the actor is becoming harder to detect through traditional signature-based tools. Their focus on the South Korean electronics sector suggests a strategic shift toward intellectual property theft and supply chain access to downstream customers.
## Mitigations
* **DLL Sideloading Protection:** Implement strictly enforced Application Control policies (e.g., AppLocker or Windows Defender Application Control) to prevent the execution of unauthorized DLLs.
* **Credential Guard:** Enable Windows Defender Credential Guard to protect registry hives and LSASS from memory scraping.
* **Monitor Scripting:** Audit PowerShell and Node.js execution; specifically look for unusual parent-child process relationships (e.g., an audio utility spawning a shell).
* **Network Filtering:** Block or alert on traffic to public file-sharing sites like `sendit[.]sh` within corporate environments where they serve no business purpose.
* **Browser Security:** Ensure App-Bound Encryption and other browser hardening features are active to mitigate tools like ChromElevator.
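The "Monitor Scripting" mitigation and the 90-second beacon cadence above translate directly into telemetry rules. The following is an added example (not from the report or any vendor product) of those two heuristics run over constructed Sysmon-style events; the event field names, the staging directory, the hostname and the destination address are all assumptions made for the sample.

```python
# Heuristic detections for the sideloading chain and beacon cadence described in this
# report, run over constructed Sysmon-style dicts (sample data, not from the report).
import re
from statistics import mean

SIDELOAD_HOSTS = {"fmapp.exe", "sentinelmemoryscanner.exe"}   # abused signed binaries
SIDELOAD_DLLS = {"fmapp.dll", "sentinelagentcore.dll"}         # DLLs they sideload
INTERPRETERS = {"powershell.exe", "pwsh.exe", "node.exe", "cmd.exe"}
# User-writable directories a signed vendor binary should not normally load DLLs from
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\AppData|Users\\Public|ProgramData|Windows\\Temp)\\", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect_sideload(events):
    """Flag a sideload host spawning an interpreter, or loading its DLL from a user-writable path."""
    alerts = []
    for e in events:
        if e["type"] == "process_create":
            parent, child = basename(e["parent_image"]), basename(e["image"])
            if parent in SIDELOAD_HOSTS and child in INTERPRETERS:
                alerts.append(("sideload_host_spawns_interpreter", e["host"], f"{parent} -> {child}"))
        elif e["type"] == "image_load" and basename(e["image"]) in SIDELOAD_HOSTS:
            if basename(e["loaded"]) in SIDELOAD_DLLS and USER_WRITABLE.search(e["loaded"]):
                alerts.append(("sideload_dll_from_user_writable_path", e["host"], e["loaded"]))
    return alerts

def detect_beacon(events, period=90, jitter=5, min_conns=4):
    """Flag (host, image, dest) tuples whose connections recur every ~period seconds."""
    series = {}
    for e in events:
        if e["type"] == "network_connect":
            series.setdefault((e["host"], basename(e["image"]), e["dest"]), []).append(e["ts"])
    hits = []
    for key, ts in series.items():
        ts.sort()
        deltas = [b - a for a, b in zip(ts, ts[1:])]
        if len(ts) >= min_conns and all(abs(d - period) <= jitter for d in deltas):
            hits.append(("fixed_interval_beacon", key, round(mean(deltas), 1)))
    return hits

# Constructed sample telemetry: one sideloading chain plus five connections 90 s apart
TMP = r"C:\Users\a\AppData\Local\Temp"   # assumed staging directory, not from the report
SAMPLE = [
    {"type": "image_load", "host": "ws01", "image": TMP + r"\fmapp.exe", "loaded": TMP + r"\fmapp.dll"},
    {"type": "process_create", "host": "ws01", "parent_image": TMP + r"\fmapp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
] + [{"type": "network_connect", "host": "ws01", "image": TMP + r"\fmapp.exe",
      "dest": "203.0.113.5:443", "ts": 1000 + 90 * i} for i in range(5)]
```

A vendor binary launched from its installation directory by `explorer.exe` produces no alert, so the rules stay quiet on the legitimate use of the same software.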