Iran-Linked Hackers Push Stealthy Cyber-Espionage

MuddyWater’s Seedworm campaign used DLL sideloading, Chrome data theft, and stealthy persistence to hit major organizations, including a South Korean electronics firm.
A wave of quiet, intelligence-driven cyber-espionage activity has been linked to Iran-linked hackers, with victims spanning countries and industries, including a major South Korean electronics manufacturer.
The Iran-linked hacking group MuddyWater, also known under aliases including Seedworm and Static Kitten, launched a broad campaign targeting at least nine high-profile organizations across multiple sectors and regions. The reported targets include a large South Korean electronics manufacturer, government agencies, an international airport in the Middle East, industrial manufacturers across Asia, and educational institutions.
In the latest findings, Symantec researchers said the threat actor “spent a week inside the network of a major South Korean electronics manufacturer” during February 2026, though the organization’s name was not disclosed. Symantec’s Threat Hunter Team assessed that the intrusion was aimed at intelligence collection—particularly industrial and intellectual property theft—alongside government espionage and attempts to reach downstream customers or corporate networks.
What stands out in the campaign is the methodical use of legitimate software to mask malicious behavior. Seedworm’s approach leaned heavily on DLL sideloading, a technique in which trusted, signed applications are made to load malicious dynamic-link libraries. Two examples highlighted by Symantec are ‘fmapp.exe’, described as a legitimate Foremedia audio utility, and ‘sentinelmemoryscanner.exe’, described as a legitimate SentinelOne component.
Those binaries were paired with malicious DLLs—specifically fmapp.dll and sentinelagentcore.dll—that carried a post-exploitation capability known as ChromElevator. Symantec said ChromElevator targets data stored in Chrome-based browsers, pointing to a focus on harvesting sensitive information from end-user environments rather than limiting activity to network-level access.
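As an added illustration that is not drawn from Symantec's report, the following Python routine shows one way a defender could screen Sysmon Event ID 7 (image load) records for the sideloading pattern described above: a process loading a DLL from its own non-standard directory when that DLL is unsigned or its signature does not verify. The event records, directories and signature values are constructed for the example; only the executable and DLL file names come from the article.

```python
import ntpath

# Install locations where a same-directory DLL load is routine; for this demo
# everything else is treated as a user- or attacker-writable location.
TRUSTED_DIR_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed Sysmon Event ID 7 (Image loaded) records. The exe/DLL file names
# are the pairs named in the article; directories and signature values are
# assumptions made up for this example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Roaming\audio\fmapp.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\audio\fmapp.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\ProgramData\scan\sentinelmemoryscanner.exe",
     "ImageLoaded": r"C:\ProgramData\scan\sentinelagentcore.dll",
     "Signed": "true", "SignatureStatus": "Errors"},
    # benign: vendor app under Program Files loading its own validly signed DLL
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # benign: the same user-directory exe loading a system DLL from System32
    {"Image": r"C:\Users\alice\AppData\Roaming\audio\fmapp.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

def _norm_dir(path):
    """Lower-cased directory with one trailing backslash (Windows paths are case-insensitive)."""
    return ntpath.dirname(path).lower().rstrip("\\") + "\\"

def is_sideload_candidate(event):
    """True when the DLL sits in the loading process's own directory, that
    directory is not a trusted install location, and the DLL is unsigned or
    its signature did not verify."""
    exe_dir, dll_dir = _norm_dir(event["Image"]), _norm_dir(event["ImageLoaded"])
    if exe_dir != dll_dir or exe_dir.startswith(TRUSTED_DIR_PREFIXES):
        return False
    unsigned = event.get("Signed", "false").lower() != "true"
    not_verified = event.get("SignatureStatus", "") != "Valid"
    return unsigned or not_verified

def find_sideload_candidates(events):
    """Return (process name, DLL name) pairs that deserve analyst review."""
    return [(ntpath.basename(e["Image"]).lower(), ntpath.basename(e["ImageLoaded"]).lower())
            for e in events if is_sideload_candidate(e)]

if __name__ == "__main__":
    for exe, dll in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"review: {exe} loaded sibling DLL {dll}")
```

A hit only says the pairing is worth a look; confirming the host executable's own signature and the DLL's hash against the vendor's release is the analyst's next step.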
PowerShell also remained a key tool in the chain, continuing patterns seen in earlier Seedworm activity. Researchers noted that while PowerShell was heavily used in the recent incidents, payload delivery relied on Node.js loaders rather than PowerShell executing the payloads directly as before, suggesting a layered workflow designed to complicate detection and analysis.
In Symantec’s description, PowerShell wasn’t limited to simple command execution. It was used to capture screenshots, run reconnaissance, retrieve additional payloads, establish persistence, steal credentials, and set up SOCKS5 tunnels. Together, these functions reflect a campaign built to support both visibility into the environment and practical pathways for continued access.
The intrusion against the South Korean electronics manufacturer, based on Symantec observations, ran from February 20 to February 27. Symantec said the activity began with host and domain reconnaissance, then moved through antivirus enumeration using WMI, screenshot capture, and the download of additional malware.
Credential theft mechanisms were described as multi-pronged. Seedworm used fake Windows prompts, stole registry hives including SAM, SECURITY and SYSTEM, and carried out Kerberos ticket abuse using dedicated tooling. This combination indicates an effort to overcome the limits of any single credential-access method, widening the set of accounts and privileges available once internal visibility improved.
Persistence was established through registry modifications, while beaconing occurred on a 90-second interval. Symantec also said the sideloaded binaries were repeatedly relaunched to maintain access, and that the timing and structure of the behavior were consistent with implant-driven activity rather than continuous operator presence.
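The fixed 90-second beacon interval is a detection opportunity in its own right. The following Python code, added here and not part of Symantec's report, groups outbound connection records by host and destination and flags pairs whose inter-connection gaps are numerous and nearly constant; the connection records, host names and addresses are constructed sample data.

```python
from collections import defaultdict
from statistics import mean, median, pstdev

def beacon_candidates(connections, min_connections=8, max_jitter=0.15):
    """connections: iterable of (host, destination, epoch_seconds).
    Returns {(host, destination): median_gap_seconds} for pairs that connected
    at least min_connections times with a near-constant gap. Jitter is the
    coefficient of variation of the gaps (stdev / mean); ~0 means a fixed timer."""
    by_pair = defaultdict(list)
    for host, dest, ts in connections:
        by_pair[(host, dest)].append(ts)
    findings = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_jitter:
            findings[pair] = median(gaps)
    return findings

# Constructed sample proxy/firewall records: (host, destination IP, timestamp).
# Addresses are documentation-range placeholders, not indicators from the report.
BASE = 1_700_000_000
SAMPLE_CONNECTIONS = (
    # implant-like: roughly every 90 s, with a second or two of jitter
    [("WS-01", "198.51.100.7", BASE + i * 90 + (i % 3) - 1) for i in range(20)]
    # human-like browsing to another destination: irregular gaps
    + [("WS-02", "203.0.113.10", BASE + t)
       for t in (0, 5, 305, 317, 364, 964, 967, 1087, 1127, 2027, 2042)]
    # too few connections to judge
    + [("WS-03", "198.51.100.7", BASE + t) for t in (0, 90, 180)]
)

if __name__ == "__main__":
    for (host, dest), gap in beacon_candidates(SAMPLE_CONNECTIONS).items():
        print(f"review: {host} -> {dest} beacons about every {gap:.0f} s")
```

Legitimate software also polls on timers, so the output is a triage list to be joined against process, destination reputation and the sideloading findings above rather than an alert on its own.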
To further reduce the appearance of abnormal behavior, the attackers leveraged sendit.sh, described as a public file-sharing service, for exfiltration. Symantec indicated that the choice of such a service likely helped obscure data movement and make the activity resemble ordinary traffic patterns.
Beyond the operational tactics, Symantec characterized the campaign as notable for geographic expansion, operational maturity, and an apparent shift toward “quieter” attacks. In practical terms, quieter operations aim for dwell time long enough to accomplish their goals while minimizing noisy actions that could trigger faster detection.
For organizations, the reported combination of DLL sideloading with legitimately signed executables, browser-focused data theft, and credential harvesting via both browser and system-level artifacts underscores how attackers can blend into everyday software ecosystems. It also highlights why endpoint monitoring, identity security, and controls around signed binaries and DLL loading behavior are increasingly central to defense, not just network perimeter measures.
The broader spread of victims—stretching from government entities and industrial firms to an international airport and universities—also suggests the threat actor is pursuing opportunities across different levels of critical infrastructure and proprietary technology. That breadth, paired with the specific focus on intellectual property and downstream access, raises the stakes for companies connected to larger supply chains and customer networks, where a single compromised foothold can quickly translate into wider exposure.