Recent findings reveal that the Iran-linked hacking group, Seedworm, has been quietly infiltrating global networks in a calculated campaign. Also known as MuddyWater, this group has targeted at least nine organizations across diverse sectors and countries, leaving compromised systems in its wake.
Global Targets and Intrusions
In the first quarter of 2026, Seedworm focused its efforts on organizations in fields ranging from industrial manufacturing to government agencies. Among its notable targets was a South Korean electronics firm, where the group maintained access for an entire week, highlighting its ability to operate beyond its usual regions.
According to Symantec’s Threat Hunter Team, Seedworm’s activities are believed to align with the interests of Iran’s Ministry of Intelligence and Security. The group’s targets were likely chosen for their potential to yield valuable intelligence, such as government data or intellectual property.
Advanced Techniques in Cyber Espionage
Seedworm’s tactics have evolved, showing a high level of discipline and sophistication in avoiding detection. By employing legitimate software components for DLL sideloading, the group has been able to conduct operations under the radar. In this method, a signed, trusted executable is made to load a malicious DLL placed alongside it, so the attacker’s code runs inside a process that security tooling is inclined to trust, evading standard security measures.
The attackers used fmapp.exe, a legitimate audio-driver utility, and sentinelmemoryscanner.exe, a security product component, to sideload harmful DLLs like fmapp.dll and sentinelagentcore.dll. These DLLs contained ChromElevator, a tool designed to extract sensitive data from browsers, all initiated by Node.js scripts.
Credential Theft and Defensive Strategies
Once inside a network, Seedworm quickly extracted credentials to secure its foothold. Techniques included modifying registry settings to ensure persistence and deploying multiple tools to harvest passwords and other sensitive data.
For data exfiltration, the group used public file-transfer services, blending malicious traffic with ordinary network activity. Organizations are advised to monitor for unexpected file-sharing service usage and audit outbound transfers from sensitive areas.
Security teams should remain vigilant for unusual process activities, such as those involving node.exe, and keep endpoint detection systems updated. Regularly reviewing registry keys and monitoring for unauthorized DLL loads are also recommended to prevent unauthorized access.
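The three hunting recommendations above (unauthorized DLL loads by the named host binaries, unusual node.exe activity, and outbound traffic to public file-transfer services) can be expressed as simple rules over endpoint telemetry. The following is an added example written for this page, not code from the article or from Symantec; the directory allow-list, the file-transfer watch-list domains and the sample events are all constructed assumptions, and the binary and DLL names are the ones the article reports.

```python
"""Added detection example (not from the article): scan a stream of
constructed endpoint events for the behaviours the article tells defenders
to watch: DLL sideloading via fmapp.exe / sentinelmemoryscanner.exe,
unusual node.exe activity, and outbound traffic to file-transfer services.
"""
from dataclasses import dataclass
from typing import Optional
import ntpath

# Host binaries and the DLL each was abused to load (names from the article).
SIDELOAD_PAIRS = {
    "fmapp.exe": "fmapp.dll",
    "sentinelmemoryscanner.exe": "sentinelagentcore.dll",
}

# Directories a properly installed product would load its DLLs from.
# These are assumptions for the example; tune them to your estate.
TRUSTED_DIRS = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\system32\\",
)

# Placeholder watch-list of file-transfer domains (constructed, not real IoCs).
WATCHED_TRANSFER_DOMAINS = {"transfer.example", "share.example"}


@dataclass
class Event:
    kind: str              # "image_load", "process_create" or "net_connect"
    process: str           # full path of the acting process image
    target: str = ""       # DLL path, script path, or destination host
    signed: bool = True    # signature status of the loaded DLL (image_load)


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def _in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def check_sideload(ev: Event) -> Optional[str]:
    """A known sideloading host loading its paired DLL from an untrusted
    directory, or loading an unsigned copy of that DLL, is suspicious."""
    if ev.kind != "image_load":
        return None
    expected = SIDELOAD_PAIRS.get(_name(ev.process))
    if expected is None or _name(ev.target) != expected:
        return None
    if not _in_trusted_dir(ev.target) or not ev.signed:
        return f"possible DLL sideload: {_name(ev.process)} loaded {ev.target}"
    return None


def check_node(ev: Event) -> Optional[str]:
    """node.exe running from, or executing a script from, a location outside
    the trusted directories (assumed heuristic) is worth a closer look."""
    if ev.kind != "process_create" or _name(ev.process) != "node.exe":
        return None
    if not _in_trusted_dir(ev.process) or (ev.target and not _in_trusted_dir(ev.target)):
        return f"unusual node.exe activity: {ev.process} running {ev.target or '<no script>'}"
    return None


def check_transfer(ev: Event) -> Optional[str]:
    """Any process reaching a domain on the file-transfer watch-list."""
    if ev.kind != "net_connect":
        return None
    host = ev.target.lower()
    if any(host == d or host.endswith("." + d) for d in WATCHED_TRANSFER_DOMAINS):
        return f"outbound to file-transfer service: {_name(ev.process)} -> {ev.target}"
    return None


CHECKS = (check_sideload, check_node, check_transfer)


def scan(events) -> list:
    """Run every check over every event and collect the alerts in order."""
    alerts = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry: two benign events and four that should fire.
SAMPLE_EVENTS = [
    Event("image_load", r"C:\Program Files\Audio\fmapp.exe",
          r"C:\Program Files\Audio\fmapp.dll"),                        # benign
    Event("image_load", r"C:\Users\Public\Music\fmapp.exe",
          r"C:\Users\Public\Music\fmapp.dll", signed=False),            # sideload
    Event("image_load", r"C:\ProgramData\scan\sentinelmemoryscanner.exe",
          r"C:\ProgramData\scan\sentinelagentcore.dll"),                # sideload
    Event("process_create", r"C:\Program Files\nodejs\node.exe",
          r"C:\Program Files\nodejs\bin\npm-cli.js"),                  # benign
    Event("process_create", r"C:\Users\Public\node.exe",
          r"C:\Users\Public\loader.js"),                                # unusual
    Event("net_connect", r"C:\Users\Public\node.exe",
          "upload.transfer.example"),                                   # exfil
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

The rules deliberately key on where the DLL or script lives rather than on file hashes, because a sideloaded DLL can be recompiled at will while the host binary's expected install directory changes rarely; in a real deployment the trusted directories and the watch-list would be taken from the organization's own software inventory and proxy policy.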
This campaign underscores the need for continuous improvement in cybersecurity defenses to counteract evolving threats from state-sponsored actors like Seedworm.
