MuddyWater broad cyber-espionage campaign across sectors and countries
Campaign
Summary
Hide ▲
Show ▼
MuddyWater was tied to a 2026 espionage campaign affecting at least nine organizations across nine countries on four continents, with victims in industrial and electronics manufacturing, education, public-sector bodies, financial services, and professional services. The activity used DLL side-loading with signed Fortemedia and SentinelOne binaries, Node.js scripts and PowerShell for reconnaissance and theft operations, and ChromElevator to steal browser credentials and payment card data from Chromium-based browsers. In at least one intrusion, the attackers spent a week inside a South Korean electronics manufacturer in February 2026 and used sendit[.]sh to stage stolen data.
Related Happenings
AI-generated PowerShell Active Directory reconnaissance script
Malware Activity
H score23
First: 09.07.2026 17:00
Last: 09.07.2026 17:00
Sources 1
About this happening:
An **AI-generated PowerShell script** was used in a real **Windows intrusion**, showing how one-off malware can automate **Active Directory reconnaissance** and evade signature-ba...
AI-generated PowerShell Active Directory reconnaissance script
Malware ActivityAbout this happening: An **AI-generated PowerShell script** was used in a real **Windows intrusion**, showing how one-off malware can automate **Active Directory reconnaissance** and evade signature-ba...
Major South Korean electronics manufacturer hit by data theft breach
Incident
H score13
First: 14.05.2026 00:59
Last: 14.05.2026 00:59
Sources 1
How related:
Researchers at Symantec say that the threat actor “spent a week inside the network of a major South Korean electronics manufacturer in February 2026.”
About this happening:
A **major South Korean electronics manufacturer** suffered a **week-long intrusion** in **February 2026**, giving attackers time to conduct **reconnaissance**, **credential theft*...
Major South Korean electronics manufacturer hit by data theft breach
IncidentHow related: Researchers at Symantec say that the threat actor “spent a week inside the network of a major South Korean electronics manufacturer in February 2026.”
About this happening: A **major South Korean electronics manufacturer** suffered a **week-long intrusion** in **February 2026**, giving attackers time to conduct **reconnaissance**, **credential theft*...
Fake Claude Code installation-page infostealer campaign targeting developers
Campaign
H score33
First: 11.05.2026 17:00
Last: 11.05.2026 17:00
Sources 1
About this happening:
A **fake Claude Code** installer campaign is using **sponsored search results** and **operator-controlled domains** to deliver an **infostealer** to **developer workstations**, pu...
Fake Claude Code installation-page infostealer campaign targeting developers
CampaignAbout this happening: A **fake Claude Code** installer campaign is using **sponsored search results** and **operator-controlled domains** to deliver an **infostealer** to **developer workstations**, pu...
UAT-8302 government-targeting campaign across South America and southeastern Europe
Campaign
H score28
First: 05.05.2026 17:19
Last: 05.05.2026 17:19
Sources 1
About this happening:
The **UAT-8302** campaign has been tied to attacks on **government entities** in **South America** and **southeastern Europe**, showing a multi-region operation with post-exploita...
UAT-8302 government-targeting campaign across South America and southeastern Europe
CampaignAbout this happening: The **UAT-8302** campaign has been tied to attacks on **government entities** in **South America** and **southeastern Europe**, showing a multi-region operation with post-exploita...
Iranian-linked PLC targeting campaign against U.S. critical infrastructure
Campaign
H score38
First: 07.04.2026 21:02
Last: 07.04.2026 21:02
Sources 1
About this happening:
Iranian-linked hackers are actively targeting **Internet-exposed Rockwell/Allen-Bradley PLCs** on **U.S. critical infrastructure** networks, increasing the risk of operational dis...
Iranian-linked PLC targeting campaign against U.S. critical infrastructure
CampaignAbout this happening: Iranian-linked hackers are actively targeting **Internet-exposed Rockwell/Allen-Bradley PLCs** on **U.S. critical infrastructure** networks, increasing the risk of operational dis...
Timeline
-
14.05.2026 00:59 4 articles · 1mo ago
MuddyWater broad cyber-espionage campaign targets at least nine organizations
Initial DisclosureMuddyWater (aka Seedworm, Static Kitten), an Iran-linked group, is tied to a broad cyber-espionage campaign against at least nine organizations across multiple sectors and countries, including a major South Korean electronics manufacturer, government agencies, an international airport in the Middle East, industrial manufacturers in Asia, and educational institutions. The activity used DLL sideloading with legitimate binaries such as fmapp.exe and sentinelmemoryscanner.exe, placed ChromElevator in malicious DLLs, relied on PowerShell and Node.js loaders, and used sendit.sh for data exfiltration while pursuing reconnaissance, credential theft, persistence, and quieter access.
Show sources
- Iranian hackers targeted major South Korean electronics maker — www.bleepingcomputer.com — 14.05.2026 00:59
- Iranian hackers targeted major South Korean electronics maker — www.bleepingcomputer.com — 14.05.2026 00:59
- Iran-Linked Hackers Mapped Ship AIS Data Days Before Real-World Missile Strike Attempt — thehackernews.com — 20.11.2025 09:35
- MuddyWater Uses DLL Side-Loading in Espionage Campaign Targeting 9 Countries — thehackernews.com — 26.05.2026 18:48