The WatchGuard Geopolitical Cyber Report: Iran-Affiliated Cyber-Espionage Against Global High-Value Organizations
TL;DR: Iran-linked MuddyWater, also known as Seedworm, is using trusted software, DLL side-loading, and legitimate tools to quietly spy on high-value organizations across manufacturing, aviation, finance, education, government, and public sector environments.
This campaign is not focused on disruption. It is focused on stealth, credential theft, browser data theft, intelligence gathering, and long-term access. The key takeaway for defenders: do not rely on malware signatures alone. Watch for trusted tools behaving suspiciously, unusual DLL loading, browser credential theft, Node.js launching scripts, registry-based credential dumping, and unexpected use of public file-transfer services.
| Region in scope | Global — Asia, Middle East, Latin America, Europe (four continents) |
| Threat actor | MuddyWater (a.k.a. Seedworm, Temp Zagros, Static Kitten, Mango Sandstorm, TA450) MOIS-affiliated |
| Sectors | Electronics & industrial manufacturing, aviation, financial services, education, professional services, public sector |
| Threat level | HIGH — active espionage campaign with confirmed intrusions and credential theft |
| Distribution | TLP:CLEAR (suitable for public communications) |
1. Geopolitical context
These days, spying isn't like something out of a John Le Carré novel or a James Bond movie anymore; it's become more subtle, but no less dangerous for that. In fact, within the current geopolitical landscape, beyond attacks on critical infrastructure as seen in the previous report, one of the greatest concerns for governments, organizations, and industries is cyber espionage. Cyberespionage refers to the malicious theft of data, information, or intellectual property from or through computer systems and network. The objective? There can be many, such as a company’s internal information, intellectual property, market and competitor intelligence, and gaining firsthand access to sensitive information to anticipate an enemy’s next moves during a conflict. Essentially, it involves “infiltrating” an organization, company, or government agency to access and steal information of great importance to the attacker.
As is evident, the current conflict between Iran and the coalition composed of the United States and Israel has exacerbated this type of attack; however, in this case, we want to discuss a specific attack that began before the current conflict: in the first quarter of 2026, that is, in January of this year.
With sanctions prohibiting Iran from obtaining normal, legal access to advanced technology, particularly in the field of weapons, cyberespionage has become a key means of acquiring data, information, and know-how on the latest engineering developments at major international companies.
Given these circumstances, one of the most active groups in the field of cyberespionage is MuddyWater (Seedworm). This APT has been linked to the MOIS (Ministry of Intelligence and Security of Iran) and has been active since 2017, targeting a range of government and private organizations across sectors, including telecommunications, local government, finance, defense, and oil and natural gas organizations, in the Middle East (specifically the UAE and Saudi Arabia), Asia, Africa, Europe, and North America.
At WatchGuard, we monitor and assess the global cyber landscape to provide proactive responses to existing threats.
2. The threat and its targets
MuddyWater (Seedworm) group
| Attribute | Detail |
| Primary alias | MuddyWater |
| Other tracked names | TEMP.Zagros, Seedworm, Static Kitten, SectorD02, TA450, Boggy Serpens, MERCURY, Mango Sandstorm, Earth Vetala, Mercury, Cobalt Ulster, ATK51, T-APT-14, Yellow Nix |
| Attribution | Assessed as a subordinate element of Iran's Ministry of Intelligence and Security (MOIS) by MITRE, Symantec and others |
| Active since | At least 2017; continuous evolution of tradecraft through 2026 |
| Motivation | Cyber-espionage: theft of intellectual property, government intelligence, and access to downstream customers and corporate networks |
| Traditional targeting | Historically Middle East and South Asia; this campaign marks a notable geographic expansión |
Since early 2026, Muddywater has infiltrated the networks of various industrial companies, government agencies, airports, and educational institutions to carry out its espionage campaign. In this report, we will focus on the best-documented case: a major South Korean electronics manufacturer, inside whose network the attackers maintained a presence for a full week in February 2026. Symantec did not disclose the names of any victim organizations, only their sector and region.
Targeted organizations
| Organization type | Region | Note |
| Major electronics manufacturer | South Korea | Primary case — one week inside the network (20–27 Feb 2026) |
| Government agencies | Middle East | Government espionage |
| International airport | Middle East | Aviation sector |
| Industrial manufacturers | Southeast Asia | Industrial IP theft |
| Financial-services provider | Latin America | Downstream customer access |
| Educational institutions | Multiple countries | Research / data |
| Professional services & public sector | Multiple countries | Access and espionage |
Why this attack matters
Cyberespionage is an increasingly prevalent activity because, in today’s world, data is gold. The goal is not to cause disruption, but to monitor, copy credentials, and remain undetected for as long as possible. Thanks to this type of criminal activity, a company can gain a competitive advantage by obtaining, for example, sensitive and confidential data on a product to be launched on the market in the near future. Governments, too, by accessing the networks of other states' governments and militaries, can obtain valuable information and thereby gain a strategic military advantage, allowing spies to anticipate their adversaries’ actions or understand their defense capabilities. All of this without considering the reputational damage to a company, government, or organization resulting from the theft of data and privileged information.
