Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Seedworm Exploits Signed Software for Covert Attacks

Seedworm Exploits Signed Software for Covert Attacks

Posted on May 27, 2026 By CWS

An espionage campaign conducted by the Iran-associated hacking group Seedworm has been detected, impacting at least nine organizations across four continents during early 2026. The group cleverly concealed its operations within legitimate, signed software to stealthily introduce malicious code, effectively disguising their activities as normal system behavior.

Seedworm’s Deceptive Techniques

Identified also as MuddyWater, Temp Zagros, and Static Kitten, Seedworm is believed to operate under Iran’s Ministry of Intelligence and Security. The campaign targeted diverse sectors, including industrial manufacturing, government entities, financial services, educational institutions, and a Middle Eastern international airport.

Symantec’s report highlights a significant breach involving a South Korean electronics manufacturer, where the attackers navigated the network undetected for a week in February 2026. This broad range of targets suggests an effort to gather intelligence valuable to Iran, ranging from manufacturing secrets to government details.

Advanced Sideloading Techniques

A distinguishing feature of this campaign is Seedworm’s method of blending in with legitimate system activities. Instead of utilizing conspicuous malware, they employed signed binaries to deploy malicious code alongside them. This method, known as DLL sideloading, exploits the inherent trust security tools place in signed software, making detection challenging.

The group also utilized the public file transfer service sendit[.]sh to extract stolen data from target networks, camouflaging their activity within regular cloud traffic to avoid security alerts. This approach demonstrates Seedworm’s meticulous planning and execution.

Operational Precision and Recommendations

The attackers misused two signed executables: Fortemedia Inc.’s fmapp.exe and SentinelOne’s sentinelmemoryscanner.exe, to sideload malicious files fmapp.dll and sentinelagentcore.dll, respectively. These files contained ChromElevator, a tool designed to steal sensitive information like passwords and cookies from web browsers.

Node.js played a crucial role in driving the sideloading chain, with an embedded script silently controlling the attack. This marks a departure from Seedworm’s previous reliance on PowerShell, adopting a more covert runtime environment.

To maintain persistence, the attackers modified the Windows registry to restart the loader chain upon user login. They deployed credential theft tools in stages, capturing password hashes and using fake login dialogs to deceive users. A privilege escalation tool enabled unauthorized access to high-privilege accounts.

Security experts recommend monitoring for unsigned DLLs accompanying signed executables and unexpected Node.js activity. Restricting outbound traffic to unfamiliar file-transfer services and enforcing strict startup registry policies can mitigate exposure to such threats.

Indicators of compromise include specific SHA256 hashes and IP addresses associated with attacker-controlled infrastructure. Organizations are advised to remain vigilant and update security protocols to counter these sophisticated tactics.

Cyber Security News Tags:ChromElevator, credential theft, cyber espionage, Cybersecurity, data exfiltration, DLL Sideloading, file-transfer services, Fortemedia, Iran hacking group, network intrusion, Node.js, Seedworm, SentinelOne, signed binaries, Symantec

Post navigation

Previous Post: Join AI Risk Summit 2026 at Ritz-Carlton, Half Moon Bay
Next Post: Key SOC Steps to Minimize Incident Risks

Related Posts

Conducting Risk Assessments That Drive Business Value Conducting Risk Assessments That Drive Business Value Cyber Security News
Vulnerable Codes in Legacy Python Packages Enables Attacks on Python Package Index Via Domain Compromise Vulnerable Codes in Legacy Python Packages Enables Attacks on Python Package Index Via Domain Compromise Cyber Security News
Palo Alto Networks Firewall Vulnerability Allows Unauthenticated Attackers to Trigger Denial of Service Palo Alto Networks Firewall Vulnerability Allows Unauthenticated Attackers to Trigger Denial of Service Cyber Security News
FBI and CISA Alert on Russian Phishing Targeting Signal FBI and CISA Alert on Russian Phishing Targeting Signal Cyber Security News
GitGuardian Ends 2025 with Strong Enterprise Momentum GitGuardian Ends 2025 with Strong Enterprise Momentum Cyber Security News
Microsoft Investigating Teams and Exchange Online Services Disruption Impacting Users Microsoft Investigating Teams and Exchange Online Services Disruption Impacting Users Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • KittySploit: AI-Driven PenTesting with Over 1150 Modules
  • Cybersecurity Update: Linux Flaws, Ubiquiti Issues, Accenture Breach
  • Apple Accuses OpenAI of Trade Secret Misappropriation
  • Espionage Campaigns Target Pakistani Police Portals
  • Compromised jscrambler npm Package Drops Infostealer

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • KittySploit: AI-Driven PenTesting with Over 1150 Modules
  • Cybersecurity Update: Linux Flaws, Ubiquiti Issues, Accenture Breach
  • Apple Accuses OpenAI of Trade Secret Misappropriation
  • Espionage Campaigns Target Pakistani Police Portals
  • Compromised jscrambler npm Package Drops Infostealer

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark