MuddyWater broad cyber-espionage campaign across sectors and countries
Campaign
Summary
MuddyWater was tied to a 2026 espionage campaign affecting at least nine organizations across nine countries on four continents, with victims in industrial and electronics manufacturing, education, public-sector bodies, financial services, and professional services. The activity used DLL side-loading with signed Fortemedia and SentinelOne binaries, Node.js scripts and PowerShell for reconnaissance and theft operations, and ChromElevator to steal browser credentials and payment card data from Chromium-based browsers. In at least one intrusion, the attackers spent a week inside a South Korean electronics manufacturer in February 2026 and used sendit[.]sh to stage stolen data.
Related Happenings
Major South Korean electronics manufacturer hit by data theft breach
Incident
First: 14.05.2026 00:59
Last: 14.05.2026 00:59
Sources 1
How related:
Researchers at Symantec say that the threat actor “spent a week inside the network of a major South Korean electronics manufacturer in February 2026.”
About this happening:
A **major South Korean electronics manufacturer** suffered a **week-long intrusion** in **February 2026**, giving attackers time to conduct **reconnaissance**, **credential theft*...
Fake Claude Code installation-page infostealer campaign targeting developers
Campaign
First: 11.05.2026 17:00
Last: 11.05.2026 17:00
Sources 1
About this happening:
A **fake Claude Code** installer campaign is using **sponsored search results** and **operator-controlled domains** to deliver an **infostealer** to **developer workstations**, pu...
UAT-8302 government-targeting campaign across South America and southeastern Europe
Campaign
First: 05.05.2026 17:19
Last: 05.05.2026 17:19
Sources 1
About this happening:
The **UAT-8302** campaign has been tied to attacks on **government entities** in **South America** and **southeastern Europe**, showing a multi-region operation with post-exploita...
Iranian-linked PLC targeting campaign against U.S. critical infrastructure
Campaign
First: 07.04.2026 21:02
Last: 07.04.2026 21:02
Sources 1
About this happening:
Iranian-linked hackers are actively targeting **Internet-exposed Rockwell/Allen-Bradley PLCs** on **U.S. critical infrastructure** networks, increasing the risk of operational dis...
Torg Grabber browser-extension theft activity
Malware Activity
First: 25.03.2026 20:32
Last: 25.03.2026 20:32
Sources 1
About this happening:
The **Torg Grabber** infostealer is actively stealing data from **850 browser extensions**, including **728 cryptocurrency wallet extensions**, which raises the risk of account ta...
Timeline
14.05.2026 00:59 4 articles · 13d ago
MuddyWater broad cyber-espionage campaign targets at least nine organizations
Initial Disclosure: MuddyWater (aka Seedworm, Static Kitten), an Iran-linked group, is tied to a broad cyber-espionage campaign against at least nine organizations across multiple sectors and countries, including a major South Korean electronics manufacturer, government agencies, an international airport in the Middle East, industrial manufacturers in Asia, and educational institutions. The activity used DLL side-loading with legitimate binaries such as fmapp.exe and sentinelmemoryscanner.exe, placed ChromElevator in malicious DLLs, relied on PowerShell and Node.js loaders, and used sendit.sh for data exfiltration while pursuing reconnaissance, credential theft, persistence, and quieter access.
Sources:
- Iranian hackers targeted major South Korean electronics maker — www.bleepingcomputer.com — 14.05.2026 00:59
- Iran-Linked Hackers Mapped Ship AIS Data Days Before Real-World Missile Strike Attempt — thehackernews.com — 20.11.2025 09:35
- MuddyWater Uses DLL Side-Loading in Espionage Campaign Targeting 9 Countries — thehackernews.com — 26.05.2026 18:48