
The Iran-linked hacking group MuddyWater (a.k.a. Seedworm, Static Kitten) launched a broad cyber-espionage campaign targeting at least nine high-profile organizations across multiple sectors and countries.
Some of the victims are a large South Korean electronics manufacturer, government agencies, an international airport in the Middle East, industrial manufacturers in Asia, and educational institutions.
Researchers at Symantec say that the threat actor "spent a week inside the network of a large South Korean electronics manufacturer in February 2026."
Symantec's Threat Hunter Team believes the attacker was intelligence-driven, focusing on industrial and intellectual property theft, government espionage, and access to downstream customers or corporate networks.
Fortemedia and SentinelOne abuse
Seedworm's campaign relied heavily on DLL sideloading, a common technique in which legitimate, signed software loads malicious DLLs.
Two of the binaries leveraged in the attack are 'fmapp.exe,' a legitimate Fortemedia audio application, and 'sentinelmemoryscanner.exe,' a legitimate SentinelOne component.
The malicious DLLs (fmapp.dll and sentinelagentcore.dll) contained ChromElevator, a commodity post-exploitation tool that steals data saved in Chrome-based browsers.
Symantec also found that PowerShell, used in previous Seedworm attacks, was still heavily used in the recent incidents, although the payloads were handled via Node.js loaders rather than directly.
PowerShell was used to capture screenshots, conduct reconnaissance, fetch additional payloads, establish persistence, steal credentials, and create SOCKS5 tunnels.
Attack on a Korean company
According to Symantec's observations, the attack on the South Korean electronics manufacturer lasted between February 20 and 27. The researchers did not disclose the name of the targeted organization.
In the first stage, Seedworm performed host and domain reconnaissance, followed by antivirus enumeration via WMI, screenshot capture, and the download of additional malware.
Credential theft occurred via fake Windows prompts, registry hive theft (SAM/SECURITY/SYSTEM), and Kerberos ticket abuse tools.
Persistence was established via registry modifications, beaconing occurred at 90-second intervals, and sideloaded binaries were repeatedly relaunched to maintain access.
"The cadence is again consistent with implant-driven activity rather than continuous operator presence," the researchers said.
The attackers leveraged sendit.sh, a public file-sharing service, for data exfiltration, likely to obscure the malicious activity and make it appear as normal traffic.
Overall, Symantec found the latest Seedworm campaign notable for the threat actors' geographic expansion, operational maturity, and abuse of legitimate tools and services, which mark a shift toward quieter attacks.
