The Iranian state-sponsored hacking group MuddyWater has launched a new cyberespionage campaign targeting organizations in nine countries, according to security researchers. The group is using DLL side-loading techniques to bypass security measures and deploy malicious payloads.
Key Details
The campaign, active as of May 2026, focuses on government, telecommunications, and energy sectors across Europe, the Middle East, and North America. MuddyWater, also known as Mango Sandstorm or Seedworm, has consistently used sophisticated tactics to evade detection. This latest operation follows previous attacks where the group posed as ransomware operators.
Security analysts noted that the hackers are abusing the way legitimate applications locate and load their DLLs, placing malicious DLL files where those trusted programs will pick them up. Because the malicious code then runs inside a trusted process, it is less likely to be flagged by security tools. Victims include entities in Israel, Turkey, and several EU nations.
Background
MuddyWater has been active since at least 2017 and is linked to Iran’s Ministry of Intelligence. The group often conducts false flag operations, disguising its activities as ransomware or criminal cyberattacks. DLL side-loading is among its preferred techniques, enabling long-term access to compromised systems.
Recent arrests, including the alleged Kimwolf botmaster Dort, have highlighted global efforts to counter cyber threats. However, state-sponsored groups like MuddyWater remain persistent.
What’s Next
Security firms recommend organizations update software, monitor DLL loading behavior, and implement strict application whitelisting. MuddyWater’s operations are expected to continue, with potential shifts in tactics.
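As an added illustration of the DLL-loading monitoring the article recommends (example code written for this page, not from the researchers, MuddyWater reporting, or any vendor tool), the following Python script scores Sysmon-style image-load records for the hallmarks of DLL side-loading: a DLL loaded from a user-writable directory beside its host executable, a DLL carrying a well-known system DLL name but resolving outside the Windows system directories, and an unsigned DLL outside those directories. The pipe-separated log format, the watched-DLL list, the directory lists and the sample records are all assumptions constructed for the example; Sysmon Event ID 7 does carry Image, ImageLoaded and Signed fields, but the parser here reads a simplified text rendering of them.

```python
"""Heuristic DLL side-loading detection over Sysmon-style image-load records.

Added example for this page, not code from the article or any vendor.
The log format, directory lists, watched DLL names and sample records are
constructed assumptions; a real deployment would read Sysmon Event ID 7 data.
"""
from pathlib import PureWindowsPath

# Directories a standard user can write to. A legitimate signed executable
# copied here next to a same-named DLL is the classic side-loading layout.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
)

# Where Windows' own DLLs legitimately live (lower-cased for comparison).
SYSTEM_DIRS = (
    "c:\\windows\\system32",
    "c:\\windows\\syswow64",
)

# DLL names normally supplied by the OS; seeing one resolve elsewhere is a
# strong hint that an application's search order was hijacked. (Constructed
# list for this example; tune it to the binaries seen in your environment.)
WATCHED_DLL_NAMES = {"version.dll", "dbghelp.dll", "cryptbase.dll",
                     "wtsapi32.dll", "dwmapi.dll"}

# Constructed sample records in a simplified "Key: Value | Key: Value" form.
SAMPLE_LOG = """\
Image: C:\\Windows\\System32\\svchost.exe | ImageLoaded: C:\\Windows\\System32\\version.dll | Signed: true
Image: C:\\Program Files\\Vendor\\app.exe | ImageLoaded: C:\\Program Files\\Vendor\\helper.dll | Signed: true
Image: C:\\Users\\alice\\AppData\\Roaming\\Updater\\signedtool.exe | ImageLoaded: C:\\Users\\alice\\AppData\\Roaming\\Updater\\version.dll | Signed: false
Image: C:\\Users\\bob\\Downloads\\installer.exe | ImageLoaded: C:\\Users\\bob\\Downloads\\setup.dll | Signed: true
"""


def parse_log(text: str) -> list[dict]:
    """Parse the simplified log lines above into one dict per image-load event."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = {}
        for part in line.split(" | "):
            key, _, value = part.partition(": ")
            fields[key.strip()] = value.strip()
        events.append(fields)
    return events


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def score_image_load(event: dict) -> list[str]:
    """Return the side-loading indicators that fire for one image-load event."""
    image = _norm(event["Image"])          # host process executable
    loaded = _norm(event["ImageLoaded"])   # DLL that was mapped into it
    reasons = []

    image_dir = str(PureWindowsPath(image).parent)
    loaded_dir = str(PureWindowsPath(loaded).parent)
    dll_name = PureWindowsPath(loaded).name
    in_user_writable = loaded.startswith(USER_WRITABLE_PREFIXES)
    in_system_dir = loaded_dir in SYSTEM_DIRS

    # 1. DLL sits beside its host executable in a directory any user can write to.
    if image_dir == loaded_dir and in_user_writable:
        reasons.append("dll loaded from user-writable directory beside the executable")
    # 2. An OS DLL name resolved somewhere other than the system directories.
    if dll_name in WATCHED_DLL_NAMES and not in_system_dir:
        reasons.append(f"{dll_name} resolved outside the system directories")
    # 3. Unsigned DLL mapped from outside the system directories (weak on its own:
    #    vendors do ship unsigned helpers, hence the two-indicator threshold below).
    if event.get("Signed", "").lower() != "true" and not in_system_dir:
        reasons.append("unsigned dll outside the system directories")
    return reasons


def find_sideloads(events: list[dict], min_indicators: int = 2) -> list[dict]:
    """Flag events where at least `min_indicators` indicators fire together."""
    hits = []
    for event in events:
        reasons = score_image_load(event)
        if len(reasons) >= min_indicators:
            hits.append({"image": event["Image"], "dll": event["ImageLoaded"],
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_sideloads(parse_log(SAMPLE_LOG)):
        print(f"SUSPECT {hit['image']} <- {hit['dll']}")
        for reason in hit["reasons"]:
            print(f"   - {reason}")
```

Run on the constructed records, only the third event is flagged (all three indicators fire); the Downloads installer loading its own setup.dll trips just one indicator and stays below the threshold. Requiring two indicators is the design choice that keeps unsigned vendor helpers in Program Files from flooding an analyst's queue, while a watched-name DLL in a user-writable folder still surfaces even when it is signed.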