Summary
- WatchGuard says MuddyWater activity targeted sectors including manufacturing, aviation, finance, education, government, and professional services.
- The report describes activity across Asia, the Middle East, Latin America, and Europe.
- The campaign relies on stealth, credential theft, browser data theft, persistence, and exfiltration.
WatchGuard has published a geopolitical cyber report on Iran-linked MuddyWater activity, warning that the group is using trusted software, DLL side-loading, and legitimate tools to conduct espionage against high-value organisations across several regions.
The report, published on 30 June 2026, identifies MuddyWater, also known as Seedworm and several other aliases, as an MOIS-affiliated actor. WatchGuard lists the activity as global in scope across Asia, the Middle East, Latin America, and Europe, with sectors including electronics and industrial manufacturing, aviation, financial services, education, professional services, government, and the public sector.
WatchGuard’s report describes activity focused on stealth, credential theft, browser data theft, intelligence gathering, and long-term access. The company gives the threat level as high and describes active espionage activity with confirmed intrusions and credential theft.
The report discusses a case involving a major South Korean electronics manufacturer, where attackers maintained access for a week in February 2026. WatchGuard, drawing on Symantec and Broadcom analysis, said the initial access vector remains unknown. Once inside, the attackers performed reconnaissance, stole credentials, captured screenshots, established persistence, and exfiltrated data.
The technical pattern is built around tools and behaviours that can blend into legitimate environments. WatchGuard describes DLL side-loading using legitimate Fortemedia and SentinelOne-related binaries, browser credential theft through ChromElevator, Node.js used to launch scripts, registry-based credential dumping, fake Windows credential prompts, Kerberos abuse, registry run keys for persistence, SOCKS5 reverse proxy tunnels, and exfiltration through a public file-transfer service.
That combination places the activity in a difficult operational category. Many controls are tuned to detect known malware, overt command and control, or obvious ransomware behaviour. Espionage activity that uses signed binaries, legitimate scripting engines, public services, and credential theft can remain below that threshold, particularly where monitoring is weak across endpoints, browsers, identity systems, and outbound traffic.
The European relevance comes from the campaign’s listed regional exposure and the sectors involved. Manufacturing, aviation, finance, education, and public-sector organisations in Europe hold intellectual property, credentials, supplier information, and operational data that align with the activity described in the report.
Attribution should be handled carefully, but the practical risk is clear. Credential-led espionage using legitimate tools requires behavioural visibility across endpoints, identity infrastructure, browser data, proxy activity, and exfiltration routes. Unusual DLL loads, browser credential access, Node.js process trees, suspicious registry saves, credential prompts, proxy tunnels, and file-transfer activity should be examined in context rather than dismissed because individual tools appear legitimate.
The report places geopolitical espionage inside ordinary enterprise systems, where browser data, signed binaries, and long-lived access can carry as much operational weight as custom malware.





