MuddyWater Targets Middle East Airport and Nine Global Organisations Via DLL Side-Loading

Iranian threat actor MuddyWater linked to a Q1 2026 espionage campaign targeting nine organizations across four continents, including a Middle East airport. Attackers used DLL side-loading via signed Fortemedia and SentinelOne binaries to evade detection and harvest credentials.

Omar Al-Hakeem
Senior Cyber Threat Analyst | MENA Region7 min read
Middle East international airport terminal at dusk with a digital network threat overlay representing the MuddyWater espionage campaign targeting aviation infrastructure

Middle East international airport terminal at dusk with a digital network threat overlay representing the MuddyWater espionage campaign targeting aviation infrastructure

The Iranian hacking group MuddyWater, also tracked as Seedworm and TEMP.Zagros, has been linked to a broad new espionage campaign affecting at least nine organisations across nine countries on four continents during the first quarter of 2026.

MuddyWater is an Iranian state-aligned threat actor with a well-documented history of targeting government, telecommunications, defence, and critical infrastructure organisations across the Middle East, Europe, and North America. The group has previously been connected to Iran's Ministry of Intelligence and Security and operates with a mandate aligned to Iranian strategic intelligence priorities. For the GCC and MENA region, MuddyWater represents one of the most consistently active and operationally sophisticated state-linked threats. The group was previously documented by MENA Cyber Wire targeting an Oman Ministry and a UAE port using Microsoft Teams as a delivery mechanism in a deliberate false flag operation designed to shift attribution.

Campaign Scope and Victims

The Q1 2026 campaign targeted organisations across industrial and electronics manufacturing, education and public sector bodies, financial services, and professional services. The geographic reach is notably broad, spanning four continents in a single campaign cycle.

Among the confirmed victims is a major South Korean electronics manufacturer, where MuddyWorm operators spent a full week inside the network in February 2026 conducting reconnaissance, credential harvesting, and maintaining persistent access. Also confirmed as a target is an international airport in the Middle East, a directly relevant development for GCC aviation security given that aviation infrastructure is among the most sensitive and regulated critical infrastructure categories in the region. Southeast Asian industrial manufacturers and a Latin American financial services provider were also named among the victims.

DLL Side-Loading: Hiding in Plain Sight

The defining technical characteristic of this campaign is the use of DLL side-loading via legitimately signed binaries. DLL side-loading is a technique where attackers place a malicious DLL in a location where a legitimate, trusted application will load it automatically, exploiting the Windows DLL search order rather than requiring code injection or privilege escalation.

MuddyWater used two specific signed binaries as side-loading vehicles. The first was fmapp.exe, an audio application binary from Fortemedia. The second was sentinelmemoryscanner.exe, a binary associated with SentinelOne's endpoint security product. The use of a legitimate security product binary as a side-loading vehicle is a deliberate and operationally sophisticated choice. Security operations tools are routinely excluded from behavioural monitoring and application control policies to prevent interference with endpoint protection, making security product binaries a particularly effective host for malicious DLL loading.

Broadcom's cybersecurity teams confirmed that both binaries were used to execute malicious DLLs while presenting as benign software to endpoint detection and response tools. The use of fmapp.exe for DLL side-loading had been previously documented by Group-IB in connection with another MuddyWater campaign codenamed Operation Olalampo. The Q1 2026 campaign represents continued operational refinement of a known technique, demonstrating the group's disciplined reuse of effective methods. The rogue DLL loaded by fmapp.exe connected to a hardcoded attacker-controlled IP address at 157.20.182.49.

ChromElevator: Browser Credential Theft at Scale

Both DLLs embed an open-source tool called ChromElevator, specifically designed to extract passwords, cookies, and payment card data from Chromium-based browsers. ChromElevator is notable because it circumvents Google Chrome's App-Bound Encryption protections, a security mechanism introduced to prevent exactly this category of credential theft by binding encryption keys to the application rather than the operating system user account.

The ability to bypass App-Bound Encryption means that MuddyWater's credential harvesting capability extends to browser-stored credentials even on fully updated Chrome installations, a significant operational advantage in enterprise environments where browser-based single sign-on is the primary authentication mechanism for cloud platforms and SaaS applications.

Node.js, PowerShell, and Lateral Movement

Beyond DLL side-loading, the campaign used Node.js scripts to launch PowerShell code responsible for discovery and information gathering operations. Symantec and Carbon Black documented a Node.exe-based implant chain used to drop PowerShell scripts performing reconnaissance, screenshot capture, SAM hive theft, privilege escalation, and SOCKS5 reverse-proxy tunnelling.

