
Seedworm APT Abuses Signed Fortemedia and SentinelOne Binaries for DLL Sideloading


May 27, 2026 · 5 min read

A well-known Iran-linked hacking group has been caught running a far-reaching espionage campaign that touched at least nine organizations across nine countries and four continents in early 2026.

The attackers used a clever trick to hide inside targeted networks: they abused legitimate, signed software to secretly load malicious code, making their activity look like normal system behavior.

The group behind this campaign is Seedworm, also tracked as MuddyWater, TEMP.Zagros, and Static Kitten. Researchers widely believe it operates on behalf of Iran’s Ministry of Intelligence and Security.

Targets spanned industrial and electronics manufacturing, government agencies, financial services, educational institutions, and an international airport in the Middle East.

Analysts from Symantec identified the campaign and noted that one of the most striking intrusions involved a major South Korean electronics manufacturer, where attackers quietly moved through its network for an entire week in February 2026.

Symantec detailed the findings in a report shared with Cyber Security News (CSN). The breadth of targets points to a push to collect intelligence of value to Tehran, from manufacturing secrets to details on rival governments.

What makes this campaign stand out is how the attackers blended in. Rather than relying on obvious malware, they dropped signed binaries and placed malicious code right next to them.

When the signed programs ran, they pulled in the attacker’s files automatically, a technique known as DLL sideloading. Security tools tend to trust signed software, making this approach very hard to detect.

The attackers also used a public file-transfer service called sendit[.]sh to move stolen data out of target networks.

Rather than building custom infrastructure, they hid the theft inside everyday cloud traffic that often passes through security filters without raising any alarm. This reflects how carefully Seedworm now plans its operations.

Seedworm APT Abuses Signed Fortemedia

At the heart of this campaign was the abuse of two legitimately signed executables. The first was fmapp.exe, a Fortemedia Inc. audio-driver utility, used to load a malicious file called fmapp.dll.

The second was sentinelmemoryscanner.exe, a real component of an endpoint security product, manipulated to sideload a malicious file called sentinelagentcore.dll.

Both malicious files carried ChromElevator, a tool capable of stealing passwords, cookies, and payment data from web browsers.

The sideloading chain was driven not by a human operator but by node.exe, the Node.js runtime. A Node.js script was found embedded inside an XML file on one of the infected machines, silently orchestrating the entire attack.

This marks a shift away from Seedworm’s older habit of running raw PowerShell commands, replacing it with a runtime that is harder to trace.

Persistence was established by adding a registry entry under the Windows startup key, ensuring the loader chain restarted each time the user logged in.

The attackers deployed credential theft tools in waves, dumping password hashes from registry hives and tricking users with a fake Windows login dialog. A privilege escalation tool was also used to pull Kerberos tickets from high-privilege accounts without needing their passwords.

Layered Credential Theft and Data Exfiltration

Once inside a network, the attackers worked methodically. They began with discovery commands to map the machine, its user, and the domain, then captured screenshots to confirm what the victim was working on.

PowerShell scripts were pulled from a staging server using both PowerShell and the curl tool, with curl helping keep download activity away from script-block logs.

Credential theft tools were deployed in multiple rounds, showing the operators tried several methods in case any one was blocked. Stolen registry hives would allow offline cracking of password hashes and recovery of cached domain credentials.

Symantec noted this redundancy across a single intrusion is a sign of growing discipline and maturity from this threat actor.

Organizations are advised to monitor for unsigned DLLs loaded alongside legitimate signed executables and to flag unexpected Node.js activity.

Blocking outbound traffic to unknown file-transfer services and enforcing strict startup registry policies can meaningfully reduce exposure to this type of attack.
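The detection advice above can be turned into a simple rule over endpoint telemetry. The following is an added example, not code from the article or from Symantec's report: it scans Sysmon Event ID 7 (ImageLoad) records, using the real Sysmon field names, for an unverified DLL loaded from the same directory as its host executable (the layout fmapp.dll and sentinelagentcore.dll used) and separately flags node.exe as a loading process. The sample events, paths and user name are constructed; Event 7 carries the signature of the loaded DLL, not of the host process, so checking the host binary's own Authenticode signature is a separate step.

```python
"""Added example: flag Sysmon Event ID 7 (ImageLoad) records matching the
sideloading layout above (unsigned DLL beside the host EXE) and any
node.exe host. Sample events are constructed; paths and user are invented."""
from pathlib import PureWindowsPath

# Loads from Windows' own DLL directories are normal and excluded.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

SAMPLE_EVENTS = [  # constructed Event ID 7 records, real Sysmon field names
    {"Image": r"C:\Users\alice\AppData\Local\Temp\fmapp.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\fmapp.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\fmapp.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\ProgramData\svc\sentinelmemoryscanner.exe",
     "ImageLoaded": r"C:\ProgramData\svc\sentinelagentcore.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\alice\AppData\Roaming\rt\node.exe",
     "ImageLoaded": r"C:\Windows\System32\ws2_32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

def _parent_dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()

def classify(event: dict) -> list[str]:
    """Return detection tags for one ImageLoad record; [] means benign."""
    exe, dll = event["Image"], event["ImageLoaded"]
    dll_dir = _parent_dir(dll)
    # Event 7 reports the signature of the loaded DLL, not of the process.
    unsigned = (event.get("Signed", "").lower() != "true"
                or event.get("SignatureStatus") != "Valid")
    tags = []
    # Unverified DLL beside the EXE that loads it, outside system directories.
    if unsigned and dll_dir == _parent_dir(exe) and dll_dir not in TRUSTED_DIRS:
        tags.append("sideload-candidate")
    # Node.js as the loading process, which the article says to flag.
    if PureWindowsPath(exe).name.lower() == "node.exe":
        tags.append("nodejs-activity")
    return tags

def scan(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (loaded DLL name, tags) for every event that raised a tag."""
    hits = []
    for event in events:
        tags = classify(event)
        if tags:
            hits.append((PureWindowsPath(event["ImageLoaded"]).name, tags))
    return hits
```

Running `scan(SAMPLE_EVENTS)` flags the two colocated unsigned DLLs and the node.exe load while leaving the kernel32.dll load untouched.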

Indicators of Compromise (IoCs):


Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Source: CybersecurityNews.com

