MuddyWater APT Targets Global Organizations with DLL Sideloading and Chrome Data Theft
The Iranian-linked **MuddyWater** APT group (also known as Seedworm or Static Kitten) has launched a widespread cyber-espionage campaign, compromising at least nine organizations across multiple sectors and countries. The attacks leverage DLL sideloading, legitimate software abuse, and data theft from Chrome-based browsers.

**MuddyWater**, an APT group with ties to Iran, is actively engaged in a broad cyber-espionage campaign targeting a diverse range of organizations globally. Victims include a major South Korean electronics manufacturer, government agencies, an international airport in the Middle East, industrial manufacturers in Asia, and educational institutions.
Researchers at **Symantec** report that the threat actor maintained access to a major South Korean electronics manufacturer's network for approximately one week in February 2026. The group's objectives appear to be intelligence-driven, focusing on the theft of industrial and intellectual property, government espionage, and gaining access to downstream customers or corporate networks.
### Fortemedia and SentinelOne Abuse
Seedworm's campaign relies heavily on DLL sideloading, a technique in which a legitimate, signed executable is made to load a malicious DLL in place of the one it expects. This lets the attackers bypass security controls and run their code inside a trusted process.
Two legitimate binaries abused in this campaign are 'fmapp.exe,' a legitimate **Fortemedia** audio utility, and 'sentinelmemoryscanner.exe,' a component of **SentinelOne**. The malicious DLLs (fmapp.dll and sentinelagentcore.dll) contained **ChromElevator**, a readily available post-exploitation tool designed to steal data stored in Chrome-based browsers.
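To show what a defender can do with the sideloading details above, here is an added detection example (not code from the report or from Symantec). It walks Sysmon-style image-load records and flags the two abused hosts named in the report when they load an unsigned DLL from outside the Windows system directories, especially one whose name matches the reported malicious DLLs. The `ImageLoad` class, the `signed` boolean and the sample events are all constructed for this example.

```python
import ntpath
from dataclasses import dataclass
from typing import List, Optional

# Legitimate signed binaries the report names as sideloading hosts.
WATCHED_HOSTS = {"fmapp.exe", "sentinelmemoryscanner.exe"}
# DLL names the report says carried ChromElevator.
REPORTED_DLLS = {"fmapp.dll", "sentinelagentcore.dll"}
# Directories from which OS DLLs are expected to load (lower-cased prefixes).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

@dataclass
class ImageLoad:
    image: str     # full path of the loading process (Sysmon Event ID 7 'Image')
    loaded: str    # full path of the DLL loaded (Sysmon 'ImageLoaded')
    signed: bool   # assumption: Sysmon 'Signed' field already parsed to bool

def check_sideload(ev: ImageLoad) -> Optional[str]:
    """Return a reason string if the load looks like DLL sideloading, else None."""
    host = ntpath.basename(ev.image).lower()
    dll = ntpath.basename(ev.loaded).lower()
    dll_dir = ntpath.dirname(ev.loaded).lower()
    if host not in WATCHED_HOSTS:
        return None
    if dll_dir.startswith(TRUSTED_DIRS):
        return None  # system DLLs such as kernel32.dll are expected
    if dll in REPORTED_DLLS and not ev.signed:
        return f"{host} loaded unsigned {dll} (name reported in campaign) from {dll_dir}"
    if not ev.signed and dll_dir == ntpath.dirname(ev.image).lower():
        return f"{host} loaded unsigned {dll} from its own directory"
    return None

def scan(events: List[ImageLoad]) -> List[str]:
    """Return one alert string per suspicious image load."""
    return [r for r in (check_sideload(e) for e in events) if r]

# Constructed sample events (paths are illustrative, not from the report).
SAMPLE = [
    ImageLoad(r"C:\Users\Public\Audio\fmapp.exe", r"C:\Users\Public\Audio\fmapp.dll", False),
    ImageLoad(r"C:\Users\Public\Audio\fmapp.exe", r"C:\Windows\System32\kernel32.dll", True),
    ImageLoad(r"C:\ProgramData\s1\SentinelMemoryScanner.exe",
              r"C:\ProgramData\s1\SentinelAgentCore.dll", False),
    ImageLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Vendor\helper.dll", False),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

The second rule (unsigned DLL loaded from the host's own directory) catches a renamed payload that no longer matches the reported names, at the cost of more noise from vendor software that ships unsigned helper DLLs.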
**Symantec** also observed the continued use of PowerShell, consistent with previous Seedworm attacks. However, in these recent incidents, PowerShell payloads are controlled through Node.js loaders rather than direct execution. PowerShell is used for various malicious activities, including capturing screenshots, reconnaissance, fetching additional payloads, establishing persistence, stealing credentials, and creating SOCKS5 tunnels.
### Attack on a Korean Firm
According to **Symantec**'s analysis, the attack on the South Korean electronics manufacturer spanned from February 20th to 27th. The name of the targeted organization was not disclosed.
The initial stages of the attack involved host and domain reconnaissance, followed by antivirus enumeration via WMI, screenshot capture, and the deployment of additional malware. Credential theft was achieved through fake Windows prompts, registry hive theft (SAM/SECURITY/SYSTEM), and the use of Kerberos ticket abuse tools.
Persistence was established through registry modifications, with beaconing occurring at 90-second intervals. Sideloaded binaries were repeatedly relaunched to maintain persistent access.
"The cadence is again consistent with implant-driven activity rather than continuous operator presence," the researchers noted.
The attackers utilized sendit.sh, a public file-sharing service, for data exfiltration, likely to obfuscate malicious activity and blend it with normal network traffic.
Overall, **Symantec** highlights that the latest Seedworm campaign is notable for its geographic expansion, operational maturity, and the abuse of legitimate tools and services, indicating a shift toward stealthier and more sophisticated attack methods.