Skip to main content
Emerging ThreatsMalware & Ransomware

MuddyWater Exploits DLL Side-Loading in Global Espionage Push

Close-up of computer circuit board with exposed casing revealing abstract malicious code in background.

MuddyWater has been tied to a campaign that touched at least nine organizations in nine countries across four continents during the first quarter of 2026 — a concentrated espionage effort that reused legitimate, signed binaries to mask malicious code and quietly harvest credentials and browser data.

DLL side‑loading with fmapp.exe and sentinelmemoryscanner.exe

Broadcom's cybersecurity teams reported that "the attackers relied heavily on DLL side-loading using legitimately signed Fortemedia (fmapp.exe) and SentinelOne (sentinelmemoryscanner.exe) binaries to execute malicious DLLs while masquerading as benign software." The abuse of fmapp.exe to sideload fmapp.dll had been previously documented by Group‑IB in a MuddyWater campaign codenamed Operation Olalampo, and Huntress found that the fmapp.dll contains code to connect to an attacker‑controlled IP address ("157.20.182[.]49").

Researchers assessed the reuse of sentinelmemoryscanner.exe — a binary associated with a security product — as deliberate because it can bypass signature‑based detection. In these intrusions the rogue DLL is named sentinelagentcore.dll; both fmapp.dll and sentinelagentcore.dll embed tooling that enabled further credential harvesting and covert communications.

Node.js, PowerShell, ChromElevator: the observed toolchain

Symantec and Carbon Black described a multi‑stage chain in which "node.exe‑based implant chain was used to drop PowerShell scripts that performed reconnaissance, screenshot capture, SAM hive theft, privilege escalation, and SOCKS5 reverse‑proxy tunnelling." The attackers used Node.js scripts to launch PowerShell code that carried out discovery and information‑gathering operations, and in at least one instance staged stolen data on the public file‑transfer service sendit[.]sh.

Both side‑loaded DLLs embedded an open‑source tool called ChromElevator, which the researchers said siphons passwords, cookies, and payment card data from Chromium‑based browsers and thereby circumvents App‑Bound Encryption (ABE) protections. The intrusions were also characterized by credential dumping that supported lateral movement and by the re‑execution of the two signed binaries to maintain access to compromised hosts.

Targets and tactics: a South Korean electronics firm, an airport, and global reach

The Symantec/Carbon Black report links the activity to industrial and electronics manufacturing, education and public‑sector bodies, financial services, and professional services. Among the victims is a major South Korean electronics manufacturer where attackers spent a week inside the network in February 2026 and repeatedly ran PowerShell reconnaissance while re‑executing the signed binaries to retain access; the initial access vector in that intrusion is unknown.

Other victims singled out include an international airport in the Middle East, Southeast Asian industrial manufacturers, and a Latin American financial‑services provider. Separately reported incidents tied to Iran‑backed actors targeted an Israeli media organization, an Israeli higher‑education institution, a Turkish insurance brokerage, and multiple websites across the restaurant, culture, digital services, and news sectors.

Symantec and Carbon Black noted that "the cadence is again consistent with implant‑driven activity rather than continuous operator presence," and described the cluster of techniques as part of "a significant step up in operational hygiene" from earlier campaigns.

Related Iranian‑linked operations, sanctions, and bespoke tooling

The disclosure arrives alongside European Council sanctions imposed on the Iranian company Emennet Pasargad for hacking a Swedish SMS service, accessing a French subscriber database and offering it for sale, and for spreading disinformation using compromised advertising billboards during the 2024 Paris Olympic Games. The U.S. State Department said the company "goes by the name Shahid Shushtari and is affiliated with Iran's Islamic Revolutionary Guard Corps Cyber‑Electronic Command (IRGC‑CEC)," and that "Shahid Shushtari members have caused significant financial damage and disruption to U.S. businesses and government agencies through coordinated cyber and cyber‑enabled information operations."

Gambit Security researchers Eyal Sela and Nir Varon reported on a related exfiltration campaign and a bespoke C++ collection/exfiltration tool codenamed FileFiend. They wrote that the binary "could enumerate local drives and SMB shares, walk the file system, and send files to a hard‑coded C2 [command‑and‑control] server." Gambit also described alternate exfiltration behavior in which data of interest was compressed into RAR archives on a host, uploaded to the organization's public website web root, extracted using the Axel command‑line download accelerator, and tunneled through proxychains. Between late March and early April 2026, that campaign targeted organizations in the U.S., Israel, Saudi Arabia, and Turkey; at least two U.S. victims were also targeted by destructive operations, including deletion of partitions and data backups.

What this means for technologists, policymakers, and affected enterprises

  • Technologists and security teams: watch for signs of DLL side‑loading using legitimately signed binaries — especially fmapp.exe and sentinelmemoryscanner.exe — Node.js/PowerShell implant chains, indicators of ChromElevator activity, unusual outbound connections (including to public file‑transfer services such as sendit[.]sh), and re‑execution of signed binaries that could indicate persistence.
  • Policymakers and regulators: the pattern of activity sits alongside diplomatic and sanction actions already taken (the European Council measures and U.S. State Department findings cited in the reporting), underscoring how attribution and public enforcement are being used in parallel with traditional cyber‑defense.
  • Affected enterprises and procurement leaders: the deliberate abuse of signed security‑product binaries highlights the need to monitor trusted executables for anomalous behavior and to validate assumptions that signed equals benign, especially where signed code is used to load external DLLs.

The campaign illustrates a quiet but methodical shift: rather than flashy, novel exploits, the operators combined legitimate binaries, open‑source tools, and scripted implants to stay under the radar. As researchers flagged the reuse of fmapp.exe and the deliberate targeting of a security product binary, the immediate technical question becomes which detection and control points will best catch such masquerading without disrupting legitimate operations.

https://thehackernews.com/2026/05/muddywater-uses-dll-side-loading-in.html