Iran-linked espionage group tracked as Seedworm has been linked to a widespread campaign that targeted at least nine organizations across four continents earlier this year, including a major South Korean electronics manufacturer where attackers reportedly maintained access for a week in February 2026.
According to a new report from Symantec, the campaign also struck government agencies and an international airport in the Middle East, industrial manufacturers in Southeast Asia, a Latin American financial-services company, and educational institutions in several countries.
Researchers said the victims were likely selected for their potential intelligence value to Tehran, ranging from high-tech intellectual property and research data to government intelligence and customer access.
The operation has been attributed to Seedworm, also known as MuddyWater, Temp Zagros, and Static Kitten, a threat group widely believed to operate on behalf of Iran’s Ministry of Intelligence and Security (MOIS). The attackers used a toolkit previously observed in Seedworm operations, including DLL sideloading through legitimate signed software.
Researchers observed the group abusing two trusted binaries to load malicious DLLs. One involved fmapp.exe, a legitimate Fortemedia audio-driver utility, which sideloaded a malicious fmapp.dll. The second used a signed component of the SentinelOne security platform (sentinelmemoryscanner.exe) to load sentinelagentcore.dll.
Both malicious DLLs deployed ChromElevator, a publicly available post-exploitation tool designed to steal passwords, cookies, and payment-card data from Chromium-based browsers. In both cases, the malware execution chain was launched through node.exe, indicating that Node.js scripts orchestrated the attack activity rather than direct user interaction.
The campaign also leveraged PowerShell scripts delivered through Node.js. Symantec said the attackers used the scripts for reconnaissance, screenshot capture, credential theft, and privilege escalation while moving through victim networks. In at least one intrusion, stolen data was exfiltrated through sendit[.]sh, a public file-transfer service previously associated with malicious activity.
The initial infection vector remains unknown. Researchers said the earliest confirmed malicious activity in the South Korean intrusion began on February 20, 2026, with PowerShell reconnaissance commands, and continued on and off until February 27, with the attackers conducting various tasks, including reconnaissance and data exfiltration.
“The early PowerShell process tree was unusual in that node.exe, the Node.js runtime, appeared as an ancestor of cmd.exe, suggesting that a Node.js script was already running on the host at the time and that it, rather than a human operator, was driving the activity. How node.exe came to be on the host is unknown,” the researchers noted.
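The process-tree anomaly the researchers describe (node.exe as an ancestor of cmd.exe and PowerShell) is straightforward to hunt for in process-creation telemetry. The following is an added detection example, not code from Symantec or the report; the events are constructed in the shape of Sysmon/EDR process-creation records (pid, parent pid, image name), and the field layout is an assumption.

```python
"""Flag cmd.exe / powershell.exe whose ancestry includes node.exe.

Constructed sample events (not real telemetry): (pid, ppid, image name).
"""

SAMPLE_EVENTS = [
    (100, 1, "explorer.exe"),
    (200, 100, "node.exe"),         # Node.js runtime already running on the host
    (210, 200, "cmd.exe"),          # shell spawned by the Node.js script
    (220, 210, "powershell.exe"),   # reconnaissance commands launched from it
    (300, 100, "cmd.exe"),          # benign: user-launched shell
    (310, 300, "powershell.exe"),
    (400, 1, "services.exe"),
    (410, 400, "node.exe"),
    (420, 410, "conhost.exe"),      # node.exe child that is not a shell
]

SCRIPT_HOSTS = {"cmd.exe", "powershell.exe"}


def build_parent_map(events):
    """Map pid -> (ppid, lower-cased image name) for ancestor walks."""
    return {pid: (ppid, image.lower()) for pid, ppid, image in events}


def ancestry(pid, parents):
    """Return image names from pid up to the root (cycle-safe)."""
    chain, seen = [], set()
    while pid in parents and pid not in seen:
        seen.add(pid)
        ppid, image = parents[pid]
        chain.append(image)
        pid = ppid
    return chain


def find_node_driven_shells(events, ancestor="node.exe"):
    """Return (pid, chain) for every shell with `ancestor` above it."""
    parents = build_parent_map(events)
    hits = []
    for pid, _ppid, image in events:
        if image.lower() in SCRIPT_HOSTS:
            chain = ancestry(pid, parents)
            if ancestor in chain[1:]:          # skip the process itself
                hits.append((pid, " <- ".join(chain)))
    return hits


if __name__ == "__main__":
    for pid, chain in find_node_driven_shells(SAMPLE_EVENTS):
        print(f"pid {pid}: {chain}")
```

Only the two shells under pid 200 are reported; the user-launched cmd.exe/powershell.exe pair and the conhost.exe child of node.exe are not.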