Bottom line for our customers
Any organization that runs Chromium-based browsers (Chrome, Edge, Brave,Opera and Vivaldi) on endpoints with valuable data should treat itself as potentially in scope. The technique relies on trusted software and public services, so it does not appear to be classic malware. Detection depends on behavioral monitoring, not signatures. Mitigation guidance is provided in Section 5.
3. Campaign analysis – Symantec / Broadcom report
3.1 Campaign at a glance
Symantec's Threat Hunter Team observed the activity at the beginning of 2026 and published its findings in May 2026. The intrusion into the South Korean electronics manufacturer ran from 20 to 27 February 2026.
The initial access vector, so how the attackers first got in, remains unknown until now. Once inside, the group performed reconnaissance, stole credentials, captured screenshots, established persistence, and exfiltrated data, repeatedly re-executing its tools to keep its foothold.
3.2 The attack, step by step
Step 1 — Getting in disguised (DLL side-loading). A DLL (Dynamic Link Library) is like a small instruction manual containing code and functions that multiple programs share to execute themselves. When a program starts up, it references these DLLs in order to function properly. In this attack, Muddywater replaced legitimate DLLs with malicious DLLs, that is, DLLs containing malicious code. The programs started up using these malicious DLLs.
Basically, the attackers placed a malicious DLL with the name the program expected, so the trusted program loaded the fake file without realizing it. They used two pairs:
- fmapp.exe → a legitimate Fortemedia audio utility, which side-loaded the malicious fmapp.dll.
- sentinelmemoryscanner.exe → a signed SentinelOne security component, which side-loaded the malicious sentinelagentcore.dll.
Step 2 — Stealing from the browser (ChromElevator). Both malicious DLLs contained ChromElevator, a publicly available tool that steals passwords, cookies, and payment card data from Chromium-based browsers.
Now, there are two important points here. Google saves passwords, session cookies, and payment details so it doesn't have to ask the user every time. ChromElevator steals this saved data. A reader might legitimately ask whether this tool is legal or not. The tool itself is legal, but its use may or may not be: many of these tools start out as proof-of-concept (PoC) projects: a researcher demonstrates that a security measure (in this case, Chrome’s App-Bound Encryption) has a flaw, to pressure the manufacturer into fixing it. Publishing security research is generally legal in most jurisdictions.
ChromeElevator defeats “App-Bound Encryption,” the protection Google added in Chrome 127+ to stop exactly this kind of theft.
Step 3 — The hidden brain (Node.js). In earlier attacks MuddyWater abused PowerShell directly. But today, PowerShell is under close scrutiny. EDR (Endpoint Detection and Response) systems that monitor devices log every command executed via PowerShell. But Node.js isn't monitored to the same extent; visibility is much lower.
So, this time APT used Node.js (node.exe) as the engine to launch its scripts. Node is a legitimate program that developers around the world use every day to run code. Because it's a trusted, everyday tool, security defenses are far less likely to flag it as suspicious. In the process tree, node.exe sat at the root of the malicious activity, a sign that an automated script, not a person typing, was driving the attack. So, an automated script running on its own, quietly and quickly carrying out each step of the intrusion without human intervention.
The Node.js script acted as the control center of the attack. It launched the trusted programs that secretly loaded the malicious files (DLLs mentioned before), and it dropped and ran further scripts to spy on the system.
How those malicious files first arrived on the computer, however, is unknown.
Step 4 — Recon, credential theft and persistence. Within minutes the attackers:
- Ran reconnaissance commands to map the host and the domain, with commands like:
- Whoami
- whoami /all
- hostname
- ipconfig /all
- net session
- net user /domain
- net group [REMOVED] /domain
- Checked which antivirus was installed (via WMI) to know what to evade, using the command: wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get *
- Captured screenshots of the victim's desktop.
- Dumped the SAM / SECURITY / SYSTEM registry hives (reg save) to steal credentials. Windows stores user credentials in these three parts of the registry. The attackers used the “reg save” command to save these credentials to C:\Windows\Temp\. In other words, they used a legitimate, harmless command like “reg save” rather than a tool that would have set off all the alarms, such as Mimikatz.
- Used a fake Windows credential prompt (CredUIPromptForWindowsCredentialsW) to trick users into typing their passwords. CredUIPromptForWindowsCredentialsW is a built-in Windows function. Its normal, legitimate purpose is to display that official gray/blue Windows dialog box that asks for a username and password when a program requires a user to authenticate.
