Unmasking an Attack Chain of MuddyWater
Essential information
- Published
- 07/03/2026 09:44
- Modified
- 09/03/2026 11:00
- Tags
- 2026-03-07 apt dll side-loading fmapp.dll iranian rdp ssh tunnel
- Related entities
- 5 observables, 1 intrusion sets (apt), 9 techniques (mitre), 1 malware, 1 others
Description
An intrusion attributed to MuddyWater, an Iranian-linked APT, was identified in a customer environment. The attack involved initial access through RDP, establishing an SSH tunnel, and deploying malware via DLL side-loading. The threat actor used FMAPP.exe, a legitimate Fortemedia Inc. application, to load a malicious FMAPP.dll for C2 communications. The timeline of activities revealed typos in commands, suggesting manual typing by the attacker. The intrusion included reconnaissance efforts, attempts to verify tunnel functionality, and issues with initial C2 communication. The attack targeted an Israeli company, aligning with known MuddyWater tactics.