Seedworm (MuddyWater) APT Abuses Signed Security Binaries in Global Espionage Campaign Across 9 Countries

dark6 28 May 2026

A well-known Iran-linked hacking group has been caught running a far-reaching espionage campaign that touched at least nine organizations across nine countries and four continents in early 2026. The attackers used a clever trick to hide inside targeted networks: they abused legitimate, signed software to secretly load malicious code, making their activity look like normal system behavior.

The group behind this campaign is Seedworm, also tracked as MuddyWater, Temp Zagros, and Static Kitten. Researchers widely believe it operates on behalf of Iran’s Ministry of Intelligence and Security. Targets spanned industrial and electronics manufacturing, government agencies, financial services, educational institutions, and an international airport in the Middle East.

Analysts from Symantec identified the campaign, noting that one of the most striking intrusions involved a major South Korean electronics manufacturer, where attackers quietly moved through its network for an entire week in February 2026. The breadth of targets points to a push to collect intelligence of value to Tehran — from manufacturing secrets to details on rival governments.

The DLL Sideloading Technique

What makes this campaign stand out is how the attackers blended in. Rather than relying on obvious malware, they dropped signed binaries and placed malicious code right next to them. When the signed programs ran, they pulled in the attacker’s files automatically — a technique known as DLL sideloading. Security tools tend to trust signed software, making this approach very hard to detect.

At the heart of this campaign was the abuse of two legitimately signed executables:

  • fmapp.exe — a Fortemedia Inc. audio-driver utility, used to load a malicious file called fmapp.dll
  • sentinelmemoryscanner.exe — a real component of an endpoint security product, manipulated to sideload a malicious file called sentinelagentcore.dll

Both malicious files carried ChromElevator, a tool capable of stealing passwords, cookies, and payment data from web browsers. The sideloading chain was driven by node.exe, the Node.js runtime — a shift away from Seedworm’s older habit of running raw PowerShell commands, replacing it with a runtime that is harder to trace.

Layered Credential Theft and Data Exfiltration

Once inside a network, the attackers worked methodically. They began with discovery commands to map the machine, its user, and the domain, then captured screenshots to confirm what the victim was working on. PowerShell scripts were pulled from a staging server using both PowerShell and the curl tool, with curl helping keep download activity away from script-block logs.

Credential theft tools were deployed in multiple rounds:

  • Dumping password hashes from registry hives (SAM, SYSTEM, SECURITY) for offline cracking
  • Deploying a fake Windows login dialog to trick users into entering credentials
  • Using a privilege escalation tool to pull Kerberos tickets from high-privilege accounts without needing their passwords

Persistence was established by adding a registry entry under the Windows startup key, ensuring the loader chain restarted each time the user logged in. The attackers also used a public file-transfer service called sendit[.]sh to move stolen data out of target networks — hiding the theft inside everyday cloud traffic that often passes through security filters without raising any alarm.

Detection and Defense Recommendations

Organizations are advised to monitor for unsigned DLLs loaded alongside legitimate signed executables and to flag unexpected Node.js activity. Blocking outbound traffic to unknown file-transfer services and enforcing strict startup registry policies can meaningfully reduce exposure to this type of attack. Key indicators of compromise include the staging domain timetrakr[.]cloud, the exfiltration service sendit[.]sh, and attacker-controlled infrastructure at svc.wompworthy[.]com.
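As an added illustration (not code from this article or from Symantec's report), the two monitoring recommendations above expressed as detection logic over a few constructed Sysmon-style events: an unsigned DLL loaded from the same directory as the loading process (the fmapp.exe / fmapp.dll shape), and a value written under the Windows startup Run key, with a note when it launches node.exe. Field names follow Sysmon Event ID 7 (ImageLoad) and Event ID 13 (RegistryValueSet); the paths, SID and value names are invented sample data.

```python
import ntpath

RUN_KEY_MARKER = "\\currentversion\\run\\"  # Windows startup (Run) key, any hive

# Constructed sample telemetry using Sysmon field names (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\fmapp.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\fmapp.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\fmapp.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\sentinelmemoryscanner.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\sentinelagentcore.dll", "Signed": "false"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Local\Temp\node.exe loader.js"},
    {"EventID": 13, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Start",
     "Details": "DWORD (0x00000002)"},
]

def is_sideload_candidate(ev):
    """Unsigned DLL loaded from the directory of the loading process image."""
    if ev.get("EventID") != 7 or ev.get("Signed", "").lower() == "true":
        return False
    proc_dir = ntpath.dirname(ev["Image"]).lower()
    return proc_dir == ntpath.dirname(ev["ImageLoaded"]).lower()

def is_run_key_persistence(ev):
    """Registry value set under a ...\\CurrentVersion\\Run startup key."""
    return ev.get("EventID") == 13 and RUN_KEY_MARKER in ev.get("TargetObject", "").lower()

def mentions_node(ev):
    """Run-key value that launches the Node.js runtime, as in the loader chain above."""
    return "node.exe" in ev.get("Details", "").lower()

def triage(events):
    """Return (rule, process image, detail) for every event a rule matched."""
    hits = []
    for ev in events:
        if is_sideload_candidate(ev):
            hits.append(("dll_sideload", ev["Image"], ev["ImageLoaded"]))
        if is_run_key_persistence(ev):
            rule = "run_key_node" if mentions_node(ev) else "run_key_persistence"
            hits.append((rule, ev["Image"], ev["TargetObject"]))
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(*hit)
```

The same-directory heuristic will also fire on legitimate software that ships unsigned helper DLLs, so in practice it is tuned with an allowlist of known installers rather than used alone.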
