Seedworm Launches Global Espionage Campaign Abusing Signed Binaries and Node.js Orchestration

Pulse ID: 6a0954ff8b83b84d3ddeba4f
Pulse Link: https://otx.alienvault.com/pulse/6a0954ff8b83b84d3ddeba4f
Pulse Author: cryptocti
Created: 2026-05-17 05:41:19

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Espionage #InfoSec #Nodejs #OTX #OpenThreatExchange #RAT #SeedWorm #Worm #bot #cryptocti

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Iranian Hackers Target Electronics Maker in Global Espionage Push

Iran-linked hackers, known as MuddyWater, infiltrated a major South Korean electronics manufacturer's network for a week in February 2026, as part of a massive global cyber-espionage campaign targeting nine high-profile organizations across multiple sectors and countries.

https://osintsights.com/iranian-hackers-target-electronics-maker-in-global-espionage-push?utm_source=mastodon&utm_medium=social

#Muddywater #Seedworm #CyberEspionage #DllSideloading #Chromelevator

Iran-Linked Hackers Breached Korean Electronics Maker in Global Spying Campaign

Iranian state-sponsored threat group Seedworm conducted a widespread espionage campaign in early 2026, compromising at least nine organizations across nine countries on four continents. Victims included a major South Korean electronics manufacturer, government agencies, an international airport in the Middle East, Southeast Asian industrial manufacturers, a Latin American financial services provider, and educational institutions. The attackers used DLL sideloading with legitimately signed Fortemedia and SentinelOne binaries to execute malicious payloads, deployed Node.js-based implants for orchestration, and ran multiple PowerShell scripts for reconnaissance, credential theft, and privilege escalation. Data was exfiltrated through the public file-transfer service sendit.sh so that the traffic blended in with legitimate cloud-service use. The campaign demonstrates Seedworm's evolved tradecraft and its expanded targeting beyond its traditional Middle Eastern focus.

Pulse ID: 6a033220a0063c7c2a4f1d8f
Pulse Link: https://otx.alienvault.com/pulse/6a033220a0063c7c2a4f1d8f
Pulse Author: AlienVault
Created: 2026-05-12 13:58:56

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #Cloud #CyberSecurity #Education #Espionage #Government #ICS #InfoSec #Iran #Korea #LatinAmerica #MiddleEast #Nodejs #OTX #OpenThreatExchange #PowerShell #RAT #SeedWorm #SentinelOne #SideLoading #SouthKorea #Worm #bot #AlienVault


Microsoft Zerologon Flaw Under Attack By Iranian Nation-State Actors

Microsoft warns that the MERCURY APT has been actively exploiting CVE-2020-1472 in campaigns for the past two weeks.

https://threatpost.com/microsoft-zerologon-attack-iranian-actors/159874/

#netlogonremoteprotocol #nationstateactor #vulnerabilities #activeexploit #cve-2020-1472 #zerologonflaw #statickitten #websecurity #iranianapt #muddywater #microsoft #seedworm #exploit #mercury #windows #hacks

Threatpost - English - Global - threatpost.com