MuddyWater Uses DLL Side-Loading in Espionage Campaign Targeting 9 Countries

The Iranian hacking group known as MuddyWater has been linked to a new campaign affecting at least nine organizations across nine countries on four continents in the first quarter of 2026. The activity targeted industrial and electronics manufacturing, education and public-sector bodies, financial services, and professional services, per the Threat Hunter Team from Symantec and Carbon Black.

The article reports that Iranian state-linked group MuddyWater is conducting an espionage campaign across nine organizations in nine countries using DLL side-loading with signed Fortemedia and SentinelOne binaries to execute malicious DLLs, steal browser passwords, cookies, and payment card data, and evade detection.[1] This includes abusing an open-source tool, ChromElevator, and script-based tooling (Node.js, PowerShell) for discovery and data theft, spanning industrial, electronics manufacturing, financial services, education, and public-sector targets.[1] From a CyberSE.AI perspective, this demonstrates how adversaries weaponize legitimate binaries and open-source tools in complex kill chains that could increasingly incorporate AI-assisted components (for example, automated credential harvesting, lateral movement decisioning, or adaptive evasion). Organizations using or building AI-enabled security or automation should continuously red-team their environments and agent workflows to test resilience against living-off-the-land techniques, signed-binary abuse, and stealthy data exfiltration that AI systems might misclassify or overlook.