Seedworm APT Abuses Fortemedia & SentinelOne Signed Binaries
A recent campaign by Iran-linked threat actors reveals a significant evolution in their methods. These adversaries have been subtly infiltrating global networks, demonstrating a level of calculated...
A recent campaign by Iran-linked threat actors reveals a significant evolution in their methods. These adversaries have been subtly infiltrating global networks, demonstrating a level of calculated precision not previously observed.
The group known as Seedworm, also tracked as MuddyWater, spent the first quarter of 2026 targeting at least nine organizations across nine countries on four continents, leaving a trail of stolen data and compromised credentials.
The targets ranged widely, touching industrial and electronics manufacturing firms, educational institutions, government agencies, financial services providers, and even an international airport in the Middle East.
One of the most striking intrusions took place in February 2026, when the group spent a full week inside the network of a major South Korean electronics manufacturer, a region far outside its traditional hunting ground.
Analysts from Symantec’s Threat Hunter Team identified the campaign and linked it to Seedworm, a group widely believed to operate on behalf of Iran’s Ministry of Intelligence and Security.
The researchers noted that every targeted organization likely held information of direct intelligence value to Tehran, whether that was intellectual property, government data, or access to downstream customers.
Abusing Signed Binaries for DLL Sideloading
What stands out is not just the range of victims, but how the attackers moved through their targets. Rather than relying on noisy, easily detected methods, Seedworm showed a level of operational discipline that signals real maturity in its tradecraft. The attackers blended their techniques to stay hidden, move quietly, and extract data without triggering obvious alarms.
The group also updated its tooling, mixing familiar tools with new delivery methods and choosing exfiltration paths that are harder to detect. This campaign is a clear reminder that state-linked espionage actors are constantly refining their approach, and defenders need to stay ahead.
The most striking technique in this campaign was how the attackers turned trusted software against the organizations it was supposed to protect. They dropped pairs of files on targeted systems: one legitimate, signed executable, and one malicious DLL crafted to be secretly loaded by it.
The first pair used fmapp.exe, a legitimate audio-driver utility, to load a malicious file called fmapp.dll. The second pair was more provocative: sentinelmemoryscanner.exe, a legitimate component from a well-known security product, was used to sideload a malicious file called sentinelagentcore.dll. By sheltering behind trusted, signed software, the attackers made their activity look benign at a glance, defeating both path-based and signature-based detection.
Both malicious DLLs carried ChromElevator, a post-exploitation tool capable of stealing passwords, cookies, and payment card data from Chromium-based browsers. In every observed case, the parent process launching these files was node.exe, meaning a Node.js script was driving the entire sideloading chain rather than a human operator at a keyboard.
Credential Theft, Exfiltration, and Defensive Steps
Once inside a network, the attackers wasted no time collecting credentials and locking in their access. They used registry changes to ensure their loader chain would restart every time the affected user logged in. They also dumped Windows registry hives containing password hashes, giving them offline material for cracking and lateral movement.
Multiple credential-theft tools were deployed in rapid succession, showing the attackers wanted redundancy in case any single method was caught. One tool triggered a fake Windows login prompt to harvest a password and saved it to a plaintext file on disk. Another automated Kerberos ticket extraction without ever needing a domain administrator’s password.
For exfiltration, the group used sendit[.]sh, a public file-transfer service, to move stolen files off the network. Routing data through a consumer cloud platform is a deliberate tactic to blend malicious traffic with ordinary internet activity. Organizations should monitor for unexpected use of public file-sharing services and audit all outbound transfers from sensitive directories.
Defenders should also watch for unusual node.exe process trees, unexpected DLL loads from signed third-party binaries, and PowerShell pulling content from external staging servers. Keeping endpoint detection rules current and reviewing registry run keys regularly can reduce the window attackers have to maintain their foothold.
Indicators of Compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| SHA256 | e25892603c42e34bd7ba0d8ea73be600d898cadc290e3417a82c04d6281b743b | fmapp.exe (legitimate sideloading binary) |
| SHA256 | c6182fd01b14d84723e3c9d11bc0e16b34de6607ccb8334fc9bb97c1b44f0cde | fmapp.dll (malicious sideloaded DLL) |
| SHA256 | 128b58a2a2f1df66c474094aacb7e50189025fbf45d7cd8e0834e93a8fbed667 | sentinelmemoryscanner.exe (legitimate sideloading binary) |
| SHA256 | 0c9b911935a3705b0ad569446804d80026feb6db3884aeb240b6c76e9b8cf139 | sentinelagentcore.dll (malicious sideloaded DLL) |
| SHA256 | 74ab3838ebed7054b2254bf7d334c80c8b2cfec4a97d1706723f8ea55f11061f | Privilege escalation tool |
| SHA256 | 3ee7dab4ae4f6d4f16dfabb6f38faef370411a9fc00ff035844e54703b99600a | SAM hive credential extractor |
| SHA256 | bee79c3302b1a7afc0952842d14eff83a604ef00bfdae525176c16c80b2045f7 | SAM hive credential extractor |
| SHA256 | d587959841a763669279ad831b8f0379f6a7b037dffc19deab5d41f37f8b5ffc | Credential harvester |
| SHA256 | b21c802775df0c0d82c8cfde299084abc624898b10258db641b820172a0ba29a | SOCKS5 proxy tool |
| IP Address | 179.43.177[.]220 | Attacker-controlled staging server |
| IP Address | 178.128.233[.]36 | Network IOC |
| IP Address | 172.67.156[.]47 | Network IOC |
| IP Address | 104.21.48[.]205 | Network IOC |
| IP Address | 37.187.78[.]41 | Network IOC |
| IP Address | 34.117.59[.]81 | Network IOC |
| Domain | timetrakr[.]cloud | Attacker-owned staging domain |
| Domain | sendit[.]sh | Public file-transfer service used for exfiltration |
| Domain | svc.wompworthy[.]com | Network IOC |
| URL | http://179.43.177[.]220:8080/nm.ps1 | PowerShell payload download URL |
| URL | http://179.43.177[.]220:8080/a.dat | Encoded payload download URL |
| URL | http://179.43.177[.]220:8080/a.exe | Binary download URL |
| URL | http://ipinfo[.]io/json | Used to identify host’s public IP |
| URL | https://svc.wompworthy[.]com | Network IOC |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
No Comment! Be the first one.