A new threat intelligence report from WatchGuard is warning organisations worldwide to strengthen behavioural detection capabilities after uncovering an espionage campaign by the Iran-linked threat group MuddyWater that successfully targeted high-value organisations across four continents. The report details how the group, also known as Seedworm, hit organisations across manufacturing, aviation, financial services, education, professional services and the public sector during the first quarter of 2026. The campaign coincides with escalating geopolitical tensions involving Iran, although researchers note the activity began before the latest conflict between Iran, Israel and the United States intensified.
WatchGuard describes the campaign as a high-risk espionage operation designed to steal credentials, intellectual property and sensitive organisational data while remaining hidden inside victim networks for extended periods.
One of the best-documented intrusions saw attackers maintain access to a major South Korean electronics manufacturer for an entire week in February, carrying out reconnaissance, stealing credentials, capturing screenshots and repeatedly exfiltrating data without being detected. Other confirmed targets included government agencies, airports, industrial manufacturers, financial services providers and educational institutions across multiple regions.
Unlike traditional malware campaigns, MuddyWater relied heavily on legitimate software to disguise its activity. The attackers abused trusted applications, including signed Fortemedia and SentinelOne binaries, to load malicious code through DLL side-loading techniques. They also used Node.js to orchestrate malicious scripts, avoiding the PowerShell activity that many security products monitor more closely.
The campaign also deployed ChromElevator, a publicly available tool capable of extracting passwords, browser cookies and payment information from Chromium-based browsers by bypassing Google’s App-Bound Encryption protections. Rather than using dedicated attacker infrastructure, stolen data was transferred through the legitimate file-sharing service sendit.sh, helping malicious traffic blend into normal network activity.
“The technique relies on trusted software and public services, so it does not appear to be classic malware,” said Corey Nachreiner, Chief Security Officer at WatchGuard Technologies. “Detection depends on behavioural monitoring, not signatures. Organisations should adopt behavioural detection for living-off-the-land and trusted-binary abuse because signature-only controls will not catch this tradecraft.”
The report warns that organisations using Chromium-based browsers, including Chrome, Microsoft Edge, Brave, Opera and Vivaldi, should consider themselves potential targets, particularly where endpoints contain valuable corporate or intellectual property data. Traditional signature-based detection alone is unlikely to identify this activity because many of the tools involved are legitimate and widely used.
Instead, WatchGuard recommends organisations prioritise behavioural monitoring, hunt for indicators of compromise across at least six months of endpoint and network logs, monitor for suspicious DLL side-loading activity and investigate unusual process chains involving Node.js launching PowerShell or command-line processes. Organisations are also advised to reset passwords and browser sessions where compromise is suspected, enforce multi-factor authentication and review outbound connections to public file transfer services that may be used for data exfiltration.
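The three behavioural checks the report recommends (a script runtime spawning a shell, a signed binary side-loading an unsigned DLL from its own directory, and outbound connections to a public file-transfer service) can be expressed as simple rules over endpoint telemetry. The script below is an added example and is not part of the WatchGuard report; the event fields loosely follow Sysmon-style process-create, image-load and network-connect records, the sample events are constructed, and the executable name `signed_vendor_app.exe` is a placeholder rather than any binary named in the article.

```python
"""Behavioural triage of endpoint telemetry for the tradecraft described above.

Constructed sample events (not real telemetry); the field names are an
assumption of this example and loosely follow Sysmon-style records.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable

# Child processes whose launch by a script runtime is worth a second look.
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Script runtimes that rarely have a reason to spawn a shell on a workstation.
SCRIPT_RUNTIMES = {"node.exe"}
# Public file-transfer services named in the report as an exfiltration channel.
EXFIL_SERVICES = {"sendit.sh"}
# Directories from which a signed binary legitimately loads system DLLs.
TRUSTED_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass
class Event:
    kind: str                 # "process", "image_load" or "network"
    image: str                # full path of the acting process
    parent_image: str = ""    # process events only
    image_signed: bool = True
    loaded: str = ""          # image_load events: path of the DLL loaded
    loaded_signed: bool = True
    dest_host: str = ""       # network events only
    pid: int = 0


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def suspicious_process_chains(events: Iterable[Event]) -> list[str]:
    """Flag a script runtime (e.g. node.exe) spawning PowerShell or cmd."""
    hits = []
    for e in events:
        if e.kind != "process":
            continue
        if _name(e.parent_image) in SCRIPT_RUNTIMES and _name(e.image) in SHELL_CHILDREN:
            hits.append(f"pid {e.pid}: {_name(e.parent_image)} -> {_name(e.image)}")
    return hits


def possible_dll_sideloads(events: Iterable[Event]) -> list[str]:
    """Flag a signed executable loading an unsigned DLL from its own directory.

    Side-loading abuses the loader's search order: a DLL placed beside a
    trusted binary is found before the genuine copy in System32.
    """
    hits = []
    for e in events:
        if e.kind != "image_load" or not e.image_signed or e.loaded_signed:
            continue
        if _dir(e.loaded) == _dir(e.image) and _dir(e.loaded) not in TRUSTED_DLL_DIRS:
            hits.append(f"pid {e.pid}: {_name(e.image)} loaded unsigned {e.loaded}")
    return hits


def exfil_service_connections(events: Iterable[Event]) -> list[str]:
    """Flag outbound connections to watch-listed public file-transfer services."""
    hits = []
    for e in events:
        if e.kind != "network":
            continue
        host = e.dest_host.lower().rstrip(".")
        if any(host == s or host.endswith("." + s) for s in EXFIL_SERVICES):
            hits.append(f"pid {e.pid}: {_name(e.image)} -> {host}")
    return hits


# Constructed telemetry: a benign node.exe launch, a shell spawned by node.exe,
# one abused signed binary, one legitimate system DLL load, one upload to the
# file-sharing service and one ordinary browser connection.
SAMPLE_EVENTS = [
    Event("process", r"C:\Program Files\nodejs\node.exe",
          parent_image=r"C:\Windows\explorer.exe", pid=100),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent_image=r"C:\Program Files\nodejs\node.exe", pid=101),
    Event("image_load", r"C:\Users\Public\Audio\signed_vendor_app.exe",   # placeholder name
          loaded=r"C:\Users\Public\Audio\version.dll", loaded_signed=False, pid=102),
    Event("image_load", r"C:\Windows\System32\svchost.exe",
          loaded=r"C:\Windows\System32\version.dll", pid=4),
    Event("network", r"C:\Program Files\nodejs\node.exe",
          dest_host="upload.sendit.sh", pid=100),
    Event("network", r"C:\Program Files\Mozilla Firefox\firefox.exe",
          dest_host="example.com", pid=200),
]


def triage(events: Iterable[Event]) -> dict[str, list[str]]:
    """Run all three checks and group findings by category."""
    events = list(events)
    return {
        "process_chains": suspicious_process_chains(events),
        "dll_sideloads": possible_dll_sideloads(events),
        "exfil_services": exfil_service_connections(events),
    }


if __name__ == "__main__":
    for category, findings in triage(SAMPLE_EVENTS).items():
        print(category, findings)
```

Each rule is deliberately narrow so it can be tuned against a site's own baseline: the side-loading check only fires when the loading process is signed and the DLL is both unsigned and co-located with it, which is the pattern the report describes, and the exfiltration watch-list is a set that can be extended with whatever public transfer services an organisation does not use for business.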
“Within the current geopolitical landscape, beyond attacks on critical infrastructure, one of the greatest concerns for governments, organisations and industries is cyber espionage. Data is gold. The goal is not to cause disruption, but to monitor, copy credentials and remain undetected for as long as possible,” Nachreiner continued.
The report concludes that geopolitical tensions are increasingly translating into sustained cyber espionage campaigns against commercial organisations, with intellectual property and sensitive business information becoming valuable strategic targets alongside government intelligence. As a result, organisations should prepare for stealthy, long-duration attacks that prioritise persistence and credential theft over immediate disruption.