- Escalated privileges by abusing Kerberos delegation (GSS-API) to obtain a privileged user's ticket without their password. To put it simply: the attackers obtained a digital “pass” that allowed them to impersonate an administrator, gaining full access without needing to know the administrator's password.
- Established persistence with a HKCU\...\CurrentVersion\Run key so the malware re-ran at every logon, and opened SOCKS5 reverse-proxy tunnels for ongoing access. Simply put, the malware ensured that it restarted automatically every time the computer was turned on. It also opened a hidden communication channel to the attackers, allowing them to continue accessing the network from outside without triggering the firewall.
most of these steps… were done by the script!
Step 5 — Stealing the data out through a public service. Instead of building their own infrastructure where send the data stolen, the attackers exfiltrated those through sendit[.]sh, a public file-transfer service. Blending theft with traffic to legitimate consumer services makes it far harder to spot on the network. This once again confirms the use of legitimate tools to avoid and minimize detection of their malicious activity within the network.
3.3 Tactics, Techniques and Procedures (MITRE ATT&CK)
| Tactic | Technique (ID) | Observed behaviour |
| Defense Evasion / Persistence | DLL Side-Loading (T1574.001) (formerly T1574.002 DLL Side-Loading) | Legitimate signed Fortemedia and SentinelOne binaries load malicious DLLs (fmapp.dll, sentinelagentcore.dll) |
| Execution | Command & Scripting Interpreter (T1059.001) | PowerShell payloads launched through a Node.js (node.exe) loader rather than directly |
| Discovery | System / Domain / AV discovery (T1082, T1087, T1518.001) | whoami, hostname, domain queries; antivirus enumeration via WMI |
| Collection | Screen Capture (T1113) | PowerShell-based screenshots of user activity |
| Credential Access | OS Credential Dumping: SAM (T1003.002) | reg save of SAM / SECURITY / SYSTEM registry hives |
| Credential Access | GUI Input Capture (T1056.002) | Fake Windows credential prompt via CredUIPromptForWindowsCredentialsW |
| Credential Access | Steal Web Session Cookie (T1539) | ChromElevator steals browser passwords, cookies and card data; bypasses Chrome App-Bound Encryption |
| Privilege Escalation | Steal/Forge Kerberos Tickets (T1558) | Abuse of Kerberos GSS-API delegation to obtain a privileged TGT |
| Persistence | Registry Run Keys (T1547.001) | HKCU ...\CurrentVersion\Run entry with a long random value name |
| Command & Control | Proxy / Internal Proxy (T1090) | SOCKS5 reverse-proxy tunnels |
| Exfiltration | Exfiltration Over Web Service (T1567) | Data sent out through the public file-transfer service sendit.sh |
3.4 Tools and infrastructure
- Signed Fortemedia & SentinelOne binaries — legitimate software abused as a loader. Detection requires watching for unexpected DLLs loaded from user-writable paths, not signature-based controls.
- ChromElevator — public post-exploitation tool that defeats Chrome App-Bound Encryption to harvest browser secrets.
- Node.js loader — orchestrates PowerShell payloads, reducing reliance on PowerShell-only tradecraft.
- sendit.sh — legitimate public file-transfer service used for exfiltration to blend into normal traffic.
4. Indicators of Compromise
Important: The IOCs below should be vetted against your operating environment before any blocking action. Some indicators (e.g. ipinfo.io, sendit.sh) are legitimate services that also have benign uses. Recommended use is detection and alerting first; block only after contextual validation. All indicators are drawn from the Symantec / Broadcom report.
