An Iranian state-backed hacking group spent days inside the network of a major South Korean electronics manufacturer as part of a wider cyber-espionage campaign targeting organizations across multiple countries, researchers say.


According to Symantec’s Threat Hunter Team, the attacks were carried out by MuddyWater, also known as Seedworm or Static Kitten, a threat group linked to Iran’s Ministry of Intelligence and Security (MOIS). Researchers say the operation targeted at least nine organizations across Asia, the Middle East, Europe, and South America.

The victims reportedly included government agencies, an international airport in the Middle East, industrial manufacturers, financial services companies, educational institutions, and a major South Korean electronics company whose identity was not publicly disclosed.

Symantec says the attackers remained inside the Korean manufacturer’s network for roughly one week between February 20 and February 27, 2026. During that time, the hackers performed reconnaissance, captured screenshots, downloaded additional malware, enumerated antivirus tools, stole credentials, and established persistence within the environment.

The campaign relied heavily on DLL sideloading, a technique in which a legitimate signed application is made to load a malicious DLL placed where its loader looks first, so the malicious code runs under the trusted program’s identity. Researchers found the attackers used legitimate binaries, including Fortemedia’s fmapp.exe audio utility and SentinelOne’s sentinelmemoryscanner.exe, to execute malicious DLL files without triggering security defenses.
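For defenders, the practical question is how to spot a trusted binary loading a DLL it should not. The script below is an added illustration, not code from the article or from Symantec, of one way to triage image-load telemetry for sideloading. It uses the real Sysmon Event ID 7 field names (Image, ImageLoaded, Signed, SignatureStatus), but the pipe-separated sample log, the paths and DLL names in it, and the list of trusted directories are all constructed assumptions; the host-binary list is seeded from the two executables the researchers named.

```python
"""Triage Sysmon-style image-load records for likely DLL sideloading.

Added example (not from the article or Symantec). The log format below is a
constructed, pipe-separated rendering of Sysmon Event ID 7 fields; the paths,
DLL names and trusted-directory list are assumptions to be tuned per estate.
"""
from pathlib import PureWindowsPath

# Sideload-prone host binaries named in the report; extend with your own list.
SIDELOAD_HOSTS = {"fmapp.exe", "sentinelmemoryscanner.exe"}

# Directories from which a vendor binary is expected to load its DLLs
# (assumption: adjust to where the software is actually installed).
TRUSTED_DLL_DIRS = (
    "c:\\windows\\system32",
    "c:\\windows\\syswow64",
    "c:\\program files",
    "c:\\program files (x86)",
)

# Constructed sample records: one benign load, one classic sideload from a
# temp folder, one unrelated process, and one signed DLL in an odd location.
SAMPLE_LOG = """\
Image=C:\\Program Files\\Fortemedia\\fmapp.exe|ImageLoaded=C:\\Program Files\\Fortemedia\\fmapp.dll|Signed=true|SignatureStatus=Valid
Image=C:\\Users\\alice\\AppData\\Local\\Temp\\fmapp.exe|ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\fmapp.dll|Signed=false|SignatureStatus=Unavailable
Image=C:\\Windows\\System32\\notepad.exe|ImageLoaded=C:\\Windows\\System32\\kernel32.dll|Signed=true|SignatureStatus=Valid
Image=C:\\ProgramData\\scan\\sentinelmemoryscanner.exe|ImageLoaded=C:\\ProgramData\\scan\\helper.dll|Signed=true|SignatureStatus=Valid
"""


def parse_record(line: str) -> dict:
    """Turn 'Key=Value|Key=Value' into a dict (constructed log format)."""
    return dict(part.split("=", 1) for part in line.strip().split("|"))


def in_trusted_dir(path: str) -> bool:
    """True if the file's parent directory is under a trusted root."""
    parent = str(PureWindowsPath(path).parent).lower()
    return any(parent == d or parent.startswith(d + "\\") for d in TRUSTED_DLL_DIRS)


def assess(rec: dict):
    """Return a list of reasons a load looks like sideloading, or None."""
    host = PureWindowsPath(rec["Image"]).name.lower()
    if host not in SIDELOAD_HOSTS:
        return None  # not a binary we track as a sideload host
    reasons = []
    if rec.get("Signed", "").lower() != "true" or rec.get("SignatureStatus") != "Valid":
        reasons.append("loaded DLL is unsigned or its signature is not valid")
    if not in_trusted_dir(rec["ImageLoaded"]):
        reasons.append("DLL loaded from outside a trusted system/vendor directory")
    if not in_trusted_dir(rec["Image"]):
        reasons.append("sideload-prone host binary running from an unusual location")
    return reasons or None


def scan(log: str) -> list:
    """Scan a log; yield (host, dll_path, reasons) for each suspicious load."""
    findings = []
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        reasons = assess(rec)
        if reasons:
            host = PureWindowsPath(rec["Image"]).name.lower()
            findings.append((host, rec["ImageLoaded"], reasons))
    return findings


if __name__ == "__main__":
    for host, dll, reasons in scan(SAMPLE_LOG):
        print(f"{host} -> {dll}")
        for r in reasons:
            print(f"    - {r}")
```

Two design points matter here. A valid signature on the DLL is not sufficient evidence of legitimacy (the fourth record is signed yet flagged), so location is scored independently of signing. Conversely, the first record shows the same host binary loading the same DLL name from its vendor directory and is left alone, which keeps the rule from alerting on every normal start of the audio utility.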

The malicious DLLs contained a post-exploitation tool called ChromElevator, malware designed to steal sensitive information stored in Chromium-based browsers such as Google Chrome and Microsoft Edge.

Researchers also observed extensive PowerShell activity during the attacks. The scripts were used for system reconnaissance, screenshot collection, credential theft, persistence, and the creation of SOCKS5 proxy tunnels that allowed the attackers to route traffic through compromised systems. Unlike some earlier MuddyWater campaigns, the PowerShell payloads were controlled through Node.js-based loaders.

Symantec believes the campaign was intelligence-driven rather than financially motivated. The researchers said the attackers appeared focused on industrial espionage, intellectual property theft, and gaining access to downstream corporate networks connected to the compromised organizations.

Another notable detail was the attackers’ use of public cloud-based file transfer services to blend malicious activity with normal network traffic. Data exfiltration reportedly occurred through sendit.sh, helping the operation avoid detection by appearing similar to legitimate cloud usage.

MuddyWater has previously been linked to espionage campaigns targeting telecommunications firms, defense contractors, government agencies, and infrastructure operators across the Middle East and Asia. US Cyber Command and the FBI have publicly attributed several past operations to the group.
