Seedworm, also tracked as MuddyWater, TEMP.Zagros, Static Kitten and Mango Sandstorm, has been linked to intrusions affecting at least nine organisations in early 2026. The victims included a major South Korean electronics manufacturer, public-sector bodies, an international airport in the Middle East, industrial manufacturers in Southeast Asia, a financial services provider in Latin America and educational institutions.
The campaign marks a sharp escalation in the group’s use of living-off-the-land methods, where attackers rely on trusted software, legitimate binaries and native system tools to avoid detection. Investigators found that the operators abused signed Fortemedia and SentinelOne binaries to load malicious dynamic-link library files through DLL sideloading, a technique that abuses the Windows DLL search order: when an application requests a library by name rather than by full path, the loader checks the application’s own directory before the system directories (unless the name is on the KnownDLLs list), so a file planted beside the executable is the one that gets mapped.
By placing a malicious DLL beside a legitimate executable, the attackers were able to make trusted software load hostile code. That approach gives intruders a better chance of bypassing security controls because the initial executable may appear genuine, signed and expected within an enterprise environment.
The South Korean breach, detected in February 2026, appears to have been one of the most significant cases in the campaign. Electronics and industrial manufacturing targets are valuable because they hold intellectual property, supplier information, operational data and customer records. Access to such networks can also provide routes into wider supply chains, including technology, aviation, defence and infrastructure-linked businesses.
Seedworm’s activity has long been associated with intelligence collection rather than immediate financial gain. The group is assessed to operate in support of Iran’s Ministry of Intelligence and Security and has targeted government, telecommunications, finance, energy, defence and infrastructure organisations since at least 2017. Its operations have spanned the Middle East, Asia, Africa, Europe and North America.
The latest campaign shows a more layered operational model. Alongside DLL sideloading, the attackers used scripting and command-execution methods to move through compromised systems, gather credentials and identify high-value data. PowerShell remains a preferred tool because it is widely available on Windows networks and can be used for reconnaissance, persistence and remote command execution without immediately raising alarms.
The group has also used remote management utilities, cloud services and publicly accessible infrastructure in previous operations, reflecting a broader trend among state-backed actors. Instead of relying only on custom malware, threat groups increasingly blend ordinary business tools with bespoke payloads. This complicates attribution and makes defensive action slower, particularly when activity resembles routine administration or criminal intrusion.
The campaign comes amid heightened cyber tensions linked to the Middle East, where intelligence gathering, disruption planning and influence operations have increasingly overlapped. Cybersecurity teams have been watching Iran-aligned groups closely after a series of operations against airports, banks, software suppliers, government-linked entities and non-governmental organisations.
MuddyWater-linked operations in 2026 have also shown signs of using cybercrime methods as cover. Separate activity attributed to the same wider threat cluster involved Microsoft Teams social engineering, remote access tools and data theft framed as ransomware activity. That pattern suggests an effort to blur the line between espionage and financially motivated attacks, making it harder for victims to judge the strategic intent behind an intrusion.
For defenders, the use of signed binaries is a particular challenge. Code signing establishes that the executable itself is the vendor’s unmodified file; it says nothing about the libraries that file goes on to load, so controls keyed only on the signer of the process are bypassed by pairing a legitimate executable with a malicious supporting file. Security teams are therefore being urged to monitor unusual parent-child process relationships, DLLs resolved from an application’s own directory when that directory is user-writable, signed processes mapping unsigned libraries, unexpected execution from temporary directories and abnormal use of signed third-party utilities.
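The sideloading mechanics described above and the monitoring advice in this paragraph can be turned into a concrete triage rule. The following is an added example, not code from the article, Symantec or any vendor: it scores Sysmon-style "Image loaded" (Event ID 7) records for the indicators just listed (same-directory DLL outside install locations, signed host mapping an unsigned DLL, a well-known system DLL name served from outside C:\Windows, execution from a temp path). All paths, file names, the `COMMONLY_SHADOWED` list and the weights are constructed for illustration and are not taken from the campaign.

```python
# Added example (not from the article or any vendor): a small triage pass over
# Sysmon-style "Image loaded" (Event ID 7) records that scores each DLL load for
# DLL sideloading indicators. Field names, paths and events are constructed.
import ntpath
from dataclasses import dataclass

# Install locations where a same-directory DLL next to a signed binary is normal.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Illustrative (not exhaustive) names of system DLLs that are often shadowed by a
# file of the same name dropped beside a host executable. Assumption, not from the article.
COMMONLY_SHADOWED = {
    "version.dll", "dbghelp.dll", "cryptsp.dll", "wtsapi32.dll",
    "userenv.dll", "winhttp.dll", "profapi.dll", "iphlpapi.dll",
}


@dataclass
class ImageLoad:
    image: str            # loading process executable (Sysmon "Image")
    image_loaded: str     # DLL that was mapped (Sysmon "ImageLoaded")
    process_signed: bool  # host executable carries a valid Authenticode signature
    dll_signed: bool      # DLL carries a signature at all
    dll_sig_valid: bool   # and that signature validates


def _dir(path: str) -> str:
    """Lower-cased directory of a Windows path, with a trailing backslash."""
    return ntpath.dirname(path).lower().rstrip("\\") + "\\"


def _trusted(path: str) -> bool:
    return _dir(path).startswith(TRUSTED_DIRS)


def score(ev: ImageLoad) -> tuple[int, list[str]]:
    """Score one image-load event; higher means a stronger sideloading signal."""
    points, reasons = 0, []
    host_dir, dll_dir = _dir(ev.image), _dir(ev.image_loaded)
    dll_name = ntpath.basename(ev.image_loaded).lower()

    # 1. DLL resolved from the host's own directory, and that directory is not a
    #    normal install location (AppData, Temp, Downloads, ProgramData, ...).
    if host_dir == dll_dir and not _trusted(ev.image):
        points += 3
        reasons.append("same-directory DLL outside install locations")
    # 2. Trust mismatch: a signed host mapping an unsigned or badly signed DLL.
    if ev.process_signed and not (ev.dll_signed and ev.dll_sig_valid):
        points += 2
        reasons.append("signed host loaded unsigned/invalid DLL")
    # 3. A well-known system DLL name served from somewhere other than C:\Windows.
    if dll_name in COMMONLY_SHADOWED and not dll_dir.startswith("c:\\windows\\"):
        points += 2
        reasons.append(f"{dll_name} loaded from outside C:\\Windows")
    # 4. The host executable itself is running from a temporary directory.
    if "\\temp\\" in host_dir:
        points += 1
        reasons.append("host executing from a temp directory")
    return points, reasons


def triage(events, threshold: int = 4):
    """Return flagged events as (image, image_loaded, score, reasons), highest first."""
    hits = []
    for ev in events:
        pts, why = score(ev)
        if pts >= threshold:
            hits.append((ev.image, ev.image_loaded, pts, why))
    return sorted(hits, key=lambda h: -h[2])


# Constructed sample telemetry (hypothetical paths and file names).
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Windows\System32\version.dll", True, True, True),
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Program Files\Vendor\helper.dll", True, True, True),
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\upd\vendortool.exe",
              r"C:\Users\alice\AppData\Local\Temp\upd\version.dll", True, False, False),
    ImageLoad(r"C:\ProgramData\pkg\agent.exe",
              r"C:\ProgramData\pkg\agent_core.dll", True, True, True),
    ImageLoad(r"C:\Users\bob\Downloads\tool.exe",
              r"C:\Users\bob\Downloads\wtsapi32.dll", False, False, False),
]

if __name__ == "__main__":
    for image, dll, pts, why in triage(SAMPLE_EVENTS):
        print(f"[{pts}] {image} -> {dll}: {'; '.join(why)}")
```

The signed-but-sideloaded pair in the temp directory scores 8 and the unsigned Downloads pair 5, while the signed agent in ProgramData loading its own signed DLL scores 3 and stays below the default threshold; that last case is the edge worth keeping as a low-priority note rather than an alert, because many legitimate installers do exactly that. Sysmon's Event ID 7 carries the `Signed`, `Signature` and `SignatureStatus` fields this rule relies on; the parent-child relationships mentioned above come from process-creation events (Event ID 1) and would need a second rule over that feed.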
Organisations in manufacturing, transport, finance, education and government face the highest exposure when attackers combine stealthy execution with credential theft. Once valid accounts are obtained, intruders can move laterally, access file shares, query directory services and maintain persistence with fewer obvious malware indicators.