
Iranian Hackers Target Electronics Maker in Global Espionage Push


Symantec reported that the attackers "spent a week inside the network of a major South Korean electronics manufacturer in February 2026."

Who MuddyWater (Seedworm) targeted

Researchers at Symantec’s Threat Hunter Team attribute a recent, broad cyber-espionage campaign to the Iran-linked group MuddyWater (also tracked as Seedworm and Static Kitten). Symantec says the operation touched at least nine high-profile organizations across multiple sectors and countries, including a major South Korean electronics manufacturer, government agencies, an international airport in the Middle East, industrial manufacturers in Asia, and educational institutions.

DLL sideloading, ChromElevator, and PowerShell

Symantec’s analysis shows the campaign relied heavily on DLL sideloading: a legitimate, signed executable is dropped alongside an attacker-controlled DLL that carries the file name the executable expects to load, so the trusted, signed process ends up executing the malicious code. Two of the host binaries abused in the attacks were fmapp.exe (a legitimate Foremedia audio utility) and sentinelmemoryscanner.exe (a legitimate SentinelOne component). The malicious DLLs loaded by them, fmapp.dll and sentinelagentcore.dll, contained ChromElevator, a commodity post-exploitation tool that extracts credentials and other data stored by Chromium-based browsers.

PowerShell remained central to the intrusions, but Symantec observed a change in how payloads were delivered and controlled: where earlier Seedworm operations delivered payloads directly through PowerShell, the recent activity used Node.js loaders to control them. PowerShell was still used for screenshot capture, reconnaissance, fetching additional payloads, establishing persistence, credential theft, and creating SOCKS5 tunnels.

Inside the South Korean electronics manufacturer's compromise (Feb 20–27)

Symantec says the attackers held a foothold inside the unnamed major South Korean electronics manufacturer from February 20 to 27, 2026. Early-stage activity included host and domain reconnaissance, antivirus enumeration via WMI, screenshot capture, and the download of additional malware. Credential theft techniques reported by Symantec included fake Windows credential prompts, theft of the SAM, SECURITY and SYSTEM registry hives (which together yield local account password hashes and cached domain secrets), and the use of Kerberos ticket abuse tools.

Persistence was achieved through registry modifications. The implant beaconed at 90‑second intervals, and the sideloaded binaries were relaunched repeatedly to maintain access. Symantec read that tempo as automated rather than hands-on, writing, “The cadence is again consistent with implant-driven activity rather than continuous operator presence.”

For exfiltration, the adversary uploaded data to sendit.sh, a public file‑sharing service, most likely so that the transfers would blend in with ordinary web traffic rather than stand out as connections to attacker-controlled infrastructure.

Operational shifts: geographic expansion and quieter tradecraft

Symantec characterizes the campaign as notable for geographic expansion and increasing operational maturity. The researchers highlight the deliberate abuse of legitimate tools and services—signed binaries, commercial endpoint components, public file-sharing platforms—and the move toward quieter, implant-driven approaches. Those choices, Symantec says, are consistent with an intelligence-driven mission focused on industrial and intellectual property theft, government espionage, and gaining access to downstream customers or corporate networks.

What this means for technologists, procurement leaders, and policymakers

  • Technologists and security teams: The campaign underscores the need to look for signed binaries executing from uncommon paths and loading DLLs from those same paths, to monitor PowerShell activity even when payload control is mediated by Node.js loaders, and to hunt for access to the SAM/SECURITY/SYSTEM registry hives and for Kerberos ticket abuse signatures. Beaconing at short, regular intervals (90 seconds in this case) can be an indicator of implant-driven persistence.
  • Procurement and enterprise IT leaders: The attacks leveraged legitimate third-party components (Foremedia and SentinelOne binaries were abused), so procurement teams should ask how third-party signed tools are validated and monitored in production, bearing in mind that a valid signature on the host executable says nothing about the DLLs it loads. Use of public file-sharing services like sendit.sh for exfiltration shows adversaries will blend with expected business traffic.
  • Policymakers and regulators: Symantec’s assessment that the operation is intelligence-driven and aimed at industrial and IP theft points to cross-border implications for critical infrastructure and commercial espionage. The described tactics—abuse of legitimate software, public services, and short-interval beaconing—raise questions about supply-chain oversight and norms for forensic telemetry sharing across borders.
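The fixed 90-second beacon cadence noted in the incident write-up, and recommended above as a hunting signal, is something that can be pulled out of proxy or firewall logs with a small amount of statistics. The following is an added example, not code from the article or from Symantec: it groups connections by source and destination, computes the inter-arrival gaps, and flags pairs whose gaps are nearly constant (a low coefficient of variation). The log lines, their format and the addresses (RFC 5737 test ranges) are constructed for illustration and are not real traffic.

```python
"""Flag source/destination pairs whose connection timing looks like a fixed-interval beacon."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

# Constructed proxy/firewall log lines for illustration, not real traffic.
# Assumed format: "<UTC timestamp> <source ip> <destination> <bytes>".
# The first host checks in roughly every 90 s with a little jitter; the second
# browses irregularly; the third talks to the same destination only twice.
SAMPLE_LOG = """\
2026-02-21T03:00:00Z 10.20.30.40 203.0.113.7 412
2026-02-21T03:01:31Z 10.20.30.40 203.0.113.7 409
2026-02-21T03:03:00Z 10.20.30.40 203.0.113.7 415
2026-02-21T03:04:29Z 10.20.30.40 203.0.113.7 410
2026-02-21T03:06:01Z 10.20.30.40 203.0.113.7 413
2026-02-21T03:07:30Z 10.20.30.40 203.0.113.7 408
2026-02-21T03:09:00Z 10.20.30.40 203.0.113.7 411
2026-02-21T03:10:31Z 10.20.30.40 203.0.113.7 414
2026-02-21T03:00:05Z 10.20.30.41 198.51.100.9 9120
2026-02-21T03:00:07Z 10.20.30.41 198.51.100.9 23311
2026-02-21T03:02:40Z 10.20.30.41 198.51.100.9 1200
2026-02-21T03:15:12Z 10.20.30.41 198.51.100.9 55000
2026-02-21T03:15:13Z 10.20.30.41 198.51.100.9 8800
2026-02-21T03:40:00Z 10.20.30.41 198.51.100.9 3000
2026-02-21T03:05:00Z 10.20.30.42 203.0.113.7 500
2026-02-21T03:06:30Z 10.20.30.42 203.0.113.7 500
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _size = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst))
    return events


def find_beacons(events, min_count=5, max_cv=0.1):
    """Return {(src, dst): stats} for pairs with at least min_count connections whose
    inter-arrival gaps are nearly constant (coefficient of variation <= max_cv)."""
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_count:
            continue  # too few observations to say anything about periodicity
        stamps.sort()  # logs are not guaranteed to be in time order
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all connections at the same instant; not a cadence
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons[pair] = {
                "count": len(stamps),
                "interval": float(median(gaps)),  # median resists a single outlier gap
                "cv": round(cv, 4),
            }
    return beacons


if __name__ == "__main__":
    for (src, dst), stats in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: every ~{stats['interval']:.0f}s over {stats['count']} connections (cv={stats['cv']})")
```

Only the 10.20.30.40 to 203.0.113.7 pair is reported, with a median interval of 90 seconds. Implants that add deliberate jitter push the coefficient of variation up, so in practice the threshold is tuned against the environment's own baseline, and the median interval is more useful than the mean for matching a suspected pair against a known cadence such as the 90 seconds reported here.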

Symantec’s findings weave together a familiar set of techniques—DLL sideloading, credential theft, PowerShell-based actions—with an operational choice to be quieter and to hide within legitimate tools and services. The immediate, concrete result recorded by the researchers is a week-long foothold inside a major South Korean electronics manufacturer's network between February 20 and 27, 2026; the broader question is whether similar implants are quietly present in other networks before discovery.

Source: BleepingComputer — Iranian hackers targeted major South Korean electronics maker