SAM hive theft extracts the Security Account Manager database from the Windows registry, giving attackers access to local account password hashes that can be cracked offline or used in pass-the-hash attacks for lateral movement. SOCKS5 reverse-proxy tunnelling establishes a covert network path through the compromised host, allowing attackers to route traffic through the victim environment to reach internal systems not directly accessible from the internet.

In at least one instance, attackers staged stolen data on sendit.sh, a public file-transfer service, effectively using a legitimate third-party platform for exfiltration to avoid triggering data loss prevention rules watching for direct connections to attacker-controlled infrastructure. This mirrors the broader pattern of Iranian threat actors leveraging trusted platforms and signed binaries to blend into normal enterprise traffic.

Operational Evolution: Quieter and More Disciplined

Symantec and Carbon Black researchers characterised the Q1 2026 campaign as evidence of a significant step forward in MuddyWater's operational maturity. "Its campaign history shows a clear move towards quieter, more disciplined operations. None of these techniques is individually novel, but in combination they provide more evidence of a significant step up in operational hygiene from the Seedworm that we knew of two or three years ago."

The cadence of activity observed in the South Korean electronics manufacturer intrusion was described as consistent with implant-driven activity rather than continuous operator presence, suggesting that MuddyWater is now operating with greater automation and precision, reducing the operational noise that previously made the group easier to detect through behavioural anomaly analysis.

Related Iranian Activity: FileFiend and Ababil of Minab

Separately, a new analysis from Gambit Security has tied infrastructure associated with a pro-Iranian persona named Ababil of Minab to Iran's Ministry of Intelligence and Security. The campaign, which targeted organisations in the United States, Israel, Saudi Arabia, and Turkey between late March and early April 2026, used a bespoke C++ tool called FileFiend to enumerate local drives and SMB shares, collect files of interest, and exfiltrate them to a hardcoded C2 server. At least two US victims were also subjected to destructive operations including partition deletion and data backup wiping.

Israeli targets included an organisation in the media sector and a higher education institution. A Turkish insurance brokerage was also confirmed as a target. The connection between Ababil of Minab and MOIS infrastructure, if confirmed, would represent a significant attribution development given that the persona was previously treated as an independent hacktivist operation rather than a state-directed campaign.

Recommended Actions for GCC Security Teams

The MuddyWater Q1 2026 campaign presents several specific recommendations for security teams across the GCC and MENA region, particularly those operating in aviation, financial services, and industrial sectors.

First, review endpoint detection configurations for any rules that exclude legitimate security product binaries from behavioural monitoring. The use of sentinelmemoryscanner.exe as a side-loading vehicle demonstrates that security product exclusions can be exploited. Second, audit environments for unexpected Node.js processes executing PowerShell, particularly in environments where Node.js is not an expected part of the standard application stack.

Third, review outbound traffic for connections to file-transfer services such as sendit.sh, particularly where large volumes of data are being transferred to public staging services that would not typically be used by enterprise employees. Fourth, assess browser credential exposure across the environment. ChromElevator specifically targets App-Bound Encryption, meaning that browser-stored credentials for cloud platforms, SaaS applications, and corporate portals are within scope for exfiltration even on fully patched endpoints.

The identity and access management vulnerabilities that make browser-stored credentials so valuable to attackers remain one of the primary risk areas across GCC enterprises. Combining strong MFA, as discussed in MENA Cyber Wire's MFA prompt bombing analysis, with credential theft monitoring and browser security controls provides the most effective layered defence against this category of attack.

The full Symantec and Carbon Black technical analysis is available through Broadcom's security intelligence portal.

Omar Al-Hakeem

Senior Cyber Threat Analyst | MENA Region

Omar Al-Hakeem is a cybersecurity researcher specializing in threat intelligence, ransomware trends, and nation-state activity across the Middle East and North Africa. With over 12 years of experience in SOC operations and incident response, he provides deep technical breakdowns of emerging attacks and regional cyber risks. At MENA Cyber Wire, Omar focuses on real-world threat analysis and actionable defense strategies for enterprises and startups.

Intelligence Focus Areas

Iran Cyber Threat IntelligenceGCC Aviation Sector SecurityCredential Theft and Identity MENADLL Side-Loading TechniquesCritical Infrastructure Threats GCC