The Iranian threat group Seedworm maintained a clandestine presence within the infrastructure of a prominent South Korean electronics manufacturer for nearly a week. During this period, the adversaries systematically collected system information, stole credentials, and exfiltrated sensitive files via a widely used document-sharing platform with millions of users worldwide.
The campaign affected at least nine organizations across nine distinct nations, encompassing industrial conglomerates, governmental entities, financial institutions, academic bodies, and even an international airport in the Middle East. Analysts attribute Seedworm (also tracked as MuddyWater or TEMP.Zagros) to the Iranian Ministry of Intelligence and Security (MOIS).
To obfuscate their presence, the attackers leveraged legitimate software components, utilizing digitally signed libraries from Fortemedia and SentinelOne to execute their payloads. This methodology facilitates the circumvention of defensive measures and complicates forensic reconstruction, as the malicious artifacts masquerade as benign system utilities.
Within the South Korean manufacturer’s network, the adversaries operated through Node.js and PowerShell scripts. Initially, the malware conducted reconnaissance to catalog system details, user accounts, domain structures, and active security solutions. Subsequently, the collective commenced capturing screenshots, exfiltrating Windows system databases containing password hashes, and attempting to escalate their operational privileges.
To harvest credentials, Seedworm deployed a multifaceted toolkit. One utility displayed a standard Windows authentication prompt to deceive users into entering their usernames and passwords, which were then recorded locally. Another tool requested Kerberos tickets, enabling the adversaries to take over high-privilege accounts without needing the corresponding administrative passwords.
The hackers also employed DLL sideloading, invoking malicious libraries through the legitimate executables fmapp.exe and sentinelmemoryscanner.exe. These libraries harbored ChromElevator, a tool engineered to exfiltrate passwords, session cookies, and financial data from Chromium-based browsers.
For persistence, Seedworm modified the Windows registry to ensure the malware’s automatic execution upon every user login. The adversaries routinely checked the infected host’s external IP address and maintained an active channel via a SOCKS5 tunnel. Stolen data was exfiltrated through the sendit.sh service; by using a public file-sharing platform rather than dedicated command-and-control infrastructure, the group effectively disguised its traffic as routine user activity.
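As a defender-side illustration of the two host techniques described above (DLL sideloading behind the signed fmapp.exe and sentinelmemoryscanner.exe hosts, and registry-based autorun persistence), the following added example triages constructed Sysmon-style events. It is not Symantec's tooling or any artefact from the report: the event dictionaries, file paths, DLL names and SID are constructed placeholders, the expected-publisher strings and the Run-key path fragment are assumptions, and the field names follow Sysmon event 7 (image loaded) and event 13 (registry value set) in simplified form.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Signed host executables named in the report, mapped to the publisher whose
# signature a DLL loaded from beside them is expected to carry. The publisher
# strings are an assumption for this example, not values from the report.
SIDELOAD_HOSTS = {
    "fmapp.exe": "fortemedia",
    "sentinelmemoryscanner.exe": "sentinelone",
}
# Autorun key fragment (assumption: the report only says the registry was
# modified so the malware runs at every user login).
RUN_KEY_MARKER = "\\currentversion\\run\\"
# Interpreters the report says the intrusion chain ran through.
SCRIPT_HOSTS = ("node.exe", "powershell.exe", "pwsh.exe")

# Constructed Sysmon-style events. Paths, DLL names and the SID are
# placeholders for the example, not indicators from the report.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\ProgramData\fm\fmapp.exe",
     "ImageLoaded": r"C:\ProgramData\fm\PLACEHOLDER_sideloaded.dll",
     "Signed": "false", "Signature": ""},
    {"EventID": 7, "Image": r"C:\ProgramData\fm\fmapp.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"EventID": 7, "Image": r"C:\Users\Public\smc\sentinelmemoryscanner.exe",
     "ImageLoaded": r"C:\Users\Public\smc\PLACEHOLDER_helper.dll",
     "Signed": "true", "Signature": "Some Other Publisher"},
    {"EventID": 13,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-PLACEHOLDER\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\ProgramData\node\node.exe C:\ProgramData\node\PLACEHOLDER.js"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-PLACEHOLDER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]


@dataclass
class Finding:
    technique: str
    process: str
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _dirname(path: str) -> str:
    norm = path.replace("/", "\\").lower()
    return norm.rsplit("\\", 1)[0] if "\\" in norm else ""


def check_image_load(ev: dict) -> Optional[Finding]:
    """Flag a watched signed host loading a DLL from its own directory that is
    unsigned or signed by someone other than the host's expected publisher."""
    host = _basename(ev["Image"])
    expected_publisher = SIDELOAD_HOSTS.get(host)
    if expected_publisher is None:
        return None
    loaded = ev["ImageLoaded"]
    if not _basename(loaded).endswith(".dll"):
        return None
    # Search-order sideloading needs the DLL beside the host binary; a library
    # resolved from System32 is the normal case and is not flagged.
    if _dirname(loaded) != _dirname(ev["Image"]):
        return None
    signed = str(ev.get("Signed", "")).lower() == "true"
    signer_ok = expected_publisher in ev.get("Signature", "").lower()
    if signed and signer_ok:
        return None
    reason = ("unsigned DLL" if not signed
              else f"signed by '{ev['Signature']}', not {expected_publisher}")
    return Finding("dll-sideloading", host, f"{loaded} ({reason})")


def check_registry_set(ev: dict) -> Optional[Finding]:
    """Flag a Run-key value whose command line launches a script interpreter."""
    target = ev["TargetObject"].replace("/", "\\").lower()
    if RUN_KEY_MARKER not in target:
        return None
    details = ev.get("Details", "").lower()
    if not any(host in details for host in SCRIPT_HOSTS):
        return None
    return Finding("run-key-persistence", _basename(ev["Image"]), ev["Details"])


HANDLERS = {7: check_image_load, 13: check_registry_set}


def triage(events: Iterable[dict]) -> List[Finding]:
    """Run the per-event-type checks and collect the findings in order."""
    findings: List[Finding] = []
    for ev in events:
        handler = HANDLERS.get(ev.get("EventID"))
        if handler is None:
            continue
        finding = handler(ev)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.process}: {f.detail}")
```

On the sample set this yields three findings: the unsigned DLL beside fmapp.exe, the DLL beside sentinelmemoryscanner.exe carrying a foreign signature, and the Run-key value pointing at node.exe; the kernel32.dll load and the unrelated Explorer setting are left alone. The publisher comparison is the part worth keeping even when the hosts change, since a sideloaded library may well be signed, just not by the vendor that signed the executable that loads it.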
Symantec specialists observe that Seedworm has profoundly refined its operational tradecraft in recent years. The group has transitioned from conspicuous PowerShell scripts to stealthy Node.js-based chains, increasingly relying on signed third-party binaries and redundant credential-harvesting tools to ensure resilience against defensive interventions. Furthermore, their geographic reach has expanded beyond the Middle East and South Asia into East Asia. Experts posit that Iran is intensifying its efforts to acquire technological intellectual property and industrial intelligence amidst the enduring geopolitical tensions surrounding its nuclear program.