
HIGH: Iranian MuddyWater APT Hits Nine Countries With Signed-Binary DLL Side-Loading Through SentinelOne and Fortemedia

Symantec and Carbon Black detail a Q1 2026 MuddyWater espionage campaign that breached nine organisations across nine countries on four continents, abusing signed SentinelOne and Fortemedia binaries for DLL side-loading and deploying ChromElevator, a Node.js implant, and the FileFiend exfiltration tool. The Iranian MOIS-linked group is moving toward quieter, more disciplined operations.

By Danny Mercer, CISSP — Lead Security Analyst May 28, 2026

If you needed a reminder that Iran's intelligence apparatus has not been slowed down by sanctions, sabotage, or the ongoing regional turmoil, MuddyWater has obligingly provided one. Symantec's Threat Hunter Team and the Carbon Black Threat Analysis Unit have published a joint analysis of a fresh espionage campaign that the group ran through the first quarter of 2026, and the operation hit nine organisations across nine countries on four continents. The tradecraft is notably quieter than what the group, also known as Seedworm, Static Kitten, TEMP.Zagros, Cobalt Obelisk, and Cotton Sandstorm in different vendor taxonomies, has used in the past, which is exactly the sort of evolution worth taking seriously.

The headline trick this time is DLL side-loading, but with a twist that should make every security tool vendor wince a little. The first sideload chain abuses fmapp.exe, the legitimate signed binary that ships with Fortemedia audio drivers found on millions of laptops, to load a malicious fmapp.dll. That part is standard living-off-the-land tradecraft. The second chain is more pointed. MuddyWater is sideloading a rogue sentinelagentcore.dll through sentinelmemoryscanner.exe, the genuinely signed SentinelOne binary. Symantec assessed that this choice was deliberate, designed to let the implant masquerade as an endpoint protection process and slip past defenders who triage alerts on the basis of which process is doing the talking. There is a certain dark humour in using a signed EDR binary to hide a state actor's implants, and it is the kind of detail that will end up in red team training decks for years.

The victimology paints a picture of a campaign tuned for strategic value rather than mass disruption. Industrial and electronics manufacturing took the heaviest hit, including a major South Korean electronics maker where the operators camped out inside the network for roughly a week in February 2026. An international airport somewhere in the Middle East was compromised, as were Southeast Asian industrial manufacturers and a Latin American financial services provider. Education and public sector entities round out the target list, along with professional services firms that often sit upstream of much larger corporate clients. The geographic spread tells you that this is not a regional operation; it is global collection, and the sector mix is consistent with Iranian MOIS priorities around supply chain intelligence, transportation infrastructure, and economic targeting.

What the operators do once they land is where the campaign earns its keep. The South Korean intrusion in particular gives Symantec a clear forensic window. After the initial foothold, which Symantec could not definitively pin to a single technique on that engagement, the operators used PowerShell extensively for reconnaissance, then repeatedly re-executed the two sideloading binaries to regain access whenever they were disrupted. The implant suite includes a Node.js-based tool that drops PowerShell scripts to handle reconnaissance, screen capture, theft of the SAM registry hive for offline credential cracking, privilege escalation, and SOCKS5 tunnelling for pivoting deeper into the network. They also brought along ChromElevator, an open source utility that pulls saved passwords, session cookies, and payment card data out of Chromium-based browsers, and which has been updated to circumvent Google's App-Bound Encryption protections that were supposed to stop exactly this category of theft. The final piece is FileFiend, a bespoke C++ collector with built-in SMB share enumeration that walks file shares and exfiltrates whatever the operators flag as interesting.

Command and control infrastructure for the operation centred on the IP address 157.20.182.49, and the operators staged stolen data through sendit.sh, a public file transfer service. The use of legitimate consumer file sharing for exfiltration is not new for MuddyWater or for state-sponsored actors broadly, and it is genuinely awkward to defend against because blocking the entire service breaks legitimate user behaviour. Detection at the file sharing service layer requires content inspection, behavioural baselining of which endpoints are sending large outbound transfers to which destinations, and a willingness to investigate uploads that fall outside business hours or that come from systems that have no business uploading data anywhere.

The big strategic note from the Symantec analysis is the explicit acknowledgement that MuddyWater's tradecraft has matured. The team wrote that the group's campaign history shows a clear move towards quieter and more disciplined operations, which is intelligence community language for "they are getting harder to catch." That maturation has been visible across multiple Iranian APT clusters over the past two years, and it tracks with the wider trend of state-aligned threat actors investing in operational security after a string of high-profile burns from western intelligence services and private threat intelligence vendors. The days when MuddyWater would spray macro-laden Word documents at a target list and call it a day are behind us. What you get now is patient, signed-binary abuse, careful credential collection, and exfiltration through services that look like noise on a NetFlow report.

For defenders, this campaign delivers several concrete priorities. Endpoint detection rules need to inspect not just whether a process is signed but whether the DLL it loaded comes from an expected directory and whether the parent path matches the vendor's documented install location. Sideloading detection has been a solved problem in principle for years, but in practice most organisations still run signature-heavy detection that trusts any process whose binary is signed by a reputable vendor. Hunt for fmapp.exe and sentinelmemoryscanner.exe executing from unexpected directories or with parent processes that should not be invoking them. Audit your SentinelOne deployment paths to understand exactly where the legitimate sentinelmemoryscanner.exe lives, then alert on copies of it executing from anywhere else. Block or aggressively monitor sendit.sh uploads at the proxy layer, treat large outbound flows to 157.20.182.49 as a hard indicator, and pull the SAM hive access events from your endpoint telemetry to look for off-baseline reads.

Network detection should focus on PowerShell encoded-command execution from contexts that are not running deployment tooling, on Node.js processes spawning powershell.exe, and on SMB enumeration patterns sourced from endpoints that do not normally browse file shares at scale. Credential hygiene is the other half of the equation. ChromElevator scoops up everything a Chromium browser has cached, which means once an endpoint is compromised, the blast radius extends to every cloud service the user has logged into and every SaaS application that holds onto a session cookie. Rotating browser credentials and forcing reauthentication after any incident, even a suspected one, is the only reliable way to shrink that radius after the fact.
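The endpoint and process-lineage checks from the two paragraphs above, as an added example that is not code from Symantec, Carbon Black, or this article: it triages constructed Sysmon-style process-create (ID 1) and image-load (ID 7) events for the two abused host binaries running or loading DLLs outside their install directory, for node.exe spawning PowerShell, and for encoded PowerShell under a parent that is not deployment tooling. The install directories in EXPECTED_HOST_DIRS and the parents in DEPLOYMENT_PARENTS are assumed placeholders to be replaced with the results of auditing your own deployment.

```python
"""Triage Sysmon-style ID 1 / ID 7 events for the sideload and PowerShell lineage patterns above (added example)."""
import ntpath
import re

# Assumed placeholder install dirs for the two abused signed binaries; replace after auditing your deployment.
EXPECTED_HOST_DIRS = {
    "fmapp.exe": {r"c:\program files\fortemedia\fmapp"},
    "sentinelmemoryscanner.exe": {r"c:\program files\sentinelone\sentinel agent"},
}
DEPLOYMENT_PARENTS = {"ccmexec.exe"}  # assumed: parents allowed to run encoded PowerShell
ENCODED_FLAG = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)  # minimal -EncodedCommand spellings

def _name(path): return ntpath.basename(path).lower()
def _dir(path): return ntpath.dirname(path).lower()
def check_sideload(ev):
    """ID 1: host binary outside its audited dir; ID 7: its DLL loaded from an unexpected dir."""
    name = _name(ev["image"])
    if name not in EXPECTED_HOST_DIRS:
        return None
    path = ev["image_loaded"] if ev["id"] == 7 else ev["image"]
    return None if _dir(path) in EXPECTED_HOST_DIRS[name] else f"unexpected-path:{_name(path)}"
def check_powershell_parent(ev):
    """ID 1: node.exe spawning PowerShell, or encoded PowerShell outside deployment tooling."""
    if ev["id"] != 1 or _name(ev["image"]) != "powershell.exe":
        return None
    parent = _name(ev["parent_image"])
    if parent == "node.exe":
        return "node-spawns-powershell"
    if ENCODED_FLAG.search(f" {ev['cmdline']} ") and parent not in DEPLOYMENT_PARENTS:
        return "encoded-powershell-nondeployment-parent"
    return None
def triage(events):
    """Return (event_index, reason) for every event that trips a check."""
    return [(i, r) for i, ev in enumerate(events)
            for r in (check_sideload(ev), check_powershell_parent(ev)) if r]
def proc(image, parent, cmdline=""):
    return {"id": 1, "image": image, "parent_image": parent, "cmdline": cmdline}

# Constructed sample telemetry, not indicators from the report.
SAMPLE_EVENTS = [
    proc(r"C:\Program Files\SentinelOne\Sentinel Agent\SentinelMemoryScanner.exe",
         r"C:\Program Files\SentinelOne\Sentinel Agent\SentinelAgent.exe"),  # benign: audited install path
    proc(r"C:\Users\Public\Music\SentinelMemoryScanner.exe", r"C:\Windows\explorer.exe"),
    {"id": 7, "image": r"C:\Users\Public\Music\fmapp.exe", "image_loaded": r"C:\Users\Public\Music\fmapp.dll"},
    proc(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\ProgramData\node\node.exe",
         "powershell.exe -nop -w hidden"),
    proc(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\CCM\CcmExec.exe",
         "powershell.exe -enc SQBFAFgA"),  # benign: encoded, but under an allowed deployment parent
]
```

Running triage(SAMPLE_EVENTS) flags events 1, 2 and 3 and leaves the two benign events alone; feed it real ID 1 / ID 7 events after normalising them to the same keys.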

For managed service providers, this is a useful conversation starter with any client in manufacturing, transportation infrastructure, finance, or professional services that has not had a serious threat hunt in the past twelve months. The MuddyWater playbook is replicable by lower-tier actors and increasingly by ransomware affiliates who borrow APT tradecraft, so the relevance is not just to clients who think a nation state would care about them. A focused threat hunt engagement priced between eight thousand and twenty thousand dollars, with explicit deliverables around DLL sideloading detection, browser credential exposure, and outbound exfiltration baselining, is the natural upsell. Pair it with a tabletop exercise that walks the leadership team through what an APT intrusion looks like from initial access to data theft, and the conversation around managed detection and response contracts gets a lot easier. Iranian state activity is one of the few threat narratives that lands consistently with executive audiences, and Symantec just handed the entire industry fresh material to work with.
