

The Iran-linked hacking group MuddyWater (a.k.a. Seedworm, Static Kitten) launched a large cyber-espionage campaign targeting at least 9 high-profile organizations across several sectors and countries.
Among the victims are a major South Korean electronics manufacturer, government agencies, an international airport in the Middle East, industrial manufacturers in Asia, and academic institutions.
Researchers at Symantec report that the threat actor “spent a week inside the network of a major South Korean electronics manufacturer in February 2026.”
Symantec’s Threat Hunter Team believes the attack was intelligence-driven, focused on industrial and intellectual property theft, government espionage, and access to downstream customer or company networks.
Seedworm’s campaign relied heavily on DLL sideloading, a common technique in which a legitimate, signed program loads malicious DLLs.
Two of the binaries leveraged in the attack are ‘fmapp.exe,’ a legitimate Foremedia audio utility, and ‘sentinelmemoryscanner.exe,’ a legitimate SentinelOne component.
The malicious DLLs (fmapp.dll and sentinelagentcore.dll) contained ChromElevator, a commodity post-exploitation tool that steals data stored in Chrome-based browsers.
Symantec also found that PowerShell, used in previous Seedworm attacks, was still heavily used in the new incidents, although the payloads were now handled through Node.js loaders rather than directly.
PowerShell was used to capture screenshots, conduct reconnaissance, fetch additional payloads, establish persistence, steal credentials, and set up SOCKS5 tunnels.
According to Symantec’s observations, the attack on the South Korean electronics manufacturer lasted from February 20 to 27. The researchers did not disclose the name of the targeted organization.
In the first stage, Seedworm performed host and domain reconnaissance, followed by antivirus enumeration via WMI, screenshot capture, and the download of additional malware.
Credential theft occurred via fake Windows prompts, registry hive theft (SAM/SECURITY/SYSTEM), and Kerberos ticket abuse tools.
Persistence was established through registry modifications, beaconing occurred at 90-second intervals, and sideloaded binaries were regularly relaunched to maintain access.
“The cadence is again consistent with implant-driven activity rather than continuous operator presence,” the researchers said.
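The fixed 90-second cadence described above is a detection opportunity in its own right. The following is an added example, not code from the article or from Symantec: it groups outbound connections from constructed sample proxy log lines by source and destination and flags pairs whose inter-connection gaps are regular enough to look timer-driven rather than human. The log format, host names and addresses are assumptions.

```python
"""Beacon-cadence check over connection logs.

Hosts that contact one destination at a near-fixed interval (here the ~90 s
cadence Symantec observed) look implant-driven; human browsing is bursty."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log lines: "<ISO timestamp> <src host> <dst address>".
# ws-17 beacons every ~90 s with small jitter; ws-22 is irregular user traffic.
SAMPLE_LOG = """\
2026-02-21T09:00:00 ws-17 203.0.113.10
2026-02-21T09:01:30 ws-17 203.0.113.10
2026-02-21T09:03:00 ws-17 203.0.113.10
2026-02-21T09:04:31 ws-17 203.0.113.10
2026-02-21T09:06:00 ws-17 203.0.113.10
2026-02-21T09:07:29 ws-17 203.0.113.10
2026-02-21T09:00:05 ws-22 198.51.100.7
2026-02-21T09:00:09 ws-22 198.51.100.7
2026-02-21T09:02:40 ws-22 198.51.100.7
2026-02-21T09:11:13 ws-22 198.51.100.7
2026-02-21T09:11:20 ws-22 198.51.100.7
2026-02-21T09:31:02 ws-22 198.51.100.7
"""

def parse_log(text):
    """Group connection timestamps by (src, dst) pair."""
    series = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        series[(src, dst)].append(datetime.fromisoformat(ts))
    return series

def cadence_stats(times):
    """Return (median gap in seconds, jitter ratio) for one connection series.
    Jitter is the median absolute deviation of the gaps divided by the median gap,
    so a perfectly periodic beacon scores 0 and random traffic scores near 1."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    med = median(gaps)
    jitter = median(abs(g - med) for g in gaps) / med if med else float("inf")
    return med, jitter

def find_beacons(text, min_events=5, max_jitter=0.1):
    """Flag (src, dst) pairs with enough events and low enough jitter to look periodic."""
    hits = []
    for pair, times in parse_log(text).items():
        if len(times) < min_events:
            continue
        med, jitter = cadence_stats(times)
        if jitter <= max_jitter:
            hits.append((pair, round(med), jitter))
    return hits

if __name__ == "__main__":
    for (src, dst), period, jitter in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: ~{period}s period, jitter {jitter:.2f}")
```

Tune `min_events` and `max_jitter` against your own baseline; real implants add deliberate jitter, so compare against the per-pair distribution rather than a single threshold.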
The attackers leveraged sendit.sh, a public file-sharing service, for data exfiltration, likely to obscure the malicious activity and make it appear as normal traffic.
Overall, Symantec found the latest Seedworm campaign notable for the threat actor’s geographic expansion, operational maturity, and abuse of legitimate tools and services, which mark a shift toward quieter attacks.
