Iranian hackers targeted major South Korean electronics maker

By Bill Toulas, May 13, 2026, 05:59 PM (BleepingComputer)

The Iran-linked hacking group MuddyWater (a.k.a. Seedworm, Static Kitten) launched a broad cyber-espionage campaign targeting at least nine high-profile organizations across multiple sectors and countries. Among the victims are a major South Korean electronics manufacturer, government agencies, an international airport in the Middle East, industrial manufacturers in Asia, and educational institutions.
Researchers at Symantec say that the threat actor “spent a week inside the network of a major South Korean electronics manufacturer in February 2026.” Symantec’s Threat Hunter Team believes the attacker was intelligence-driven, focusing on industrial and intellectual property theft, government espionage, and access to downstream customers or corporate networks.

Fortemedia and SentinelOne abuse

Seedworm's campaign relied heavily on DLL sideloading, a common technique in which a legitimate, signed executable is made to load a malicious DLL that has been placed alongside it under the name of a library the executable expects. Two of the binaries abused in the attack are ‘fmapp.exe,’ a legitimate Fortemedia audio utility, and ‘sentinelmemoryscanner.exe,’ a legitimate SentinelOne component. The malicious DLLs (fmapp.dll and sentinelagentcore.dll) contained ChromElevator, a commodity post-exploitation tool that steals data stored in Chrome-based browsers. Because the host process is signed by a trusted vendor, the sideloaded code inherits that appearance of legitimacy in process listings and in allow-list based controls.

Symantec also found that PowerShell, used in previous Seedworm attacks, was still heavily used in the recent incidents, although the payloads were now controlled through Node.js loaders rather than run directly. PowerShell was used to capture screenshots, conduct reconnaissance, fetch additional payloads, establish persistence, steal credentials, and create SOCKS5 tunnels.

Attack on a Korean firm

According to Symantec's observations, the attack on the South Korean electronics manufacturer lasted from February 20 to 27. The researchers did not disclose the name of the targeted organization.

In the first stage, Seedworm performed host and domain reconnaissance, followed by antivirus enumeration via WMI, screenshot capture, and the download of additional malware. Credential theft occurred via fake Windows credential prompts, theft of the SAM, SECURITY and SYSTEM registry hives (which together yield local account password hashes, LSA secrets and cached domain credentials), and Kerberos ticket abuse tools. Persistence was established through registry modifications, beaconing occurred at 90-second intervals, and the sideloaded binaries were repeatedly relaunched to maintain access.
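One way to hunt for the sideloading pattern described above, as an added example that is not code from Symantec, BleepingComputer or the vendors whose binaries were abused: it walks Sysmon Event ID 7 (ImageLoad) records and flags a process that loads a DLL from its own directory when that DLL is unsigned and the directory lies outside the normal install roots, or when the DLL's signer differs from the host executable's signer, and it also matches the two host/DLL name pairs named in the article. It assumes the Sysmon configuration also records the process loading its own executable (Image equal to ImageLoaded), which is where the host signer comes from. The event records, paths, the trusted-root list and the signer strings are constructed for the example; the signer strings are placeholders, not the vendors' real certificate subjects.

```python
"""Hunt for DLL sideloading in Sysmon Event ID 7 (ImageLoad) records.

Added example; not code from Symantec, BleepingComputer or the vendors whose
binaries were abused. Events, paths and signer strings below are constructed;
the signer strings are placeholders, not real certificate subjects.
"""
from pathlib import PureWindowsPath

# Host executable -> malicious DLL pairs reported by Symantec (from the article).
REPORTED_PAIRS = {
    "fmapp.exe": "fmapp.dll",
    "sentinelmemoryscanner.exe": "sentinelagentcore.dll",
}

# Where vendor software is normally installed (assumed list; extend for your
# estate). A signed vendor binary running from anywhere else is itself a signal.
TRUSTED_ROOTS = ("c:\\program files", "c:\\program files (x86)", "c:\\windows")


def _p(path):
    """Normalise a Windows path for comparison."""
    return PureWindowsPath(path.lower())


def _under_trusted_root(path):
    s = str(path)
    return any(s.startswith(root + "\\") for root in TRUSTED_ROOTS)


def host_signers(events):
    """Map each process image to its signer, taken from the ID 7 record in which
    the process loads its own executable (Image == ImageLoaded). This assumes the
    Sysmon configuration logs that self-load."""
    signers = {}
    for ev in events:
        if _p(ev["Image"]) == _p(ev["ImageLoaded"]) and ev["Signed"].lower() == "true":
            signers[_p(ev["Image"])] = ev.get("Signature", "")
    return signers


def assess_image_load(ev, signers):
    """Return the reasons this ImageLoad looks like sideloading (empty = benign)."""
    image, loaded = _p(ev["Image"]), _p(ev["ImageLoaded"])
    if image == loaded or loaded.suffix != ".dll":
        return []
    reasons = []
    if REPORTED_PAIRS.get(image.name) == loaded.name:
        reasons.append(f"reported sideload pair {image.name} -> {loaded.name}")
    sibling = loaded.parent == image.parent
    signed = ev["Signed"].lower() == "true"
    if sibling and not signed and not _under_trusted_root(image):
        reasons.append("unsigned DLL loaded from the executable's own directory "
                       "outside a trusted install root")
    host_sig = signers.get(image)
    dll_sig = ev.get("Signature", "")
    if sibling and signed and host_sig and dll_sig != host_sig:
        reasons.append(f"sibling DLL signer '{dll_sig}' differs from host signer '{host_sig}'")
    return reasons


def hunt(events):
    """Run assess_image_load over a batch; return (pid, image, dll, reasons) hits."""
    signers = host_signers(events)
    hits = []
    for ev in events:
        reasons = assess_image_load(ev, signers)
        if reasons:
            hits.append((ev["ProcessId"], ev["Image"], ev["ImageLoaded"], reasons))
    return hits


# Constructed Sysmon ID 7 records (subset of fields).
SAMPLE_EVENTS = [
    # fmapp.exe copied to a temp folder: self-load (gives signer), then an unsigned fmapp.dll.
    {"ProcessId": 4412, "Image": r"C:\Users\alice\AppData\Local\Temp\fm\fmapp.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\fm\fmapp.exe",
     "Signed": "true", "Signature": "Fortemedia (placeholder signer)"},
    {"ProcessId": 4412, "Image": r"C:\Users\alice\AppData\Local\Temp\fm\fmapp.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\fm\fmapp.dll",
     "Signed": "false", "Signature": "-"},
    # sentinelmemoryscanner.exe under ProgramData loads a sibling DLL signed by someone else.
    {"ProcessId": 5120, "Image": r"C:\ProgramData\svc\sentinelmemoryscanner.exe",
     "ImageLoaded": r"C:\ProgramData\svc\sentinelmemoryscanner.exe",
     "Signed": "true", "Signature": "SentinelOne (placeholder signer)"},
    {"ProcessId": 5120, "Image": r"C:\ProgramData\svc\sentinelmemoryscanner.exe",
     "ImageLoaded": r"C:\ProgramData\svc\sentinelagentcore.dll",
     "Signed": "true", "Signature": "Example Code Signing Ltd"},
    # Benign: an installed vendor app loading its own signed helper and a system DLL.
    {"ProcessId": 6001, "Image": r"C:\Program Files\VendorApp\app.exe",
     "ImageLoaded": r"C:\Program Files\VendorApp\app.exe",
     "Signed": "true", "Signature": "VendorApp Ltd"},
    {"ProcessId": 6001, "Image": r"C:\Program Files\VendorApp\app.exe",
     "ImageLoaded": r"C:\Program Files\VendorApp\helper.dll",
     "Signed": "true", "Signature": "VendorApp Ltd"},
    {"ProcessId": 6001, "Image": r"C:\Program Files\VendorApp\app.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
]

if __name__ == "__main__":
    for pid, image, dll, reasons in hunt(SAMPLE_EVENTS):
        print(pid, image, "->", dll)
        for r in reasons:
            print("   ", r)
```

The name pairs are indicators that will change between campaigns; the signer and directory rules are the durable part. In production the signer-mismatch rule needs an allow-list for legitimately co-shipped third-party runtimes (a vendor binary loading a redistributable signed by its own publisher would otherwise trip it), and a further high-value pivot is a signed binary whose OriginalFileName belongs to a vendor product that is not installed on that host.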
“The cadence is again consistent with implant-driven activity rather than continuous operator presence,” the researchers said.

The attackers used sendit.sh, a public file-sharing service, for data exfiltration, likely to blend the uploads in with ordinary web traffic and so obscure the malicious activity.

Overall, Symantec found the latest Seedworm campaign notable for the threat actors’ geographic expansion, operational maturity, and abuse of legitimate tools and services, which mark a shift toward quieter attacks.
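The fixed 90-second cadence that Symantec attributes to an implant is itself a detection signal: a person generates traffic at irregular intervals, an implant sleeps for a configured time with a little jitter. The added example below (not code from the report or the article) groups outbound connections by source host and destination, computes the inter-arrival gaps for each pair, and flags pairs whose gaps have a low relative spread. The connection log, the host names, the RFC 5737 TEST-NET address and the thresholds are constructed for illustration.

```python
"""Flag beacon-like outbound connections by inter-arrival regularity.

Added example, not code from the Symantec report or the article. Timestamps
are epoch seconds; the log below is constructed and uses a TEST-NET address.
"""
from collections import defaultdict
from statistics import mean, median, pstdev


def _cumulative(start, gaps):
    """Turn a start time and a list of gaps into absolute timestamps."""
    times, t = [start], start
    for g in gaps:
        t += g
        times.append(t)
    return times


# Constructed connection log: (source_host, destination, epoch_seconds).
SAMPLE_CONNECTIONS = (
    # ws-0412 contacting 203.0.113.10 every ~90 s with +/-1 s of jitter (22 connections).
    [("ws-0412", "203.0.113.10", t)
     for t in _cumulative(1_700_000_000, [89, 90, 91] * 7)]
    # ws-0412 browsing an intranet wiki at human-paced, irregular intervals.
    + [("ws-0412", "wiki.corp.example", t)
       for t in _cumulative(1_700_000_030, [3, 41, 7, 600, 12, 95, 2, 1800, 30, 5, 250])]
    # ws-0977 checking an update server a few times: too few samples to judge.
    + [("ws-0977", "updates.example.net", t)
       for t in _cumulative(1_700_000_500, [3600, 3620])]
)


def inter_arrival_gaps(timestamps):
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def beacon_score(timestamps, min_connections=8):
    """Return (median_gap, jitter_ratio), or None when there is too little data.

    jitter_ratio is the population standard deviation of the gaps divided by
    their mean: a sleeping implant with small jitter gives a value near 0,
    human activity gives a value well above 1.
    """
    if len(timestamps) < min_connections:
        return None
    gaps = inter_arrival_gaps(timestamps)
    avg = mean(gaps)
    if avg <= 0:
        return None
    return median(gaps), pstdev(gaps) / avg


def find_beacons(connections, max_jitter=0.2, min_connections=8):
    """Group connections by (src, dst) and return the pairs that look machine-paced."""
    by_pair = defaultdict(list)
    for src, dst, ts in connections:
        by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), ts in by_pair.items():
        score = beacon_score(ts, min_connections)
        if score is not None and score[1] <= max_jitter:
            hits.append({"src": src, "dst": dst,
                         "median_gap_s": score[0], "jitter": round(score[1], 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_CONNECTIONS):
        print(hit)
```

Run against proxy, firewall or NetFlow exports this surfaces candidates, not verdicts: software update checks and monitoring agents also beacon, so the output needs a destination allow-list, and implants with large randomised jitter or those that only beacon while a user is active will need the threshold relaxed or a frequency-domain approach instead.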
Source: https://www.bleepingcomputer.com/news/security/iranian-hackers-targeted-major-south-korean-electronics-maker/ (published 2026-05-13T21:59:33+00:00)

Category: Nation-state. Topics: Identity & Access, Malware, Threat Intelligence. Entities: MuddyWater, Seedworm, Static Kitten (threat actor); Symantec (vendor); ChromElevator (product); DLL sideloading (technique).