Iran-Linked Hackers Breached Korean Electronics Maker in Global Spying Campaign
Essential information
- Published: 12/05/2026 15:58
- Modified: 12/05/2026 16:59
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: chromelevator, credential-theft, dll-sideloading, espionage, iran, mois, muddywater, seedworm
- Tags: 2026-05-12, chromelevator, credential-theft, dll, sideloading, espionage, iran, mois, muddywater, seedworm
- Related entities: 13 indicators, 13 observables, 1 intrusion set (APT), 24 techniques (MITRE), 1 malware, 25 others
Description
The Iranian state-sponsored threat group Seedworm conducted a widespread espionage campaign in early 2026, compromising at least nine organizations across nine countries on four continents. Victims included a major South Korean electronics manufacturer, government agencies, an international airport in the Middle East, Southeast Asian industrial manufacturers, a Latin American financial services provider, and educational institutions. The attackers used DLL sideloading, abusing legitimately signed Fortemedia and SentinelOne binaries to execute malicious payloads, deployed Node.js-based implants for orchestration, and ran multiple PowerShell scripts for reconnaissance, credential theft, and privilege escalation. Data was exfiltrated through the public file-transfer service sendit.sh so that the malicious traffic blended in with legitimate cloud-service traffic. The campaign demonstrates Seedworm's evolved tradecraft and its expanded targeting beyond its traditional Middle Eastern focus.