Iranian hackers linked to the MuddyWater cyber-espionage group reportedly targeted a major South Korean electronics manufacturer during a broader global intrusion campaign. Security researchers stated that the operation affected organizations across several industries, including government agencies, financial institutions, industrial companies, airports, and educational organizations.
Researchers at Symantec attributed the activity to MuddyWater, an Iran-linked threat group also tracked under names including Seedworm and Static Kitten. The group has previously been connected to cyber-espionage campaigns targeting critical infrastructure, telecommunications providers, and government systems.
According to investigators, the attackers remained inside the South Korean company’s network for roughly one week during February 2026.
Attackers Relied on Legitimate Software
Researchers stated that the campaign relied heavily on DLL sideloading techniques designed to avoid detection by security tools.
The attackers reportedly abused legitimate signed applications to load malicious DLL files inside trusted processes. According to Symantec, the campaign involved software components connected to Fortemedia and SentinelOne products.
Investigators said the attackers used the compromised processes to deploy additional malware, maintain persistence, and collect information from infected systems.
The operation also involved ChromElevator, a post-exploitation tool capable of extracting data stored inside Chromium-based browsers.
Researchers observed extensive PowerShell activity throughout the intrusion. According to reports, the attackers used scripts for:
- System reconnaissance
- Screenshot collection
- Credential theft
- Persistence creation
- Malware delivery
- SOCKS5 tunneling
The campaign also relied on Node.js-based loaders to execute payloads and manage communications inside compromised environments.
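The sideloading pattern described above has a simple telemetry signature: a signed, trusted executable loads a DLL from its own directory that is unsigned or signed by a different publisher, typically from a user-writable path rather than Program Files or System32. The following added example (not Symantec's tooling or code from the article) scores image-load records shaped like Sysmon Event ID 7 fields against that rule and counts repeated hits, so a binary relaunched to regain access shows up as a count. All events, paths and publisher names are constructed placeholders.

```python
"""Heuristic detector for DLL sideloading from image-load telemetry.

Added example, not code from the article or from Symantec. Assumes records
with the loading process image, the loaded DLL path, and the Authenticode
signer (or None) of each. All sample events are constructed.
"""
from collections import Counter
from pathlib import PureWindowsPath

# Directories where a signed binary legitimately lives. A signed process
# running from outside these roots is the first sideloading signal.
TRUSTED_ROOTS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)

# Constructed image-load events (publisher names are placeholders).
SAMPLE_EVENTS = [
    # Benign: signed vendor app in Program Files loads its own signed DLL.
    {"host": "ws01", "image": r"C:\Program Files\Vendor\app.exe",
     "image_signer": "Vendor Inc",
     "dll": r"C:\Program Files\Vendor\helper.dll", "dll_signer": "Vendor Inc"},
    # Suspicious: same signed app copied to Temp, loading an unsigned DLL beside it.
    {"host": "ws02", "image": r"C:\Users\alice\AppData\Local\Temp\app.exe",
     "image_signer": "Vendor Inc",
     "dll": r"C:\Users\alice\AppData\Local\Temp\helper.dll", "dll_signer": None},
    # Suspicious: signed app loads a DLL signed by an unrelated publisher.
    {"host": "ws02", "image": r"C:\ProgramData\tool\agent.exe",
     "image_signer": "Vendor Inc",
     "dll": r"C:\ProgramData\tool\helper.dll", "dll_signer": "Someone Else"},
    # Benign: unsigned dev tool loading an unsigned DLL (no trusted host to abuse).
    {"host": "ws03", "image": r"C:\Users\bob\dev\build.exe",
     "image_signer": None,
     "dll": r"C:\Users\bob\dev\plugin.dll", "dll_signer": None},
    # The ws02 Temp event again: the sideloaded binary was relaunched.
    {"host": "ws02", "image": r"C:\Users\alice\AppData\Local\Temp\app.exe",
     "image_signer": "Vendor Inc",
     "dll": r"C:\Users\alice\AppData\Local\Temp\helper.dll", "dll_signer": None},
]


def _under_trusted_root(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(root) for root in TRUSTED_ROOTS)


def is_sideload_candidate(ev: dict) -> bool:
    """True when a signed process loads a DLL from its own directory that is
    unsigned or signed by a different publisher, outside the trusted roots."""
    if not ev["image_signer"]:
        return False  # no trusted host process for the DLL to hide inside
    image_dir = str(PureWindowsPath(ev["image"]).parent).lower()
    dll_dir = str(PureWindowsPath(ev["dll"]).parent).lower()
    if image_dir != dll_dir:
        return False  # classic sideloading resolves the DLL from the exe's directory
    if _under_trusted_root(ev["dll"]):
        return False
    return ev["dll_signer"] != ev["image_signer"]


def find_sideloads(events):
    """Return {(host, image, dll): count} for candidate events, so repeated
    relaunches of the same sideloaded binary are visible as a count."""
    hits = Counter()
    for ev in events:
        if is_sideload_candidate(ev):
            hits[(ev["host"], ev["image"], ev["dll"])] += 1
    return dict(hits)


if __name__ == "__main__":
    for (host, image, dll), n in find_sideloads(SAMPLE_EVENTS).items():
        print(f"{host}: {image} loaded {dll} ({n} load(s))")
```

The same-directory check is deliberate: a DLL resolved from the executable's own folder is the search-order behaviour sideloading relies on, while a signed app loading a third-party DLL from System32 is normal. In production the signer comparison should use the certificate subject from the image-load event rather than a free-text publisher string.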
South Korean Company Faced Espionage Activity
Symantec researchers stated that the intrusion involving the South Korean electronics company took place between February 20 and February 27, 2026. The affected organization was not publicly identified.
Investigators reported that the attackers initially focused on reconnaissance before moving toward credential theft and long-term persistence techniques.
According to researchers, the operation involved:
- Fake Windows credential prompts
- Theft of registry hive data
- Kerberos ticket abuse
- Registry-based persistence
- Scheduled beaconing activity
The attackers reportedly relaunched sideloaded binaries multiple times to maintain access inside compromised systems.
Researchers also stated that the group used sendit.sh, a legitimate file-sharing service, for data exfiltration. The tactic likely helped the attackers blend malicious traffic into normal cloud-related activity and reduce detection risks.
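Scheduled beaconing and exfiltration through a legitimate file-sharing service both leave a shape in outbound connection logs even when the traffic itself looks ordinary: beacons arrive at a steady cadence, and an exfil drop is a large upload to a destination that is rarely a business dependency. The following added example (not code from the article or from Symantec) runs both checks over constructed proxy-style records. sendit.sh is taken from the article; the other watchlist entry and all hostnames are placeholders.

```python
"""Detect scheduled beaconing and large uploads to file-sharing services
from outbound connection logs.

Added example, not code from the article or from Symantec. Assumes records
of (host, destination, unix timestamp, bytes sent), the shape of a proxy or
Sysmon network log. All records below are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Legitimate services that also serve as exfiltration drops.
# sendit.sh is named in the article; the second entry is a placeholder.
FILE_SHARING_WATCHLIST = {"sendit.sh", "example-file-drop.invalid"}

# Constructed log: (host, destination, unix timestamp, bytes sent)
SAMPLE_CONNECTIONS = [
    # ws02 contacts one host every 300 s with tiny payloads: beacon-like.
    *[("ws02", "cdn-update.example.net", 1_700_000_000 + 300 * i, 512)
      for i in range(8)],
    # ws02 then pushes a large upload to a file-sharing service.
    ("ws02", "sendit.sh", 1_700_001_900, 48_000_000),
    # ws01 browses a site at irregular intervals: not beacon-like.
    ("ws01", "news.example.org", 1_700_000_000, 2000),
    ("ws01", "news.example.org", 1_700_000_037, 2000),
    ("ws01", "news.example.org", 1_700_000_800, 2000),
    ("ws01", "news.example.org", 1_700_003_100, 2000),
    ("ws01", "news.example.org", 1_700_003_160, 2000),
    ("ws01", "news.example.org", 1_700_009_000, 2000),
]


def beacon_candidates(conns, min_count=6, max_cv=0.2):
    """Return {(host, dest): mean_interval_s} for pairs whose inter-arrival
    times are regular: coefficient of variation (stdev / mean) <= max_cv."""
    times = defaultdict(list)
    for host, dest, ts, _ in conns:
        times[(host, dest)].append(ts)
    out = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_count:
            continue  # too few samples to judge cadence
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        mu = mean(gaps)
        if mu > 0 and pstdev(gaps) / mu <= max_cv:
            out[key] = mu
    return out


def file_sharing_uploads(conns, min_bytes=10_000_000):
    """Return [(host, dest, bytes)] for large uploads to watchlisted services."""
    return [(h, d, b) for h, d, _, b in conns
            if d in FILE_SHARING_WATCHLIST and b >= min_bytes]


if __name__ == "__main__":
    for (host, dest), interval in beacon_candidates(SAMPLE_CONNECTIONS).items():
        print(f"beacon-like: {host} -> {dest} every {interval:.0f}s")
    for host, dest, nbytes in file_sharing_uploads(SAMPLE_CONNECTIONS):
        print(f"large upload: {host} -> {dest} ({nbytes} bytes)")
```

Real beacons usually add jitter, so the coefficient-of-variation threshold should be tuned against a baseline of known-good periodic traffic (update checks, telemetry agents) rather than set to zero; the upload check is most useful when the watchlist is joined to an allow-list of services the business actually uses.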
MuddyWater Continues Expanding Its Operations
Researchers described the campaign as notable because of its broad international targeting and increasingly stealth-focused techniques.
Historically, MuddyWater operations concentrated heavily on Middle Eastern government entities and telecommunications infrastructure. However, investigators stated that the latest campaign expanded into additional industries and regions.
The operation reportedly targeted:
- Government organizations
- Industrial manufacturers
- Airports
- Financial institutions
- Educational organizations
Security researchers believe the campaign focused heavily on cyber-espionage, industrial intelligence gathering, and long-term access opportunities.
The intrusion also demonstrated how state-linked threat actors increasingly rely on legitimate software, cloud services, and trusted enterprise tools to bypass security defenses.
Conclusion
The latest campaign involving Iranian hackers highlights how state-linked cyber-espionage groups continue refining stealth-focused intrusion techniques. By abusing legitimate software and trusted applications, the attackers reportedly maintained access inside multiple organizations while reducing the likelihood of detection.
The attack targeting a major South Korean electronics manufacturer also reflects growing concerns around industrial espionage and supply-chain intelligence gathering. As threat groups continue evolving their tactics, organizations may face increasing challenges in detecting long-term compromise activity across enterprise networks.