Seedworm APT Abuses Signed Fortemedia and SentinelOne Binaries in Espionage Campaign


Iran-linked threat actor Seedworm, also known as MuddyWater, used signed Fortemedia and SentinelOne binaries to sideload malicious DLLs during an espionage campaign that hit at least nine organizations across nine countries in early 2026.

The campaign targeted organizations in manufacturing, government, education, financial services, professional services, and transportation. According to Symantec and Carbon Black researchers, one major South Korean electronics manufacturer had attackers inside its network for about a week in February.

The activity stands out because the attackers relied on legitimate signed executables to load malicious files. That technique, known as DLL sideloading, can help malware blend into normal software activity and reduce the chance of early detection.

Seedworm Used Legitimate Software to Hide Malicious DLLs

Seedworm’s operators abused two signed binaries during the campaign. One was fmapp.exe, a Fortemedia audio utility. The other was sentinelmemoryscanner.exe, a legitimate SentinelOne component.

In both cases, attackers placed malicious DLLs next to trusted executables. When the legitimate program ran, it loaded the attacker-controlled DLL from the same directory. The Hacker News reported that the malicious DLLs included fmapp.dll and sentinelagentcore.dll.

Both DLLs carried ChromElevator, a tool used to steal data from Chromium-based browsers. That includes passwords, cookies, and payment card data stored in browsers, which can help attackers move laterally or access cloud accounts.

Campaign Details at a Glance

Detail | Information
--- | ---
Threat actor | Seedworm, also known as MuddyWater, Static Kitten, TEMP.Zagros, and Mango Sandstorm
Reported activity window | First quarter of 2026
Known victim count | At least nine organizations
Geographic scope | Nine countries across four continents
Key technique | DLL sideloading through signed Fortemedia and SentinelOne binaries
Data theft method | Browser credential theft, registry hive theft, screenshots, and file exfiltration
Exfiltration route | Public file-transfer service sendit.sh

Why the Fortemedia and SentinelOne Abuse Matters

DLL sideloading is not new, but the choice of binaries matters. Attackers often pick trusted software because defenders may allow signed executables to run without deeper inspection of the DLLs they load.

BleepingComputer reported that the campaign used fmapp.exe and sentinelmemoryscanner.exe to load malicious DLLs while appearing to run legitimate software. The SentinelOne component is especially notable because abusing a security-product binary can create extra confusion during detection and triage.

The campaign shows why allowlisting based only on a signed executable is not enough. Security teams also need to watch what files signed programs load, where those files came from, and whether the execution path matches normal software behavior.
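The check described above, as an added example that is not tooling from Symantec, Carbon Black or the other reporting cited here: it walks Sysmon-style image-load records (Event ID 7 shape, enriched with file creation times, which is an assumption about what the log pipeline adds) and flags a signed executable that loads a DLL from its own directory when the executable sits outside the usual install roots, the DLL is unsigned, or the DLL was created long after its host. The install roots, the seven-day drop window and every sample event are constructed; only the executable and DLL names come from the reporting.

```python
"""Flag DLL sideloading candidates in Sysmon-style image-load records.

Added example, not code from the reporting: record layout, thresholds,
install roots and sample events are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from typing import List, Optional

# Executables and DLL names named in the reporting on this campaign.
WATCHED_EXES = {"fmapp.exe", "sentinelmemoryscanner.exe"}
WATCHED_DLLS = {"fmapp.dll", "sentinelagentcore.dll"}

# Where vendor software normally lives (assumption: replace with the
# environment's real allowlist of install locations).
SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")
PROGRAM_ROOTS = (
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
    SYSTEM32,
)
# A DLL created this long after its host executable looks dropped, not installed.
DROP_WINDOW = timedelta(days=7)


@dataclass
class ImageLoad:
    """Sysmon Event ID 7 style record plus file creation times (assumed enrichment)."""
    image: str                # the process executable
    image_signed: bool
    image_created: datetime
    loaded: str               # the DLL that was loaded
    loaded_signed: bool
    loaded_created: datetime


@dataclass
class Finding:
    image: str
    loaded: str
    reasons: List[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Two independent signals on one load is enough to escalate.
        return "high" if len(self.reasons) >= 2 else "medium"


def _under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def is_sideload_candidate(ev: ImageLoad) -> Optional[Finding]:
    """Return a Finding when a signed exe loads a DLL from its own directory
    and the load looks like a drop rather than an installation."""
    exe = PureWindowsPath(ev.image)
    dll = PureWindowsPath(ev.loaded)
    # Sideloading abuses DLL search order: the DLL sits beside the executable.
    if not ev.image_signed or exe.parent != dll.parent:
        return None
    # OS binaries loading OS DLLs from System32 is normal behaviour.
    if _under(dll, SYSTEM32):
        return None
    reasons = []
    if not any(_under(exe, root) for root in PROGRAM_ROOTS):
        reasons.append("exe-outside-install-roots")
    if not ev.loaded_signed:
        reasons.append("dll-unsigned")
    if ev.loaded_created - ev.image_created > DROP_WINDOW:
        reasons.append("dll-created-long-after-exe")
    if not reasons:
        return None
    # Names from the campaign reporting raise the priority of an existing finding
    # but never create one on their own; the legitimate copy uses the same names.
    if exe.name.lower() in WATCHED_EXES or dll.name.lower() in WATCHED_DLLS:
        reasons.append("watched-name")
    return Finding(ev.image, ev.loaded, reasons)


def scan(events) -> List[Finding]:
    return [f for ev in events if (f := is_sideload_candidate(ev))]


T0 = datetime(2025, 6, 1)
# Constructed sample events; the install directories are not real vendor paths.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Users\Public\Music\fmapp.exe", True, T0,
              r"C:\Users\Public\Music\fmapp.dll", False, datetime(2026, 2, 20)),
    ImageLoad(r"C:\Program Files (x86)\Fortemedia\fmapp.exe", True, T0,
              r"C:\Program Files (x86)\Fortemedia\fmapp.dll", True, T0),
    ImageLoad(r"C:\Windows\System32\notepad.exe", True, T0,
              r"C:\Windows\System32\kernel32.dll", True, T0),
    ImageLoad(r"C:\ProgramData\scan\sentinelmemoryscanner.exe", True, datetime(2026, 2, 21),
              r"C:\ProgramData\scan\sentinelagentcore.dll", False, datetime(2026, 2, 21)),
    ImageLoad(r"C:\Program Files\Acme\app.exe", True, T0,
              r"C:\Program Files\Acme\helper.dll", False, T0),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.severity, f.image, "->", f.loaded, f.reasons)
```

The same executable name yields no finding when it loads a signed DLL from its install directory, which is the point of the allowlisting argument above: the name and signature of the host process tell you little, while the load location, the DLL's signature and its age relative to the host tell you a lot.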

Node.js Helped Orchestrate the Attack Chain

Seedworm has long been associated with PowerShell-heavy tradecraft, but this campaign added another layer. Researchers found a Node.js-based implant chain used to launch PowerShell scripts and manage activity on compromised hosts.

On at least one infected system, a Node.js script was hidden inside an XML file. The script helped trigger PowerShell activity for reconnaissance, screenshot capture, credential theft, privilege escalation, and SOCKS5 tunneling.

The use of Node.js does not make the attack invisible, but it can change what defenders need to hunt for. Unexpected node.exe execution on a non-developer workstation or server should raise attention, especially when it launches PowerShell or touches unusual staging paths.

How Seedworm Stole Credentials and Data

Once inside a target network, Seedworm operators worked through several collection steps. They ran discovery commands, captured screenshots, dumped registry hives, and used fake Windows login prompts to collect credentials.

Symantec and Carbon Black also observed the use of a privilege escalation tool designed to collect Kerberos tickets from high-privilege accounts. That would help attackers expand access without needing the account password directly.

The group used multiple credential theft methods in the same intrusion. That redundancy suggests the operators expected some tools to fail or be blocked and wanted several chances to collect usable access material.

Observed Techniques and Defensive Focus

Technique | Observed behavior | What defenders should monitor
--- | --- | ---
DLL sideloading | Signed binaries loaded malicious DLLs from nearby paths | Unexpected DLL loads beside trusted executables
Browser credential theft | ChromElevator targeted Chromium-based browser data | Access to browser credential stores and cookie databases
PowerShell staging | Payloads were downloaded and executed through scripts | PowerShell launched by unusual parent processes
Node.js orchestration | node.exe helped drive the implant chain | Unexpected node.exe activity on non-developer systems
Registry persistence | Startup registry keys kept the loader chain running | New or modified Run key entries
File exfiltration | sendit.sh was used to stage stolen data | Outbound traffic to unknown file-transfer services

Targets Point to Intelligence Collection

The victimology points to espionage rather than quick financial gain. The campaign touched industrial and electronics manufacturing, government agencies, education, financial services, professional services, and transportation infrastructure.

BleepingComputer’s report said the attackers spent February 20 to February 27 inside the network of a major South Korean electronics manufacturer. During that time, they performed host and domain reconnaissance, collected screenshots, and deployed credential theft tools.

MITRE ATT&CK tracks MuddyWater as an Iran-linked threat group active since at least 2017 and notes its use of discovery, credential access, PowerShell, and system binary proxy execution techniques. The latest campaign fits that broader pattern while showing more disciplined operational tradecraft.

What Organizations Should Do Now

Organizations should not assume that a signed executable is safe by default. In sideloading attacks, the trusted file can become the loader for an attacker’s DLL.

  • Hunt for fmapp.exe and sentinelmemoryscanner.exe running from unusual directories.
  • Check whether fmapp.dll or sentinelagentcore.dll appears beside those binaries outside expected install paths.
  • Monitor signed executables that load unsigned or recently created DLLs.
  • Flag node.exe activity on systems where Node.js is not expected.
  • Review PowerShell execution launched by node.exe, curl, or unusual parent processes.
  • Block or review outbound traffic to unknown file-sharing and transfer services.
  • Audit registry Run keys for new persistence entries.
  • Search for signs of browser credential store access and registry hive dumping.
  • Review access from accounts whose Kerberos tickets may have been stolen.
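The process, registry and outbound checks in the list above, together with the Node.js hunting point raised earlier, as one added example that is not tooling from the reporting: it runs four rules over constructed Sysmon-like events (process create, registry value set, network connect) and ranks hosts by how many distinct rules they trip. The developer-host inventory, the list of parents that normally launch PowerShell, the approved destinations and all sample records are assumptions; sendit.sh is the one destination taken from the reporting.

```python
"""Correlate host telemetry against a sideloading/PowerShell/Node.js hunting checklist.

Added example, not tooling from the cited reporting: event shape, allowlists
and sample records are constructed. Events are Sysmon-like (process create,
registry value set, network connect).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hosts where Node.js is expected (assumption: fed from asset inventory).
DEV_HOSTS = {"dev-ws-01"}
# Parents that normally launch PowerShell in this environment (assumption).
NORMAL_PS_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "svchost.exe"}
# Script hosts whose outbound traffic deserves review.
SCRIPT_HOSTS = {"powershell.exe", "node.exe", "curl.exe"}
# Outbound destinations already known and approved (assumption).
APPROVED_DESTINATIONS = {"update.example-corp.internal", "login.microsoftonline.com"}
# Transfer service named in the reporting on this campaign.
WATCHED_DESTINATIONS = {"sendit.sh"}
# Locations an interactive user can drop files into.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")


@dataclass
class Event:
    host: str
    kind: str                       # "process", "registry" or "network"
    image: str                      # process that generated the event
    parent: Optional[str] = None    # process events: parent image
    target: Optional[str] = None    # registry: key path; network: destination
    detail: Optional[str] = None    # registry: value data


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check(ev: Event) -> Optional[str]:
    """Return the name of the rule an event trips, or None."""
    img = basename(ev.image)
    if ev.kind == "process":
        if img == "node.exe" and ev.host not in DEV_HOSTS:
            return "unexpected-node"
        if img == "powershell.exe" and ev.parent and basename(ev.parent) not in NORMAL_PS_PARENTS:
            return "powershell-unusual-parent"
    elif ev.kind == "registry":
        key = (ev.target or "").lower()
        data = (ev.detail or "").lower()
        # Matches Run and RunOnce; a value pointing into a user-writable path is the signal.
        if "\\currentversion\\run" in key and any(d in data for d in USER_WRITABLE):
            return "run-key-user-writable-path"
    elif ev.kind == "network":
        if ev.target in WATCHED_DESTINATIONS:
            return "known-abused-transfer-service"
        if img in SCRIPT_HOSTS and ev.target not in APPROVED_DESTINATIONS:
            return "script-host-unapproved-destination"
    return None


def hunt(events) -> List[Tuple[str, List[str]]]:
    """Group rule hits per host; hosts tripping several distinct rules sort first."""
    hits = defaultdict(set)
    for ev in events:
        rule = check(ev)
        if rule:
            hits[ev.host].add(rule)
    return sorted(((h, sorted(r)) for h, r in hits.items()),
                  key=lambda item: (-len(item[1]), item[0]))


# Constructed sample telemetry; paths and hostnames are not real indicators.
SAMPLE_EVENTS = [
    Event("fin-ws-07", "process", r"C:\Users\Public\Music\node.exe", parent=r"C:\Windows\explorer.exe"),
    Event("fin-ws-07", "process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Users\Public\Music\node.exe"),
    Event("fin-ws-07", "registry", r"C:\Users\Public\Music\node.exe",
          target=r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
          detail=r"C:\Users\Public\Music\fmapp.exe"),
    Event("fin-ws-07", "network", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          target="files.example-transfer.test"),
    Event("dev-ws-01", "process", r"C:\Program Files\nodejs\node.exe",
          parent=r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe"),
    Event("dev-ws-01", "process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\explorer.exe"),
    Event("hr-ws-02", "network", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          target="sendit.sh"),
]

if __name__ == "__main__":
    for host, rules in hunt(SAMPLE_EVENTS):
        print(host, rules)
```

Each rule on its own is noisy; the ranking is what makes the output usable. A workstation where node.exe appears unexpectedly, spawns PowerShell, writes a Run key into a user-writable path and then talks to an unapproved destination lands at the top, while a developer host running Node.js and PowerShell normally produces nothing.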

Why This Campaign Signals a More Careful Seedworm

Seedworm has historically relied on noisy tools and repeated PowerShell activity. This campaign still used PowerShell, but it wrapped parts of the chain in Node.js and relied more heavily on legitimate software, public transfer services, and redundant credential theft.

The Hacker News coverage quoted Broadcom’s researchers as saying the campaign reflects quieter and more disciplined operations from Seedworm compared with its older activity. None of the techniques are new by themselves, but their combination makes the campaign harder to spot quickly.

For defenders, the lesson is clear. Trusted software can become part of an intrusion chain, especially when attackers control the DLL search path. Security teams need detection rules that look at process context, DLL load paths, parent-child process relationships, and outbound destinations together.

Seedworm Remains a Long-Running Espionage Threat

Seedworm’s latest activity shows that the group continues to refine its approach while keeping its focus on intelligence collection. The abuse of signed binaries, credential theft tools, Node.js orchestration, and public transfer services gives the campaign a lower profile inside busy enterprise environments.

MITRE’s MuddyWater profile lists multiple aliases and techniques associated with the group, including PowerShell use, discovery, credential access, and system binary proxy execution. Those older patterns remain useful for defenders, but they now need to be combined with newer sideloading and Node.js-based hunting logic.

Organizations in manufacturing, government, finance, education, and transportation should treat this campaign as a reminder to monitor trusted tools as closely as unknown binaries. In modern intrusions, the suspicious part is often not the signed executable itself, but what it loads and what it does next.

FAQ

What is Seedworm?

Seedworm, also known as MuddyWater, Static Kitten, TEMP.Zagros, and Mango Sandstorm, is an Iran-linked threat actor known for espionage campaigns targeting governments, telecoms, education, manufacturing, and other strategic sectors.

What did Seedworm do in this campaign?

Seedworm abused signed Fortemedia and SentinelOne binaries to sideload malicious DLLs, steal browser data, run PowerShell-based reconnaissance, dump credentials, establish persistence, and exfiltrate data through a public file-transfer service.

What is DLL sideloading?

DLL sideloading is a technique where attackers place a malicious DLL next to a legitimate executable. When the trusted executable runs, it loads the attacker’s DLL, allowing malicious code to execute under the cover of legitimate software.

Which binaries were abused in the Seedworm campaign?

The campaign abused fmapp.exe, a Fortemedia audio utility, and sentinelmemoryscanner.exe, a legitimate SentinelOne component. The malicious DLLs included fmapp.dll and sentinelagentcore.dll.

How can organizations detect this type of attack?

Organizations should monitor signed executables loading unexpected DLLs, check for node.exe launching PowerShell, review registry Run key changes, hunt for browser credential theft, and block suspicious traffic to unknown file-transfer services.
