This article is about ‘Ransomware 2026 Report March’.
ThreatMon has analysed an active espionage campaign conducted during the first quarter of 2026 by Seedworm, an Iran-linked threat actor assessed with high confidence to operate on behalf of Iran’s Ministry of Intelligence and Security (MOIS).
The campaign affected at least nine organisations across nine countries and four continents, spanning industrial and electronics manufacturing, government, financial services, and education. The campaign demonstrates a clear evolution in Seedworm’s operational maturity. Attackers leveraged DLL sideloading via legitimately signed third-party binaries, orchestrated implant activity through Node.js rather than raw PowerShell, employed multiple redundant credential-theft tools, and exfiltrated data through a public file-transfer service to blend into legitimate network traffic.
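As an added illustration, not code from the ThreatMon report, the following Python triage runs over constructed, simplified Sysmon-style events and flags the two host-side behaviours described above: a signed binary loading an unsigned DLL from a user-writable directory next to itself, and node.exe spawning a scripting child. The field names, sample paths and the child-process list are assumptions made for the example.

```python
"""Heuristic triage over constructed Sysmon-style events for two TTPs the report
attributes to Seedworm: DLL sideloading via a signed host and a Node.js launcher."""
import ntpath  # Windows path handling regardless of the host running this script

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
# Assumed set of child images worth flagging under a node.exe parent.
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "rundll32.exe", "wscript.exe"}

def dll_sideload_candidate(ev: dict) -> bool:
    """ImageLoad (EventID 7): a validly signed host loads an unsigned DLL from
    its own directory, and that directory is user-writable. Candidate, not proof."""
    if ev.get("EventID") != 7:
        return False
    host, dll = ev["Image"].lower(), ev["ImageLoaded"].lower()
    return (ev.get("ImageSignatureStatus") == "Valid"   # simplified field name
            and ev.get("SignatureStatus") != "Valid"    # loaded DLL not validly signed
            and ntpath.dirname(host) == ntpath.dirname(dll)
            and any(m in dll for m in USER_WRITABLE))

def node_launcher_candidate(ev: dict) -> bool:
    """ProcessCreate (EventID 1): node.exe spawning a scripting or LOLBin child."""
    if ev.get("EventID") != 1:
        return False
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    child = ntpath.basename(ev.get("Image", "")).lower()
    return parent == "node.exe" and child in SUSPICIOUS_CHILDREN

def triage(events) -> list:
    """Return (index, rule_name) pairs for every event that matches a rule."""
    hits = []
    for i, ev in enumerate(events):
        for name, rule in (("dll_sideload", dll_sideload_candidate),
                           ("node_launcher", node_launcher_candidate)):
            if rule(ev):
                hits.append((i, name))
    return hits

# Constructed sample events; paths and names are not from the report.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\u\AppData\Local\Vendor\tool.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Local\Vendor\version.dll",
     "ImageSignatureStatus": "Valid", "SignatureStatus": "Unsigned"},
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "ImageSignatureStatus": "Valid", "SignatureStatus": "Valid"},
    {"EventID": 1, "ParentImage": r"C:\Program Files\nodejs\node.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]
```

Both rules are starting points for hunting and will need tuning against the environment's own baseline of signed vendor software and legitimate Node.js tooling.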
We see the full picture of the evolving cyber threat landscape thanks to unique tools for monitoring the infrastructure used by cybercriminals and data from battlefields: