Secplicity Blog

Cybersecurity Headlines & Trends Explained

The WatchGuard Geopolitical Cyber Report: Iran-Affiliated Cyber-Espionage Against Global High-Value Organizations

TL;DR: Iran-linked MuddyWater, also known as Seedworm, is using trusted software, DLL side-loading, and legitimate tools to quietly spy on high-value organizations across manufacturing, aviation, finance, education, government, and public sector environments.

This campaign is not focused on disruption. It is focused on stealth, credential theft, browser data theft, intelligence gathering, and long-term access. The key takeaway for defenders: do not rely on malware signatures alone. Watch for trusted tools behaving suspiciously, unusual DLL loading, browser credential theft, Node.js launching scripts, registry-based credential dumping, and unexpected use of public file-transfer services.

Region in scope  Global — Asia, Middle East, Latin America, Europe (four continents) 
Threat actor  MuddyWater (a.k.a. Seedworm, Temp Zagros, Static Kitten, Mango Sandstorm, TA450) MOIS-affiliated 
Sectors  Electronics & industrial manufacturing, aviation, financial services, education, professional services, public sector 
Threat level  HIGH — active espionage campaign with confirmed intrusions and credential theft 
Distribution  TLP:CLEAR (suitable for public communications) 

1. Geopolitical context 

These days, spying isn't like something out of a John Le Carré novel or a James Bond movie anymore; it's become more subtle, but no less dangerous for that. In fact, within the current geopolitical landscape, beyond attacks on critical infrastructure as seen in the previous report, one of the greatest concerns for governments, organizations, and industries is cyber espionage. Cyberespionage refers to the malicious theft of data, information, or intellectual property from or through computer systems and network. The objective? There can be many, such as a company’s internal information, intellectual property, market and competitor intelligence, and gaining firsthand access to sensitive information to anticipate an enemy’s next moves during a conflict. Essentially, it involves “infiltrating” an organization, company, or government agency to access and steal information of great importance to the attacker. 

As is evident, the current conflict between Iran and the coalition composed of the United States and Israel has exacerbated this type of attack; however, in this case, we want to discuss a specific attack that began before the current conflict: in the first quarter of 2026, that is, in January of this year. 

With sanctions prohibiting Iran from obtaining normal, legal access to advanced technology, particularly in the field of weapons, cyberespionage has become a key means of acquiring data, information, and know-how on the latest engineering developments at major international companies. 

Given these circumstances, one of the most active groups in the field of cyberespionage is MuddyWater (Seedworm). This APT has been linked to the MOIS (Ministry of Intelligence and Security of Iran) and has been active since 2017, targeting a range of government and private organizations across sectors, including telecommunications, local government, finance, defense, and oil and natural gas organizations, in the Middle East (specifically the UAE and Saudi Arabia), Asia, Africa, Europe, and North America.  

At WatchGuard, we monitor and assess the global cyber landscape to provide proactive responses to existing threats. 

2. The threat and its targets 

MuddyWater (Seedworm) group 

Attribute  Detail 
Primary alias  MuddyWater 
Other tracked names  TEMP.Zagros, Seedworm, Static Kitten, SectorD02, TA450, Boggy Serpens, MERCURY, Mango Sandstorm, Earth Vetala, Mercury, Cobalt Ulster, ATK51, T-APT-14, Yellow Nix 
Attribution  Assessed as a subordinate element of Iran's Ministry of Intelligence and Security (MOIS) by MITRE, Symantec and others 
Active since  At least 2017; continuous evolution of tradecraft through 2026 
Motivation  Cyber-espionage: theft of intellectual property, government intelligence, and access to downstream customers and corporate networks 
Traditional targeting  Historically Middle East and South Asia; this campaign marks a notable geographic expansión 

Since early 2026, Muddywater has infiltrated the networks of various industrial companies, government agencies, airports, and educational institutions to carry out its espionage campaign. In this report, we will focus on the best-documented case: a major South Korean electronics manufacturer, inside whose network the attackers maintained a presence for a full week in February 2026. Symantec did not disclose the names of any victim organizations, only their sector and region. 

