
Iranian Hackers Spent Week Inside Korean Electronics Firm

Huma Shazia, 14 May 2026 at 3:38 am, 5 min read

Key Takeaways

Source: BleepingComputer
  • MuddyWater spent seven days inside a major South Korean electronics firm in February 2026
  • Attackers abused legitimate SentinelOne and Foremedia binaries to load malicious code
  • Campaign targeted at least nine organizations across Asia, Middle East, and government sectors

Iranian state-linked hackers spent a full week inside the network of a major South Korean electronics manufacturer, according to new research from Symantec's Threat Hunter Team.

The intrusion, which ran from February 20 to February 27, 2026, was part of a broader espionage campaign by MuddyWater (also known as Seedworm or Static Kitten). The group targeted at least nine high-profile organizations across multiple countries and sectors.

Victims included government agencies, an international airport in the Middle East, industrial manufacturers in Asia, and educational institutions. Symantec did not disclose the name of the Korean electronics firm.

7 days: the duration the attackers spent inside the Korean manufacturer's network.

How the Attack Unfolded

The attackers relied heavily on DLL sideloading. This technique uses legitimate, signed software to load malicious code. By hiding inside trusted applications, the malware evades detection tools that flag unknown executables.

MuddyWater abused two specific binaries: fmapp.exe, a legitimate Foremedia audio utility, and sentinelmemoryscanner.exe, a component from cybersecurity vendor SentinelOne. The corresponding malicious DLLs contained ChromElevator, a post-exploitation tool that steals data from Chrome-based browsers.

PowerShell remained a core part of the toolkit. Attackers used it to capture screenshots, run reconnaissance, fetch additional payloads, steal credentials, and create SOCKS5 tunnels for communication. The payloads were controlled through Node.js loaders rather than direct PowerShell execution.

Credential Theft Through Fake Windows Prompts

The Korean intrusion followed a clear pattern. MuddyWater first performed host and domain reconnaissance, then enumerated antivirus software using Windows Management Instrumentation (WMI). They captured screenshots and downloaded additional malware.

For credential theft, the group deployed fake Windows login prompts to trick users into entering passwords. They also stole registry hives containing password hashes (SAM, SECURITY, and SYSTEM files) and abused Kerberos ticket tools for lateral movement.

Persistence came through registry modifications. Sideloaded binaries were repeatedly relaunched to maintain access, with beaconing occurring every 90 seconds.

The cadence is again consistent with implant-driven activity rather than continuous operator presence.

— Symantec Threat Hunter Team

This suggests automated tools maintained access while human operators checked in periodically, a hallmark of mature state-sponsored operations.

Data Exfiltration via Public File Sharing

To extract stolen data, MuddyWater used sendit.sh, a public file-sharing service. This approach disguises malicious uploads as normal web traffic, making detection harder for network monitoring tools.

Symantec's researchers noted this campaign stands out for three reasons: geographic expansion beyond the Middle East, operational maturity in tool usage, and systematic abuse of legitimate software and services.

Who Is MuddyWater?

MuddyWater has operated since at least 2017 and is attributed to Iran's Ministry of Intelligence and Security. The group traditionally focused on Middle Eastern targets, particularly in Saudi Arabia, Turkey, and the UAE.

This campaign marks a notable shift. Targeting a major Korean electronics manufacturer suggests an interest in intellectual property theft and potential supply chain access. Korean electronics firms supply components to companies worldwide.

Symantec's Threat Hunter Team believes the operation was intelligence-driven, focusing on industrial secrets, government espionage, and access to downstream customers or corporate networks.

Defense Recommendations

Organizations should monitor for unusual DLL loading behavior, particularly from signed applications. Endpoint detection tools can flag when legitimate binaries load unsigned or unexpected DLLs.

  • Monitor for DLL sideloading from signed applications like fmapp.exe and SentinelOne components
  • Watch for PowerShell payloads launched through Node.js loaders
  • Flag outbound connections to public file-sharing services from corporate endpoints
  • Alert on registry hive access (SAM, SECURITY, SYSTEM) outside normal backup operations
  • Detect 90-second beaconing patterns in network traffic

Security teams should also treat unexpected Windows authentication prompts with suspicion, particularly if they appear outside normal login contexts.
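Two of the recommendations above (sideloading from a signed binary, and the fixed 90-second beacon cadence) can be turned into simple checks over endpoint and network telemetry. The following is an added example written for this page, not code from Symantec or the article; the records are constructed, Sysmon-style samples, and the DLL name and paths are hypothetical, not indicators from the campaign.

```python
"""Added detection example (constructed data, not real logs or IoCs).
flag_sideloads():   a signed process loads an unsigned DLL from its own
                    directory instead of a Windows system directory
                    (fields mirror Sysmon Event ID 7: Image, ImageLoaded,
                    Signed, SignatureStatus).
detect_beaconing(): connection timestamps spaced at a near-constant
                    interval, e.g. the 90-second cadence reported above."""
from pathlib import PureWindowsPath
from statistics import mean, pstdev

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def flag_sideloads(events):
    """Return (process, dll) pairs matching the sideloading pattern."""
    hits = []
    for e in events:
        proc = PureWindowsPath(e["Image"])
        dll = PureWindowsPath(e["ImageLoaded"])
        if (str(dll.parent).lower() + "\\").startswith(SYSTEM_DIRS):
            continue  # OS-supplied location, not the sideload pattern
        unsigned = (e.get("Signed", "false").lower() != "true"
                    or e.get("SignatureStatus", "") != "Valid")
        if unsigned and dll.parent == proc.parent:  # DLL sits beside the EXE
            hits.append((proc.name, dll.name))
    return hits

def detect_beaconing(timestamps, period=90.0, tolerance=5.0, min_events=5):
    """True when gaps between sorted timestamps (seconds) average `period`
    within `tolerance` and show little jitter; needs `min_events` samples."""
    if len(timestamps) < min_events:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return abs(mean(gaps) - period) <= tolerance and pstdev(gaps) <= tolerance

# Constructed sample telemetry; "helper.dll" and the paths are hypothetical.
SAMPLE_LOADS = [
    {"Image": "C:\\Users\\u\\AppData\\Local\\Temp\\fmapp.exe",
     "ImageLoaded": "C:\\Users\\u\\AppData\\Local\\Temp\\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": "C:\\Users\\u\\AppData\\Local\\Temp\\fmapp.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]
SAMPLE_BEACON = [0, 91, 180, 272, 361, 450]  # ~90 s implant cadence
SAMPLE_HUMAN = [0, 12, 300, 305, 900]        # irregular, interactive use

if __name__ == "__main__":
    print(flag_sideloads(SAMPLE_LOADS))
    print(detect_beaconing(SAMPLE_BEACON), detect_beaconing(SAMPLE_HUMAN))
```

Real deployments would key the beacon check per source host and destination and tune the tolerance to the network's jitter; the sideload check is a heuristic that legitimate plugin-style software can also trigger, so it belongs in a triage queue rather than a blocking rule.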


Frequently Asked Questions

What is DLL sideloading?

DLL sideloading tricks legitimate software into loading malicious code. Attackers place a malicious DLL in the same folder as a trusted application. When the app runs, it loads the malicious file instead of the legitimate library.

Why did MuddyWater target a Korean electronics firm?

Korean electronics manufacturers hold valuable intellectual property and supply components globally. Access could enable industrial espionage or provide entry points to downstream corporate networks.

How can organizations detect this type of attack?

Monitor for unusual DLL loading from signed applications, watch for PowerShell with Node.js loaders, and flag outbound connections to public file-sharing services. Registry hive access outside backup operations is another warning sign.

Is MuddyWater a state-sponsored group?

Yes. MuddyWater is attributed to Iran's Ministry of Intelligence and Security and has operated since at least 2017, primarily targeting Middle Eastern organizations until this recent geographic expansion.


Huma Shazia

Senior AI & Tech Writer
