An espionage campaign conducted by the Iran-associated hacking group Seedworm has been detected, impacting at least nine organizations across four continents during early 2026. The group concealed its operations within legitimate, signed software to introduce malicious code stealthily, disguising its activity as normal system behavior.
Seedworm’s Deceptive Techniques
Also known as MuddyWater, TEMP.Zagros, and Static Kitten, Seedworm is believed to operate under Iran’s Ministry of Intelligence and Security. The campaign targeted diverse sectors, including industrial manufacturing, government entities, financial services, educational institutions, and a Middle Eastern international airport.
Symantec’s report highlights a significant breach involving a South Korean electronics manufacturer, where the attackers navigated the network undetected for a week in February 2026. This broad range of targets suggests an effort to gather intelligence valuable to Iran, ranging from manufacturing secrets to government details.
Advanced Sideloading Techniques
A distinguishing feature of this campaign is Seedworm’s method of blending in with legitimate system activity. Instead of deploying conspicuous malware, the group placed malicious DLLs alongside legitimately signed executables so that the trusted binary loads the attacker’s code when it runs. This method, known as DLL sideloading, exploits the trust security tools place in signed software, making detection challenging.
The group also used the public file transfer service sendit[.]sh to exfiltrate stolen data from target networks, camouflaging the transfers within ordinary cloud traffic to avoid security alerts. This approach demonstrates Seedworm’s meticulous planning and execution.
Operational Precision and Recommendations
The attackers misused two signed executables, Fortemedia Inc.’s fmapp.exe and SentinelOne’s sentinelmemoryscanner.exe, to sideload the malicious files fmapp.dll and sentinelagentcore.dll, respectively. These files contained ChromElevator, a tool designed to steal sensitive information such as passwords and cookies from web browsers.
Node.js played a crucial role in driving the sideloading chain, with an embedded script silently controlling the attack. This marks a departure from Seedworm’s previous reliance on PowerShell in favor of a less commonly monitored runtime environment.
To maintain persistence, the attackers modified the Windows registry to restart the loader chain upon user login. They deployed credential theft tools in stages, capturing password hashes and using fake login dialogs to deceive users. A privilege escalation tool enabled unauthorized access to high-privilege accounts.
Security experts recommend monitoring for unsigned DLLs that sit beside signed executables and are loaded by them, and for unexpected Node.js activity. Restricting outbound traffic to unfamiliar file-transfer services and enforcing strict policies on startup registry keys can reduce exposure to such threats.
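The two detections recommended above can be expressed as simple rules over endpoint telemetry. The following Python script is an added example and is not code from Symantec’s report or from the article: it scans a list of image-load and process-creation records and flags (a) an unsigned DLL loaded by a signed executable from the same non-system directory and (b) node.exe running from outside its expected install location. The event schema, the allowlisted directories and the file paths in the sample records are assumptions; the records themselves are constructed for illustration, using only the file names the article names.

```python
"""Detection sketch for DLL sideloading and unexpected Node.js activity.

Added example, not from the Symantec report or the article. The event
schema below is hypothetical (loosely modelled on an EDR image-load /
process-creation feed); the records are constructed sample data.
"""
from __future__ import annotations

import json
from pathlib import PureWindowsPath

# Constructed sample telemetry. Paths and signing states are illustrative.
SAMPLE_EVENTS = json.loads(r"""
[
 {"event": "image_load", "process": "C:\\Users\\Public\\fmapp.exe", "process_signed": true,
  "dll": "C:\\Users\\Public\\fmapp.dll", "dll_signed": false},
 {"event": "image_load", "process": "C:\\Users\\Public\\fmapp.exe", "process_signed": true,
  "dll": "C:\\Windows\\System32\\kernel32.dll", "dll_signed": true},
 {"event": "image_load", "process": "C:\\Windows\\System32\\svchost.exe", "process_signed": true,
  "dll": "C:\\Windows\\System32\\rpcss.dll", "dll_signed": true},
 {"event": "image_load", "process": "C:\\Temp\\sentinelmemoryscanner.exe", "process_signed": true,
  "dll": "C:\\Temp\\sentinelagentcore.dll", "dll_signed": false},
 {"event": "process_create", "process": "C:\\Users\\Public\\node.exe",
  "parent": "C:\\Users\\Public\\fmapp.exe"},
 {"event": "process_create", "process": "C:\\Program Files\\nodejs\\node.exe",
  "parent": "C:\\Windows\\explorer.exe"}
]
""")

# Assumption: DLLs under the Windows directory legitimately sit beside system
# binaries, so same-directory loads there are not treated as sideloading.
SYSTEM_DIRS = ("c:\\windows\\",)
# Assumption: the only place node.exe is expected to run from on these hosts.
EXPECTED_NODE_DIRS = ("c:\\program files\\nodejs\\",)


def _norm(path: PureWindowsPath | str) -> str:
    """Normalise a Windows path to a lowercase backslash form for comparison."""
    return str(PureWindowsPath(path)).lower()


def sideload_candidates(events: list[dict]) -> list[tuple[str, str]]:
    """Return (exe, dll) pairs where a signed process loaded an unsigned DLL
    from its own directory, outside the Windows directory."""
    hits = []
    for e in events:
        if e.get("event") != "image_load":
            continue
        exe, dll = PureWindowsPath(e["process"]), PureWindowsPath(e["dll"])
        same_dir = _norm(exe.parent) == _norm(dll.parent)
        in_system_dir = _norm(dll).startswith(SYSTEM_DIRS)
        if e["process_signed"] and not e["dll_signed"] and same_dir and not in_system_dir:
            hits.append((exe.name, dll.name))
    return hits


def unexpected_node(events: list[dict]) -> list[tuple[str, str]]:
    """Return (node path, parent) pairs for node.exe launched from an
    unexpected directory; the parent helps triage what started it."""
    hits = []
    for e in events:
        if e.get("event") != "process_create":
            continue
        p = PureWindowsPath(e["process"])
        if p.name.lower() == "node.exe" and not _norm(p).startswith(EXPECTED_NODE_DIRS):
            hits.append((str(p), e.get("parent", "")))
    return hits


if __name__ == "__main__":
    for exe, dll in sideload_candidates(SAMPLE_EVENTS):
        print(f"possible sideload: {exe} loaded unsigned {dll} from its own directory")
    for path, parent in unexpected_node(SAMPLE_EVENTS):
        print(f"unexpected node.exe: {path} (parent: {parent})")
```

Both rules are intentionally narrow: the sideloading rule only fires when the loader is signed, the DLL is unsigned and the two share a directory, which is exactly the shape the article describes, and the Node.js rule relies on an allowlist of install paths that each environment must tune. Real telemetry would also carry signer names and hashes, which can be matched against the published indicators once they are in hand.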
Indicators of compromise include specific SHA256 hashes and IP addresses associated with attacker-controlled infrastructure, published with the report. Organizations are advised to remain vigilant and update their security controls to counter these tactics.