Targeted organizations 

Organization type  Region  Note 
Major electronics manufacturer  South Korea  Primary case — one week inside the network (20–27 Feb 2026) 
Government agencies  Middle East  Government espionage 
International airport  Middle East  Aviation sector 
Industrial manufacturers  Southeast Asia  Industrial IP theft 
Financial-services provider  Latin America  Downstream customer access 
Educational institutions  Multiple countries  Research / data 
Professional services & public sector  Multiple countries  Access and espionage 

Why this attack matters 

Cyberespionage is an increasingly prevalent activity because, in today’s world, data is gold. The goal is not to cause disruption, but to monitor, copy credentials, and remain undetected for as long as possible. Thanks to this type of criminal activity, a company can gain a competitive advantage by obtaining, for example, sensitive and confidential data on a product to be launched on the market in the near future. Governments, too, by accessing the networks of other states' governments and militaries, can obtain valuable information and thereby gain a strategic military advantage, allowing spies to anticipate their adversaries’ actions or understand their defense capabilities. All of this without considering the reputational damage to a company, government, or organization resulting from the theft of data and privileged information. 

Bottom line for our customers 

Any organization that runs Chromium-based browsers (Chrome, Edge, Brave,Opera and Vivaldi) on endpoints with valuable data should treat itself as potentially in scope. The technique relies on trusted software and public services, so it does not appear to be classic malware. Detection depends on behavioral monitoring, not signatures. Mitigation guidance is provided in Section 5. 

3. Campaign analysis – Symantec / Broadcom report 

3.1 Campaign at a glance 

Symantec's Threat Hunter Team observed the activity at the beginning of 2026 and published its findings in May 2026. The intrusion into the South Korean electronics manufacturer ran from 20 to 27 February 2026.  

The initial access vector, so how the attackers first got in, remains unknown until now. Once inside, the group performed reconnaissance, stole credentials, captured screenshots, established persistence, and exfiltrated data, repeatedly re-executing its tools to keep its foothold. 

3.2 The attack, step by step 

Step 1 — Getting in disguised (DLL side-loading). A DLL (Dynamic Link Library) is like a small instruction manual containing code and functions that multiple programs share to execute themselves. When a program starts up, it references these DLLs in order to function properly. In this attack, Muddywater replaced legitimate DLLs with malicious DLLs, that is, DLLs containing malicious code. The programs started up using these malicious DLLs. 

Basically, the attackers placed a malicious DLL with the name the program expected, so the trusted program loaded the fake file without realizing it. They used two pairs: 

  • fmapp.exe  →  a legitimate Fortemedia audio utility, which side-loaded the malicious fmapp.dll
  • sentinelmemoryscanner.exe  →  a signed SentinelOne security component, which side-loaded the malicious sentinelagentcore.dll. 

Step 2 — Stealing from the browser (ChromElevator). Both malicious DLLs contained ChromElevator, a publicly available tool that steals passwords, cookies, and payment card data from Chromium-based browsers.  

Now, there are two important points here. Google saves passwords, session cookies, and payment details so it doesn't have to ask the user every time. ChromElevator steals this saved data. A reader might legitimately ask whether this tool is legal or not. The tool itself is legal, but its use may or may not be: many of these tools start out as proof-of-concept (PoC) projects: a researcher demonstrates that a security measure (in this case, Chrome’s App-Bound Encryption) has a flaw, to pressure the manufacturer into fixing it. Publishing security research is generally legal in most jurisdictions. 

ChromeElevator defeats “App-Bound Encryption,” the protection Google added in Chrome 127+ to stop exactly this kind of theft. 

Step 3 — The hidden brain (Node.js). In earlier attacks MuddyWater abused PowerShell directly. But today, PowerShell is under close scrutiny. EDR (Endpoint Detection and Response) systems that monitor devices log every command executed via PowerShell. But Node.js isn't monitored to the same extent; visibility is much lower. 

So, this time APT used Node.js (node.exe) as the engine to launch its scripts. Node is a legitimate program that developers around the world use every day to run code. Because it's a trusted, everyday tool, security defenses are far less likely to flag it as suspicious. In the process tree, node.exe sat at the root of the malicious activity, a sign that an automated script, not a person typing, was driving the attack. So, an automated script running on its own, quietly and quickly carrying out each step of the intrusion without human intervention.  

The Node.js script acted as the control center of the attack. It launched the trusted programs that secretly loaded the malicious files (DLLs mentioned before), and it dropped and ran further scripts to spy on the system.  

How those malicious files first arrived on the computer, however, is unknown.  

