
Iran-Linked Hackers Target Major South Korean Electronics Manufacturer in Global Espionage Campaign

MuddyWater expands its cyber-espionage operations, targeting government agencies, airports, and major manufacturers using stealthy DLL sideloading and legitimate tools.

MuddyWater Expands Global Cyber Operations

The Iran-linked hacking group MuddyWater, also known as Seedworm and Static Kitten, has launched a large cyber-espionage campaign across several countries.

Researchers from Symantec found that the attackers spent nearly one week inside the network of a major South Korean electronics manufacturer in February 2026.

The company’s name was not revealed. However, researchers believe the attack focused on stealing industrial data and intellectual property, and on gaining access to valuable corporate networks.

The campaign also targeted government agencies, an international airport in the Middle East, industrial manufacturers in Asia, and educational institutions.

This pattern shows that the attackers were focused on intelligence gathering rather than financial crime.

DLL Sideloading Helped Attackers Stay Hidden

One major part of the campaign was DLL sideloading. This technique tricks a trusted, signed program into loading a malicious DLL in place of a library it expects to find.

In this case, the hackers abused fmapp.exe, a legitimate Fortemedia audio utility, and sentinelmemoryscanner.exe, a trusted component from SentinelOne.

The malicious DLL files delivered ChromElevator, a post-exploitation tool used once access to a system has been gained.

ChromElevator helps attackers steal data stored inside Chrome-based browsers. This includes saved passwords, browser sessions, and access tokens.

Because the software looked legitimate, the malicious activity became harder for security teams to detect.
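As an added illustration (not code from Symantec's report or this article), the following Python triages Sysmon-style image-load records for the sideloading pattern described above: a trusted host such as fmapp.exe or sentinelmemoryscanner.exe loading an unsigned DLL from a user-writable location, or a system DLL name resolving outside the Windows directory. The host names come from the article; the sample records, the writable-path list and the system-DLL list are constructed assumptions.

```python
from pathlib import PureWindowsPath

# Legitimate signed binaries the article reports being abused as sideloading hosts.
WATCHED_HOSTS = {"fmapp.exe", "sentinelmemoryscanner.exe"}
# Locations an unprivileged user can write to (constructed, not exhaustive).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# System DLL names commonly shadowed by a sideloaded copy (constructed, illustrative).
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll"}


def in_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE)


def score_image_load(event: dict) -> list[str]:
    """Reasons a Sysmon-style image-load record looks like sideloading; [] means benign."""
    host = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    if host.name.lower() not in WATCHED_HOSTS:
        return []
    reasons = []
    if in_user_writable(str(host)):
        reasons.append("trusted host binary running from a user-writable directory")
    if in_user_writable(str(dll)):
        reasons.append("DLL loaded from a user-writable directory")
    if not event.get("Signed") or event.get("SignatureStatus") != "Valid":
        reasons.append("loaded DLL is unsigned or its signature is invalid")
    if dll.name.lower() in SYSTEM_DLLS and not str(dll).lower().startswith("c:\\windows\\"):
        reasons.append(f"{dll.name} resolved outside the Windows directory")
    return reasons


def triage(events: list[dict]) -> dict[str, list[str]]:
    """Map each suspicious ImageLoaded path to its reasons, skipping benign loads."""
    return {ev["ImageLoaded"]: r for ev in events if (r := score_image_load(ev))}


# Constructed sample records with the fields of Sysmon Event ID 7 (image load).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Fortemedia\fmapp.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": True, "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\fmapp.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\version.dll", "Signed": False, "SignatureStatus": "Unavailable"},
    {"Image": r"C:\ProgramData\scan\sentinelmemoryscanner.exe",
     "ImageLoaded": r"C:\ProgramData\scan\dbghelp.dll", "Signed": True, "SignatureStatus": "Invalid"},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\helper.dll", "Signed": False, "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_EVENTS).items():
        print(path, "->", "; ".join(reasons))
```

The first and last sample records are benign by design: a properly installed host loading a signed system DLL, and a load by a process outside the watchlist, so only the two sideloading cases are reported.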

PowerShell and Node.js Increased Stealth

PowerShell was still heavily used during the attacks. However, the attackers also used Node.js loaders to control the malware.

This approach reduced direct PowerShell execution and helped the attackers avoid security alerts.

PowerShell was used for many tasks. These included screenshot capture, system checks, credential theft, persistence creation, and SOCKS5 tunnel setup.

The attackers also used fake Windows login prompts to steal passwords.

They stole the SAM, SECURITY, and SYSTEM registry hive files, which together hold local account password hashes. They also abused Kerberos tools to gain deeper access.

Public Services Used for Data Theft

To avoid detection, the attackers used sendit.sh, a public file-sharing platform, for data exfiltration.

This made malicious traffic look like normal user activity.

Researchers also found that the malware checked in every 90 seconds. The sideloaded files were relaunched often to maintain access.

This showed a planned and quiet attack style instead of constant manual activity from the attackers.

What Security Leaders Should Learn

Researchers say this campaign shows MuddyWater’s growing operational maturity.

The group is moving away from noisy attacks. Instead, it now uses quieter methods that blend into normal business operations.

For CISOs and security leaders, this is an important warning.

Organizations must monitor trusted applications, restrict PowerShell misuse, and watch for unusual DLL loading behavior.

Traditional security tools alone are no longer enough.

Businesses in the UAE and worldwide must improve visibility across endpoints, identity systems, and outbound traffic.

Early detection remains the best defense against silent cyber-espionage attacks like this one.