CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 27, 2026

Seedworm APT Abuses Signed Fortemedia and SentinelOne Binaries for DLL Sideloading

Cybersecurity News Archived May 27, 2026 ✓ Full text saved

A well-known Iran-linked hacking group has been caught running a far-reaching espionage campaign that touched at least nine organizations across nine countries and four continents in early 2026. The attackers used a clever trick to hide inside targeted networks: they abused legitimate, signed software to secretly load malicious code, making their activity look like normal […] The post Seedworm APT Abuses Signed Fortemedia and SentinelOne Binaries for DLL Sideloading appeared first on Cyber Secur

Full text archived locally
✦ AI Summary · Claude Sonnet


    Discover more Threat intelligence reports Security awareness training Data protection services HomeCyber Security News Seedworm APT Abuses Signed Fortemedia and SentinelOne Binaries for DLL Sideloading By Tushar Subhra Dutta May 27, 2026 A well-known Iran-linked hacking group has been caught running a far-reaching espionage campaign that touched at least nine organizations across nine countries and four continents in early 2026. The attackers used a clever trick to hide inside targeted networks: they abused legitimate, signed software to secretly load malicious code, making their activity look like normal system behavior. The group behind this campaign is Seedworm, also tracked as MuddyWater, Temp Zagros, and Static Kitten. Researchers widely believe it operates on behalf of Iran’s Ministry of Intelligence and Security. Targets spanned industrial and electronics manufacturing, government agencies, financial services, educational institutions, and an international airport in the Middle East. Analysts from Symantec identified the campaign and noted that one of the most striking intrusions involved a major South Korean electronics manufacturer, where attackers quietly moved through its network for an entire week in February 2026.  Symantec said in a report shared with Cyber Security News (CSN). The breadth of targets points to a push to collect intelligence of value to Tehran, from manufacturing secrets to details on rival governments. What makes this campaign stand out is how the attackers blended in. Rather than relying on obvious malware, they dropped signed binaries and placed malicious code right next to them. When the signed programs ran, they pulled in the attacker’s files automatically, a technique known as DLL sideloading. Security tools tend to trust signed software, making this approach very hard to detect. The attackers also used a public file-transfer service called sendit[.]sh to move stolen data out of target networks. Rather than building custom infrastructure, they hid the theft inside everyday cloud traffic that often passes through security filters without raising any alarm. This reflects how carefully Seedworm now plans its operations. Seedworm APT Abuses Signed Fortemedia At the heart of this campaign was the abuse of two legitimately signed executables. The first was fmapp.exe, a Fortemedia Inc. audio-driver utility, used to load a malicious file called fmapp.dll. The second was sentinelmemoryscanner.exe, a real component of an endpoint security product, manipulated to sideload a malicious file called sentinelagentcore.dll. Both malicious files carried ChromElevator, a tool capable of stealing passwords, cookies, and payment data from web browsers. The sideloading chain was driven not by a human operator but by node.exe, the Node.js runtime. A Node.js script was found embedded inside an XML file on one of the infected machines, silently orchestrating the entire attack. This marks a shift away from Seedworm’s older habit of running raw PowerShell commands, replacing it with a runtime that is harder to trace. Persistence was established by adding a registry entry under the Windows startup key, ensuring the loader chain restarted each time the user logged in. The attackers deployed credential theft tools in waves, dumping password hashes from registry hives and tricking users with a fake Windows login dialog. A privilege escalation tool was also used to pull Kerberos tickets from high-privilege