Seedworm APT Exploits Fortemedia, SentinelOne DLL Sideloading

David kimber
May 14, 2026

Key Takeaways

  • The Iran-linked APT group Seedworm (also known as MuddyWater) conducted a sophisticated campaign in Q1 2026, targeting nine organizations across four continents.
  • Attackers leveraged DLL sideloading by abusing legitimate, signed binaries from Fortemedia and SentinelOne to execute malicious payloads, including the ChromElevator tool.
  • The campaign focused on intelligence gathering, compromising industrial manufacturing, education, government, financial services, and critical infrastructure sectors.
  • Seedworm demonstrated advanced operational security, using automated processes (Node.js scripts), multiple credential theft tools, and public file-sharing services for stealthy exfiltration.

A recent campaign attributed to Seedworm, an advanced persistent threat (APT) group with suspected ties to Iran, reveals a significant escalation in their operational sophistication. Also tracked as MuddyWater, the group executed a series of highly targeted intrusions throughout the first quarter of 2026, compromising at least nine organizations across nine countries spanning four continents. These attacks resulted in the theft of sensitive data and credentials, underscoring a calculated precision previously unobserved from the adversary.

The scope of Seedworm’s targets was notably broad, encompassing entities within industrial and electronics manufacturing, educational institutions, government agencies, financial service providers, and even a major international airport in the Middle East. A particularly striking incident occurred in February 2026, when the group maintained a week-long presence within the network of a prominent South Korean electronics manufacturer—a region typically outside their historical operational focus.

Analysts from Symantec’s Threat Hunter Team identified and detailed the campaign, attributing it to Seedworm, a group widely believed to operate under the direction of Iran’s Ministry of Intelligence and Security. Researchers concluded that each targeted organization likely possessed information of direct intelligence value to Tehran, whether in the form of intellectual property, sensitive government data, or access to downstream customers.

Abusing Signed Binaries for DLL Sideloading

Beyond the diversity of victims, the campaign’s most salient feature was the attackers’ refined methodology for navigating compromised networks. Seedworm demonstrated exceptional operational discipline, moving with stealth and extracting data without triggering conventional alarms. This approach signals a significant maturation in their tradecraft, moving away from noisier tactics in favor of covert persistence.

The group also updated its arsenal of tools, integrating new delivery mechanisms with established utilities and employing exfiltration routes designed to evade detection. This campaign serves as a stark reminder that state-sponsored espionage actors are continuously evolving their techniques, necessitating constant vigilance from cybersecurity defenders.

A key technique observed was the abuse of legitimate, signed software binaries for DLL sideloading. Attackers deployed pairs of files onto target systems: a trusted, digitally signed executable alongside a malicious Dynamic Link Library (DLL) specifically crafted to be loaded by the legitimate program. One such pair involved fmapp.exe, a legitimate audio-driver utility, which was manipulated to load a malicious file named fmapp.dll. More concerning was the use of sentinelmemoryscanner.exe, a legitimate component of a widely used security product, to sideload a malicious file called sentinelagentcore.dll. By co-opting these trusted, signed binaries, the attackers could mask their malicious activity, bypassing both path-based and signature-based detection mechanisms.

Both malicious DLLs were found to contain ChromElevator, a post-exploitation tool designed to extract sensitive data such as passwords, cookies, and payment card information from Chromium-based browsers. Notably, in every observed instance, the parent process initiating these files was node.exe, indicating that a Node.js script orchestrated the entire sideloading chain, rather than direct human interaction.

Credential Theft, Exfiltration, and Defensive Steps

Upon establishing a foothold within a network, Seedworm rapidly moved to harvest credentials and solidify their access. They implemented registry modifications to ensure their malicious loader chain would persist across user logins. Furthermore, they extracted Windows registry hives containing password hashes, providing them with material for offline cracking and facilitating lateral movement within the network.

The attackers deployed an array of credential-theft tools in quick succession, demonstrating a strategy of redundancy to ensure success even if one method failed detection. One tool presented a deceptive Windows login prompt to capture user passwords, saving them to an unencrypted file. Another tool automated the extraction of Kerberos tickets, bypassing the need for a domain administrator’s password.

For data exfiltration, the group utilized sendit[.]sh, a public file-transfer service, to transfer stolen data out of compromised networks. This tactic of routing data through consumer cloud platforms is a deliberate attempt to blend malicious traffic with legitimate internet activity, making it harder for security teams to identify. Organizations must therefore intensify monitoring for unauthorized use of public file-sharing services and rigorously audit all outbound data transfers from sensitive directories.

What You Should Do

  • Monitor Process Trees: Scrutinize unusual parent-child process relationships, especially involving node.exe launching unexpected binaries or DLLs.
  • Audit DLL Loads: Implement stringent monitoring for unexpected DLL loads initiated by legitimate, signed third-party binaries.
  • Review Registry Run Keys: Regularly audit and review Windows registry run keys and other persistence mechanisms for unauthorized entries.
  • Enhance Endpoint Detection Rules: Keep endpoint detection and response (EDR) rules updated to identify known Seedworm IOCs and behavioral patterns.
  • Implement Multi-Factor Authentication (MFA): Enforce MFA across all accounts, particularly for privileged access, to mitigate the impact of stolen credentials.
  • Network Traffic Analysis: Monitor network traffic for connections to public file-sharing services (e.g., sendit[.]sh) or known attacker-controlled infrastructure, especially for outbound transfers from sensitive systems.
  • PowerShell Script Monitoring: Watch for PowerShell activity downloading content from external staging servers or executing obfuscated scripts.
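The two detection items above (node.exe spawning a co-opted signed binary, and a signed binary loading an unsigned DLL dropped beside it) as an added example, not code from the original article: it evaluates constructed Sysmon-style process-creation (EventID 1) and image-load (EventID 7) records, with the field names, sample paths and the `USER_WRITABLE` directory list being assumptions of this example.

```python
"""Flag the Seedworm-style sideloading chain in constructed Sysmon-like events."""
import ntpath  # parse Windows paths correctly on any host OS

# Constructed sample telemetry (not real logs). EventID 1 = process creation
# (Image, ParentImage); EventID 7 = image load (Image, ImageLoaded, Signed).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\fmapp.exe",
     "ParentImage": r"C:\Program Files\nodejs\node.exe"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\fmapp.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\fmapp.dll", "Signed": "false"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\sentinelmemoryscanner.exe",
     "ParentImage": r"C:\Program Files\nodejs\node.exe"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\sentinelmemoryscanner.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\sentinelagentcore.dll",
     "Signed": "false"},
    # Benign controls: a signed system DLL loaded from System32, and a normal
    # browser launch from explorer.exe. Neither should produce an alert.
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"EventID": 1, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Signed host binaries the article reports as abused (lower-cased file names).
ABUSED_HOSTS = {"fmapp.exe", "sentinelmemoryscanner.exe"}
# Assumed list of user-writable locations a vendor binary would not normally run from.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def _name(path):
    return ntpath.basename(path).lower()


def _user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def find_alerts(events):
    """Return (rule, path) tuples for events matching either sideloading rule."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 1 and _name(ev["ParentImage"]) == "node.exe" and (
                _name(ev["Image"]) in ABUSED_HOSTS or _user_writable(ev["Image"])):
            alerts.append(("node_spawns_suspect_binary", ev["Image"]))
        elif ev["EventID"] == 7 and ev.get("Signed", "").lower() != "true":
            dll = ev["ImageLoaded"]
            # Sideloaded DLLs sit next to their host exe, outside vendor install dirs.
            beside_host = ntpath.dirname(dll).lower() == ntpath.dirname(ev["Image"]).lower()
            if beside_host and _user_writable(dll):
                alerts.append(("unsigned_dll_beside_host", dll))
    return alerts
```

The second rule also fires on any unsigned DLL dropped beside its host in a user-writable directory, so it covers binaries other than the two named here.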