4.1 File indicators (hash) (SHA-256)
| SHA-256 hash | Description |
| e25892603c42e34bd7ba0d8ea73be600d898cadc290e3417a82c04d6281b743b | fmapp.exe (legitimate Fortemedia binary) |
| c6182fd01b14d84723e3c9d11bc0e16b34de6607ccb8334fc9bb97c1b44f0cde | fmapp.dll (malicious DLL) |
| 128b58a2a2f1df66c474094aacb7e50189025fbf45d7cd8e0834e93a8fbed667 | sentinelmemoryscanner.exe (legitimate SentinelOne binary) |
| 0c9b911935a3705b0ad569446804d80026feb6db3884aeb240b6c76e9b8cf139 | sentinelagentcore.dll (malicious DLL) |
| 74ab3838ebed7054b2254bf7d334c80c8b2cfec4a97d1706723f8ea55f11061f | Privilege-escalation tool |
| 3ee7dab4ae4f6d4f16dfabb6f38faef370411a9fc00ff035844e54703b99600a | Credential extractor (SAM hive) |
| bee79c3302b1a7afc0952842d14eff83a604ef00bfdae525176c16c80b2045f7 | Credential extractor (SAM hive) |
| d587959841a763669279ad831b8f0379f6a7b037dffc19deab5d41f37f8b5ffc | Credential harvester (writes to lopa.txt) |
| b21c802775df0c0d82c8cfde299084abc624898b10258db641b820172a0ba29a | SOCKS5 proxy tool |
4.2 Network indicators (IPs, domains, URLs)
| Indicator | Type / description |
| 179.43.177[.]220 | IP — staging server (port 8080, plain HTTP) |
| 178.128.233[.]36 | IP |
| 172.67.156[.]47 | IP |
| 104.21.48[.]205 | IP |
| 37.187.78[.]41 | IP |
| 34.117.59[.]81 | IP |
| timetrakr[.]cloud | Domain — attacker staging |
| svc.wompworthy[.]com | Domain — attacker |
| sendit[.]sh | Public file-transfer service used for exfiltration |
| http://179.43.177[.]220:8080/nm.ps1 | URL — PowerShell payload download |
| http://179.43.177[.]220:8080/a.dat | URL — encoded payload |
| http://179.43.177[.]220:8080/a.exe | URL — Windows binary |
| http://ipinfo[.]io/json | Legitimate service used by the implant to learn its public IP |
4.3 Host-based artifacts
- Stolen-password file: C:\ProgramData\lopa.txt
- Credential dumps: C:\Windows\Temp\sam.save, security.save, system.save
- Persistence key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run (long random value name)
- Staging directories with random names under %LOCALAPPDATA%
5. Mitigation recommendations
Recommendations are tiered by urgency. Sections 5.1 and 5.2 address the immediate exposure created by this campaign; Section 5.3 addresses the structural posture that makes such campaigns viable.
5.1 Immediate (within 72 hours)
- Hunt for the IOCs in Section 4. Search at least 6 months of EDR, proxy and DNS logs for the listed hashes, IPs, domains and host artifacts (section 4.2)
- Watch for DLL side-loading. Alert when legitimate binaries (e.g. fmapp.exe, or security-product components) load DLLs from user-writable paths such as %LOCALAPPDATA% or randomly named folders.
- Flag suspicious process trees. Investigate node.exe acting as the parent of cmd.exe or powershell.exe.
- Detect credential dumping. Monitor reg save against the sam, security and system hives.
5.2 Short term (1–2 weeks)
- Force a password and session reset for any account whose browser data may have been stolen; invalidate active session cookies (browsers are the primary loot here).
- Enforce MFA (Multi-Factor-Authenticator) so that stolen passwords cannot grant access.
- Inspect outbound connections to public file-transfer services such as sendit.sh from servers or endpoints that have no business need for them. (Review section 4.2)
- Review application allow-listing so that only expected, properly located DLLs load for sensitive signed binaries.
5.3 Strategic (>30 days)
- Adopt behavioural detection for living-off-the-land and trusted-binary abuse; signature-only controls will not catch this tradecraft.
- Test the security programme against MITRE ATT&CK with adversary emulation focused on the TTPs in Section 3.3.
- Review the incident-response plan for stealthy, long-dwell espionage scenarios, including credential-theft containment and rapid secret rotation.
- Brief executive leadership on the geopolitical-cyber linkage as an ongoing risk factor, not a one-off event tied to a specific conflict.
6. Sources and references
6.1 Primary threat intelligence
- Symantec / Carbon Black Threat Hunter Team (Broadcom): Seedworm: Iran-Linked Hackers Breached Korean Electronics Maker in Global Spying Campaign
- MITRE ATT&CK: Group G0069: MuddyWater / Seedworm
6.2 Corroborating reporting
- U.S. Department of the Treasury: Treasury Sanctions Iranian Cyber Actors
- The Hacker News: MuddyWater Uses DLL Side-Loading in New Campaign
- BleepingComputer: Iranian Hackers Targeted Major South Korean Electronics Maker
- Industrial Cyber: Symantec Uncovers Iran-Linked Seedworm Espionage Campaign
- GBHackers: Seedworm APT Abuses Signed Binaries
- TechNadu: Iran-Linked MuddyWater Group Breached Organizations in Nine Countries
6.3 Frameworks and reference data
- MITRE ATT&CK Enterprise — Techniques T1003.002, T1056, T1059, T1082, T1087, T1090, T1113, T1518.001, T1539, T1547.001, T1558, T1567, T1574.002.
- ChromElevator / Chrome App-Bound Encryption Decryption — public research tool by @xaitax (GitHub).
Classification: TLP:CLEAR. Disclosure is not limited. Information is suitable for use in marketing communications, customer-facing publications and public-facing channels.
Prepared by: Threat Intelligence – SOC. Review: Paolo Omezzolli, peer review and management sign-off.