Symantec's Threat Hunter Team detailed a global cyber-espionage campaign by MuddyWater (a.k.a. Seedworm, Static Kitten, Temp Zagros), an APT linked to Iran's Ministry of Intelligence and Security. The group hit at least nine organizations on four continents in Q1 2026 - including a major unnamed South Korean electronics manufacturer where attackers maintained access from February 20 to 27. They abused signed legitimate binaries fmapp.exe (a Fortemedia audio utility) and sentinelmemoryscanner.exe (a SentinelOne component) to sideload malicious DLLs called fmapp.dll and sentinelagentcore.dll, both carrying the ChromElevator post-exploitation tool that lifts data from Chrome-based browsers. Stolen files were staged through public file-transfer service sendit[.]sh to blend in.
Rapid7 disclosed an Iranian state-sponsored intrusion that disguised itself as a Chaos ransomware attack to mask the real goal: cyber-espionage. The threat actor (assessed with moderate confidence as MuddyWater, linked to Iran's Ministry of Intelligence and Security) initiated chat requests through Microsoft Teams, walked employees into screen-sharing sessions, then captured credentials and manipulated MFA prompts. Some victims were asked to type their passwords into local text files during the call. Persistence came from a custom backdoor (Game.exe) deployed alongside DWAgent, AnyDesk, and RDP. The fake ransomware note and Chaos leak-portal entry concealed the espionage.