Step 4 — Recon, credential theft and persistence. Within minutes the attackers: 

  • Ran reconnaissance commands to map the host and the domain, with commands like: 
  • Whoami 
  • whoami /all 
  • hostname 
  • ipconfig /all 
  • net session 
  • net user /domain 
  • net group [REMOVED] /domain 
  • Checked which antivirus was installed (via WMI) to know what to evade, using the command: wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get * 
  • Captured screenshots of the victim's desktop. 
  • Dumped the SAM / SECURITY / SYSTEM registry hives (reg save) to steal credentials. Windows stores user credentials in these three parts of the registry. The attackers used the “reg save” command to save these credentials to C:\Windows\Temp\. In other words, they used a legitimate, harmless command like “reg save” rather than a tool that would have set off all the alarms, such as Mimikatz. 
  • Used a fake Windows credential prompt (CredUIPromptForWindowsCredentialsW)  to trick users into typing their passwords. CredUIPromptForWindowsCredentialsW is a built-in Windows function. Its normal, legitimate purpose is to display that official gray/blue Windows dialog box that asks for a username and password when a program requires a user to authenticate. 
  • Escalated privileges by abusing Kerberos delegation (GSS-API) to obtain a privileged user's ticket without their password. To put it simply: the attackers obtained a digital “pass” that allowed them to impersonate an administrator, gaining full access without needing to know the administrator's password. 
  • Established persistence with a HKCU\...\CurrentVersion\Run key so the malware re-ran at every logon, and opened SOCKS5 reverse-proxy tunnels for ongoing access. Simply put, the malware ensured that it restarted automatically every time the computer was turned on. It also opened a hidden communication channel to the attackers, allowing them to continue accessing the network from outside without triggering the firewall. 

most of these steps… were done by the script! 

Step 5 — Stealing the data out through a public service. Instead of building their own infrastructure where send the data stolen, the attackers exfiltrated those through sendit[.]sh, a public file-transfer service. Blending theft with traffic to legitimate consumer services makes it far harder to spot on the network. This once again confirms the use of legitimate tools to avoid and minimize detection of their malicious activity within the network. 

3.3 Tactics, Techniques and Procedures (MITRE ATT&CK) 

Tactic  Technique (ID)  Observed behaviour 
Defense Evasion / Persistence  DLL Side-Loading  (T1574.001) (formerly T1574.002 DLL Side-Loading)  Legitimate signed Fortemedia and SentinelOne binaries load malicious DLLs (fmapp.dll, sentinelagentcore.dll) 
Execution  Command & Scripting Interpreter  (T1059.001)  PowerShell payloads launched through a Node.js (node.exe) loader rather than directly 
Discovery  System / Domain / AV discovery  (T1082, T1087, T1518.001)  whoami, hostname, domain queries; antivirus enumeration via WMI 
Collection  Screen Capture  (T1113)  PowerShell-based screenshots of user activity 
Credential Access  OS Credential Dumping: SAM  (T1003.002)  reg save of SAM / SECURITY / SYSTEM registry hives 
Credential Access  GUI Input Capture  (T1056.002)  Fake Windows credential prompt via CredUIPromptForWindowsCredentialsW 
Credential Access  Steal Web Session Cookie  (T1539)  ChromElevator steals browser passwords, cookies and card data; bypasses Chrome App-Bound Encryption 
Privilege Escalation  Steal/Forge Kerberos Tickets  (T1558)  Abuse of Kerberos GSS-API delegation to obtain a privileged TGT 
Persistence  Registry Run Keys  (T1547.001)  HKCU ...\CurrentVersion\Run entry with a long random value name 
Command & Control  Proxy / Internal Proxy  (T1090)  SOCKS5 reverse-proxy tunnels 
Exfiltration  Exfiltration Over Web Service  (T1567)  Data sent out through the public file-transfer service sendit.sh 

3.4 Tools and infrastructure 

  • Signed Fortemedia & SentinelOne binaries — legitimate software abused as a loader. Detection requires watching for unexpected DLLs loaded from user-writable paths, not signature-based controls. 
  • ChromElevator — public post-exploitation tool that defeats Chrome App-Bound Encryption to harvest browser secrets. 
  • Node.js loader — orchestrates PowerShell payloads, reducing reliance on PowerShell-only tradecraft. 
  • sendit.sh — legitimate public file-transfer service used for exfiltration to blend into normal traffic. 

4. Indicators of Compromise 

Important: The IOCs below should be vetted against your operating environment before any blocking action. Some indicators (e.g. ipinfo.io, sendit.sh) are legitimate services that also have benign uses. Recommended use is detection and alerting first; block only after contextual validation. All indicators are drawn from the Symantec / Broadcom report. 

