ctipilot.ch

MuddyWater / Seedworm Q1 2026 — Symantec documents DLL side-loading via signed Fortemedia / SentinelOne binaries; ChromElevator ABE bypass; Node.js orchestration

campaign · item:muddywater-seedworm-fortemedia-sentinelone-dll-sideload-chromelevator-nodejs

  • Coverage timeline: 1 (first 2026-05-28 → last 2026-05-28)
  • Briefs: 1 (1 distinct)
  • Sources cited: 8 (8 hosts)
  • Sections touched: 1 (research)
  • Co-occurring entities: 2 (see Related entities below)

Story timeline

  1. 2026-05-28 · CTI Daily Brief — 2026-05-28
    research · First coverage of this Symantec disclosure. Q1 2026 campaign across 9 organisations, 9 countries, 4 continents — manufacturing, education, public-sector, finance, aviation. Differentiating TTPs: (1) DLL side-loading via signed third-party binaries (fmapp.exe + sentinelmemoryscanner.exe), (2) Node.js as orchestration parent of cmd.exe/PowerShell. Materially new vs prior MuddyWater coverage.

Where this entity is cited

  • research (1)

Source distribution

  • bleepingcomputer.com: 1 (12%)
  • deepinstinct.com: 1 (12%)
  • industrialcyber.co: 1 (12%)
  • rapid7.com: 1 (12%)
  • security.com: 1 (12%)
  • securityweek.com: 1 (12%)
  • thehackernews.com: 1 (12%)
  • cloud.google.com: 1 (12%)

Related entities

All cited sources (8)

Items in briefs about MuddyWater / Seedworm Q1 2026 — Symantec documents DLL side-loading via signed Fortemedia / SentinelOne binaries; ChromElevator ABE bypass; Node.js orchestration (3)

MuddyWater / Seedworm — Symantec and Carbon Black document new DLL-side-loading pair via signed Fortemedia and SentinelOne binaries, ChromElevator for Chromium App-Bound Encryption bypass, Node.js orchestration

From CTI Daily Brief — 2026-05-28 · published 2026-05-28

Symantec's Threat Hunter Team and Broadcom's Carbon Black published findings on 2026-05-12 documenting a Q1 2026 MuddyWater (a.k.a. Seedworm, Static Kitten, MERCURY, TEMP.Zagros — attributed to Iran's Ministry of Intelligence and Security) espionage campaign across at least nine organisations on four continents. The story resurfaced this run via fresh aggregator coverage on 2026-05-26 (The Hacker News) and is included in the window on that basis. Named victim categories include industrial and electronics manufacturing, education and public-sector bodies, financial services, and an international airport in the Middle East (Symantec / Broadcom Threat Intelligence, 2026-05-12; The Hacker News, 2026-05-26; Industrial Cyber, 2026-05-13).

The differentiating TTPs relative to prior MuddyWater coverage are twofold. First, DLL side-loading via two legitimately signed third-party host binaries, each paired with a malicious DLL: the Fortemedia audio-driver binary fmapp.exe side-loads a malicious fmapp.dll, and SentinelOne's sentinelmemoryscanner.exe side-loads a rogue sentinelagentcore.dll — abuse of a signed security-product binary specifically chosen to bypass signature-based detection. Both malicious DLLs embed ChromElevator, an open-source post-exploitation tool that bypasses Chromium App-Bound Encryption to extract passwords, cookies and payment-card data without triggering AV. Second, orchestration moved to Node.js: node.exe appears as a parent-process ancestor of cmd.exe before any operator commands, i.e. a Node.js script (not a human operator) drives the kill chain. PowerShell scripts pulled from a staging server perform discovery (T1087, T1482), screenshot capture, SAM-hive theft via VSS (T1003.002), and SOCKS5 reverse-proxy tunnelling (T1090.003). A credential harvester calls CredUIPromptForWindowsCredentialsW to display a Windows security dialogue and trick targets into entering credentials. A Kerberos TGT extractor using GSS-API was also observed.

Why it matters to us: signed-binary side-loading abusing a security-product binary is the highest-value evasion class — signature-based controls are bypassed by design. Detection: Sysmon EID 7 image-loads from fmapp.exe or sentinelmemoryscanner.exe outside their expected installation directories; alert on node.exe as a parent of cmd.exe or powershell.exe -enc in non-developer environments; flag CredUIPromptForWindowsCredentialsW calls from non-standard parents. Hardening: AppLocker / WDAC enforcing signed-and-known-path DLL loads; restrict node.exe execution to development OUs.
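The three detections above, applied to constructed Sysmon-style records, as an added example that is not code from the brief, Symantec or Carbon Black. It assumes placeholder values the page does not give: the expected installation directories for fmapp.exe and sentinelmemoryscanner.exe, the names of developer hosts where node.exe spawning shells is normal, and the set of processes allowed to raise the Windows credential prompt (the CredUI check also assumes an EDR-style API-telemetry record, since Sysmon itself does not log API calls).

```python
"""Added example (not from the brief, Symantec or Carbon Black): triage constructed
Sysmon-style events against the three detections the brief proposes.
EXPECTED_DIRS, DEV_HOSTS and ALLOWED_CREDUI_CALLERS are placeholder assumptions."""
from pathlib import PureWindowsPath

# Assumption: where each side-loading host binary is expected to be installed.
EXPECTED_DIRS = {
    "fmapp.exe": (r"c:\program files\fortemedia",),
    "sentinelmemoryscanner.exe": (r"c:\program files\sentinelone",),
}
# Assumption: developer hosts where node.exe launching a shell is routine.
DEV_HOSTS = {"dev-build-01"}
# Assumption: processes allowed to call CredUIPromptForWindowsCredentialsW.
ALLOWED_CREDUI_CALLERS = {r"c:\windows\explorer.exe"}


def _name(path):
    return PureWindowsPath(path).name.lower()


def _parent_dir(path):
    return str(PureWindowsPath(path).parent).lower()


def sideload_outside_expected_dir(ev):
    """Sysmon EID 7: a known side-loading host binary running outside its install dir."""
    if ev.get("EventID") != 7:
        return None
    host = _name(ev["Image"])
    if host not in EXPECTED_DIRS:
        return None
    pd = _parent_dir(ev["Image"])
    if any(pd == d or pd.startswith(d + "\\") for d in EXPECTED_DIRS[host]):
        return None
    return f"R1 {host} at {ev['Image']} loaded {_name(ev['ImageLoaded'])} outside its expected directory"


def node_spawning_shell(ev):
    """Sysmon EID 1: node.exe as parent of cmd.exe, or of powershell.exe -enc, off developer hosts."""
    if ev.get("EventID") != 1 or _name(ev["ParentImage"]) != "node.exe":
        return None
    if ev.get("Computer", "").lower() in DEV_HOSTS:
        return None
    child = _name(ev["Image"])
    cmdline = ev.get("CommandLine", "").lower()
    if child == "cmd.exe" or (child == "powershell.exe" and " -enc" in cmdline):
        return f"R2 node.exe spawned {child} on {ev['Computer']}: {ev['CommandLine']}"
    return None


def credui_from_unexpected_caller(ev):
    """Constructed API-telemetry record: credential prompt raised by an unlisted process."""
    if ev.get("EventID") != "api" or ev.get("Api") != "CredUIPromptForWindowsCredentialsW":
        return None
    if ev["Image"].lower() in ALLOWED_CREDUI_CALLERS:
        return None
    return f"R3 {ev['Api']} called from {ev['Image']}"


RULES = (sideload_outside_expected_dir, node_spawning_shell, credui_from_unexpected_caller)


def triage(events):
    """Return every rule hit, one string per (event, rule) match."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]


# Constructed sample telemetry, not real events from the campaign.
SAMPLE_EVENTS = [
    {"EventID": 7, "Computer": "ws-fin-07", "Image": r"C:\Users\Public\Music\fmapp.exe",
     "ImageLoaded": r"C:\Users\Public\Music\fmapp.dll"},
    {"EventID": 7, "Computer": "ws-fin-07", "Image": r"C:\Program Files\Fortemedia\fmapp.exe",
     "ImageLoaded": r"C:\Program Files\Fortemedia\fmapp.dll"},
    {"EventID": 7, "Computer": "ws-fin-07", "Image": r"C:\ProgramData\scan\sentinelmemoryscanner.exe",
     "ImageLoaded": r"C:\ProgramData\scan\sentinelagentcore.dll"},
    {"EventID": 1, "Computer": "ws-fin-07", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\Public\Music\node.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "Computer": "dev-build-01", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\nodejs\node.exe", "CommandLine": "powershell.exe -enc AAAA"},
    {"EventID": 1, "Computer": "ws-fin-07", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\Public\Music\node.exe", "CommandLine": "powershell.exe -File build.ps1"},
    {"EventID": "api", "Computer": "ws-fin-07", "Api": "CredUIPromptForWindowsCredentialsW",
     "Image": r"C:\Users\Public\Music\fmapp.exe"},
    {"EventID": "api", "Computer": "ws-fin-07", "Api": "CredUIPromptForWindowsCredentialsW",
     "Image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Of the eight constructed events, four fire: both side-loading hosts running from user-writable paths (R1), cmd.exe under node.exe on a finance workstation (R2), and the credential prompt raised by the relocated fmapp.exe (R3). The same host binary in its expected directory, the encoded PowerShell on a developer host, and a plain `-File` PowerShell under node.exe are all left alone, which is the trade-off the brief's "non-developer environments" qualifier implies.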

MuddyWater (Iran / MOIS) Chaos ransomware false-flag + Teams BEC

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

Current state: refreshed 2026 campaign documented by Rapid7 ("Muddying the Tracks") and corroborated this week by BleepingComputer and SecurityWeek. Per Rapid7 ("Operation Olalampo"), the campaign's observed victimology is construction, manufacturing, and business-services organisations in the U.S. and MENA regions; deploys Chaos ransomware with criminal-group branding to complicate attribution and delay IR triage; uses Microsoft Teams external-chat requests for an interactive screen-sharing helpdesk pretext to harvest credentials and manipulate MFA. Attribution evidence per Rapid7: a "Donald Gay" code-signing certificate, the moonzonet[.]com C2 domain, pythonw.exe process injection of suspended processes, and the Teams MFA-harvest tradecraft — all consistent with prior MuddyWater (Seedworm) operations attributed to Iran's Ministry of Intelligence and Security (Rapid7 — Muddying the Tracks: The State-Sponsored Shadow Behind Chaos Ransomware · BleepingComputer — MuddyWater hackers use Chaos ransomware as a decoy · SecurityWeek — Iranian APT intrusion masquerades as Chaos ransomware attack). M-Trends 2026 (§ 6) notes voice phishing surged to the second most prevalent initial-access vector at 11% with IT help-desk impersonation as a primary modality — MuddyWater's Teams variant of that pattern is operationally similar. Outstanding defender question: whether the same false-flag tradecraft expands across additional Chaos-branded incidents now that the attribution is public.

MuddyWater (Iran/MOIS) deploys Chaos ransomware as false flag; harvests credentials via Teams

From CTI Daily Brief — 2026-05-08 · published 2026-05-08

Security researchers documented a refreshed campaign by MuddyWater (attributed to Iran's Ministry of Intelligence and Security, MOIS), targeting government contractors and defence-adjacent organisations in Europe and the Middle East. The campaign deploys Chaos ransomware payloads with branding designed to mimic criminal ransomware groups — a deliberate false-flag technique intended to complicate attribution and delay incident response triage. A parallel social-engineering vector uses Microsoft Teams external-access invitations to gain remote-assistance sessions under a helpdesk pretext, after which credentials are harvested and used for further access via legitimate cloud services. Observed ATT&CK techniques: T1566.004 (Spearphishing via Teams), T1649 (Steal or Forge Authentication Certificates), T1486 (Data Encrypted for Impact). This is a single-source threat-intelligence vendor disclosure.