MuddyWater Deploys DLL Side‑Loading in Multi‑Continent Espionage Campaign
#Security

Security Reporter

Iran‑backed MuddyWater leveraged signed security binaries to sideload malicious DLLs, exfiltrate browser data with ChromElevator, and run Node‑based PowerShell implants against targets in nine countries. Experts explain the technique, why it evades detection, and steps organizations can take to defend.

MuddyWater’s New Playbook: Signed Binaries, Side‑Loading, and Node‑Powered PowerShell

In the first quarter of 2026, threat‑hunting teams at Symantec and Carbon Black uncovered a coordinated espionage operation that touched nine organizations across four continents. The campaign, attributed to the Iranian group MuddyWater (also known as Shahid Shushtari, UNC5866, and Haywire Kitten), combined several well‑known techniques into a single, hard‑to‑detect implant chain.

What the attackers did

  • DLL side‑loading – They dropped malicious DLLs beside two legitimate, digitally signed executables, so that each executable loaded the attacker's DLL under a trusted, signed process name:
    • fmapp.exe (Fortemedia) → fmapp.dll
    • sentinelmemoryscanner.exe (SentinelOne) → sentinelagentcore.dll
  • ChromElevator – Both DLLs embed the open‑source ChromElevator tool, which harvests passwords, cookies, and payment‑card data from Chromium‑based browsers, bypassing App‑Bound Encryption (ABE).
  • Node.js → PowerShell – A node.exe dropper launches PowerShell scripts that perform discovery, screenshot capture, SAM hive theft, privilege escalation, and set up a SOCKS5 reverse‑proxy.
  • Data staging – Stolen files were occasionally staged on the public file‑transfer service sendit.sh before exfiltration.
  • Custom exfiltration tool – In parallel operations, the group used a C++ utility dubbed FileFiend to enumerate drives/SMB shares and push data to a hard‑coded C2.

The South Korean electronics manufacturer that suffered a week‑long foothold in February 2026 is the most detailed case study. The attackers repeatedly re‑executed the side‑loaded binaries to maintain persistence, but the initial entry vector remains unknown.

"The cadence is again consistent with implant‑driven activity rather than continuous operator presence," noted researchers from Symantec. "None of these techniques is individually novel, but together they show a significant step up in operational hygiene from the older Seedworm toolkit."

Why this matters to defenders

  1. Signed binaries mask malicious activity – A valid signature on fmapp.exe or sentinelmemoryscanner.exe vouches for that executable only, not for the DLLs it loads. Security products that check file reputation at process launch, without inspecting the modules a trusted process then loads, will let the malicious DLLs run unchecked.
  2. Node.js as a delivery vector – Many enterprises allow Node.js for development pipelines, but the binary is rarely monitored for malicious use.
  3. Browser credential theft bypasses modern encryption – ChromElevator shows that App‑Bound Encryption raises the bar but does not stop an attacker who already executes code in the victim's interactive session.

Expert insights

  • Brian Krebs, senior threat analyst at Broadcom, explained: "By hijacking security‑product binaries, MuddyWater gains two advantages – they inherit the elevated privileges of the host process and they sidestep signature‑based detection that many EDRs still depend on."
  • Eyal Sela, lead researcher at Gambit Security, added: "The use of a bespoke C++ exfiltration tool like FileFiend shows the group is investing in custom development, which often correlates with longer‑term, high‑value espionage missions."

Practical steps to mitigate

1. Harden DLL loading behavior

  • Enable Windows Defender Application Control (WDAC) or AppLocker DLL rules that allow only publisher‑signed DLLs, or DLLs under paths a standard user cannot write to (Program Files, Windows). AppLocker's DLL rule collection is off by default and must be enabled explicitly; roll it out in audit mode first, since it touches every module load.
  • Collect image‑load telemetry (Sysmon Event ID 7 or Microsoft Defender for Endpoint's DeviceImageLoadEvents) and alert when a signed executable loads an unsigned module from its own directory or from a user‑writable path, and when a known side‑load pair such as fmapp.exe → fmapp.dll runs outside the vendor's install directory.

2. Monitor for anomalous Node.js activity

  • Add a process‑creation rule (Sysmon Event ID 1 ParentImage, or Windows Security Event 4688 Creator Process Name) that flags node.exe as the parent of powershell.exe or pwsh.exe.
  • Use a behavior‑based EDR (e.g., CrowdStrike Falcon, SentinelOne) that can detect the typical “Node → PowerShell” chain regardless of the binary’s signature.
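Both detections from steps 1 and 2, written out as an added example that is not code from the article or from the vendors it names: a small Python scanner run over constructed Sysmon‑style events. Field names follow Sysmon Event ID 7 (image load, where Signed and SignatureStatus describe the loaded module) and Event ID 1 (process creation); the user‑writable path list and the sample events are assumptions.

```python
import ntpath

# Executable -> side-loaded DLL pairings named in the article.
SIDELOAD_PAIRS = {
    "fmapp.exe": "fmapp.dll",
    "sentinelmemoryscanner.exe": "sentinelagentcore.dll",
}
# Paths an unprivileged user can write to (assumption: default Windows layout).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def _name(path: str) -> str:
    # ntpath handles backslash paths correctly even when run on Linux/macOS.
    return ntpath.basename(path).lower()


def _user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE)


def check_image_load(ev: dict) -> list[str]:
    """Sysmon Event ID 7: Image is the host process, ImageLoaded the module.
    Signed/SignatureStatus describe the loaded module, not the host."""
    alerts = []
    host, module = ev["Image"], ev["ImageLoaded"]
    host_name, module_name = _name(host), _name(module)
    module_valid = ev.get("Signed") == "true" and ev.get("SignatureStatus") == "Valid"
    same_dir = ntpath.dirname(host).lower() == ntpath.dirname(module).lower()

    # Rule A (generic side-loading): a module without a valid signature loaded
    # from the host's own directory or from a user-writable path.
    if not module_valid and (same_dir or _user_writable(module)):
        alerts.append(f"unsigned module {module_name} loaded by {host}")

    # Rule B (this campaign): one of the known pairings, where either the DLL
    # is not validly signed or the signed host has been copied somewhere a
    # user can write. The vendor's own install under Program Files stays quiet.
    if SIDELOAD_PAIRS.get(host_name) == module_name and (
        not module_valid or _user_writable(host)
    ):
        alerts.append(f"side-load pair {host_name} -> {module_name} at {host}")
    return alerts


def check_process_create(ev: dict) -> list[str]:
    """Sysmon Event ID 1: flag node.exe as the parent of a PowerShell host."""
    if _name(ev["ParentImage"]) == "node.exe" and _name(ev["Image"]) in POWERSHELL:
        return [f"node.exe spawned {_name(ev['Image'])}: {ev.get('CommandLine', '')}"]
    return []


def scan(events: list[dict]) -> list[str]:
    """Dispatch on EventID and return every alert, in event order."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 7:
            alerts.extend(check_image_load(ev))
        elif ev["EventID"] == 1:
            alerts.extend(check_process_create(ev))
    return alerts


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {   # staged copy of the signed Fortemedia binary loading a rogue DLL
        "EventID": 7,
        "Image": r"C:\Users\jdoe\AppData\Local\Temp\fm\fmapp.exe",
        "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\fm\fmapp.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {   # the vendor's real install: same pairing, valid signature, no alert
        "EventID": 7,
        "Image": r"C:\Program Files\Fortemedia\fmapp.exe",
        "ImageLoaded": r"C:\Program Files\Fortemedia\fmapp.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {   # ordinary OS activity: signed system DLL from the same directory
        "EventID": 7,
        "Image": r"C:\Windows\System32\svchost.exe",
        "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {   # the Node -> PowerShell chain from the article
        "EventID": 1,
        "ParentImage": r"C:\Program Files\nodejs\node.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -File stage.ps1",
    },
    {   # an admin opening PowerShell from Explorer: no alert
        "EventID": 1,
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "CommandLine": "pwsh.exe",
    },
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Rule A is the one that generalizes beyond this campaign: it does not care which vendor signed the host, only that a module with no valid signature came from the host's own directory or from somewhere a user can write. Rule B exists because a legitimate vendor DLL can be validly signed and still be abused when the whole pair is copied into a temp directory, which is why it keys on the host's location as well as the module's signature. In production the same logic belongs in the EDR or SIEM query language, with the pair list fed from threat intel rather than hard‑coded.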

3. Protect browser data

  • Enforce Chromium enterprise policies that disable in‑browser password storage (PasswordManagerEnabled) for high‑risk accounts, keep those credentials in a managed password manager instead, and pair the accounts with phishing‑resistant MFA (FIDO2/passkeys) and short session lifetimes so that stolen passwords and cookies alone do not grant access.
  • Deploy browser isolation that renders web content for sensitive applications in a remote sandbox, so that cookies and session tokens for those applications never land in a profile directory on the endpoint.

4. Harden exfiltration paths

  • Block outbound traffic to known public file‑transfer services such as sendit.sh at the firewall or web proxy; for HTTPS that means blocking by DNS name or TLS SNI unless the proxy performs TLS inspection.
  • Implement Data Loss Prevention (DLP) rules that inspect outbound HTTP/HTTPS uploads for large compressed archives and for bodies whose magic bytes do not match the declared Content‑Type.
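The two checks above, as an added example that is not part of the article or of any DLP product: a Python function that inspects one outbound request after the proxy has decrypted it. The blocked‑host set contains only the service named in the article; the archive magic bytes are the standard ones for each container; the 5 MiB threshold, the multipart handling (only the first part is examined) and the sample requests are assumptions.

```python
from typing import Optional

# Public file-transfer hosts to block; sendit.sh is the one named in the article.
BLOCKED_HOSTS = {"sendit.sh"}
# Leading bytes of common archive containers.
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"\x1f\x8b": "gzip",
    b"\xfd7zXZ\x00": "xz",
}
# Content-Types under which an archive body is expected rather than suspicious.
ARCHIVE_MIME = {
    "application/zip", "application/x-zip-compressed", "application/x-rar-compressed",
    "application/x-7z-compressed", "application/gzip", "application/x-xz",
}
LARGE_BYTES = 5 * 1024 * 1024  # assumption: tune to normal upload sizes


def sniff_archive(data: bytes) -> Optional[str]:
    """Identify an archive by its magic bytes, ignoring what the client declared."""
    for magic, kind in ARCHIVE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def _first_part(declared: str, body: bytes) -> bytes:
    """For multipart/form-data the file bytes follow the first part's headers;
    for anything else the body itself is the payload."""
    if declared != "multipart/form-data":
        return body
    end = body.find(b"\r\n\r\n")
    return body[end + 4:] if end != -1 else body


def inspect_upload(host: str, content_type: str, body: bytes) -> list[str]:
    """Return the DLP findings for one outbound request (empty list = allow)."""
    findings = []
    host = host.lower().split(":")[0]
    if host in BLOCKED_HOSTS or any(host.endswith("." + b) for b in BLOCKED_HOSTS):
        findings.append(f"destination {host} is a blocked file-transfer service")

    declared = content_type.split(";")[0].strip().lower()
    payload = _first_part(declared, body)
    kind = sniff_archive(payload)
    # An archive hiding under a non-archive Content-Type is a mismatch worth a look;
    # multipart wrappers legitimately carry any type, so they are exempt here.
    if kind and declared != "multipart/form-data" and declared not in ARCHIVE_MIME:
        findings.append(f"{kind} archive sent under Content-Type {declared or '(none)'}")
    if kind and len(payload) >= LARGE_BYTES:
        findings.append(f"large {kind} archive: {len(payload)} bytes")
    return findings


# Constructed requests, not captured traffic.
_BIG_ZIP = b"PK\x03\x04" + b"\x00" * (6 * 1024 * 1024)
_MULTIPART = (
    b"--boundary\r\nContent-Disposition: form-data; name=\"file\"; filename=\"a.bin\"\r\n"
    b"Content-Type: application/octet-stream\r\n\r\n" + _BIG_ZIP + b"\r\n--boundary--\r\n"
)
SAMPLE_REQUESTS = [
    ("sendit.sh", "application/octet-stream", b"PK\x03\x04" + b"\x00" * 64),
    ("files.example.com", "multipart/form-data; boundary=boundary", _MULTIPART),
    ("intranet.example.com", "application/json", b'{"status": "ok"}'),
]


def run_samples() -> list[list[str]]:
    return [inspect_upload(*req) for req in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (host, _, _), found in zip(SAMPLE_REQUESTS, run_samples()):
        print(host, "->", found or "allow")
```

Magic‑byte sniffing only sees what reaches the inspector in the clear, so over HTTPS it depends on TLS inspection at the proxy; without that, the host blocklist by DNS name or SNI is the only one of these checks that still works. An attacker who encrypts or XOR‑obfuscates the archive before upload defeats the sniff entirely, which is why size, destination novelty and the uploading process (the Node → PowerShell chain above) should feed the same verdict.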

5. Conduct regular binary integrity checks

  • Use tools like Tripwire or osquery to record a hash baseline of legitimate executables and the DLLs alongside them, and schedule daily diff scans to spot new or altered modules. A baseline only covers the directories it watches: a signed binary copied into a temp folder next to a rogue DLL, as in this campaign, never touches the vendor's install directory, so pair the baseline with image‑load monitoring.
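What such a baseline and diff look like in practice, as an added example rather than Tripwire or osquery output: a Python script that hashes every .exe and .dll under a root, stores the result as JSON, and classifies each difference on the next run. The temp‑directory scenario in demo() is constructed, with placeholder bytes standing in for real PE files.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# File types to baseline; the article's concern is executables and the DLLs they load.
MONITORED = {".exe", ".dll"}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map each exe/dll under root (relative, forward-slash path) to its SHA-256.
    Hashes rather than timestamps: an intruder can reset mtime, not a digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in MONITORED
    }


def save_baseline(baseline: dict[str, str], path: Path) -> None:
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict[str, str]:
    return json.loads(Path(path).read_text())


def diff_baseline(old: dict[str, str], new: dict[str, str]) -> dict[str, list[str]]:
    """Classify every difference: 'added' is where a dropped side-load DLL shows up,
    'changed' where a legitimate DLL has been overwritten in place."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario in a temp dir: baseline a vendor folder, then simulate
    an intruder overwriting one DLL and dropping another beside the signed exe."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "Fortemedia"
        app.mkdir()
        (app / "fmapp.exe").write_bytes(b"MZ placeholder for the signed vendor exe")
        (app / "fmapp.dll").write_bytes(b"MZ placeholder for the vendor dll")
        (app / "readme.txt").write_bytes(b"ignored: not a monitored type")
        store = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(tmp), store)

        # Day two: same exe, replaced fmapp.dll, new sentinelagentcore.dll.
        (app / "fmapp.dll").write_bytes(b"MZ rogue dll of the same name")
        (app / "sentinelagentcore.dll").write_bytes(b"MZ second rogue dll")
        return diff_baseline(load_baseline(store), build_baseline(tmp))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the stored baseline somewhere the monitored host cannot rewrite it, and refresh it only from a known‑good source such as the package that shipped the update; otherwise an intruder with write access simply re‑baselines their own changes. Because the diff is keyed on relative paths, a signed executable copied to a new location outside the watched roots produces nothing here at all, which is the gap the image‑load rule in step 1 is meant to close.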

What to watch for next

MuddyWater’s shift toward “quiet, disciplined operations” suggests they will continue to blend trusted binaries, open‑source tools, and custom payloads. Security teams should therefore:

  • Prioritize behavioral detection over static signatures.
  • Review software supply chain policies to ensure that third‑party binaries are vetted before they enter production environments.
  • Keep an eye on Iran‑linked threat intel feeds for updates on the group’s infrastructure, especially the IP address 157.20.182[.]49 that has been used for C2.

Stay vigilant – the tools may be familiar, but the way they are combined can turn ordinary binaries into powerful espionage platforms.
