MuddyWater, an Iranian state-sponsored hacking group, has launched a fresh espionage campaign using DLL side-loading techniques against at least nine organizations spread across nine countries and four continents during the first quarter of 2026.

The Symantec and Carbon Black Threat Hunter Team identified the operation targeting five distinct sectors. Industrial and electronics manufacturing firms faced the highest exposure, alongside educational institutions, public-sector agencies, financial services providers, and professional services companies.

DLL side-loading abuses the way Windows applications locate and load their dynamic-link libraries. Attackers place a malicious DLL alongside a trusted, signed application so that the legitimate program loads the attacker's code in place of the library it expects. Because the host executable carries a valid digital signature, the technique evades security controls that focus on blocking suspicious executables.

MuddyWater operates as part of Iran's Ministry of Intelligence and Security infrastructure. The group has conducted cyber espionage operations since at least 2016, targeting government entities, financial institutions, and critical infrastructure across the Middle East, North Africa, and beyond.

The geographic spread of this campaign indicates escalating operational maturity. Targeting nine countries across four continents demonstrates either expanded resources or coordinated operations with other Iranian units. The sectoral diversity suggests reconnaissance-phase activity rather than directed sabotage, typical of MuddyWater's intelligence-gathering missions.

Organizations in affected sectors should implement strict application whitelisting controls and monitor for unsigned or mismatched DLL loading. Restricting DLL search paths and enabling Windows Defender Attack Surface Reduction rules can limit DLL side-loading exploitation vectors.
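The monitoring recommended above can be expressed as a few simple rules over image-load telemetry. The following is an added example written for this article, not code from Symantec, Carbon Black, or the article's author: it takes Sysmon-style ImageLoad (Event ID 7) records, with the host process and DLL signature fields flattened into a small dataclass, and flags the three patterns that characterize side-loading: a well-known system DLL name loaded from outside the Windows system directories, an unsigned DLL loaded from the directory of a signed host executable, and a DLL beside the host whose signer differs from the host's. The directory allow-list, the system DLL name list, and all sample events are constructed for the example.

```python
"""Flag suspicious DLL loads in Sysmon-style ImageLoad (Event ID 7) records.

Defensive heuristics implemented here (all thresholds are example choices):
  1. A DLL whose file name matches a well-known Windows system DLL is loaded
     from a directory other than the Windows system directories.
  2. A DLL in the host process's own directory has no valid signature while
     the host executable itself is validly signed.
  3. A DLL in the host's directory is signed by a different publisher than
     the host executable.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed allow-list of system directories (lower-case, no trailing slash).
SYSTEM_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
}

# Constructed sample of system DLL names that applications commonly resolve
# through the search order; a copy loaded from outside SYSTEM_DIRS is suspect.
SYSTEM_DLL_NAMES = {
    "version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptsp.dll", "userenv.dll",
}


@dataclass(frozen=True)
class ImageLoad:
    """Subset of Sysmon Event ID 7 fields, with signature info flattened."""
    process_image: str   # Image: the host executable
    image_loaded: str    # ImageLoaded: the DLL that was mapped
    image_signed: bool   # host: Signed == "true" and SignatureStatus == "Valid"
    image_signer: str    # host: Signature (publisher name)
    dll_signed: bool     # DLL: Signed == "true" and SignatureStatus == "Valid"
    dll_signer: str      # DLL: Signature (publisher name)


def _dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def classify(ev: ImageLoad) -> list[str]:
    """Return the names of the rules this event trips (empty list = benign)."""
    hits: list[str] = []
    dll_dir = _dir(ev.image_loaded)
    if dll_dir in SYSTEM_DIRS:
        return hits  # loads from the system directories are out of scope here

    if _name(ev.image_loaded) in SYSTEM_DLL_NAMES:
        hits.append("system_dll_outside_system_dir")

    same_dir = dll_dir == _dir(ev.process_image)
    if same_dir and ev.image_signed and not ev.dll_signed:
        hits.append("unsigned_dll_beside_signed_host")
    if (same_dir and ev.image_signed and ev.dll_signed
            and ev.dll_signer.lower() != ev.image_signer.lower()):
        hits.append("signer_mismatch_with_host")
    return hits


def scan(events) -> dict[str, list[str]]:
    """Map each flagged DLL path to the list of rules it tripped."""
    return {ev.image_loaded: h for ev in events if (h := classify(ev))}


# Constructed sample events (not real telemetry). Publisher names are made up.
SAMPLE_EVENTS = [
    # Benign: system DLL resolved from System32.
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Windows\System32\version.dll",
              True, "Vendor Corp", True, "Microsoft Windows"),
    # Benign: the vendor's own signed helper DLL beside its signed application.
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Program Files\Vendor\helper.dll",
              True, "Vendor Corp", True, "Vendor Corp"),
    # Suspicious: system DLL name, unsigned, loaded from the app's own folder.
    ImageLoad(r"C:\Users\Public\update\app.exe",
              r"C:\Users\Public\update\version.dll",
              True, "Vendor Corp", False, ""),
    # Suspicious: third-party-signed DLL beside a Microsoft-signed host binary.
    ImageLoad(r"C:\Users\Public\tools\signed.exe",
              r"C:\Users\Public\tools\dbghelp.dll",
              True, "Microsoft Corporation", True, "Other Publisher"),
]


if __name__ == "__main__":
    for path, rules in scan(SAMPLE_EVENTS).items():
        print(f"{path}: {', '.join(rules)}")
```

In production the rules would be fed from the EDR or Sysmon pipeline rather than an inline list, and the system DLL name list would be generated from an inventory of the System32 directory on a known-good build; the point of the example is that the "unsigned or mismatched" check reduces to comparing the DLL's directory and signer against those of the process that loaded it.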

Symantec and Carbon Black did not publicly name the nine targeted countries or the affected organizations, most likely to protect the victims while still allowing defensive measures to be shared. Threat intelligence sharing through CISA and international law enforcement channels typically follows such discoveries.

The campaign undersc