
MuddyWater Uses DLL Side-Loading in Espionage Campaign Targeting 9 Countries

  • Javier Conejo del Cerro
  • 27 May
  • 4 min read

Modern cyber-espionage operations increasingly avoid noisy attacks and destructive malware. Instead, they rely on stealth, operational discipline, and legitimate software to quietly remain embedded inside victim environments for extended periods of time.

The latest campaign attributed to the Iranian threat group MuddyWater demonstrates this evolution clearly. Targeting organizations across four continents during the first quarter of 2026, the operation combined DLL side-loading, credential theft, covert tunneling, browser data extraction, PowerShell reconnaissance, and Node.js-based implants to maintain persistent access inside industrial, financial, educational, airport and public-sector environments.

Rather than deploying visibly destructive malware, the attackers focused on remaining invisible.

The result was a disciplined espionage campaign designed to quietly collect intelligence, maintain persistence, and move laterally across networks while blending into legitimate system activity.


Phase 1: Entering Through Trusted Software 


One of the defining characteristics of the campaign was the abuse of legitimate signed binaries to execute malicious code through DLL side-loading.

The attackers leveraged trusted software associated with:

  • Fortemedia (fmapp.exe)

  • SentinelOne (sentinelmemoryscanner.exe)

Each of these executables resolves a DLL by name from its own directory. Dropping the signed executable alongside a malicious DLL that carries the expected name is enough: the executable loads it as though it were the vendor's own library, and the process that ends up running the attacker's code is one that security products and administrators already recognise as legitimate.

The technique defeats controls that key on the process image. A code signature covers the host executable, not the modules it loads afterwards, so allow-listing and reputation checks that trust the signed process extend that trust to the unsigned DLL.

The abuse of the SentinelOne-related binary was particularly strategic. Because the executable belongs to a legitimate security product, its presence and execution were less likely to draw suspicion or trigger signature-based alerts. The practical check is whether that product is actually installed on the host: a SentinelOne component running from a user profile on a machine without the agent is worth a look regardless of its signature.

This reflects a growing trend among advanced espionage groups: hiding malicious activity inside software already trusted by the environment.


Phase 2: ChromElevator and Browser Theft 


Both malicious DLL chains deployed an open-source tool known as ChromElevator.

Its objective was highly targeted: extract sensitive data directly from Chromium-based browsers while bypassing App-Bound Encryption protections.

The malware harvested:

  • Browser passwords

  • Authentication cookies

  • Payment card information

  • Stored session data

This approach is especially dangerous because a browser profile increasingly holds live, authenticated sessions for:

  • SaaS platforms

  • cloud dashboards

  • administrative consoles

  • corporate VPN sessions

  • collaboration environments

Stealing browser sessions often provides attackers with faster operational access than traditional credential theft alone: a valid session cookie drops the attacker into an already-authenticated session, so the password and any MFA prompt that session has already satisfied never come into play.

The use of ChromElevator also demonstrates how espionage actors increasingly weaponize publicly available offensive tooling instead of relying entirely on custom malware development.
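The two behaviours described in Phase 1 and Phase 2 leave distinct traces in endpoint telemetry: a signed executable loading an unsigned DLL from the directory it sits in, and a process other than the browser opening the Chromium credential and cookie stores. The following is an added example written for this page, not code from the article, from MuddyWater's tooling or from any vendor. It runs two triage heuristics over constructed, Sysmon-style events; the field names, paths and the DLL name fmlib.dll are assumptions made for illustration, while fmapp.exe is the Fortemedia binary the article names.

```python
"""Added example (not code from the article, MuddyWater, or any vendor): two
detection heuristics run over constructed, Sysmon-style endpoint events.
Field names, paths and the DLL name 'fmlib.dll' are assumptions made for
illustration; fmapp.exe is the Fortemedia binary named in the article."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Locations where a signed, properly installed application resolves its DLLs.
# A signed EXE loading an unsigned DLL from anywhere else (Temp, Downloads,
# AppData, a share) is the side-loading pattern worth triaging.
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)

# Chromium profile files holding encrypted credentials, cookies and payment
# data, and the browsers that legitimately open them.
CHROMIUM_STORES = {"login data", "cookies", "web data", "local state"}
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}


@dataclass
class ImageLoad:
    """Sysmon event ID 7 (image loaded), reduced to the fields used here."""
    process: str          # full path of the process that loaded the module
    process_signed: bool  # signature of the process image is valid
    module: str           # full path of the loaded DLL
    module_signed: bool   # signature of the DLL is valid


@dataclass
class FileAccess:
    """A file-open event from EDR telemetry (assumed shape)."""
    process: str
    path: str


def _under(path: str, roots) -> bool:
    p = path.lower()
    return any(p.startswith(root + "\\") for root in roots)


def sideload_candidates(events):
    """Signed process + unsigned DLL + same directory + not an install
    location. Returns (process name, dll name, directory) tuples."""
    hits = []
    for e in events:
        proc, mod = PureWindowsPath(e.process), PureWindowsPath(e.module)
        same_dir = proc.parent.as_posix().lower() == mod.parent.as_posix().lower()
        if (e.process_signed and not e.module_signed and same_dir
                and not _under(e.module, TRUSTED_DIRS)):
            hits.append((proc.name.lower(), mod.name.lower(), str(mod.parent)))
    return hits


def credential_store_access(events):
    """Non-browser process opening a Chromium credential or cookie store.
    Returns (process name, store file) tuples."""
    hits = []
    for e in events:
        p = PureWindowsPath(e.path)
        if p.name.lower() in CHROMIUM_STORES and "user data" in p.as_posix().lower():
            proc_name = PureWindowsPath(e.process).name.lower()
            if proc_name not in BROWSERS:
                hits.append((proc_name, p.name))
    return hits


# Constructed sample telemetry.
SAMPLE_IMAGE_LOADS = [
    # signed vendor EXE dropped into Temp next to an unsigned DLL: flagged
    ImageLoad(r"C:\Users\jdoe\AppData\Local\Temp\fmapp.exe", True,
              r"C:\Users\jdoe\AppData\Local\Temp\fmlib.dll", False),
    # same EXE loading a signed system DLL: normal
    ImageLoad(r"C:\Users\jdoe\AppData\Local\Temp\fmapp.exe", True,
              r"C:\Windows\System32\kernel32.dll", True),
    # installed application loading its own unsigned helper: tolerated
    ImageLoad(r"C:\Program Files\Vendor\tool.exe", True,
              r"C:\Program Files\Vendor\helper.dll", False),
]
SAMPLE_FILE_ACCESS = [
    FileAccess(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
               r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    FileAccess(r"C:\Users\jdoe\AppData\Local\Temp\node.exe",
               r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"),
]

if __name__ == "__main__":
    print(sideload_candidates(SAMPLE_IMAGE_LOADS))
    print(credential_store_access(SAMPLE_FILE_ACCESS))
```

Treat the install-directory exemption as a triage filter rather than a rule: an operator with local admin can drop the pair into Program Files as easily as into Temp, and legitimate installers do ship unsigned helper DLLs, so the exemption trades some coverage for a manageable alert volume. The credential-store check is deliberately name-based because Chromium has moved the cookie database between profile subdirectories across versions.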


Phase 3: Node.js and PowerShell Reconnaissance 


After establishing execution, the attackers launched a secondary implant chain based on Node.js and PowerShell.

The Node.js components acted primarily as loaders and orchestrators, silently executing PowerShell scripts responsible for reconnaissance and information gathering.

The implanted scripts performed:

  • System discovery

  • Screenshot capture

  • SAM hive theft

  • Privilege escalation

  • SOCKS5 reverse-proxy tunneling

  • Credential dumping

This modular structure allowed the attackers to operate flexibly while minimizing the visibility of individual payloads.

PowerShell remains one of the most abused administrative tools in modern cyber operations because it already exists natively inside Windows environments and blends naturally into administrative activity.

Combined with Node.js execution chains, the attackers created a lightweight but highly adaptable espionage framework.
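The SOCKS5 reverse-proxy tunneling listed above has a network signature that is easy to miss if you only look for SOCKS traffic by port: the implant dials out to the operator, and it is then the operator, the external peer, who sends the SOCKS5 client greeting and CONNECT request back over that outbound connection. The following is an added example written for this page, not code from the article or from MuddyWater's tooling. It parses the first payloads of a captured TCP conversation in both directions and reports whether our host is acting as a SOCKS5 client (forward proxy, usually benign) or as a SOCKS5 server for a peer it connected to (the reverse-proxy pattern). The connection model and the sample byte strings are constructed; the SOCKS5 message layout is the one defined in RFC 1928.

```python
"""Added example (not code from the article or from MuddyWater's tooling):
classifying captured TCP conversations as forward or reverse SOCKS5 from the
first payloads in each direction. The connection model and the sample byte
strings are constructed for this example."""
import ipaddress
from dataclasses import dataclass, field

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP ASSOCIATE"}


@dataclass
class Conn:
    internal: str                      # host on our network that opened the TCP connection
    external: str                      # peer it connected to
    from_internal: list = field(default_factory=list)  # payloads sent by `internal`, in order
    from_external: list = field(default_factory=list)  # payloads sent by `external`, in order


def parse_greeting(b: bytes):
    """SOCKS5 client greeting: VER NMETHODS METHODS...; returns offered methods."""
    if len(b) < 2 or b[0] != SOCKS_VERSION:
        return None
    n = b[1]
    if n == 0 or len(b) < 2 + n:
        return None
    return list(b[2:2 + n])


def parse_request(b: bytes):
    """SOCKS5 request: VER CMD RSV ATYP DST.ADDR DST.PORT; None if malformed."""
    if len(b) < 4 or b[0] != SOCKS_VERSION or b[2] != 0x00 or b[1] not in CMD_NAMES:
        return None
    atyp = b[3]
    if atyp == 0x01 and len(b) >= 10:                             # IPv4
        host, end = ".".join(str(x) for x in b[4:8]), 8
    elif atyp == 0x03 and len(b) >= 5 and len(b) >= 7 + b[4]:    # domain name
        host, end = b[5:5 + b[4]].decode("ascii", "replace"), 5 + b[4]
    elif atyp == 0x04 and len(b) >= 22:                           # IPv6
        host, end = ipaddress.IPv6Address(bytes(b[4:20])).compressed, 20
    else:
        return None
    return {"cmd": CMD_NAMES[b[1]], "host": host,
            "port": int.from_bytes(b[end:end + 2], "big")}


def _handshake(initiator, responder):
    """Parsed request if `initiator` speaks the SOCKS5 client side and
    `responder` answers it. A greeting that is answered but not yet followed
    by a request reports cmd=None; an unparseable follow-up message means
    this was not SOCKS5 after all."""
    if not initiator or not responder:
        return None
    methods = parse_greeting(initiator[0])
    reply = responder[0]
    if methods is None or len(reply) < 2 or reply[0] != SOCKS_VERSION or reply[1] not in methods:
        return None
    # With no-auth the request is the next client message; with
    # username/password (0x02) one auth exchange comes first.
    req_index = {0x00: 1, 0x02: 2}.get(reply[1])
    if req_index is None or len(initiator) <= req_index:
        return {"cmd": None, "host": None, "port": None}
    return parse_request(initiator[req_index])


def classify_socks5(conn: Conn):
    """A SOCKS5 client greeting arriving FROM the external peer on a
    connection our host initiated is the reverse-proxy signature: the
    implant dialled out, and the operator is now tunnelling back through it."""
    req = _handshake(conn.from_external, conn.from_internal)
    if req is not None:
        return ("reverse-socks5", req)
    req = _handshake(conn.from_internal, conn.from_external)
    if req is not None:
        return ("forward-socks5", req)
    return None


# Constructed conversations; 203.0.113.10 and 198.51.100.7 are documentation addresses.
REVERSE = Conn("10.0.0.5", "203.0.113.10",
    from_internal=[b"\x05\x00",                                   # method selected: no auth
                   b"\x05\x00\x00\x01\x0a\x00\x00\x05\x00\x00"],  # reply: succeeded
    from_external=[b"\x05\x01\x00",                               # greeting from the *peer*
                   b"\x05\x01\x00\x01\x0a\x00\x00\x14\x0d\x3d"])  # CONNECT 10.0.0.20:3389
FORWARD = Conn("10.0.0.5", "10.0.0.2",
    from_internal=[b"\x05\x02\x00\x02",                           # greeting from our host
                   b"\x05\x01\x00\x03\x0bexample.com\x01\xbb"],   # CONNECT example.com:443
    from_external=[b"\x05\x00", b"\x05\x00\x00\x01\x00\x00\x00\x00\x00\x00"])
TLS = Conn("10.0.0.5", "198.51.100.7",
    from_internal=[b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"],  # ClientHello prefix
    from_external=[b"\x16\x03\x03\x00\x7a\x02\x00\x00\x76\x03\x03"])  # ServerHello prefix

if __name__ == "__main__":
    for name, c in (("reverse", REVERSE), ("forward", FORWARD), ("tls", TLS)):
        print(name, classify_socks5(c))
```

In practice the tunnel is usually wrapped in TLS or a custom framing, so this logic belongs where the plaintext is visible: on a TLS-intercepting proxy, in the implant's own memory during forensics, or on a sandbox run of the sample. Even without payload visibility, the shape still tells: a long-lived outbound connection to an unfamiliar host over which the internal machine then opens many short connections to internal RDP and SMB ports is the same pattern seen from the flow records alone.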


Phase 4: Lateral Movement and Persistence 


Once credentials and system information were collected, MuddyWater focused heavily on lateral movement and long-term persistence.

The attackers repeatedly relaunched the malicious DLL side-loading chains to ensure they maintained access to compromised systems even if portions of the activity were disrupted.

Credential dumping operations enabled the operators to move deeper into victim networks and broaden visibility across organizational infrastructure.

In at least one case involving a major South Korean electronics manufacturer, the attackers reportedly remained active inside the environment for approximately one week, continuously performing reconnaissance and re-establishing access.

This persistence model reflects a broader operational shift.

Rather than operating aggressively, MuddyWater increasingly behaves like a long-term intelligence actor prioritizing resilience, stealth and operational continuity.


Phase 5: Covert Exfiltration 


The campaign also leveraged public services to exfiltrate stolen information.

Researchers observed attackers staging collected data on sendit[.]sh, a public file-transfer platform that helped blend exfiltration traffic into otherwise normal internet activity.

This tactic reduces the need for dedicated attacker infrastructure and complicates detection because traffic directed toward public services often appears operationally legitimate.
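Because the destination is a public service, the useful signal is not the destination alone but upload volume per internal host over time, which catches data split into several mid-sized transfers that each stay under a single-request size alert. The following is an added example written for this page, not code from the article. It parses constructed proxy-log lines, sums bytes uploaded to a watch-list of file-transfer domains inside a sliding window per source host, and lists the hosts whose windowed total reaches a threshold. The log format, the one-hour window, the 5 MB threshold and the domain filedrop.example are assumptions for this example; sendit[.]sh is the service the article names.

```python
"""Added example (not code from the article): hunting for staged exfiltration
to public file-transfer services in proxy logs. The log format, the window
and threshold, and the domain 'filedrop.example' are assumptions for this
example; sendit[.]sh is the service named in the article."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO-8601 time> <client ip> <method> <host> <bytes client sent> <status>"
LINE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d+) (\d+)$")

# Domains to watch. Extend from your own egress logs; anything an employee
# would not normally upload to belongs here.
FILE_TRANSFER_DOMAINS = {"sendit.sh", "filedrop.example"}
UPLOAD_METHODS = {"POST", "PUT"}


def parse_line(line: str):
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, src, method, host, bytes_out, status = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "method": method,
            "host": host.lower(), "bytes_out": int(bytes_out), "status": int(status)}


def is_watched(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in FILE_TRANSFER_DOMAINS)


def upload_summary(lines, window=timedelta(hours=1)):
    """Per source host: number of uploads to watched domains, the hosts
    involved, and the largest byte total seen inside any `window`.
    Summing over a sliding window catches several mid-sized uploads that
    individually stay under a size-based alert."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    recent = defaultdict(list)     # src -> [(ts, bytes)] still inside the window
    summary = {}
    for e in events:
        if e["method"] not in UPLOAD_METHODS or not is_watched(e["host"]):
            continue
        q = recent[e["src"]]
        q.append((e["ts"], e["bytes_out"]))
        while q and e["ts"] - q[0][0] > window:   # evict uploads older than the window
            q.pop(0)
        s = summary.setdefault(e["src"], {"uploads": 0, "hosts": set(), "peak_window_bytes": 0})
        s["uploads"] += 1
        s["hosts"].add(e["host"])
        s["peak_window_bytes"] = max(s["peak_window_bytes"], sum(b for _, b in q))
    return {src: {**s, "hosts": sorted(s["hosts"])} for src, s in summary.items()}


def exfil_suspects(lines, window=timedelta(hours=1), threshold=5_000_000):
    """Sources whose windowed upload volume to watched domains reached threshold."""
    return sorted(src for src, s in upload_summary(lines, window).items()
                  if s["peak_window_bytes"] >= threshold)


# Constructed sample log. 10.0.0.5 splits 5.5 MB across two uploads 15 minutes
# apart; 10.0.0.9 uploads the same total but 2.5 hours apart, outside the window.
SAMPLE_LOG = """\
2026-03-02T09:00:00 10.0.0.5 GET www.example.com 512 200
2026-03-02T09:05:00 10.0.0.5 POST sendit.sh 3000000 200
2026-03-02T09:10:00 10.0.0.7 PUT upload.filedrop.example 200000 201
2026-03-02T09:20:00 10.0.0.5 POST sendit.sh 2500000 200
2026-03-02T09:30:00 10.0.0.5 POST mail.example.com 900000 200
2026-03-02T15:00:00 10.0.0.9 POST sendit.sh 4000000 200
2026-03-02T17:30:00 10.0.0.9 POST sendit.sh 4000000 200
garbage line that does not parse
""".splitlines()

if __name__ == "__main__":
    for src, s in upload_summary(SAMPLE_LOG).items():
        print(src, s)
    print("suspects:", exfil_suspects(SAMPLE_LOG))
```

The window and threshold are the knobs to tune: a patient operator who uploads 4 MB a day will never trip a one-hour, 5 MB rule, so a second pass with a 24-hour window and a lower threshold, or simply reviewing every host in the summary that talks to these domains at all, is the complement. Hosts that have no business reason to reach a file-transfer service should be blocked at the proxy rather than merely logged.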

Separately, related Iranian-linked campaigns observed during the same period relied on additional tooling such as:

  • FileFiend

  • RAR archive staging

  • SMB share enumeration

  • Proxychains tunneling

  • Public web root staging

These operations targeted organizations across:

  • the United States

  • Israel

  • Saudi Arabia

  • Turkey

including sectors such as:

  • media

  • education

  • insurance

  • telecommunications

  • critical infrastructure

The campaigns demonstrate how Iranian threat operations continue expanding both geographically and operationally.


Phase 6: The Evolution of MuddyWater 


Security researchers noted that none of the techniques used individually were especially novel.

What matters is the operational maturity emerging from the combination.

Compared to earlier MuddyWater operations, the group now demonstrates:

  • cleaner execution chains

  • quieter persistence

  • more disciplined reconnaissance

  • reduced operator exposure

  • improved stealth

  • broader use of trusted software

  • modular tooling flexibility

This evolution reflects how state-aligned espionage groups continuously adapt operational hygiene to remain effective against increasingly mature defensive environments.

The campaign also reinforces a difficult reality: modern espionage operations rarely depend on one sophisticated exploit.

Instead, they combine legitimate tools, trusted binaries, open-source malware, native scripting environments and operational patience to quietly remain inside networks for extended periods.


Measures to Fend Off DLL Side-Loading Espionage Campaigns


  • Monitor for signed binaries loading unsigned DLLs from user-writable directories (Sysmon event ID 7 or the EDR's equivalent image-load telemetry).

  • Audit unexpected execution of security-product executables, especially on hosts where that product is not installed.

  • Restrict unnecessary PowerShell and Node.js execution with application control (WDAC or AppLocker), and keep PowerShell script block logging enabled so that whatever does run is recorded.

  • Monitor browser credential access and unusual cookie extraction activity.

  • Hunt for reverse-proxy and SOCKS tunneling behavior: long-lived outbound connections over which the external peer, not the internal host, issues the application-level requests.

  • Rotate credentials after suspicious lateral movement activity.

  • Detect repeated persistence re-establishment attempts.

  • Monitor uploads to public file-sharing services such as sendit[.]sh, and alert on upload volume per host over time rather than per request.

  • Segment critical infrastructure environments.

  • Deploy behavioral detection beyond signature-based security controls.

  • Audit browser-stored credentials across privileged environments.

  • Continuously validate endpoint integrity after remediation efforts.


Conclusion


The MuddyWater campaign demonstrates how modern espionage operations increasingly prioritize stealth, persistence and operational discipline over noisy malware deployment.

By abusing trusted software, leveraging DLL side-loading, stealing browser sessions, and quietly tunneling through legitimate tools, the attackers maintained covert access across organizations spanning multiple continents and critical sectors.

The campaign also highlights a broader trend shaping modern cyber operations: the line between legitimate administrative activity and malicious behavior continues to blur.

And as threat actors increasingly weaponize trusted software already present inside enterprise environments, visibility and behavioral monitoring become just as important as traditional prevention itself.


The Hacker News


 
 
 
