
Seedworm widens stealth attacks on global targets

Iran-linked cyber-espionage operators have used trusted, digitally signed software components to breach organisations across four continents, widening concerns over state-backed campaigns that hide inside legitimate enterprise tools.

Seedworm, also tracked as MuddyWater, TEMP.Zagros, Static Kitten and Mango Sandstorm, has been linked to intrusions affecting at least nine organisations in early 2026. The victims included a major South Korean electronics manufacturer, public-sector bodies, an international airport in the Middle East, industrial manufacturers in Southeast Asia, a financial services provider in Latin America and educational institutions.

The campaign marks a sharp escalation in the group’s use of living-off-the-land methods, in which attackers rely on trusted software, legitimate binaries and native system tools to avoid detection. Investigators found that the operators paired signed Fortemedia and SentinelOne binaries with malicious dynamic-link libraries through DLL sideloading, a technique that abuses the order in which Windows searches for, and loads, a library that an application requests by name.


By placing a malicious DLL, named after a library the program expects to load, beside a legitimate executable, the attackers were able to make trusted software load hostile code into its own process. That approach gives intruders a better chance of bypassing security controls because the process that starts is genuine, signed and expected within an enterprise environment; it is the supporting file, not the executable, that carries the payload.

The South Korean breach, detected in February 2026, appears to have been one of the most significant cases in the campaign. Electronics and industrial manufacturing targets are valuable because they hold intellectual property, supplier information, operational data and customer records. Access to such networks can also provide routes into wider supply chains, including technology, aviation, defence and infrastructure-linked businesses.

Seedworm’s activity has long been associated with intelligence collection rather than immediate financial gain. The group is assessed to operate in support of Iran’s Ministry of Intelligence and Security and has targeted government, telecommunications, finance, energy, defence and infrastructure organisations since at least 2017. Its operations have spanned the Middle East, Asia, Africa, Europe and North America.

The latest campaign shows a more layered operational model. Alongside DLL sideloading, the attackers used scripting and command-execution methods to move through compromised systems, gather credentials and identify high-value data. PowerShell remains a preferred tool because it is widely available on Windows networks and can be used for reconnaissance, persistence and remote command execution without immediately raising alarms.

The group has also used remote management utilities, cloud services and publicly accessible infrastructure in previous operations, reflecting a broader trend among state-backed actors. Instead of relying only on custom malware, threat groups increasingly blend ordinary business tools with bespoke payloads. This complicates attribution and makes defensive action slower, particularly when activity resembles routine administration or criminal intrusion.

The campaign comes amid heightened cyber tensions linked to the Middle East, where intelligence gathering, disruption planning and influence operations have increasingly overlapped. Cybersecurity teams have been watching Iran-aligned groups closely after a series of operations against airports, banks, software suppliers, government-linked entities and non-governmental organisations.

MuddyWater-linked operations in 2026 have also shown signs of using cybercrime methods as cover. Separate activity attributed to the same wider threat cluster involved Microsoft Teams social engineering, remote access tools and data theft framed as ransomware activity. That pattern suggests an effort to blur the line between espionage and financially motivated attacks, making it harder for victims to judge the strategic intent behind an intrusion.

For defenders, the use of signed binaries is a particular challenge. Code signing establishes that an executable came from a named publisher, not that every library it loads did, and attackers exploit that gap by pairing legitimate executables with malicious supporting files. Security teams are therefore being urged to monitor unusual parent-child process relationships, suspicious DLL load paths, unexpected execution from temporary or user-writable directories, and abnormal use of signed third-party utilities.
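The sideloading mechanism described above and the load-path checks recommended here can be turned into a concrete triage rule. The following is an added example, not code from the article or from any vendor's detection product: it runs a small set of heuristics over constructed records shaped like Sysmon Event ID 7 (Image Loaded) entries and flags DLLs that a process resolved from its own directory when that DLL is unsigned, signed by a different publisher than the executable, shadows a well-known system DLL name, or is loaded by a signed tool running from a user-writable path. The vendor name, paths, signer strings and the `IMAGE_SIGNERS` inventory are all hypothetical; Sysmon only records the loaded DLL's signature, so the process image's own signer is assumed to come from a separate inventory built with something like `Get-AuthenticodeSignature`.

```python
"""Flag DLL sideloading candidates in Sysmon Event ID 7 (Image Loaded) records.

Added example with illustrative heuristics; it is not the page's or any vendor's
detection logic. Event records are constructed, simplified Sysmon EID 7 fields.
"""
import ntpath

# Loads resolved from these directories are the normal case, not sideload candidates.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")

# User-writable locations from which a signed vendor tool should rarely be executing.
WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "c:\\windows\\temp\\",
                    "c:\\users\\public\\", "c:\\programdata\\")

# Short, illustrative list of system DLL names that are commonly shadowed by a copy
# dropped next to an executable. Not exhaustive and not taken from the article.
COMMONLY_SHADOWED = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll", "userenv.dll"}

# Assumed per-image Authenticode signer inventory (hypothetical paths and publishers).
# Sysmon EID 7 carries only the loaded DLL's signature, so this comes from elsewhere.
IMAGE_SIGNERS = {
    "c:\\windows\\system32\\notepad.exe": "Microsoft Windows",
    "c:\\program files\\examplevendor\\vendortool.exe": "Example Vendor Inc.",
    "c:\\users\\public\\libraries\\vendortool.exe": "Example Vendor Inc.",
}


def _norm_dir(path: str) -> str:
    """Lower-cased directory part with a trailing backslash, for prefix comparisons."""
    return ntpath.dirname(path).lower().rstrip("\\") + "\\"


def sideload_reasons(event: dict) -> list[str]:
    """Return the reasons this image-load looks like DLL sideloading (empty if benign)."""
    image = event["Image"].lower()
    loaded = event["ImageLoaded"].lower()
    img_dir, dll_dir = _norm_dir(image), _norm_dir(loaded)
    dll_name = ntpath.basename(loaded)
    dll_signed = str(event.get("Signed", "false")).lower() == "true"
    dll_signer = event.get("Signature", "")
    image_signer = IMAGE_SIGNERS.get(image, "")

    # The executable's own directory is the first place Windows looks for a DLL
    # requested by name. A library resolved from anywhere else (including the
    # system directories) is not a sideload in the sense used here.
    if dll_dir != img_dir or dll_dir.startswith(SYSTEM_DIRS):
        return []

    reasons = []
    if not dll_signed:
        reasons.append("unsigned DLL loaded from the image's own directory")
    elif image_signer and dll_signer.lower() != image_signer.lower():
        reasons.append(f"signer mismatch: image signed by {image_signer!r}, DLL by {dll_signer!r}")
    if dll_name in COMMONLY_SHADOWED:
        reasons.append(f"{dll_name} shadows a system DLL of the same name")
    if any(marker in img_dir for marker in WRITABLE_MARKERS):
        reasons.append("signed image executing from a user-writable directory")
    return reasons


# Constructed sample records (hypothetical paths and publishers).
EVENTS = [
    # Benign: a system binary loading a system DLL from System32.
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    # Benign: a vendor tool resolving version.dll from System32, as it should.
    {"Image": "C:\\Program Files\\ExampleVendor\\vendortool.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    # Candidate: the signed vendor tool copied into a public folder loads an
    # unsigned version.dll that was placed beside it.
    {"Image": "C:\\Users\\Public\\Libraries\\vendortool.exe",
     "ImageLoaded": "C:\\Users\\Public\\Libraries\\version.dll",
     "Signed": "false", "Signature": ""},
    # Candidate: the DLL is signed, but by a different publisher than the image.
    {"Image": "C:\\Program Files\\ExampleVendor\\vendortool.exe",
     "ImageLoaded": "C:\\Program Files\\ExampleVendor\\helper.dll",
     "Signed": "true", "Signature": "Someone Else Ltd"},
]


def scan(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (image path, reasons) for every event that triggers at least one heuristic."""
    return [(e["Image"], r) for e in events if (r := sideload_reasons(e))]


if __name__ == "__main__":
    for image, reasons in scan(EVENTS):
        print(image)
        for reason in reasons:
            print("  -", reason)
```

The signer-mismatch rule is deliberately conservative: it fires only when the executable's publisher is known from the inventory, so a missing entry produces no alert rather than a false one. In practice the same rule should also exclude legitimate same-directory loads of a vendor's own signed plug-ins, which is why the publisher comparison, not mere co-location, carries the weight.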

Organisations in manufacturing, transport, finance, education and government face the highest exposure when attackers combine stealthy execution with credential theft. Once valid accounts are obtained, intruders can move laterally, access file shares, query directory services and maintain persistence with fewer obvious malware indicators.


