What Happened
Security researchers disclosed a Q1 2026 espionage campaign by MuddyWater, an Iran-linked threat group also tracked as Mango Sandstorm, Earth Vetala, and MERCURY. The group compromised at least nine organizations across nine countries on four continents between January and March 2026.
The campaign relied on DLL side-loading — a technique in which attackers plant a malicious DLL alongside a legitimate, signed executable so the trusted binary loads the malicious code at launch. In this campaign, the signed executables were Fortemedia’s fmapp.exe and SentinelOne’s sentinelmemoryscanner.exe, both of which carry valid digital signatures from trusted vendors. This approach allows the malicious payload to execute in the context of a trusted process, bypassing many endpoint controls that rely on signature validation.
Targeted sectors included industrial and electronics manufacturing, education and public-sector organizations, financial services, and professional services. A major South Korean electronics manufacturer had MuddyWater active inside its network for approximately one week in February 2026. An international airport in the Middle East, Southeast Asian industrial manufacturers, and a Latin American financial services provider were also among confirmed victims.
Why This Matters for Canadian Organizations
MuddyWater’s targeting profile for this campaign aligns with Canadian sector exposure. Canada has significant electronics and advanced manufacturing operations, a large financial services sector, post-secondary institutions with international research ties, and professional services firms operating in MENA and Asia-Pacific markets — all sectors hit in this campaign.
Iran-linked cyber operations have historically targeted NATO-aligned countries and Five Eyes partners for intelligence collection, particularly in sectors connected to critical infrastructure, energy, and financial data. The Canadian Centre for Cyber Security (CCCS) has previously warned Canadian organizations about Iranian state-sponsored threat activity.
The DLL side-loading technique used here is particularly relevant for Canadian security teams because it exploits the trust placed in signed binaries from legitimate vendors. SentinelOne is a widely deployed EDR product in Canadian enterprise and government environments. An attacker who plants a malicious DLL alongside a signed SentinelOne binary on an endpoint is abusing the exact tool organizations rely on for protection. Security teams relying solely on signature-based or process-level trust controls will not catch this without behavioral analytics.
Organizations with operations, supply chains, or joint ventures in the targeted regions — particularly the Middle East and Southeast Asia — should treat this campaign as a threat to their international exposure, not just their domestic networks.
What to Do
Audit your endpoint environments for unexpected DLL files co-located with signed Fortemedia or SentinelOne binaries. Enable behavioral detection rules that flag DLL side-loading activity regardless of the signing status of the parent executable. Review EDR telemetry for fmapp.exe and sentinelmemoryscanner.exe process launches that initiate unexpected network connections or child processes.
Apply the principle of least privilege to limit the damage any compromised trusted process can do. Ensure application whitelisting policies account for the directory from which signed executables launch — an unexpected launch path for a known binary is a reliable detection signal for side-loading.
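As an added example, not code from the report or from either vendor, the following PowerShell triage script implements the audit described above: it locates copies of the two named executables, inventories the DLLs beside them, flags DLLs that are unsigned, signed by a different publisher than the executable, or written long after it, and lists live processes of those names with their launch path. The search roots and the flagging heuristics are assumptions chosen for this example.

```powershell
# Hunt for DLL side-loading candidates next to signed binaries.
# Assumptions (not from the report): search roots and flagging heuristics are choices for this example.
$TargetExes  = @('fmapp.exe', 'sentinelmemoryscanner.exe')
$SearchRoots = @('C:\Program Files', 'C:\Program Files (x86)', 'C:\ProgramData', 'C:\Users', "$env:windir\Temp")

function Get-SignerName {
    param([string]$Path)
    # Returns the Authenticode signer subject, or a marker when the signature is missing/invalid.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) { return $sig.SignerCertificate.Subject }
    return "UNSIGNED/INVALID ($($sig.Status))"
}

$findings = foreach ($root in $SearchRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -Include $TargetExes -ErrorAction SilentlyContinue |
    ForEach-Object {
        $exe = $_
        $exeSigner = Get-SignerName $exe.FullName
        # Every DLL in the same directory is a potential side-load candidate.
        Get-ChildItem -Path $exe.DirectoryName -Filter '*.dll' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dllSigner = Get-SignerName $_.FullName
            [pscustomobject]@{
                Executable = $exe.FullName
                ExeSigner  = $exeSigner
                Dll        = $_.Name
                DllSigner  = $dllSigner
                DllWritten = $_.LastWriteTime
                # Flag when the DLL is unsigned, signed by a different publisher than the EXE,
                # or written more than a day after the EXE it sits beside.
                Suspicious = ($dllSigner -like 'UNSIGNED*') -or ($dllSigner -ne $exeSigner) -or
                             ($_.LastWriteTime -gt $exe.LastWriteTime.AddDays(1))
            }
        }
    }
}

"=== On-disk DLLs co-located with target executables (flagged only) ==="
$findings | Where-Object Suspicious | Sort-Object Executable, Dll | Format-Table -AutoSize

# A known binary running from an unexpected directory is itself a strong side-loading signal.
"=== Live processes matching target names, with launch path and parent ==="
Get-CimInstance Win32_Process | Where-Object { $TargetExes -contains $_.Name } |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine | Format-Table -AutoSize
```

The publisher-mismatch rule will also surface legitimate third-party runtime DLLs shipped alongside a vendor's executable, so treat the output as a triage list to be compared against a known-good install, not as a verdict.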
For full technical details, see The Hacker News report and the companion coverage from BleepingComputer.