Iran-linked threat actor abused signed Fortemedia and SentinelOne binaries for DLL sideloading and exfiltrated data through a public file-transfer service.
Analysis Summary
# Threat Actor: Seedworm
## Attribution & Identity
**Seedworm** is an Iran-linked espionage group widely believed to be affiliated with the **Iranian Ministry of Intelligence and Security (MOIS)**.
**Known Aliases:**
* MuddyWater
* Temp Zagros
* Static Kitten
## Activity Summary
In the first quarter of 2026, Seedworm conducted a global espionage campaign affecting at least nine organizations across four continents. The report's primary case study is a week-long intrusion at a major South Korean electronics manufacturer in February 2026. The activity reflects a change in the group's operational hygiene: quieter, more disciplined execution (scripts driven from legitimate runtimes rather than invoked directly) and exfiltration that blends into traffic to a shared public service.
## Tactics, Techniques & Procedures
* **DLL Sideloading (T1574.002):** The actor abused legitimately signed third-party binaries to load malicious DLLs:
* `fmapp.exe` (Fortemedia) was used to load malicious `fmapp.dll`.
* `sentinelmemoryscanner.exe` (SentinelOne) was used to load malicious `sentinelagentcore.dll`.
* **Command and Scripting Interpreter (T1059):** Extensive use of PowerShell for reconnaissance and local operations, with the scripts launched and orchestrated from a Node.js (`node.exe`) or Deno runtime rather than run directly from a user shell.
* **Credential Harvesting (T1056.002, T1003.002, T1555.003):**
* Calling `CredUIPromptForWindowsCredentialsW` to display a Windows credential prompt under a pretext. The dialog itself is the genuine OS prompt, which is why it looks authentic; what is fake is the reason for it, and the username and password the user types are returned to the actor's code.
* Theft of the SAM registry hive and of Chromium-based browser data (saved passwords, cookies, payment cards).
* **Steal or Forge Kerberos Tickets (T1558):** Automated extraction of the current user's TGT by abusing GSS-API delegation: the tooling requests a service ticket with the delegation flag set and recovers the forwarded TGT from the resulting KRB-CRED in its own process memory, so no administrative rights or LSASS access are needed (the approach popularised by the Kekeo/Rubeus `tgtdeleg` tooling). The page labels this T1068; it is ticket theft rather than exploitation of a privilege-escalation vulnerability.
* **Proxy (T1090):** SOCKS5 reverse-proxy tooling that tunnels the actor's traffic through compromised hosts for lateral movement and persistent access.
* **Exfiltration Over Web Service (T1567):** Staging data locally and uploading it to the public file-transfer service `sendit[.]sh`, so the transfer looks like ordinary HTTPS to a shared service rather than a connection to actor-owned infrastructure.
## Targeting
* **Sectors:** Industrial and electronics manufacturing, education, public-sector/government agencies, financial services, professional services, and transportation (international airport).
* **Geography:** Global (spanning nine countries across four continents), including South Korea, the Middle East, Southeast Asia, and Latin America.
* **Victims:** Major South Korean electronics manufacturer, Middle Eastern government agency, international airport in the Middle East.
## Tools & Infrastructure
* **Malware/Tools:**
* **ChromElevator:** Post-exploitation tool for Chromium browser data theft.
* **Node.js/Deno:** Runtimes used for executing loaders and PowerShell orchestration.
* **SOCKS5 Proxy Tool:** For tunneling.
* **Infrastructure (Defanged):** Note the fidelity of each indicator before blocking on it. Two of the addresses sit in Cloudflare anycast ranges and one in a Google Cloud range, so they identify a CDN or cloud edge rather than the actor's own server, and two of the "domains" are shared public services; hits on those should be triaged, not blocked outright.
* **C2/Staging IPs:**
* 179.43.177[.]220 (payload host, see URLs below)
* 178.128.233[.]36
* 172.67.156[.]47 (Cloudflare range; low-fidelity as a block indicator)
* 104.21.48[.]205 (Cloudflare range; low-fidelity as a block indicator)
* 37.187.78[.]41
* 34.117.59[.]81 (Google Cloud range; low-fidelity as a block indicator)
* **Domains:**
* timetrakr[.]cloud
* sendit[.]sh (exfiltration; shared public file-transfer service)
* svc.wompworthy[.]com
* ipinfo[.]io/json (reconnaissance; public IP-geolocation service, a URL path rather than an actor domain)
* **Payload URLs:**
* http://179.43.177[.]220:8080/nm.ps1
* http://179.43.177[.]220:8080/a.dat
* http://179.43.177[.]220:8080/a.exe
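The indicators above are listed defanged and mix actor-controlled hosts with CDN edges and shared public services. The following added example (not code from the report or from any vendor) refangs the list, classifies each indicator, and matches it against a few constructed log lines, tagging hits on `sendit[.]sh`, `ipinfo[.]io` and the Cloudflare ranges as low-confidence so that an analyst triages them instead of blocking. The Cloudflare prefixes are the published anycast ranges; the log lines, hostnames and internal addresses are constructed for the example.

```python
"""Refang the report's indicators and match them against constructed log
lines, carrying a confidence tier so shared-service and CDN hits are
triaged rather than blocked. Added example, not code from the report."""
import ipaddress
import re

# Indicators exactly as listed on the page, still defanged.
RAW_IOCS = [
    "179.43.177[.]220", "178.128.233[.]36", "172.67.156[.]47",
    "104.21.48[.]205", "37.187.78[.]41", "34.117.59[.]81",
    "timetrakr[.]cloud", "sendit[.]sh", "svc.wompworthy[.]com",
    "ipinfo[.]io/json",
    "http://179.43.177[.]220:8080/nm.ps1",
    "http://179.43.177[.]220:8080/a.dat",
    "http://179.43.177[.]220:8080/a.exe",
]

# Shared public services the report says the actor used: a hit means
# "look at this session", not "this host talks to actor infrastructure".
PUBLIC_SERVICES = {"sendit.sh", "ipinfo.io"}
# Cloudflare anycast ranges: a hit identifies the CDN edge, not the origin.
CDN_RANGES = [ipaddress.ip_network("104.16.0.0/13"),
              ipaddress.ip_network("172.64.0.0/13")]


def refang(ioc):
    """Undo the [.] and hxxp defanging conventions used in intel write-ups."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def classify(ioc):
    """Return (kind, value, confidence) for one refanged indicator."""
    if "://" in ioc:
        return ("url", ioc, "high")
    try:
        ip = ipaddress.ip_address(ioc)
    except ValueError:
        host = ioc.split("/", 1)[0].lower()  # drop a path such as /json
        conf = "low" if host in PUBLIC_SERVICES else "high"
        return ("domain", host, conf)
    conf = "low" if any(ip in net for net in CDN_RANGES) else "high"
    return ("ip", str(ip), conf)


IOCS = [classify(refang(x)) for x in RAW_IOCS]


def match_line(line):
    """All indicators present in one log line. IPs and domains are anchored
    so that 10.179.43.177.220 or myipinfo.io do not produce false hits."""
    hits = []
    for kind, value, conf in IOCS:
        if kind == "url":
            found = value in line
        elif kind == "ip":
            found = re.search(r"(?<![\d.])" + re.escape(value) + r"(?![\d.])", line)
        else:
            found = re.search(r"(?<![\w.-])" + re.escape(value) + r"(?![\w-])", line)
        if found:
            hits.append((kind, value, conf))
    return hits


def scan(lines):
    """Return [(line_index, hits, action)] for every line with a hit;
    action is 'block' only when at least one high-confidence indicator hit."""
    out = []
    for i, line in enumerate(lines):
        hits = match_line(line)
        if hits:
            action = "block" if any(c == "high" for _, _, c in hits) else "investigate"
            out.append((i, hits, action))
    return out


# Constructed sample lines for the example; not telemetry from the incident.
SAMPLE_LOGS = [
    "2026-02-11T09:14:02Z proxy host1 GET http://179.43.177.220:8080/nm.ps1 200 4121",
    "2026-02-11T09:20:44Z dns host1 query svc.wompworthy.com type A",
    "2026-02-11T10:02:19Z proxy host1 POST https://sendit.sh/upload 200 1048576",
    "2026-02-11T10:03:00Z proxy host2 GET https://ipinfo.io/json 200 310",
    "2026-02-11T10:04:37Z fw host2 allow tcp 10.0.0.12:51234 -> 172.67.156.47:443",
    "2026-02-11T10:05:13Z proxy host3 GET https://example.org/ 200 512",
]

if __name__ == "__main__":
    for i, hits, action in scan(SAMPLE_LOGS):
        print(f"line {i}: {action}: {hits}")
```

The split between `block` and `investigate` is the point: the payload URL and the actor's own domain are safe to block, while an upload to `sendit.sh` or a connection into a Cloudflare prefix needs the surrounding session (size, timing, originating process) before anyone acts on it.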
## Implications
Seedworm is showing increased discipline by moving away from "noisy" direct PowerShell invocation toward script orchestration through legitimate runtimes such as Node.js and Deno, which many process-creation rules do not treat as suspicious parents. Sideloading into a signed SentinelOne binary has a concrete operational payoff beyond symbolism: the malicious DLL executes inside a process whose image is signed by a security vendor, which application allow-lists and triaging analysts are both inclined to treat as benign, slowing detection and incident response. The campaign indicates that the group remains a high-tier threat focused on intellectual property theft and geopolitical intelligence gathering.
## Mitigations
* **DLL Sideloading Protection:** Alert on, or block, execution of the abused binaries (`fmapp.exe`, `sentinelmemoryscanner.exe`, and similar signed loaders) from anywhere other than their vendor install directories, particularly `%PROGRAMDATA%`, `%TEMP%` and user-writable paths; where image-load telemetry is available, also flag these processes loading an unsigned DLL of the expected name from the same non-standard directory.
* **Runtime Monitoring:** Monitor `node.exe` and `deno.exe` for child process creation, especially when the child is `powershell.exe`, `pwsh.exe` or `cmd.exe`, and baseline where those runtimes legitimately run in your estate so the rule can be scoped.
* **Credential Guard and delegation hardening:** Enable Windows Defender Credential Guard; it disables unconstrained delegation on the host, which is what the GSS-API TGT extraction relies on. Add high-value accounts to the Protected Users group, whose tickets cannot be delegated, and remove unconstrained delegation from any server that does not strictly need it.
* **Egress Filtering:** Restrict access to public file-sharing services (e.g. `sendit[.]sh`) from servers and sensitive segments unless explicitly required for business, and log large uploads to such services even where they are allowed.
* **User Training:** Teach employees that an unexpected Windows credential prompt is suspicious even when it looks genuine; the `CredUIPromptForWindowsCredentialsW` dialog is the real OS prompt, so the cue is context (no action of theirs should have required a logon), not visual imperfection.