{"id":12852,"date":"2026-05-14T10:04:35","date_gmt":"2026-05-14T10:04:35","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/05\/14\/seedworm-apt-abuses-signed-fortemedia-and-sentinelone-binaries-for-dll-sideloading\/"},"modified":"2026-05-14T10:04:35","modified_gmt":"2026-05-14T10:04:35","slug":"seedworm-apt-abuses-signed-fortemedia-and-sentinelone-binaries-for-dll-sideloading","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/05\/14\/seedworm-apt-abuses-signed-fortemedia-and-sentinelone-binaries-for-dll-sideloading\/","title":{"rendered":"Seedworm APT Abuses Signed Fortemedia and SentinelOne Binaries for DLL Sideloading"},"content":{"rendered":"<div>\n<p>Iran-linked hackers have been quietly breaking into networks around the world, and their latest campaign is more calculated than anything we have seen from them before. 
<\/p>\n<p><a href=\"https:\/\/cybersecuritynews.com\/seedworm-hackers-exploit\/\" id=\"63040\" target=\"_blank\" rel=\"noreferrer noopener\">The group known as Seedworm, also tracked as MuddyWater<\/a>, spent the first quarter of 2026 targeting at least nine organizations across nine countries on four continents, leaving a trail of stolen data and compromised credentials.<\/p>\n<p>The targets ranged widely, touching industrial and electronics manufacturing firms, educational institutions, government agencies, financial services providers, and even an international airport in the Middle East. <\/p>\n<p>One of the most striking intrusions took place in February 2026, when the group spent a full week inside the network of a major electronics manufacturer in South Korea, a region far outside its traditional hunting ground.<\/p>\n<p><a href=\"https:\/\/www.security.com\/threat-intelligence\/iran-seedworm-electronics\" id=\"https:\/\/www.security.com\/threat-intelligence\/iran-seedworm-electronics\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Analysts from Symantec\u2019s Threat Hunter Team identified the campaign<\/a> and linked it to Seedworm, a group widely believed to operate on behalf of Iran\u2019s Ministry of Intelligence and Security. <\/p>\n<p>The researchers noted that every targeted organization likely held information of direct intelligence value to Tehran, whether that was intellectual property, government data, or access to downstream customers.<\/p>\n<h2 class=\"wp-block-heading\" id=\"abusing-signed-binaries-for-dll-sideloading\"><strong>Abusing Signed Binaries for DLL Sideloading<\/strong><\/h2>\n<p>What stands out is not just the range of victims, but how the attackers moved through their targets. Rather than relying on noisy, easily detected methods, Seedworm showed a level of operational discipline that signals real maturity in its tradecraft. The attackers blended their techniques to stay hidden, move quietly, and extract data without triggering obvious alarms.<\/p>\n<p>The group also updated its tooling, mixing familiar tools with new delivery methods and choosing exfiltration paths that are harder to detect. This campaign is a clear reminder that state-linked espionage actors are constantly refining their approach, and defenders need to stay ahead.<\/p>\n<p>The most striking technique in this campaign was how the attackers turned trusted software against the organizations it was supposed to protect. 
They dropped pairs of files on targeted systems: one legitimate, signed executable, and one malicious DLL crafted to be secretly loaded by it.<\/p>\n<p>The first pair used fmapp.exe, a legitimate audio-driver utility, to load a malicious file called fmapp.dll. 
The second pair was more provocative: sentinelmemoryscanner.exe, <a href=\"https:\/\/cybersecuritynews.com\/hackers-use-fake-security-software-to-deliver-lucidrook\/\" id=\"146986\" target=\"_blank\" rel=\"noreferrer noopener\">a legitimate component from a well-known security product<\/a>, was used to sideload a malicious file called sentinelagentcore.dll. By sheltering behind trusted, signed software, the attackers made their activity look benign at a glance, defeating detections keyed on the executable\u2019s file path or code signature.<\/p>\n<p>Both <a href=\"https:\/\/cybersecuritynews.com\/malicious-chrome-installer-alert\/\" id=\"72170\" target=\"_blank\" rel=\"noreferrer noopener\">malicious DLLs carried ChromElevator, a post-exploitation tool<\/a> capable of stealing passwords, cookies, and payment card data from Chromium-based browsers. In every observed case, the parent process launching these files was node.exe, meaning a Node.js script was driving the entire sideloading chain rather than a human operator at a keyboard.<\/p>\n<h2 class=\"wp-block-heading\" id=\"credential-theft-exfiltration-and-defensive-steps\"><strong>Credential Theft, Exfiltration, and Defensive Steps<\/strong><\/h2>\n<p>Once inside a network, the attackers wasted no time collecting credentials and locking in their access. They used registry changes to ensure their loader chain would restart every time the affected user logged in. They also dumped Windows registry hives containing password hashes, giving them offline material for cracking and lateral movement.<\/p>\n<p>Multiple credential-theft tools were deployed in rapid succession, showing the attackers wanted redundancy in case any single method was caught. One tool triggered a fake Windows login prompt to harvest a password and saved it to a plaintext file on disk. 
Another automated Kerberos ticket extraction without ever needing a domain administrator\u2019s password.<\/p>\n<p>For exfiltration, the group used sendit[.]sh, a public file-transfer service, to move stolen files off the network. 
<a href=\"https:\/\/cybersecuritynews.com\/hackers-could-abuse-google-cloud-platform\/\" id=\"107459\" target=\"_blank\" rel=\"noreferrer noopener\">Routing data through a consumer cloud platform is a deliberate tactic to blend malicious traffic<\/a> with ordinary internet activity. Organizations should monitor for unexpected use of public file-sharing services and audit all outbound transfers from sensitive directories.<\/p>\n<p>Defenders should also watch for unusual node.exe process trees, unexpected DLL loads from signed third-party binaries, and PowerShell pulling content from external staging servers. Keeping endpoint detection rules current and reviewing registry run keys regularly can reduce the window attackers have to maintain their foothold.<\/p>\n<p id=\"indicators-of-compromise-iocs\"><strong>Indicators of Compromise (IoCs):-<\/strong><\/p>\n<p><strong>Note:<\/strong>\u00a0<em>IP addresses and domains are intentionally defanged (e.g.,\u00a0<\/em><code><em>[.]<\/em><\/code><em>) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM<\/em>.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/seedworm-apt-abuses-signed-fortemedia\/\">Seedworm APT Abuses Signed Fortemedia and SentinelOne Binaries for DLL Sideloading<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Tushar Subhra Dutta<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Seedworm APT Abuses Signed Fortemedia and SentinelOne Binaries for DLL Sideloading Iran-linked hackers have been quietly breaking into networks around the world, and their latest campaign is more calculated than anything we have seen from them before. 
The group known as Seedworm, also tracked as MuddyWater, spent the first quarter of 2026 targeting at least [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-12852","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/12852"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=12852"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/12852\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=12852"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=12852"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=12852"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}