MuddyWater Hackers Spent a Week Inside South Korean Electronics Giant
Iran-linked MuddyWater (Seedworm) conducted a broad cyber-espionage campaign targeting at least nine organizations, including a major South Korean electronics manufacturer where attackers lurked for a week in February 2026.

Iranian state-sponsored hacking group MuddyWater (also known as Seedworm and Static Kitten) has been linked to a widespread cyber-espionage campaign that targeted at least nine high-profile organizations across multiple sectors and countries. According to a report from Symantec's Threat Hunter Team, the attackers spent a full week inside the network of a major South Korean electronics manufacturer in February 2026, focusing on industrial and intellectual property theft.
The campaign leveraged a common technique called DLL sideloading, where legitimate, signed software binaries are abused to load malicious DLLs. Specifically, the attackers used 'fmapp.exe', a legitimate Foremedia audio utility, and 'sentinelmemoryscanner.exe', a legitimate SentinelOne component. The malicious DLLs (fmapp.dll and sentinelagentcore.dll) carried ChromElevator, a commodity post-exploitation tool designed to steal data stored in Chrome-based browsers.
Beyond DLL sideloading, MuddyWater relied heavily on PowerShell throughout the intrusion. Unlike previous attacks, the payloads were controlled through Node.js loaders. PowerShell was used to capture screenshots, conduct host and domain reconnaissance, fetch additional payloads, establish persistence via registry modifications, steal credentials through fake Windows prompts and registry hive theft (SAM/SECURITY/SYSTEM), and create SOCKS5 tunnels for internal movement. Beaconing occurred at fixed 90-second intervals, indicating implant-driven activity rather than continuous operator presence.
The attack on the South Korean firm took place between February 20 and 27. Initial stages involved host and domain reconnaissance, antivirus enumeration via WMI, and screenshot capture. The attackers then deployed additional malware and stole credentials using multiple methods. Persistence was maintained by repeatedly relaunching the sideloaded binaries. Data exfiltration was conducted via sendit.sh, a public file-sharing service, likely to blend malicious traffic with normal network activity.
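Two of the observable behaviours above, the fmapp.exe / sentinelmemoryscanner.exe sideloading pairs and the fixed 90-second beacon, translate directly into detection logic. The following is an added example written for this article, not code from Symantec or the report; the image-load event lines, the file paths and the trusted install roots are constructed assumptions, only the binary and DLL names come from the page.

```python
import re
from statistics import mean, pstdev

# Constructed Sysmon-style image-load lines (paths are hypothetical, not from the report).
IMAGE_LOADS = [
    r"t=2026-02-20T09:14:03 image=C:\Users\Public\Music\fmapp.exe loaded=C:\Users\Public\Music\fmapp.dll signed=false",
    r"t=2026-02-20T09:14:05 image=C:\Program Files\Foremedia\fmapp.exe loaded=C:\Program Files\Foremedia\fmapp.dll signed=true",
    r"t=2026-02-20T09:20:11 image=C:\ProgramData\scan\sentinelmemoryscanner.exe loaded=C:\ProgramData\scan\sentinelagentcore.dll signed=false",
    r"t=2026-02-20T09:21:00 image=C:\Windows\System32\svchost.exe loaded=C:\Windows\System32\ntdll.dll signed=true",
]

# Host binary -> DLL name abused in the campaign (names from the report).
SIDELOAD_PAIRS = {"fmapp.exe": "fmapp.dll", "sentinelmemoryscanner.exe": "sentinelagentcore.dll"}
# Where a legitimately installed copy of these DLLs is expected to live (assumption).
TRUSTED_ROOTS = (r"c:\program files", r"c:\windows")

LINE_RE = re.compile(r"t=(\S+) image=(.+?) loaded=(.+?) signed=(true|false)$")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def sideload_alerts(lines):
    """Timestamps of loads where a known sideload host pulls its paired DLL
    from outside a trusted root or the DLL carries no valid signature."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, image, dll, signed = m.groups()
        if SIDELOAD_PAIRS.get(basename(image)) != basename(dll):
            continue  # not one of the abused host/DLL pairs
        untrusted_dir = not dll.lower().startswith(TRUSTED_ROOTS)
        if untrusted_dir or signed == "false":
            alerts.append(ts)
    return alerts


# Constructed outbound-connection times (seconds) for one host/destination pair.
CONN_TIMES = [0, 90, 181, 270, 361, 450, 540]


def looks_like_beacon(times, period=90, tolerance=0.05):
    """True when connections recur at a fixed period with little jitter:
    the implant-driven cadence described above rather than bursty operator traffic."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 3:
        return False
    return abs(mean(gaps) - period) <= period * tolerance and pstdev(gaps) <= period * tolerance
```

The two checks are independent, so either can be fed from real telemetry (image-load events and per-destination connection timestamps) once the trusted roots and jitter tolerance are tuned for the environment.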
Symantec also noted that MuddyWater's geographic expansion and operational maturity have increased in this latest campaign. The abuse of legitimate tools and services marks a shift toward quieter, more stealthy attacks. Besides the South Korean electronics maker, victims included government agencies, an international airport in the Middle East, industrial manufacturers in Asia, and educational institutions. The attackers' focus appeared to be intelligence-driven, targeting industrial and intellectual property, government secrets, and access to downstream customers or corporate networks.
No CVE identifiers are associated with this campaign, as it relies on known techniques rather than specific vulnerabilities. The campaign underscores the persistent threat from state-sponsored actors targeting valuable intellectual property and critical infrastructure. Organizations, especially in the electronics, government, and industrial sectors, should review their defenses against DLL sideloading and PowerShell abuse, and monitor for unusual use of legitimate binaries.