IT Security Guru

Iran-linked MuddyWater espionage campaign targets organisations across four continents

by Guru Writer
July 1, 2026
in Featured

A new threat intelligence report from WatchGuard is warning organisations worldwide to strengthen behavioural detection capabilities after uncovering an espionage campaign by the Iran-linked threat group MuddyWater that successfully targeted high-value organisations across four continents. The report details how the group, also known as Seedworm, targeted organisations across manufacturing, aviation, financial services, education, professional services and the public sector during the first quarter of 2026. The campaign coincides with escalating geopolitical tensions involving Iran, although researchers note the activity began before the latest conflict between Iran, Israel and the United States intensified.

WatchGuard describes the campaign as a high-risk espionage operation designed to steal credentials, intellectual property and sensitive organisational data while remaining hidden inside victim networks for extended periods.

One of the best-documented intrusions saw attackers maintain access to a major South Korean electronics manufacturer for an entire week in February, carrying out reconnaissance, stealing credentials, capturing screenshots and repeatedly exfiltrating data without being detected. Other confirmed targets included government agencies, airports, industrial manufacturers, financial services providers and educational institutions across multiple regions.

Unlike traditional malware campaigns, MuddyWater relied heavily on legitimate software to disguise its activity. The attackers abused trusted applications, including signed Fortemedia and SentinelOne binaries, to load malicious code through DLL side-loading techniques. They also used Node.js to orchestrate malicious scripts, avoiding the PowerShell activity that many security products monitor more closely.

The campaign also deployed ChromElevator, a publicly available tool capable of extracting passwords, browser cookies and payment information from Chromium-based browsers by bypassing Google’s App-Bound Encryption protections. Rather than using dedicated attacker infrastructure, stolen data was transferred through the legitimate file-sharing service sendit.sh, helping malicious traffic blend into normal network activity.

“The technique relies on trusted software and public services, so it does not appear to be classic malware,” said Corey Nachreiner, Chief Security Officer at WatchGuard Technologies. “Detection depends on behavioural monitoring, not signatures. Organisations should adopt behavioural detection for living-off-the-land and trusted-binary abuse because signature-only controls will not catch this tradecraft.”

The report warns that organisations using Chromium-based browsers, including Chrome, Microsoft Edge, Brave, Opera and Vivaldi, should consider themselves potential targets, particularly where endpoints contain valuable corporate or intellectual property data. Traditional signature-based detection alone is unlikely to identify this activity because many of the tools involved are legitimate and widely used.

Instead, WatchGuard recommends organisations prioritise behavioural monitoring, hunt for indicators of compromise across at least six months of endpoint and network logs, monitor for suspicious DLL side-loading activity and investigate unusual process chains involving Node.js launching PowerShell or command-line processes. Organisations are also advised to reset passwords and browser sessions where compromise is suspected, enforce multi-factor authentication and review outbound connections to public file transfer services that may be used for data exfiltration.
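Two of those hunting recommendations, the Node.js-to-shell process chain and outbound connections to a public file-transfer service, can be expressed as simple behavioural rules over endpoint telemetry. The following is an added illustration, not WatchGuard's tooling or anything from the report; the event field names and the sample events are constructed, loosely modelled on Sysmon process-creation and network-connection records.

```python
from pathlib import PureWindowsPath

# The unusual parent/child chain the report says to investigate:
# Node.js launching PowerShell or a command-line shell.
SCRIPT_HOSTS = {"node.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Public file-transfer services to review in outbound traffic. sendit.sh is
# the one named in the report; extend with services your organisation does not sanction.
FILE_TRANSFER_HOSTS = {"sendit.sh"}

def _basename(image: str) -> str:
    return PureWindowsPath(image).name.lower()

def _host_matches(hostname: str, watched: set) -> bool:
    """True for the watched domain itself or any subdomain of it."""
    host = hostname.lower().rstrip(".")
    return any(host == w or host.endswith("." + w) for w in watched)

def hunt(events: list) -> list:
    """Return one finding per event that matches either behavioural rule."""
    findings = []
    for ev in events:
        if ev["type"] == "process_create":
            parent, child = _basename(ev["ParentImage"]), _basename(ev["Image"])
            if parent in SCRIPT_HOSTS and child in SHELL_CHILDREN:
                findings.append({"rule": "nodejs_spawns_shell", "host": ev["host"],
                                 "detail": f"{parent} -> {child}: {ev['CommandLine']}"})
        elif ev["type"] == "network_connect":
            if _host_matches(ev["DestinationHostname"], FILE_TRANSFER_HOSTS):
                findings.append({"rule": "public_file_transfer_egress", "host": ev["host"],
                                 "detail": f"{_basename(ev['Image'])} -> {ev['DestinationHostname']}"})
    return findings

# Constructed sample telemetry: two benign events and two that should fire.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "ws01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"type": "process_create", "host": "ws01", "ParentImage": r"C:\Program Files\nodejs\node.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File update.ps1"},
    {"type": "network_connect", "host": "ws01", "Image": r"C:\Program Files\nodejs\node.exe",
     "DestinationHostname": "sendit.sh"},
    {"type": "network_connect", "host": "ws02", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "www.example.com"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["rule"], finding["host"], finding["detail"])
```

Running it against real telemetry means mapping your EDR or Sysmon fields onto the same keys; the rules themselves need no signatures, which is the point the report makes about trusted-binary abuse.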

“Within the current geopolitical landscape, beyond attacks on critical infrastructure, one of the greatest concerns for governments, organisations and industries is cyber espionage. Data is gold. The goal is not to cause disruption, but to monitor, copy credentials and remain undetected for as long as possible,” Nachreiner continued.

The report concludes that geopolitical tensions are increasingly translating into sustained cyber espionage campaigns against commercial organisations, with intellectual property and sensitive business information becoming valuable strategic targets alongside government intelligence. As a result, organisations should prepare for stealthy, long-duration attacks that prioritise persistence and credential theft over immediate disruption.
