MuddyWater abuses SentinelOne and Fortemedia binaries to side-load nine-country espionage campaign
Symantec's Threat Hunter Team published an attribution on May 26 that should change how every enterprise audits its EDR posture. MuddyWater, the cluster affiliated with Iran's Ministry of Intelligence and Security (MOIS) and also tracked as Seedworm, Static Kitten, MERCURY, and TA450, ran a Q1 2026 espionage campaign that hit at least nine organisations across nine countries on four continents. The novel TTP is the deliberate abuse of a SentinelOne-signed binary to side-load the implant chain, alongside a Fortemedia binary doing the same job. The attackers are explicitly betting that security-product directories are on every EDR allowlist.
That bet is correct often enough to be operational.
What Symantec attributed
The Threat Hunter Team's report names the victim sectors: industrial and electronics manufacturing, education and public-sector bodies, financial services, professional services. The named victim profiles include a major South Korean electronics manufacturer where MuddyWater maintained a week of access in February 2026, an international airport in the Middle East, Southeast Asian industrial manufacturers, and a Latin American financial-services provider. Four continents in one quarter is the geographic footprint of a sustained operation, not a smash-and-grab.
The attack chain has matured significantly from prior MuddyWater operations. The legitimate Fortemedia audio-driver binary fmapp.exe side-loads a malicious fmapp.dll. The legitimate SentinelOne memory scanner binary sentinelmemoryscanner.exe side-loads a malicious sentinelagentcore.dll. Both DLLs embed the open-source ChromElevator tool to defeat Chrome App-Bound Encryption and steal passwords, cookies, and payment-card data from Chromium browsers. Per Huntress corroboration, fmapp.dll beacons to 157.20.182.49. A Node.js implant chain executes PowerShell scripts for reconnaissance, screenshot capture, SAM hive theft, privilege escalation, and SOCKS5 reverse-proxy tunneling. Stolen data is staged on sendit.sh, a legitimate public file-transfer service that blends exfiltration with normal-looking outbound traffic.
The Group-IB Operation Olalampo writeup from February 2026 had already documented the fmapp.exe side-loading pattern. The Symantec report extends that pattern with the SentinelOne binary and with the Q1 2026 victim list.
Why the SentinelOne-binary choice matters
There is a clean read on why MuddyWater added the SentinelOne binary to its toolkit, and it is a structural problem for every defender. Modern EDR products run with high system trust. Their installation directories are signed, their binary hashes are well-known, and their process trees are routinely excluded from behavioral analytics to avoid noise. An attacker that can side-load through a security-vendor binary inherits that trust without having to forge it.
This is not novel as a concept. DLL side-loading through signed third-party binaries has been a standard APT technique for at least a decade. What is new is the explicit selection of a security-product binary as the side-loading vehicle, against a Q1 2026 EDR baseline that pretends those products are uncompromisable. Every "trusted publisher" allowlist needs to include "but check the DLLs in their directories" as the next rule.
The operational hygiene step-up
Symantec's report calls out a pattern that matches what Rapid7 saw on May 7 (the MuddyWater Teams-chat campaign with the Chaos ransomware false-flag) and what the Langflow KEV addition on May 21 confirmed at scale. The cadence of activity is implant-driven, not continuous operator presence. Reconnaissance and exfiltration happen in disciplined bursts. False-flag patterns hide the cluster's identity. Operations against the South Korean victim included repeated re-execution of the side-loading binaries to maintain access without active operator engagement.
The takeaway is that the MuddyWater of 2026 is operationally quieter and more disciplined than the MuddyWater of 2023 or 2024. None of the individual techniques are novel; the combination, applied with discipline, is what produces a week of dwell inside a Fortune-class electronics manufacturer.
What to do this week
For organisations running SentinelOne or Fortemedia, which is to say most enterprises, the audit is concrete. Look for unsigned DLLs in those product directories. Hash-verify the DLLs against vendor-published values. Treat any DLL in a security-product directory that fails signature verification as a compromise indicator, not a quirk.
Add the network IoCs to detection: block 157.20.182.49 outbound, add sendit.sh to your egress monitoring, instrument for unexpected node.exe process trees on workstations and for node.exe parent processes spawning PowerShell. The Node.js implant chain is the operational signature that distinguishes this MuddyWater wave from prior ones; it is also the easiest single indicator to alert on.
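The audit in the previous paragraph and the network and process indicators just listed, expressed as detection logic in an added example that is not part of Symantec's report or this post. It runs over constructed Sysmon-style event dicts and assumes default SentinelOne and Fortemedia install paths under C:\Program Files, which you should replace with the real directories in your estate:

```python
# Added example: four detections for the chain described above, over Sysmon-style event dicts.
SIDELOAD_HOSTS = {"fmapp.exe", "sentinelmemoryscanner.exe"}  # host binaries in the report
SIDELOAD_DLLS = {"fmapp.dll", "sentinelagentcore.dll"}       # malicious DLL names in the report
# Assumed default install paths; replace with the real directories in your estate.
PRODUCT_DIRS = ("c:\\program files\\sentinelone\\", "c:\\program files\\fortemedia\\")
C2_IP = "157.20.182.49"       # fmapp.dll beacon address per Huntress
STAGING_DOMAIN = "sendit.sh"  # exfiltration staging service

def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Return (rule, detail) hits for one event; an empty list means clean."""
    hits, kind = [], ev.get("EventType")
    if kind == "ImageLoad":
        dll, host, status = ev["ImageLoaded"], ev["Image"], ev.get("SignatureStatus")
        # Rule 1: a DLL under a security-product directory that fails signature
        # validation is a compromise indicator, not a quirk.
        if dll.lower().startswith(PRODUCT_DIRS) and status != "Valid":
            hits.append(("unsigned-dll-in-product-dir", dll))
        # Rule 2: the host/DLL pairs from the report, wherever they were copied.
        if _base(host) in SIDELOAD_HOSTS and _base(dll) in SIDELOAD_DLLS and status != "Valid":
            hits.append(("muddywater-sideload-pair", f"{_base(host)} -> {_base(dll)}"))
    elif kind == "ProcessCreate":
        # Rule 3: node.exe as the parent of PowerShell (the Node.js implant chain).
        if _base(ev["ParentImage"]) == "node.exe" and _base(ev["Image"]) in ("powershell.exe", "pwsh.exe"):
            hits.append(("node-spawns-powershell", ev.get("CommandLine", "")))
    elif kind == "NetworkConnect":
        # Rule 4: the published C2 address or the sendit.sh staging service.
        ip, name = ev.get("DestinationIp", ""), ev.get("DestinationHostname", "").lower()
        if ip == C2_IP or name == STAGING_DOMAIN or name.endswith("." + STAGING_DOMAIN):
            hits.append(("known-c2-or-staging", name or ip))
    return hits

def scan(events):
    """Flatten hits across a batch as (EventType, rule, detail) tuples."""
    return [(ev["EventType"], r, d) for ev in events for r, d in check_event(ev)]

SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    {"EventType": "ImageLoad", "Image": "C:\\Program Files\\Fortemedia\\fmapp.exe",
     "ImageLoaded": "C:\\Program Files\\Fortemedia\\fmapp.dll", "SignatureStatus": "Unavailable"},
    {"EventType": "ImageLoad", "Image": "C:\\Users\\Public\\s1\\sentinelmemoryscanner.exe",
     "ImageLoaded": "C:\\Users\\Public\\s1\\sentinelagentcore.dll", "SignatureStatus": "Unavailable"},
    {"EventType": "ProcessCreate", "ParentImage": "C:\\Users\\Public\\node.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -File recon.ps1"},
    {"EventType": "NetworkConnect", "Image": "C:\\Program Files\\Fortemedia\\fmapp.exe", "DestinationIp": "157.20.182.49", "DestinationHostname": ""},
    {"EventType": "NetworkConnect", "Image": "C:\\Users\\Public\\node.exe", "DestinationIp": "203.0.113.10", "DestinationHostname": "sendit.sh"},
    {"EventType": "ProcessCreate", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"},
]
```

Rule 2 deliberately does not require the product directory, because the host binary is just as usable after being copied to a user-writable path; Rule 1 catches substitution in place.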
For Tashkent-region defenders specifically, the relevance is direct. Iran-MOIS targeting of fintech, electronics manufacturing, education, and a Middle East airport overlaps directly with the Uzbek banking-sector and Tashkent-airport adversary profiles. The mandatory cybersecurity unit regime that came into force on April 1 puts a formal accountability layer on this kind of attribution; the audit posture in the regulated sector should reflect that MuddyWater is now operationally active against Central Asia-adjacent target profiles.
The cluster status
Three MuddyWater events in 30 days: Rapid7's Teams-chat false-flag (May 7), the Langflow CVE-2025-34291 KEV addition with MuddyWater attribution (May 21), and now the Symantec nine-country DLL side-loading writeup (May 26). The cluster meets the threshold for "active" rather than "watch" status in any reasonable threat-actor tracker. The next IR disclosure or KEV addition tied to MuddyWater should be treated as a continuation of an ongoing campaign, not a fresh event.
Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you need a fresh pair of eyes on your EDR allowlist policy and DLL-substitution detection in regulated-sector deployments.