Last updated: July 5, 2026 at 9:01 AM UTC
Tag: muddywater (3 articles)

MuddyWater (Seedworm) 'Operation Olalampo' espionage hits 9 countries with DLL sideloading via sentinelmemoryscanner.exe and ChromElevator browser theft

Symantec and Carbon Black, working with Huntress, have documented Operation Olalampo, a new MuddyWater (also tracked as Seedworm) espionage campaign that has hit at least nine countries. The Iran-linked actor relies on DLL sideloading, abusing two trusted binaries: sentinelmemoryscanner.exe, for example, is made to load a malicious sentinelagentcore.dll. The sideloaded DLL deploys the open-source ChromElevator tool, which steals passwords, cookies, and payment-card data from Chromium browsers while bypassing App-Bound Encryption. The campaign also uses Node.js-based implants that drop PowerShell scripts for reconnaissance, SAM-hive theft, screenshot capture, and SOCKS5 reverse-proxy tunneling. Stolen data has been staged on the public file-transfer service sendit[.]sh.

Check
Hunt Windows endpoints for sentinelmemoryscanner.exe with a sideloaded sentinelagentcore.dll. Check outbound traffic to 157.20.182[.]49 and sendit[.]sh. Watch for Node.js execution on non-developer hosts.
Affected
Organizations in MuddyWater's typical target sectors (telecom, government, defense, energy) across nine countries. Symantec/Carbon Black/Huntress confirm at least one South Korean electronics manufacturer hit.
Fix
Block 157.20.182[.]49 and sendit[.]sh at egress. Apply Huntress and Symantec IoCs. Hunt for ChromElevator browser-credential theft. Restrict Node.js execution on non-developer endpoints.

Iran-linked MuddyWater (Seedworm) spent a week inside a major South Korean electronics maker - DLL sideloading off Fortemedia audio and SentinelOne binaries, ChromElevator credential theft

Symantec's Threat Hunter Team detailed a global cyber-espionage campaign by MuddyWater (a.k.a. Seedworm, Static Kitten, Temp Zagros), an APT linked to Iran's Ministry of Intelligence and Security. The group hit at least nine organizations on four continents in Q1 2026 - including a major unnamed South Korean electronics manufacturer where attackers maintained access from February 20 to 27. They abused signed legitimate binaries fmapp.exe (a Fortemedia audio utility) and sentinelmemoryscanner.exe (a SentinelOne component) to sideload malicious DLLs called fmapp.dll and sentinelagentcore.dll, both carrying the ChromElevator post-exploitation tool that lifts data from Chrome-based browsers. Stolen files were staged through public file-transfer service sendit[.]sh to blend in.

Check
Hunt endpoints for fmapp.exe or sentinelmemoryscanner.exe loading non-standard DLLs, search proxy and DNS logs for connections to sendit[.]sh from non-IT users, and review Chrome profile access patterns from sideloaded DLL contexts.
Affected
High-tech manufacturing, electronics, industrial firms, financial services, and government agencies with intellectual-property or downstream-customer value to Iran. Operations in Asia and the Middle East are most exposed, but victims span four continents.
Fix
Add detection rules for fmapp.dll and sentinelagentcore.dll in unexpected paths, block sendit[.]sh outbound where it has no business need, watch for unusual Node.js process trees spawning cmd.exe, and review LSASS access events around the 90-second beaconing window.
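The hunt described in the Check sections of the two summaries above (the signed host binary loading its paired DLL from somewhere it should not) can be scripted over image-load telemetry. This is an added example, not code from Symantec, Carbon Black or Huntress; it assumes Sysmon Event ID 7 (ImageLoad) records flattened to dicts with Computer, Image, ImageLoaded and Signed fields, and it treats only Program Files as a trusted install location, which is an assumption you should tune to your own deployment. The sample events are constructed.

```python
from pathlib import PureWindowsPath

# Host binary -> DLL pairings named in the Operation Olalampo reporting above.
SIDELOAD_PAIRS = {
    "sentinelmemoryscanner.exe": "sentinelagentcore.dll",
    "fmapp.exe": "fmapp.dll",
}
# Assumption: a legitimately installed copy of either DLL lives under Program Files.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")


def is_trusted_path(path: str) -> bool:
    return path.lower().startswith(TRUSTED_PREFIXES)


def find_sideloads(events):
    """Return (host, image, dll) for each image-load event matching the sideload pattern.

    An event matches when a known host binary loads its paired DLL name and that DLL is
    either unsigned or loaded from outside the trusted install prefixes.
    """
    hits = []
    for ev in events:
        image = PureWindowsPath(ev["Image"])
        dll = PureWindowsPath(ev["ImageLoaded"])
        expected_dll = SIDELOAD_PAIRS.get(image.name.lower())
        if expected_dll is None or dll.name.lower() != expected_dll:
            continue  # not one of the abused exe/dll pairs
        unsigned = ev.get("Signed", "false").lower() != "true"
        if unsigned or not is_trusted_path(str(dll)):
            hits.append((ev["Computer"], str(image), str(dll)))
    return hits


# Constructed sample telemetry: one legitimate load, two sideloads, one unrelated load.
SAMPLE_EVENTS = [
    {"Computer": "ws01", "Image": r"C:\Program Files\Vendor\sentinelmemoryscanner.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\sentinelagentcore.dll", "Signed": "true"},
    {"Computer": "ws02", "Image": r"C:\Users\jdoe\AppData\Local\Temp\sentinelmemoryscanner.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\sentinelagentcore.dll", "Signed": "false"},
    {"Computer": "ws03", "Image": r"C:\ProgramData\Audio\fmapp.exe",
     "ImageLoaded": r"C:\ProgramData\Audio\fmapp.dll", "Signed": "false"},
    {"Computer": "ws04", "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for host, image, dll in find_sideloads(SAMPLE_EVENTS):
        print(f"{host}: {image} sideloaded {dll}")
```

A DLL that is signed and sits under Program Files still warrants a hash check against vendor-published IoCs; the script only surfaces the placement and signature anomalies.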

Iranian hackers used Microsoft Teams chat to social-engineer victims, then dressed up their espionage as a Chaos ransomware attack to throw off blame

Rapid7 disclosed an Iranian state-sponsored intrusion that disguised itself as a Chaos ransomware attack to mask the real goal: cyber-espionage. The threat actor (assessed with moderate confidence as MuddyWater, linked to Iran's Ministry of Intelligence and Security) initiated chat requests through Microsoft Teams, walked employees into screen-sharing sessions, then captured credentials and manipulated MFA prompts. Some victims were asked to type their passwords into local text files during the call. Persistence came from a custom backdoor (Game.exe) deployed alongside DWAgent, AnyDesk, and RDP. The fake ransomware note and Chaos leak-portal entry concealed the espionage.

Check
Search Microsoft Teams logs for external chat invitations from unknown Entra tenants since January. Hunt endpoints for DWAgent, AnyDesk, ms_upd.exe, or Game.exe processes installed without IT approval.
Affected
Organizations allowing external Microsoft Teams chats by default - the campaign starts with chat invitations from attacker-controlled tenants. Acute risk for sectors MuddyWater historically targets: government, defense, telecoms, energy, and Israeli organizations. The 'IT Support' impersonation pattern works against any helpdesk-heavy enterprise. Iranian APT activity has been increasing through early 2026.
Fix
Restrict external Microsoft Teams chat to allowlisted partner tenants only. Block external screen-sharing requests by default. Brief staff that real IT support never asks them to type passwords into local files or read out MFA codes during a Teams call. Block Rapid7's published Stagecomp/Darkcomp code-signing certificate at the EDR layer.