Iran-Linked Hackers Breached Korean Electronics Maker in Global Spying Campaign
In early 2026, the Iranian state-sponsored threat group Seedworm conducted a global espionage campaign targeting at least nine organizations across four continents, including a major South Korean electronics manufacturer. The attackers used DLL sideloading with legitimately signed binaries, Node.js implants, and PowerShell scripts to perform reconnaissance, credential theft, and privilege escalation. Data exfiltration was carried out via the public file-transfer service sendit.sh to blend malicious traffic with legitimate cloud services. This campaign reflects Seedworm's advanced tradecraft and expanded targeting beyond traditional Middle Eastern regions.
AI Analysis
Technical Summary
Seedworm, an Iranian state-sponsored threat actor also known as MuddyWater, executed a widespread espionage campaign in early 2026 compromising organizations in nine countries across four continents. The campaign employed DLL sideloading techniques leveraging legitimately signed Fortemedia and SentinelOne binaries to execute malicious payloads. Node.js-based implants were deployed for command and control orchestration, complemented by multiple PowerShell scripts facilitating reconnaissance, credential theft, and privilege escalation. Data exfiltration was conducted through the public file-transfer service sendit.sh, allowing attackers to mask malicious traffic within legitimate cloud service usage. Targets included a major South Korean electronics manufacturer, government agencies, an international airport in the Middle East, Southeast Asian industrial manufacturers, a Latin American financial services provider, and educational institutions. The campaign demonstrates Seedworm's evolved tactics and expanded geographic targeting beyond their traditional Middle Eastern focus.
Potential Impact
The campaign resulted in unauthorized access and espionage across multiple sectors and continents, including industrial, governmental, financial, and educational organizations. The use of DLL sideloading with legitimate binaries and public cloud services for data exfiltration complicates detection and mitigation efforts. Credential theft and privilege escalation increase the risk of persistent access and further compromise within victim networks. Although no known exploits in the wild are reported, the campaign's medium severity reflects significant operational impact on targeted organizations.
Mitigation Recommendations
No specific patch or official remediation is indicated for this campaign. Organizations should focus on detecting and preventing DLL sideloading attacks, monitoring for unusual use of legitimate signed binaries, and scrutinizing PowerShell script execution. Monitoring network traffic for anomalous connections to public file-transfer services like sendit.sh is recommended. Since this is an espionage campaign without a disclosed vulnerability or patch, mitigation relies on enhanced detection and response capabilities tailored to the described tactics. Patch status is not yet confirmed — check vendor advisories and threat intelligence sources for updates.
Indicators of Compromise
- hash: 2533307ec1ef8b0611c8896e1460b076
- hash: 2f5166086da5a57d7e59a767a54ed6fe9a6db444
- hash: 324918c73b985875d5f974da3471f2a0a4874687
- hash: e25892603c42e34bd7ba0d8ea73be600d898cadc290e3417a82c04d6281b743b
- hash: d587959841a763669279ad831b8f0379f6a7b037dffc19deab5d41f37f8b5ffc
- hash: da52c20a56cca22ad994a1f3baa8b3bd
- hash: 0c9b911935a3705b0ad569446804d80026feb6db3884aeb240b6c76e9b8cf139
- hash: 128b58a2a2f1df66c474094aacb7e50189025fbf45d7cd8e0834e93a8fbed667
- hash: 3ee7dab4ae4f6d4f16dfabb6f38faef370411a9fc00ff035844e54703b99600a
- hash: 74ab3838ebed7054b2254bf7d334c80c8b2cfec4a97d1706723f8ea55f11061f
- hash: b21c802775df0c0d82c8cfde299084abc624898b10258db641b820172a0ba29a
- hash: bee79c3302b1a7afc0952842d14eff83a604ef00bfdae525176c16c80b2045f7
- hash: c6182fd01b14d84723e3c9d11bc0e16b34de6607ccb8334fc9bb97c1b44f0cde
- url: https://svc.wompworthy.com
- url: https://timetrakr.cloud/sp.ps1'
- domain: timetrakr.cloud
- domain: svc.wompworthy.com
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.security.com/threat-intelligence/iran-seedworm-electronics
- Adversary: MuddyWater
- Pulse ID: 6a033220a0063c7c2a4f1d8f
- Threat Score: null
Threat ID: 6a035a94cbff5d8610036a3d
Added to database: 5/12/2026, 4:51:32 PM
Last enriched: 5/12/2026, 5:07:47 PM
Last updated: 5/12/2026, 9:05:26 PM