home.social

#seedworm — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #seedworm, aggregated by home.social.

  1. Iran-Linked Hackers Breached Korean Electronics Maker in Global Spying Campaign

    Iranian state-sponsored threat group Seedworm conducted a widespread espionage campaign in early 2026, compromising at least nine organizations across nine countries on four continents. Victims included a major South Korean electronics manufacturer, government agencies, an international airport in the Middle East, Southeast Asian industrial manufacturers, a Latin American financial services provider, and educational institutions. The attackers utilized DLL sideloading techniques with legitimately signed Fortemedia and SentinelOne binaries to execute malicious payloads, deployed Node.js-based implants for orchestration, and employed multiple PowerShell scripts for reconnaissance, credential theft, and privilege escalation. Data exfiltration was conducted through public file-transfer service sendit.sh to blend malicious traffic with legitimate cloud services. The campaign demonstrates Seedworm's evolved tradecraft and expanded targeting beyond traditional Middle Eastern focus areas.

    Pulse ID: 6a033220a0063c7c2a4f1d8f
    Pulse Link: otx.alienvault.com/pulse/6a033
    Pulse Author: AlienVault
    Created: 2026-05-12 13:58:56

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Asia #Cloud #CyberSecurity #Education #Espionage #Government #ICS #InfoSec #Iran #Korea #LatinAmerica #MiddleEast #Nodejs #OTX #OpenThreatExchange #PowerShell #RAT #SeedWorm #SentinelOne #SideLoading #SouthKorea #Worm #bot #AlienVault

  2. Iranian APT Seedworm Targets Global Organizations via Microsoft Teams

    Pulse ID: 69e6fb820c2c73386320bce2
    Pulse Link: otx.alienvault.com/pulse/69e6f
    Pulse Author: Tr1sa111
    Created: 2026-04-21 04:22:26

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #InfoSec #Iran #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #SeedWorm #Worm #bot #Tr1sa111

  3. Iranian APT Seedworm Targets Global Organizations via Microsoft Teams

    In late February 2026, following escalating Middle East tensions and coordinated military actions, Iranian APT group Seedworm launched sophisticated social engineering attacks via Microsoft Teams. Attackers impersonated IT support personnel using deceptive Microsoft 365 tenant domains to convince victims to execute malicious MSI installers. The campaign deployed a custom backdoor called Dindoor, which leveraged legitimate Deno runtime to execute obfuscated payloads in-memory, minimizing detection. The operation included multiple components for persistence, command-and-control communications, and data exfiltration. Infrastructure overlapped with previously reported MuddyWater operations. The attack demonstrates the group's evolution in using collaboration platforms as initial access vectors while combining dual-use tooling with living-off-the-land techniques to bypass traditional security controls.

    Pulse ID: 69e2417dcac9587a626c98a2
    Pulse Link: otx.alienvault.com/pulse/69e24
    Pulse Author: AlienVault
    Created: 2026-04-17 14:19:41

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #BackDoor #CyberSecurity #InfoSec #Iran #Microsoft #MicrosoftTeams #MiddleEast #Military #MuddyWater #Nim #OTX #OpenThreatExchange #RAT #SeedWorm #SocialEngineering #Worm #bot #AlienVault
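The tradecraft the pulses above describe (a signed vendor EXE sideloading an unsigned DLL, Node.js or Deno runtimes running from user-writable paths, MSI installers fetched straight from a URL after a Teams lure, and exfiltration to sendit.sh) maps onto a handful of endpoint triage rules. The block below is an added example, not code from the OTX pulses or from any vendor report. It runs over constructed Sysmon-style events: the Sysmon event IDs and field names (Image, ImageLoaded, Signature, SignatureStatus, CommandLine, DestinationHostname, QueryName) are real, but every event is made up, `ProcessSignature` is an assumed enrichment field carrying the loading process's signer, and `example.invalid` is a placeholder host.

```python
"""Triage rules for the Seedworm tradecraft in the pulses above, run over
constructed Sysmon-style events. Added example; the events are made up and
ProcessSignature is an assumed enrichment field (Sysmon Event 7 itself does
not record the signer of the loading process)."""
import ntpath
import re

# Path fragments a standard user can write to. A signed EXE loading an
# unsigned DLL from such a directory is the classic sideloading shape.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")
SCRIPT_RUNTIMES = {"node.exe", "deno.exe"}
EXFIL_HOSTS = {"sendit.sh"}          # named in the first pulse as the exfil service
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def in_user_writable(path):
    p = path.lower()
    return any(seg in p for seg in USER_WRITABLE)


def check_image_load(ev):
    """Sysmon Event 7 (ImageLoad): a process whose signer differs from the
    signer of a DLL loaded from the process's own user-writable directory."""
    exe, dll = ev["Image"], ev["ImageLoaded"]
    if ntpath.dirname(exe).lower() != ntpath.dirname(dll).lower():
        return None
    if not in_user_writable(exe):
        return None
    host_signer = ev.get("ProcessSignature")            # assumed enrichment field
    dll_signer = ev.get("Signature") if ev.get("SignatureStatus") == "Valid" else None
    if host_signer and host_signer != dll_signer:
        return (f"sideload: {ntpath.basename(exe)} (signed by {host_signer}) loaded "
                f"{ntpath.basename(dll)} (signer: {dll_signer or 'none/invalid'}) "
                f"from {ntpath.dirname(exe)}")
    return None


def check_process_create(ev):
    """Sysmon Event 1 (ProcessCreate): script runtimes outside an install
    location, or msiexec asked to install a package from a URL."""
    image = ntpath.basename(ev["Image"]).lower()
    cmd = ev.get("CommandLine", "")
    if image in SCRIPT_RUNTIMES and in_user_writable(ev["Image"]):
        return f"script runtime {image} launched from {ntpath.dirname(ev['Image'])}: {cmd}"
    if image == "msiexec.exe" and URL_RE.search(cmd):
        return f"msiexec installing from a URL: {cmd}"
    return None


def check_network(ev):
    """Sysmon Event 3 (NetworkConnect) or 22 (DNSQuery): contact with a
    watchlisted file-transfer host or any of its subdomains."""
    host = (ev.get("DestinationHostname") or ev.get("QueryName") or "").lower()
    for bad in EXFIL_HOSTS:
        if host == bad or host.endswith("." + bad):
            return f"traffic to {host} from {ntpath.basename(ev.get('Image', '?'))}"
    return None


RULES = {1: check_process_create, 3: check_network, 7: check_image_load, 22: check_network}


def triage(events):
    """Return (EventID, message) for every event that trips a rule."""
    alerts = []
    for ev in events:
        rule = RULES.get(ev["EventID"])
        if rule:
            hit = rule(ev)
            if hit:
                alerts.append((ev["EventID"], hit))
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # benign: vendor EXE loads its own signed DLL from Program Files
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "ProcessSignature": "Vendor Inc", "Signature": "Vendor Inc", "SignatureStatus": "Valid"},
    # suspicious: signed EXE dropped into a profile directory loads an unsigned DLL beside it
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Audio\signed_host.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Audio\version.dll",
     "ProcessSignature": "Example Signer", "Signature": "", "SignatureStatus": "Unavailable"},
    # suspicious: node.exe running out of a user-writable directory
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Roaming\node\node.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Roaming\node\node.exe" agent.js'},
    # benign: node.exe from its normal install location
    {"EventID": 1, "Image": r"C:\Program Files\nodejs\node.exe",
     "CommandLine": r'"C:\Program Files\nodejs\node.exe" build.js'},
    # suspicious: msiexec pulling an installer straight from a URL (placeholder host)
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec.exe /i https://example.invalid/support-tool.msi /qn"},
    # suspicious: PowerShell resolving the file-transfer service named in the pulse
    {"EventID": 22, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "QueryName": "sendit.sh"},
]

if __name__ == "__main__":
    for eid, msg in triage(SAMPLE_EVENTS):
        print(f"[EventID {eid}] {msg}")
```

The signer comparison is the part worth keeping even if the path heuristics are tuned down: a legitimately signed host binary loading a DLL that carries no valid signature, or one from a different publisher, is the shape of the Fortemedia/SentinelOne abuse described above, and it does not depend on knowing the DLL's hash in advance. The sendit.sh rule is only as good as the watchlist; a practitioner would extend EXFIL_HOSTS with whatever public file-transfer services are not sanctioned in their environment.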