accounts without needing their passwords. Layered Credential Theft and Data Exfiltration Once inside a network, the attackers worked methodically. They began with discovery commands to map the machine, its user, and the domain, then captured screenshots to confirm what the victim was working on. PowerShell scripts were pulled from a staging server using both PowerShell and the curl tool, with curl helping keep download activity away from script-block logs. Credential theft tools were deployed in multiple rounds, showing the operators tried several methods in case any one was blocked. Stolen registry hives would allow offline cracking of password hashes and recovery of cached domain credentials. Symantec noted this redundancy across a single intrusion is a sign of growing discipline and maturity from this threat actor. Organizations are advised to monitor for unsigned DLLs loaded alongside legitimate signed executables and to flag unexpected Node.js activity. Blocking outbound traffic to unknown file-transfer services and enforcing strict startup registry policies can meaningfully reduce exposure to this type of attack. Indicators of Compromise (IoCs):- Type Indicator Description SHA256 e25892603c42e34bd7ba0d8ea73be600d898cadc290e3417a82c04d6281b743b fmapp.exe (legitimate signed binary, abused for sideloading) SHA256 c6182fd01b14d84723e3c9d11bc0e16b34de6607ccb8334fc9bb97c1b44f0cde fmapp.dll (malicious sideloaded DLL) SHA256 128b58a2a2f1df66c474094aacb7e50189025fbf45d7cd8e0834e93a8fbed667 sentinelmemoryscanner.exe (legitimate signed binary, abused for sideloading) SHA256 0c9b911935a3705b0ad569446804d80026feb6db3884aeb240b6c76e9b8cf139 sentinelagentcore.dll (malicious sideloaded DLL) SHA256 74ab3838ebed7054b2254bf7d334c80c8b2cfec4a97d1706723f8ea55f11061f Privilege escalation tool SHA256 3ee7dab4ae4f6d4f16dfabb6f38faef370411a9fc00ff035844e54703b99600a SAM hive credential extractor SHA256 bee79c3302b1a7afc0952842d14eff83a604ef00bfdae525176c16c80b2045f7 SAM hive credential extractor SHA256 d587959841a763669279ad831b8f0379f6a7b037dffc19deab5d41f37f8b5ffc Credential harvester SHA256 b21c802775df0c0d82c8cfde299084abc624898b10258db641b820172a0ba29a SOCKS5 proxy tool IP Address 179.43.177[.]220 Attacker-controlled staging server (PowerShell payloads served on port 8080) IP Address 178.128.233[.]36 Attacker-controlled infrastructure IP Address 172.67.156[.]47 Attacker-controlled infrastructure IP Address 104.21.48[.]205 Attacker-controlled infrastructure IP Address 37.187.78[.]41 Attacker-controlled infrastructure IP Address 34.117.59[.]81 Attacker-controlled infrastructure Domain timetrakr[.]cloud Attacker-owned staging domain (PowerShell module delivery) Domain sendit[.]sh Public file-transfer service used for data exfiltration Domain svc.wompworthy[.]com Attacker-controlled infrastructure URL http://179.43.177[.]220:8080/nm.ps1 PowerShell payload download URL URL http://179.43.177[.]220:8080/a.dat Encoded payload download URL URL http://179.43.177[.]220:8080/a.exe Windows binary download URL URL http://ipinfo[.]io/json Used to check victim’s public IP address URL https://svc.wompworthy[.]com Attacker-controlled C2 URL Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News Trapdoor Android Ad Fraud Operation Uses 455 Malicious Apps to Generate Fake Clicks Megalodon Malware Compromised 5,500+ GitHub Repos Within 6 Hours World Cup Phishing Campaign Nearly Triples With 203 Unique IP Addresses Anthropic’s Claude Mythos Preview Uncovers 10,000+ 0-Days in Project Glasswing Russian Hacker Used Jailbroken Gemini to Steal Admin Credentials and Drain Crypto Wallets Latest News Cyber Security News Windows Kernel Vulnerability Allows Attackers to Modify Kernel Memory Counters Press Release Link11 is fully committed to Europe and is opening a Customer Excellence Hub in Lisbon Uncategorized ROADtools Misused in Cloud Attacks to Steal Tokens and Bypass MFA Controls Cyber Security News Hackers Abuse Trusted Google Domains to Hide Phishing Links From Email Gateways Apple Apple’s New Anti-Snatching Feature Will Auto-Lock iPhones When Stolen From Your Hand
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 27, 2026
    Archived
    May 27, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