Seedworm Campaign Targets Global Electronics Firms
An aggressive Seedworm campaign linked to Iranian state-sponsored hackers has compromised organizations across multiple continents, including a major South Korean electronics manufacturer, government entities, and critical infrastructure providers.
Security researchers observed the activity during the first quarter of 2026. The espionage-focused operation impacted at least nine organizations spanning Asia, the Middle East, Latin America, and other regions. Victims included industrial manufacturers, educational institutions, financial services companies, and a Middle Eastern airport operator.
The threat group behind the attacks is widely tracked as Seedworm, also known as MuddyWater and TEMP.Zagros. The actor is believed to operate in support of Iran's Ministry of Intelligence and Security (MOIS).
DLL Sideloading Used to Evade Detection
The attackers relied heavily on DLL sideloading, a technique that abuses legitimate signed applications to secretly load malicious code. In this campaign, the hackers used trusted binaries from Fortemedia and SentinelOne to disguise malware execution.
Researchers identified two primary file combinations:
- fmapp.exe loading fmapp.dll
- sentinelmemoryscanner.exe loading sentinelagentcore.dll
Sideloading works because a Windows executable that loads a DLL by name searches its own directory before the system directories, so a malicious DLL placed next to a signed host binary runs inside that trusted process. Because the host binaries were legitimately signed, the activity appeared less suspicious to security tools that trust the signed process rather than inspect what it loads. Both DLLs reportedly contained components capable of stealing browser credentials, cookies, and payment information from Chromium-based browsers.
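One way to hunt for this pattern in endpoint telemetry is to score Sysmon Event ID 7 (Image loaded) records: the loaded DLL is unsigned, or it sits in a user-writable directory shared with its host executable, and the two executable/DLL pairs named in the report are matched by name as a stronger clue. The following is an added example written for this page, not code from the researchers or from any vendor; the sample records are constructed, the "trusted directory" list is an assumed baseline, and the two-clue threshold is a tuning choice to keep ordinary unsigned helper DLLs from alerting.

```python
"""Added example: flag likely DLL sideloading in Sysmon Event ID 7 (Image loaded) records.

Heuristic, not a signature: a DLL that is unsigned, or that is loaded from a
user-writable directory shared with its host executable, is a sideload candidate;
the two exe/dll pairs named in the report are matched by name as a stronger clue.
"""
import ntpath

# File pairs reported in the campaign (host executable -> loaded DLL).
KNOWN_SIDELOAD_PAIRS = {
    ("fmapp.exe", "fmapp.dll"),
    ("sentinelmemoryscanner.exe", "sentinelagentcore.dll"),
}

# Directories that normally need admin rights to write to (assumed baseline).
TRUSTED_DIR_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def _norm(path):
    """Lower-case a Windows path and unify separators so comparisons are stable."""
    return path.lower().replace("/", "\\")


def sideload_reasons(ev):
    """Return the list of reasons an Event 7 record looks like sideloading (empty = benign)."""
    image = _norm(ev["Image"])
    loaded = _norm(ev["ImageLoaded"])
    exe_dir, exe_name = ntpath.split(image)
    dll_dir, dll_name = ntpath.split(loaded)

    # Sysmon's Signed/SignatureStatus fields describe the *loaded* module.
    dll_signed = (ev.get("Signed", "false").lower() == "true"
                  and ev.get("SignatureStatus") == "Valid")
    untrusted_dir = not (dll_dir + "\\").startswith(TRUSTED_DIR_PREFIXES)

    if dll_signed and not untrusted_dir:
        return []  # validly signed DLL from a protected directory: normal load

    reasons = []
    if (exe_name, dll_name) in KNOWN_SIDELOAD_PAIRS:
        reasons.append(f"known sideload pair {exe_name} -> {dll_name}")
    if not dll_signed:
        reasons.append("loaded DLL is unsigned or its signature is invalid")
    if untrusted_dir and exe_dir == dll_dir:
        reasons.append(f"host and DLL both run from user-writable directory {dll_dir}")
    return reasons


def scan(events):
    """Map each alerting ImageLoaded path to its reasons. A known pair alerts on
    its own; otherwise two independent clues are required to limit noise from
    ordinary unsigned helper DLLs."""
    alerts = {}
    for ev in events:
        reasons = sideload_reasons(ev)
        known = any(r.startswith("known sideload pair") for r in reasons)
        if known or len(reasons) >= 2:
            alerts[_norm(ev["ImageLoaded"])] = reasons
    return alerts


# Constructed sample records using Sysmon Event 7 field names (not real telemetry).
SAMPLE_EVENTS = [
    {   # signed Fortemedia host dropped next to a malicious DLL in a user-writable path
        "Image": r"C:\Users\Public\Music\fmapp.exe",
        "ImageLoaded": r"C:\Users\Public\Music\fmapp.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {   # the same product installed normally, DLL validly signed: no alert
        "Image": r"C:\Program Files\Fortemedia\fmapp.exe",
        "ImageLoaded": r"C:\Program Files\Fortemedia\fmapp.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {   # sideload host name, but it is loading a signed OS DLL: no alert
        "Image": r"C:\ProgramData\tools\sentinelmemoryscanner.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {   # ordinary system process and DLL
        "Image": r"C:\Windows\System32\svchost.exe",
        "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_EVENTS).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Run against the constructed records, only the fmapp.dll load from C:\Users\Public\Music alerts, with all three reasons; the legitimately installed copy and the signed system DLLs pass. In production the same logic is better expressed as a SIEM rule, and the pair list should be extended with every signed host binary the organisation sees abused.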
Additionally, the attackers used Node.js-based loaders to orchestrate PowerShell scripts and malware deployment. This marks another evolution in Seedworm’s tradecraft, as the group increasingly moves away from traditional PowerShell-heavy attacks.
Credential Theft and Persistence
During the intrusion, attackers conducted extensive reconnaissance using common Windows commands such as:
whoami
hostname
ipconfig /all
net user /domain
The hackers also captured screenshots, enumerated antivirus products, and harvested credentials from compromised systems.
Furthermore, the operation included theft of the Windows SAM, SECURITY, and SYSTEM registry hives. The SAM hive holds local account password hashes and the SECURITY hive holds LSA secrets and cached domain logon credentials, both encrypted with a key that is derived from the SYSTEM hive; with all three files, the hashes can be recovered and cracked offline.
Researchers also observed privilege escalation attempts involving Kerberos Ticket Granting Ticket (TGT) extraction. A stolen TGT can be replayed (pass-the-ticket) to authenticate as the account it was issued to, so attackers may have obtained elevated access without ever learning an administrator's password.
Persistence was maintained through Windows registry Run keys, allowing malicious tools to relaunch automatically after user logins.
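The discovery commands, hive theft and Run-key persistence described in this section all leave traces in process-creation telemetry (Sysmon Event ID 1 or Security event 4688, CommandLine field). The following is an added example written for this page, not code from the researchers or from the report's telemetry: it classifies individual command lines and aggregates them per host. The command shapes it matches (reg.exe save of a hive, reg.exe add or PowerShell Set-/New-ItemProperty on a Run key) are common attacker usage assumed for illustration; the report does not say which tool the actors used to copy the hives, and the sample records are constructed.

```python
"""Added example: triage Windows process-creation command lines (Sysmon Event 1 /
Security 4688 CommandLine field) for the recon, hive-theft and Run-key activity
described above. The command shapes matched are common attacker usage assumed
for illustration; the report does not state which tool copied the hives."""
import ntpath
import re
from collections import defaultdict

RUN_KEY = re.compile(r"\\currentversion\\run(once)?\b")
HIVE_SAVE = re.compile(r"^(save|export)\s+(hklm|hkey_local_machine)\\(sam|security|system)\b")
PS_REG_WRITE = re.compile(r"(set|new)-itemproperty")


def _program_and_args(cmd):
    """Split a command line into (program basename without .exe, lower-cased args)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted full path
        end = cmd.find('"', 1)
        prog, rest = cmd[1:end], cmd[end + 1:]
    else:
        parts = cmd.split(None, 1)
        prog, rest = parts[0], (parts[1] if len(parts) > 1 else "")
    name = ntpath.basename(prog).lower()
    if name.endswith(".exe"):
        name = name[:-4]
    return name, rest.strip().lower()


def classify(cmd):
    """Return the set of tags a single command line earns."""
    name, args = _program_and_args(cmd)
    tags = set()
    # Host/identity discovery commands listed in the report.
    if name in ("whoami", "hostname"):
        tags.add("recon")
    elif name == "ipconfig" and "/all" in args:
        tags.add("recon")
    elif name == "net" and args.startswith("user"):
        tags.add("recon")                        # e.g. "net user /domain"
    # Offline credential theft: copying SAM/SECURITY/SYSTEM out of the registry.
    if name == "reg" and HIVE_SAVE.match(args):
        tags.add("hive_dump")
    # Persistence: writing a Run/RunOnce value via reg.exe or PowerShell.
    if name == "reg" and args.startswith("add") and RUN_KEY.search(args):
        tags.add("run_key_persistence")
    if name in ("powershell", "pwsh") and RUN_KEY.search(args) and PS_REG_WRITE.search(args):
        tags.add("run_key_persistence")
    return tags


def triage(records):
    """Aggregate tag counts per host from records of the form {"host": ..., "CommandLine": ...}."""
    per_host = defaultdict(lambda: defaultdict(int))
    for rec in records:
        for tag in classify(rec["CommandLine"]):
            per_host[rec["host"]][tag] += 1
    return {host: dict(counts) for host, counts in per_host.items()}


def hosts_of_concern(summary, recon_threshold=3):
    """Hosts showing credential theft or persistence, or a burst of recon commands."""
    return sorted(host for host, c in summary.items()
                  if c.get("hive_dump") or c.get("run_key_persistence")
                  or c.get("recon", 0) >= recon_threshold)


# Constructed sample command lines (not from the report's telemetry).
SAMPLE_RECORDS = [
    {"host": "WS01", "CommandLine": "whoami"},
    {"host": "WS01", "CommandLine": "hostname"},
    {"host": "WS01", "CommandLine": "ipconfig /all"},
    {"host": "WS01", "CommandLine": "net user /domain"},
    {"host": "WS01", "CommandLine": r"reg save HKLM\SAM C:\Users\Public\sam.hiv"},
    {"host": "WS01", "CommandLine": r"reg save HKLM\SECURITY C:\Users\Public\security.hiv"},
    {"host": "WS01", "CommandLine": r'"C:\Windows\System32\reg.exe" save hklm\system C:\Users\Public\system.hiv'},
    {"host": "WS01", "CommandLine": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d "C:\Users\Public\Music\fmapp.exe"'},
    {"host": "WS02", "CommandLine": r'"C:\Windows\System32\ipconfig.exe" /all'},
    {"host": "WS02", "CommandLine": r"net use Z: \\fileserver\share"},
]

if __name__ == "__main__":
    summary = triage(SAMPLE_RECORDS)
    for host in hosts_of_concern(summary):
        print(host, summary[host])
```

On the constructed records, WS01 is flagged with four recon commands, three hive copies and one Run-key write, while WS02's single ipconfig and its drive mapping are ignored. Individually, a recon command or a Run-key write is routine administrator activity; the value is in the per-host combination, which is why the triage step counts tags rather than alerting on each line.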
Public File-Sharing Services Used for Data Theft
Instead of relying solely on attacker-controlled infrastructure, the operators exfiltrated stolen files through the public transfer platform sendit[.]sh.
This tactic helps malicious traffic blend into legitimate cloud activity. As a result, detecting data exfiltration becomes significantly harder for defenders monitoring network traffic.
Researchers also identified repeated beaconing at a fixed 90-second interval, suggesting automated implant check-ins rather than continuous hands-on-keyboard operations.
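A fixed check-in interval is detectable from connection logs alone: group connections by source and destination, measure the gaps between them, and look for a low coefficient of variation (standard deviation divided by mean). The following is an added example written for this page, not code from the researchers; the connection log is constructed (TEST-NET addresses, one host beaconing every 90 seconds with a couple of seconds of jitter, one host browsing irregularly), and the 0.15 jitter tolerance and six-event minimum are assumed tuning values.

```python
"""Added example: find fixed-interval beaconing in a connection log by measuring
how regular the gaps between connections from one source to one destination are.
A near-constant interval (here the report's 90 seconds) gives a low coefficient of
variation; human-driven traffic does not."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def beacon_score(timestamps, min_events=6):
    """Return (mean_gap_seconds, coefficient_of_variation) or None if too few events."""
    if len(timestamps) < min_events:
        return None
    ts = sorted(timestamps)
    gaps = [(later - earlier).total_seconds() for earlier, later in zip(ts, ts[1:])]
    mu = mean(gaps)
    if mu <= 0:
        return None
    return mu, pstdev(gaps) / mu


def find_beacons(conn_log, max_cv=0.15, min_events=6):
    """Group connections by (src, dst) and return pairs whose timing looks automated.

    max_cv is the jitter tolerance: 0.15 accepts roughly +/-15% around the mean,
    which still catches a 90 s beacon with a few seconds of randomisation. Implants
    with heavy jitter need a looser threshold or a different method."""
    by_pair = defaultdict(list)
    for rec in conn_log:
        by_pair[(rec["src"], rec["dst"])].append(rec["ts"])
    hits = {}
    for pair, stamps in by_pair.items():
        score = beacon_score(stamps, min_events)
        if score and score[1] <= max_cv:
            hits[pair] = score
    return hits


def _log(src, dst, start, offsets_s):
    """Build connection records at the given second offsets from start."""
    return [{"src": src, "dst": dst, "ts": start + timedelta(seconds=o)} for o in offsets_s]


# Constructed sample: one host beaconing every ~90 s with +/-2 s jitter, one host browsing.
START = datetime(2026, 1, 15, 9, 0, 0)
SAMPLE_CONNECTIONS = (
    _log("10.0.0.21", "203.0.113.7", START, [0, 90, 181, 270, 362, 450, 541, 630])
    + _log("10.0.0.33", "198.51.100.12", START, [0, 3, 40, 41, 200, 207, 600, 601])
)

if __name__ == "__main__":
    for (src, dst), (mu, cv) in find_beacons(SAMPLE_CONNECTIONS).items():
        print(f"{src} -> {dst}: mean interval {mu:.1f}s, jitter cv={cv:.3f}")
```

On the sample, the beaconing pair scores a mean gap of exactly 90 seconds with a coefficient of variation near 0.015 and is reported; the browsing host's gaps vary by more than their mean and are not. Applied to real proxy or firewall logs, the grouping key should also include the destination port or URL host, and destinations such as the public transfer service named above deserve review even when their timing is irregular.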
Seedworm Campaign Reflects Growing Cyber Espionage Threat
Security analysts believe the campaign highlights a broader evolution in Iranian cyber espionage operations. Although Seedworm historically focused on Middle Eastern targets, the group now appears to be expanding its intelligence collection efforts globally.
Notably, the attackers combined several stealth techniques:
- DLL sideloading
- Node.js orchestration
- SOCKS5 reverse proxy tunnels
- Credential harvesting
- Public cloud-based exfiltration
Individually, these tactics are not new. However, their coordinated use demonstrates a more disciplined and mature operational approach.
Organizations are advised to monitor for unusual PowerShell activity, suspicious DLL sideloading behavior, and unexpected outbound traffic to public file-transfer services. Additionally, defenders should audit systems for unauthorized registry persistence and credential dumping activity.
The latest Seedworm campaign shows that state-backed espionage groups continue refining their methods to quietly infiltrate high-value targets while avoiding detection.