Seedworm APT Exploits Fortemedia, SentinelOne DLL Sideloading
Key Takeaways
- The Iran-linked APT group Seedworm (also known as MuddyWater) conducted a sophisticated campaign in Q1 2026, targeting nine organizations across four continents.
- Attackers leveraged DLL sideloading by abusing legitimate, signed binaries from Fortemedia and SentinelOne to execute malicious payloads, including the ChromElevator tool.
- The campaign focused on intelligence gathering, compromising industrial manufacturing, education, government, financial services, and critical infrastructure sectors.
- Seedworm demonstrated advanced operational security, using automated processes (Node.js scripts), multiple credential theft tools, and public file-sharing services for stealthy exfiltration.
A recent campaign attributed to Seedworm, an advanced persistent threat (APT) group with suspected ties to Iran, reveals a significant escalation in their operational sophistication. Also tracked as MuddyWater, the group executed a series of highly targeted intrusions throughout the first quarter of 2026, compromising at least nine organizations across nine countries spanning four continents. These attacks resulted in the theft of sensitive data and credentials, underscoring a calculated precision previously unobserved from the adversary.
The scope of Seedworm’s targets was notably broad, encompassing entities within industrial and electronics manufacturing, educational institutions, government agencies, financial service providers, and even a major international airport in the Middle East. A particularly striking incident occurred in February 2026, when the group maintained a week-long presence within the network of a prominent South Korean electronics manufacturer—a region typically outside their historical operational focus.
Analysts from Symantec’s Threat Hunter Team identified and detailed the campaign, attributing it to Seedworm, a group widely believed to operate under the direction of Iran’s Ministry of Intelligence and Security. Researchers concluded that each targeted organization likely possessed information of direct intelligence value to Tehran, whether in the form of intellectual property, sensitive government data, or access to downstream customers.
Abusing Signed Binaries for DLL Sideloading
Beyond the diversity of victims, the campaign’s most salient feature was the attackers’ refined methodology for navigating compromised networks. Seedworm demonstrated exceptional operational discipline, moving with stealth and extracting data without triggering conventional alarms. This approach signals a significant maturation in their tradecraft, moving away from noisier tactics in favor of covert persistence.
The group also updated its arsenal of tools, integrating new delivery mechanisms with established utilities and employing exfiltration routes designed to evade detection. This campaign serves as a stark reminder that state-sponsored espionage actors are continuously evolving their techniques, necessitating constant vigilance from cybersecurity defenders.
A key technique observed was the abuse of legitimate, signed software binaries for DLL sideloading. Attackers deployed pairs of files onto target systems: a trusted, digitally signed executable alongside a malicious Dynamic Link Library (DLL) crafted to be loaded by the legitimate program. One such pair involved fmapp.exe, a legitimate Fortemedia audio-driver utility, which was placed beside a malicious file named fmapp.dll. More concerning was the use of sentinelmemoryscanner.exe, a legitimate component of a widely used security product, to sideload a malicious file called sentinelagentcore.dll. The technique works because an Authenticode signature covers only the executable itself, not the libraries it resolves by name at run time: when the program asks for a DLL by file name, Windows searches the application's own directory first, so a malicious DLL dropped alongside the signed binary is loaded into the trusted process. Controls that allow-list by signer or by installed path then see only the legitimate image, and the malicious code runs under its identity.
Both malicious DLLs were found to contain ChromElevator, a post-exploitation tool designed to extract sensitive data such as passwords, cookies, and payment card information from Chromium-based browsers. Notably, in every observed instance, the parent process of the sideloading executables was node.exe, indicating that a Node.js script orchestrated the entire sideloading chain rather than a hands-on-keyboard operator.
Credential Theft, Exfiltration, and Defensive Steps
Upon establishing a foothold within a network, Seedworm rapidly moved to harvest credentials and solidify their access. They implemented registry modifications to ensure their malicious loader chain would persist across user logins. Furthermore, they extracted Windows registry hives containing password hashes, providing them with material for offline cracking and facilitating lateral movement within the network.
The attackers deployed an array of credential-theft tools in quick succession, demonstrating a strategy of redundancy to ensure success even if one method failed detection. One tool presented a deceptive Windows login prompt to capture user passwords, saving them to an unencrypted file. Another tool automated the extraction of Kerberos tickets, bypassing the need for a domain administrator’s password.
For data exfiltration, the group utilized sendit[.]sh, a public file-transfer service, to transfer stolen data out of compromised networks. This tactic of routing data through consumer cloud platforms is a deliberate attempt to blend malicious traffic with legitimate internet activity, making it harder for security teams to identify. Organizations must therefore intensify monitoring for unauthorized use of public file-sharing services and rigorously audit all outbound data transfers from sensitive directories.
What You Should Do
- Monitor Process Trees: Scrutinize unusual parent-child process relationships, especially node.exe launching unexpected binaries or DLLs.
- Audit DLL Loads: Implement stringent monitoring for unexpected DLL loads initiated by legitimate, signed third-party binaries.
- Review Registry Run Keys: Regularly audit and review Windows registry run keys and other persistence mechanisms for unauthorized entries.
- Enhance Endpoint Detection Rules: Keep endpoint detection and response (EDR) rules updated to identify known Seedworm IOCs and behavioral patterns.
- Implement Multi-Factor Authentication (MFA): Enforce MFA across all accounts, particularly for privileged access, to mitigate the impact of stolen credentials.
- Network Traffic Analysis: Monitor network traffic for connections to public file-sharing services (e.g., sendit[.]sh) or known attacker-controlled infrastructure, especially for outbound transfers from sensitive systems.
- PowerShell Script Monitoring: Watch for PowerShell activity downloading content from external staging servers or executing obfuscated scripts.
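The following is an added detection example, not code from the HackersRadar article or from Symantec's report. It turns the process-tree, DLL-load, Run-key and file-sharing checks listed above into a small rule set and runs it over hand-written, Sysmon-style event records that model the fmapp.exe chain described earlier. Field names loosely follow Sysmon (EventID 1 process create, 7 image load, 13 registry value set, 22 DNS query), but the records, the file paths, the Run value name and the file-sharing domains other than sendit.sh are constructed assumptions for illustration.

```python
"""Added example: rule-based detection of the Seedworm sideloading chain over
constructed Sysmon-style events. Not from the article or Symantec's report."""
import os
from typing import Dict, Iterable, List

# Public file-transfer services treated as exfiltration candidates.
# sendit.sh is named in the article; the other two are assumed examples.
FILE_SHARE_DOMAINS = {"sendit.sh", "transfer.sh", "file.io"}

# Script hosts that should rarely be the direct parent of a native binary.
SCRIPT_HOSTS = {"node.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

RUN_KEY_MARKERS = ("\\currentversion\\run", "\\currentversion\\runonce")


def _base(path: str) -> str:
    return os.path.basename(path.replace("\\", "/")).lower()


def _dirname(path: str) -> str:
    return os.path.dirname(path.replace("\\", "/")).lower()


def check_process_create(ev: Dict) -> List[str]:
    """EID 1: a script host such as node.exe launching a native binary."""
    parent, image = _base(ev["ParentImage"]), _base(ev["Image"])
    if parent in SCRIPT_HOSTS and image not in SCRIPT_HOSTS:
        return [f"script host {parent} spawned {image}"]
    return []


def check_image_load(ev: Dict) -> List[str]:
    """EID 7: a signed process loading an unsigned DLL from its own directory.
    That pairing (trusted EXE plus co-located untrusted DLL) is the sideloading
    pattern; loads from System32 are excluded to reduce noise."""
    image, loaded = ev["Image"], ev["ImageLoaded"]
    if not loaded.lower().endswith(".dll"):
        return []
    same_dir = _dirname(image) == _dirname(loaded)
    system_dir = "/windows/system32" in _dirname(loaded)
    if ev.get("ProcessSigned") and not ev.get("DllSigned") and same_dir and not system_dir:
        return [f"signed {_base(image)} sideloaded unsigned {_base(loaded)}"]
    return []


def check_registry_set(ev: Dict) -> List[str]:
    """EID 13: a Run/RunOnce value written by something other than an installer."""
    target = ev["TargetObject"]
    if any(m in target.lower() for m in RUN_KEY_MARKERS):
        if _base(ev["Image"]) not in {"msiexec.exe", "explorer.exe"}:
            value_name = target.split("\\")[-1]
            return [f"{_base(ev['Image'])} wrote Run key value {value_name} -> {ev['Details']}"]
    return []


def check_dns(ev: Dict) -> List[str]:
    """EID 22: DNS lookup of a public file-transfer service."""
    name = ev["QueryName"].lower().rstrip(".")
    if name in FILE_SHARE_DOMAINS or any(name.endswith("." + d) for d in FILE_SHARE_DOMAINS):
        return [f"{_base(ev['Image'])} resolved file-sharing host {name}"]
    return []


HANDLERS = {1: check_process_create, 7: check_image_load, 13: check_registry_set, 22: check_dns}


def scan(events: Iterable[Dict]) -> List[str]:
    """Dispatch each event to the handler for its EventID; return alert strings in order."""
    alerts: List[str] = []
    for ev in events:
        handler = HANDLERS.get(ev["EventID"])
        if handler:
            alerts.extend(handler(ev))
    return alerts


# Constructed sample chain: paths, SID and the Run value name are assumptions.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\tools\node\node.exe", "Image": r"C:\Users\Public\fm\fmapp.exe"},
    {"EventID": 7, "Image": r"C:\Users\Public\fm\fmapp.exe", "ImageLoaded": r"C:\Users\Public\fm\fmapp.dll",
     "ProcessSigned": True, "DllSigned": False},
    {"EventID": 7, "Image": r"C:\Users\Public\fm\fmapp.exe", "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "ProcessSigned": True, "DllSigned": True},
    {"EventID": 13, "Image": r"C:\tools\node\node.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\fmapp",
     "Details": r"C:\Users\Public\fm\fmapp.exe"},
    {"EventID": 22, "Image": r"C:\Windows\System32\curl.exe", "QueryName": "sendit.sh"},
    # Benign control: the same utility launched from Explorer in its vendor directory.
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Program Files\Fortemedia\fmapp.exe"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Run stand-alone, the sample produces four alerts (node.exe spawning fmapp.exe, the unsigned fmapp.dll load, the Run value write, and the sendit.sh lookup) and stays silent on the benign Explorer launch and the kernel32.dll load. The image-load rule is the one worth tuning in production: the same-directory and signature conditions keep it quiet on normal software, but legitimate unsigned plug-ins shipped by a vendor will trip it and need an explicit allow-list entry.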
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.