OTSecurity

Symantec uncovers Iran-linked Seedworm espionage campaign targeting airport, government, manufacturing sectors


Symantec researchers disclosed that Iran-linked threat actor Seedworm breached a major South Korean electronics manufacturer in February 2026 as part of a broader espionage campaign that targeted at least nine organizations across four continents during the first quarter of the year. The campaign affected organizations across industrial and electronics manufacturing, education, financial services, professional services, and the public sector. Victims included government agencies and an international airport in the Middle East, industrial manufacturers in Southeast Asia, a financial services provider in Latin America, and educational institutions in multiple countries.

The attackers relied extensively on DLL sideloading techniques, abusing legitimately signed Fortemedia and SentinelOne binaries, including fmapp[dot]exe and sentinelmemoryscanner[dot]exe, to load malicious DLLs while disguising their activity as legitimate software operations. Researchers also observed a node[dot]exe-based implant chain that deployed PowerShell scripts for reconnaissance, screenshot capture, Security Account Manager (SAM) hive theft, privilege escalation, and SOCKS5 reverse-proxy tunneling.

The attackers reportedly remained inside the South Korean manufacturer’s network for nearly a week before detection, using public file-transfer services to exfiltrate stolen data.

“The attacks were carried out by the espionage group Seedworm (aka MuddyWater, Temp Zagros, Static Kitten), which is widely believed to be linked to the Iranian Ministry of Intelligence and Security (MOIS),” according to a Tuesday post by the Symantec and Carbon Black Threat Hunter team. “The common thread in the campaign is that every targeted organization may hold material that would be of intelligence value to Tehran, from intellectual property on high-tech manufacturing, research, intelligence on rival governments, or downstream access to customers of services companies.” 

The research detailed that the toolkit used in the campaign aligns with known Seedworm tradecraft and includes several tools previously linked to the Iran-associated threat group. The attackers repeatedly deployed paired files consisting of a legitimate, validly signed third-party executable alongside a malicious DLL designed for sideloading. One technique abused fmapp[dot]exe, a legitimate audio-driver utility developed by Fortemedia, to load a malicious fmapp[dot]dll. The same fmapp[dot]exe and fmapp[dot]dll combination has been documented in earlier Seedworm activity by Group-IB.

The second technique involved sentinelmemoryscanner[dot]exe, a legitimate signed component of the SentinelOne endpoint security platform, which was used to sideload a malicious DLL named sentinelagentcore[dot]dll. Researchers said the use of a trusted security-product binary was likely intended to evade signature- or path-based detection mechanisms while also complicating incident triage.

Both malicious DLLs contained ChromElevator, a publicly available post-exploitation tool capable of covertly stealing and exfiltrating sensitive data, including passwords, browser cookies, and payment card information from Chromium-based browsers. In both intrusion chains, the parent process during execution was node[dot]exe, indicating that the DLL sideloading activity was likely orchestrated through a Node[dot]js script rather than direct user interaction.
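As an added illustration (not code from the Symantec report), the following Python hunt runs over constructed Sysmon-style process-creation and image-load events for the two sideloading pairs described above, flagging a host binary spawned by node.exe or a companion DLL that is unsigned or staged in a user-writable directory; the sample file paths and the USER_WRITABLE_PREFIXES list are assumptions.

```python
# Host binary -> companion DLL it was abused to sideload (both pairs from the report).
SIDELOAD_PAIRS = {
    "fmapp.exe": "fmapp.dll",
    "sentinelmemoryscanner.exe": "sentinelagentcore.dll",
}
# Parent process observed in both intrusion chains.
SUSPICIOUS_PARENTS = {"node.exe"}
# A vendor-installed driver utility or EDR component would not normally run from here
# (assumed list; extend per environment).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return (reason, image, related) tuples for events matching the pattern.

    Events are dicts: type 'process_create' carries image/parent_image,
    type 'image_load' carries image/loaded/signed (as Sysmon EID 1 and 7 would).
    """
    findings = []
    for ev in events:
        host = basename(ev["image"])
        if host not in SIDELOAD_PAIRS:
            continue
        if ev["type"] == "process_create":
            if basename(ev["parent_image"]) in SUSPICIOUS_PARENTS:
                findings.append(("sideload host spawned by node.exe", ev["image"], ev["parent_image"]))
        elif ev["type"] == "image_load" and basename(ev["loaded"]) == SIDELOAD_PAIRS[host]:
            # The genuine companion DLL is signed and sits beside a vendor install;
            # the sideloaded copy is unsigned and/or staged in a user-writable path.
            if not ev.get("signed", False) or ev["loaded"].lower().startswith(USER_WRITABLE_PREFIXES):
                findings.append(("unsigned/relocated companion DLL loaded", ev["image"], ev["loaded"]))
    return findings


# Constructed sample telemetry; paths are placeholders, not indicators from the report.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Users\Public\Music\fmapp.exe",
     "parent_image": r"C:\Program Files\nodejs\node.exe"},
    {"type": "image_load", "image": r"C:\Users\Public\Music\fmapp.exe",
     "loaded": r"C:\Users\Public\Music\fmapp.dll", "signed": False},
    {"type": "image_load", "image": r"C:\Program Files\Vendor\sentinelmemoryscanner.exe",
     "loaded": r"C:\Program Files\Vendor\sentinelagentcore.dll", "signed": True},
    {"type": "process_create", "image": r"C:\Program Files\Vendor\fmapp.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]
```

Only the node.exe-spawned copy and its unsigned companion DLL are flagged; the signed pair under a vendor directory and the explorer.exe-launched utility pass as benign.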

Symantec highlighted that rather than building bespoke exfiltration channels, the attackers, in at least one intrusion, staged stolen data through sendit[dot]sh, a public file-transfer service. “While the service advertises itself as a legitimate file-sharing service, VirusTotal records show it has been associated with malicious activity, and its use in an Iranian state-sponsored intrusion underlines a continuing trend of state-aligned actors blending operational traffic with consumer cloud services to evade network-based detection.”

The post mentioned that a major electronics manufacturer was compromised in an attack beginning February 20, 2026, where the initial infection vector remains unknown. The attackers used a Node[dot]js runtime already present on the host to drive automated reconnaissance, enumerating users, domain groups, and antivirus products within minutes. They then downloaded additional payloads via PowerShell and curl, established persistence through a registry Run key, and deployed two DLL sideloading pairs, abusing legitimate signed binaries from Fortemedia and SentinelOne, to run a SOCKS5 proxy and ChromElevator malware. 

Credential theft was aggressive and redundant, combining SAM hive extraction with multiple stealer components, one of which matches a tool previously attributed to Seedworm in February 2026 reporting.  

Between Feb. 20 and Feb. 22, the host showed periodic beaconing at roughly 90-second intervals consistent with implant activity rather than hands-on operation. On Feb. 22, the attackers returned for deeper domain reconnaissance and ultimately exfiltrated data through the public file-transfer service sendit[dot]sh, deliberately blending their traffic with legitimate-looking outbound connections.
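The roughly 90-second cadence is a detection opportunity in its own right. Below is an added example, not from the report, that groups constructed outbound-connection records by destination and flags those whose inter-connection gaps are tightly periodic; the thresholds and the TEST-NET addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def beacon_candidates(conns, min_events=6, max_cv=0.15):
    """Group (timestamp, destination) records by destination and return
    {destination: (mean_gap_seconds, coefficient_of_variation)} for those whose
    connection gaps are tightly periodic, i.e. implant-like rather than hands-on.
    min_events and max_cv are assumed thresholds to be tuned per environment."""
    by_dest = defaultdict(list)
    for ts, dst in conns:
        by_dest[dst].append(ts)
    out = {}
    for dst, times in by_dest.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        m = mean(gaps)
        cv = pstdev(gaps) / m if m > 0 else float("inf")  # low cv = steady cadence
        if cv <= max_cv:
            out[dst] = (round(m, 1), round(cv, 3))
    return out


def constructed_sample():
    """Constructed firewall-style records: one destination contacted every ~90 s
    with a little jitter, one contacted at irregular, human-looking times."""
    start = datetime(2026, 2, 21, 3, 0, 0)
    implant = [(start + timedelta(seconds=90 * i + (i % 3) - 1), "198.51.100.7:443")
               for i in range(10)]
    human = [(start + timedelta(seconds=s), "203.0.113.9:443")
             for s in (0, 17, 240, 241, 900, 1300, 1302, 2600)]
    return implant + human
```

On real proxy or firewall logs the same function can be run per source host so that a single beaconing endpoint stands out against the rest of the host's traffic.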

The post added, “On February 23 and February 24, activity on the host largely consisted of repeated short PowerShell reconnaissance commands, periodic checks of the host’s public IP address, and occasional re-executions of fmapp[dot]exe and sentinelmemoryscanner[dot]exe, almost certainly to maintain a live SOCKS5 tunnel and to keep the sideloaded DLLs resident in memory. The cadence is again consistent with implant-driven activity rather than continuous operator presence.”

Symantec identified that there was then a gap of approximately 36 hours during which no malicious activity was observed on the infected host. “Activity resumed on February 26 with a final round of credential dumping, a re-staging of fresh tooling under a newly created random-named directory, and a short window during which the attackers re-ran net group and net localgroup commands against a different set of group names, possibly searching for a path into a more privileged domain group than they had previously identified. The last activity occurred on February 27, when the sideloaded fmapp[dot]exe was re-launched.”

The post identified that the geographic spread is unusual for Seedworm, whose operations have traditionally focused on the Middle East and South Asia. Recent activity, including previously reported targeting of U.S. organizations, suggests the group has expanded both its operational reach and intelligence priorities. The targeting of a major South Korean electronics manufacturer and industrial firms in Southeast Asia points to a broader strategic focus from Tehran.

The intrusions also coincided with ongoing tensions surrounding Iran’s nuclear program and wider regional conflicts. While espionage groups do not typically align operations with the news cycle, the scale and diversity of activity observed in early 2026 are consistent with an intelligence operation under heightened pressure to deliver results.

Recognizing that Seedworm’s tradecraft has matured, the researchers added that while it has long been seen as a competent, if not always sophisticated, threat actor, its campaign history shows a clear move towards quieter, more disciplined operations: orchestration through Node[dot]js rather than raw PowerShell; DLL sideloading using legitimate, signed third-party binaries (including, pointedly, a SentinelOne component); exfiltration through public consumer services; and redundant credential-theft tooling deployed in case any single binary is blocked.

The report noted that while none of the techniques are individually novel, their combined use reflects a significant improvement in operational discipline compared with the Seedworm activity observed two or three years ago.

In March, Symantec researchers uncovered Seedworm intrusions across multiple U.S. organizations, with activity traced back to early February 2026 and continuing into recent days. Targets span a U.S. bank, an airport, NGOs in the U.S. and Canada, and the Israeli operations of a U.S. defense and aerospace software supplier.