4.1 File indicators (hash) (SHA-256) 

SHA-256 hash  Description 
e25892603c42e34bd7ba0d8ea73be600d898cadc290e3417a82c04d6281b743b  fmapp.exe (legitimate Fortemedia binary) 
c6182fd01b14d84723e3c9d11bc0e16b34de6607ccb8334fc9bb97c1b44f0cde  fmapp.dll (malicious DLL) 
128b58a2a2f1df66c474094aacb7e50189025fbf45d7cd8e0834e93a8fbed667  sentinelmemoryscanner.exe (legitimate SentinelOne binary) 
0c9b911935a3705b0ad569446804d80026feb6db3884aeb240b6c76e9b8cf139  sentinelagentcore.dll (malicious DLL) 
74ab3838ebed7054b2254bf7d334c80c8b2cfec4a97d1706723f8ea55f11061f  Privilege-escalation tool 
3ee7dab4ae4f6d4f16dfabb6f38faef370411a9fc00ff035844e54703b99600a  Credential extractor (SAM hive) 
bee79c3302b1a7afc0952842d14eff83a604ef00bfdae525176c16c80b2045f7  Credential extractor (SAM hive) 
d587959841a763669279ad831b8f0379f6a7b037dffc19deab5d41f37f8b5ffc  Credential harvester (writes to lopa.txt) 
b21c802775df0c0d82c8cfde299084abc624898b10258db641b820172a0ba29a  SOCKS5 proxy tool 

4.2 Network indicators (IPs, domains, URLs) 

Indicator  Type / description 
179.43.177[.]220  IP — staging server (port 8080, plain HTTP) 
178.128.233[.]36  IP 
172.67.156[.]47  IP 
104.21.48[.]205  IP 
37.187.78[.]41  IP 
34.117.59[.]81  IP 
timetrakr[.]cloud  Domain — attacker staging 
svc.wompworthy[.]com  Domain — attacker 
sendit[.]sh  Public file-transfer service used for exfiltration 
http://179.43.177[.]220:8080/nm.ps1  URL — PowerShell payload download 
http://179.43.177[.]220:8080/a.dat  URL — encoded payload 
http://179.43.177[.]220:8080/a.exe  URL — Windows binary 
http://ipinfo[.]io/json  Legitimate service used by the implant to learn its public IP 

4.3 Host-based artifacts 

  • Stolen-password file: C:\ProgramData\lopa.txt 
  • Credential dumps: C:\Windows\Temp\sam.save, security.save, system.save 
  • Persistence key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run (long random value name) 
  • Staging directories with random names under %LOCALAPPDATA% 

5. Mitigation recommendations 

Recommendations are tiered by urgency. Sections 5.1 and 5.2 address the immediate exposure created by this campaign; Section 5.3 addresses the structural posture that makes such campaigns viable. 

5.1 Immediate (within 72 hours) 

  • Hunt for the IOCs in Section 4. Search at least 6 months of EDR, proxy and DNS logs for the listed hashes, IPs, domains and host artifacts (section 4.2) 
  • Watch for DLL side-loading. Alert when legitimate binaries (e.g. fmapp.exe, or security-product components) load DLLs from user-writable paths such as %LOCALAPPDATA% or randomly named folders. 
  • Flag suspicious process trees. Investigate node.exe acting as the parent of cmd.exe or powershell.exe. 
  • Detect credential dumping. Monitor reg save against the sam, security and system hives. 

5.2 Short term (1–2 weeks) 

  • Force a password and session reset for any account whose browser data may have been stolen; invalidate active session cookies (browsers are the primary loot here). 
  • Enforce MFA (Multi-Factor-Authenticator) so that stolen passwords cannot grant access. 
  • Inspect outbound connections to public file-transfer services such as sendit.sh from servers or endpoints that have no business need for them. (Review section 4.2) 
  • Review application allow-listing so that only expected, properly located DLLs load for sensitive signed binaries. 

5.3 Strategic (>30 days) 

  • Adopt behavioural detection for living-off-the-land and trusted-binary abuse; signature-only controls will not catch this tradecraft. 
  • Test the security programme against MITRE ATT&CK with adversary emulation focused on the TTPs in Section 3.3. 
  • Review the incident-response plan for stealthy, long-dwell espionage scenarios, including credential-theft containment and rapid secret rotation. 
  • Brief executive leadership on the geopolitical-cyber linkage as an ongoing risk factor, not a one-off event tied to a specific conflict. 

6. Sources and references 

6.1 Primary threat intelligence 

6.2 Corroborating reporting 

6.3 Frameworks and reference data 

  • MITRE ATT&CK Enterprise — Techniques T1003.002, T1056, T1059, T1082, T1087, T1090, T1113, T1518.001, T1539, T1547.001, T1558, T1567, T1574.002. 
  • ChromElevator / Chrome App-Bound Encryption Decryption — public research tool by @xaitax (GitHub). 

Classification: TLP:CLEAR. Disclosure is not limited. Information is suitable for use in marketing communications, customer-facing publications and public-facing channels. 

Prepared by: Threat Intelligence – SOC.  Review: Paolo Omezzolli, peer review and management sign-off.